Tor 的 Onion 導入防禦機制,在遭受 DoS 的時候要求用戶端執行 PoW 任務
source link: https://blog.gslin.org/archives/2023/08/27/11316/tor-%e7%9a%84-onion-%e5%b0%8e%e5%85%a5%e9%98%b2%e7%a6%a6%e6%a9%9f%e5%88%b6%ef%bc%8c%e5%9c%a8%e9%81%ad%e5%8f%97-dos-%e7%9a%84%e6%99%82%e5%80%99%e8%a6%81%e6%b1%82%e7%94%a8%e6%88%b6%e7%ab%af%e5%9f%b7/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Tor 的 Onion 導入防禦機制,在遭受 DoS 的時候要求用戶端執行 PoW 任務
在「Introducing Proof-of-Work Defense for Onion Services」這邊看到 0.4.8 的新機制,當 Onion 服務受到 DoS 時,會需要 client 提供 PoW 證明,有證明的會優先處理:
Tor's PoW defense is a dynamic and reactive mechanism, remaining dormant under normal use conditions to ensure a seamless user experience, but when an onion service is under stress, the mechanism will prompt incoming client connections to perform a number of successively more complex operations. The onion service will then prioritize these connections based on the effort level demonstrated by the client.
主要原因是傳統遇到 DoS 時可以透過 IP address 之類的資訊設計阻擋機制,但在 Onion 服務裡面沒有這個資訊,所以需要其他方式阻擋:
The inherent design of onion services, which prioritizes user privacy by obfuscating IP addresses, has made it vulnerable to DoS attacks and traditional IP-based rate limits have been imperfect protections in these scenarios. In need of alternative solutions, we devised a proof-of-work mechanism involving a client puzzle to thwart DoS attacks without compromising user privacy.
這個 PoW 機制的說明可以在「torspec/proposals/327-pow-over-intro.txt」這邊看到,看起來是三年前 (2020/04/02) 就提出來了,直到 0.4.8 才推出。
裡面有提到 PoW 的演算法是用 Equi-X:
For our proof-of-work function we will use the Equi-X scheme by tevador [REF_EQUIX].
看起來是個方法,而且從 cryptocurrency 後大家對 PoW 的用法愈來愈熟悉了,在這邊用還不錯...
Related
架設 Tor 的 Hidden Service
會想要寫這篇是因為前陣子警察施暴影片在 YouTube 上一直被下架。 Tor 最常用到的是「隱藏使用者」的功能:使用者從 Internet 連到 Tor network 的進入節點 (entry node) 後,透過全世界的 Tor 節點加密傳輸,最後在出口節點 (exit node) 再連回 Internet 上的服務,藉此隱匿行蹤。 另外一個比較少被提到的用途是「架站」,也就是 Hidden Service。 在傳統的 Internet 架構上,知道 IP address 就容易發現機器所在地,要抄台或是在 ISP 端直接 ban IP address 也就相對容易。而 Hidden Service 就是想把服務藏到 Tor network 裡,讓外部不知道是哪一台伺服器,達成無法審查內容的目標。 官方的文件是「Configuring Hidden Services for Tor」這份。而這邊以 Ubuntu 12.04 的環境為例。 首先是先架設…
March 29, 2014In "Computer"
下一代的 Tor Hidden Service
Tor 公佈了下一代的 Hidden Service (Onion Service):「Tor's Fall Harvest: the Next Generation of Onion Services」。 三年前 Facebook 自己暴力算出 facebookcorewwwi.onion 這個很特別的名字 (參考「Facebook 證明 Tor 的 Hidden Service 不安全」),這陣子連紐約時報也能暴力算出 nytimes3xbfgragh.onion 這個好名字 (參考「紐約時報網站上 Tor 的 Hidden Service (i.e. Tor Onion Service)」,這讓只有 16 chars 的 hostname 的 hashed-space 不夠大的問題愈來愈明顯 (只有 80 bits 的空間)。 如果你也想要找出一個有趣的 hostname…
November 3, 2017In "Computer"
讓 Tor 的 .onion 支援 HTTPS
看到 Tor 官方的「Get a TLS certificate for your onion site」這篇,查了一下發現先前漏掉一些資訊... 首先是 2020 年二月的時候 CA/Browser Forum 就已經在投票是否有開放 v3 .onion 的憑證:「[Servercert-wg] Voting Begins: Ballot SC27v3: Version 3 Onion Certificates」,而結果也順利通過:「Ballot SC27v3: Version 3 Onion Certificates - CAB Forum」。 而一直到今年才有消息,希臘的 Harica CA 在月初時正式支援 v3 .onion:「Harica CA now supports issuance of DV .onion certificates」,不過拿 SSL…
March 26, 2021In "Computer"
Leave a Reply
Your email address will not be published. Required fields are marked *
Comment *
Name *
Email *
Website
Notify me of follow-up comments by email.
Notify me of new posts by email.
To respond on your own website, enter the URL of your response which should contain a link to this post's permalink URL. Your response will then appear (possibly after moderation) on this page. Want to update or remove your response? Update or delete your post and re-enter your post's URL again. (Learn More)
Post navigation
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK