mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-14 07:03:44 +01:00
b4bcd12709
svn:r9810
83 lines
3.8 KiB
Plaintext
83 lines
3.8 KiB
Plaintext
Filename: 109-no-sharing-ips.txt
|
|
Title: No more than one server per IP address.
|
|
Version:
|
|
Last-Modified:
|
|
Author: Kevin Bauer & Damon McCoy
|
|
Created: 9-March-2007
|
|
Status: Open
|
|
|
|
Overview:
|
|
This document describes a solution to a Sybil attack vulnerability in the
|
|
directory servers. Currently, it is possible for a single IP address to
|
|
host an arbitrarily high number of Tor routers. We propose that the
|
|
directory servers limit the number of Tor routers that may be registered at
|
|
a particular IP address to some small (fixed) number, perhaps just one Tor
|
|
router per IP address.
|
|
|
|
While Tor never uses more than one server from a given /16 in the same
|
|
circuit, an attacker with multiple servers in the same place is still
|
|
dangerous because he can get around the per-server bandwidth cap that is
|
|
designed to prevent a single server from attracting too much of the overall
|
|
traffic.
|
|
|
|
Motivation:
|
|
Since it is possible for an attacker to register an arbitrarily large
|
|
number of Tor routers, it is possible for malicious parties to do this
|
|
as part of a traffic analysis attack.
|
|
|
|
Security implications:
|
|
This countermeasure will increase the number of IP addresses that an
|
|
attacker must control in order to carry out traffic analysis.
|
|
|
|
Specification:
|
|
We propose that the directory servers check if an incoming Tor router IP
|
|
address is already registered under another router. If this is the case,
|
|
then prevent the new router from joining the network.
|
|
|
|
Compatibility:
|
|
|
|
Upon inspection of a directory server, we found that the following IP
|
|
addresses have more than one Tor router:
|
|
|
|
Scruples 68.5.113.81 ip68-5-113-81.oc.oc.cox.net 443
|
|
WiseUp 68.5.113.81 ip68-5-113-81.oc.oc.cox.net 9001
|
|
Unnamed 62.1.196.71 pc01-megabyte-net-arkadiou.megabyte.gr 9001
|
|
Unnamed 62.1.196.71 pc01-megabyte-net-arkadiou.megabyte.gr 9001
|
|
Unnamed 62.1.196.71 pc01-megabyte-net-arkadiou.megabyte.gr 9001
|
|
aurel 85.180.62.138 e180062138.adsl.alicedsl.de 9001
|
|
sokrates 85.180.62.138 e180062138.adsl.alicedsl.de 9001
|
|
moria1 18.244.0.188 moria.mit.edu 9001
|
|
peacetime 18.244.0.188 moria.mit.edu 9100
|
|
|
|
There may exist compatibility issues with this proposed fix. Reasons why
|
|
more than one server would share an IP address include:
|
|
|
|
* Testing. moria1, moria2, peacetime, and other morias all run on one
|
|
computer at MIT, because that way we get testing. Moria1 and moria2 are
|
|
run by Roger, and peacetime is run by Nick.
|
|
* NAT. If there are several servers but they port-forward through the same
|
|
IP address, ... we can hope that the operators coordinate with each
|
|
other. Also, we should recognize that while they help the network in
|
|
terms of increased capacity, they don't help as much as they could in
|
|
terms of location diversity. But our approach so far has been to take
|
|
what we can get.
|
|
* People who have more than 1.5MB/s and want to help out more. For
|
|
example, for a while Tonga was offering 10MB/s and its Tor server
|
|
would only make use of a bit of it. So Roger suggested that he run
|
|
two Tor servers, to use more.
|
|
|
|
Alternatives:
|
|
|
|
Roger suggested that instead of capping number of servers per IP to 1, we
|
|
should cap total declared bandwidth per IP to some N, and total declared
|
|
servers to some M. (He suggested N=5MB/s and M=5.) Directory authorities
|
|
would then always choose to keep the highest-bandwidth running servers
|
|
-- if they pick based on time joining the network we can get into bad
|
|
race conditions.
|
|
|
|
Roger also suggested that rather than not listing servers, we mark them as
|
|
not Running. (He originally suggested marking them as Running but not
|
|
Valid, but that would still allow an attacker to control an arbitrary
|
|
number of middle hops, which is still likely to be worrisome.)
|
|
|