Merge pull request 'Adds PoW tutorial for opsec/torwebsite' (#156) from Lumaca/blog-contributions:main into main

Reviewed-on: nihilist/blog-contributions#156
looks good thx, will merge it and send payment shortly.
nihilist 2024-10-19 20:05:58 +02:00
commit 917dae7de8

@ -398,6 +398,46 @@ nginx: configuration file /etc/nginx/nginx.conf test is successful
</code></pre>
<img src="3.png" class="imgRz">
<p>Now that we have our website up and running, it's better to configure some <strong>DoS countermeasures</strong> to avoid any unpleasant problems.</p>
<p>There are many countermeasures, one of the most effective is <strong>PoW</strong>. If you want to learn more about other DoS prevention methods check the <a href="https://community.torproject.org/onion-services/advanced/dos/">guidelines</a>. If you want to learn more about how PoW works, check out the <a href="https://onionservices.torproject.org/technology/pow/">FAQs</a>.</p>
<p>Without further ado, let's enable PoW for our onion service.
<br/>
Add the following to your <code>/etc/tor/torrc</code>
</p>
<pre><code class="nim"> HiddenServicePoWDefensesEnabled 1
HiddenServicePoWQueueRate 250
HiddenServicePoWQueueBurst 2500
</code></pre>
<p>This is what the options do (taken from <code>tor(1)</code> manual)</p>
<pre><code class="nim"> HiddenServicePoWDefensesEnabled 0|1
Enable proof-of-work based service DoS mitigation. If set to 1
(enabled), tor will include parameters for an optional client
puzzle in the encrypted portion of this hidden services
descriptor. Incoming rendezvous requests will be prioritized based
on the amount of effort a client chooses to make when computing a
solution to the puzzle. The service will periodically update a
suggested amount of effort, based on attack load, and disable the
puzzle entirely when the service is not overloaded. (Default: 0)
HiddenServicePoWQueueRate NUM
The sustained rate of rendezvous requests to dispatch per second
from the priority queue. Has no effect when proof-of-work is
disabled. If this is set to 0 theres no explicit limit and we will
process requests as quickly as possible. (Default: 250)
HiddenServicePoWQueueBurst NUM
The maximum burst size for rendezvous requests handled from the
priority queue at once. (Default: 2500)
</code></pre>
<p>If you don't know what <em>rendezvous requests</em> are, check out <a href="https://spec.torproject.org/rend-spec/rendezvous-protocol.html">the specification</a>, but essentially see them as "Hello I am NODE_X, I want to connect to NODE_Y to create a circuit, can you let me do it?"</p>
<p>If you are wondering how the priority queue is managed, think of it as how much <em>effort</em> the client put into solving the challenge; the more effort the <em>higher</em> the client priority will be (but also the time took to solve the challenge)</p>
<p>Don't forget to restart the hidden service to enable the changes made.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
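Review bot: In the torrc block, HiddenServicePoWQueueRate 250 and HiddenServicePoWQueueBurst 2500 repeat the defaults stated in the tor(1) excerpt right below it ("Default: 250", "Default: 2500"), so only HiddenServicePoWDefensesEnabled 1 changes behaviour; either drop the two lines or add a sentence saying they are listed as tuning knobs the reader may adjust. The instruction "Add the following to your /etc/tor/torrc" should also say where in the file the lines go: these are per-service options, so they belong with the onion service's existing configuration block rather than anywhere in the file. The closing "restart the hidden service" should name the actual step, which is restarting tor itself so that it re-reads torrc. Smaller points: both pre/code blocks are tagged class="nim" and begin with a stray leading space, the man page excerpt has lost its indentation so option names and descriptions run together, the apostrophes are missing in "this hidden services descriptor" and "theres", and "(but also the time took to solve the challenge)" should read "the time it takes to solve the challenge".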