mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2025-02-23 22:47:12 +01:00
manpage: document HiddenServicePoWDefensesEnabled option
Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
This commit is contained in:
parent
a0b9f3546e
commit
98299e0f8b
1 changed files with 24 additions and 7 deletions
@ -3021,14 +3021,14 @@ Denial of Service mitigation subsystem described above.
(Default: auto)
As for onion services, only one possible mitigation exists. It was intended to
protect the network first and thus do not help the service availability or
reachability.
For onion services, mitigations are a work in progress and multiple options
are currently available.
The mitigation we put in place is a rate limit of the amount of introduction
that happens at the introduction point for a service. In other words, it rates
limit the number of clients that are attempting to reach the service at the
introduction point instead of at the service itself.
The introduction point defense is a rate limit on the number of introduction
requests that will be forwarded to a service by each of its honest
introduction point routers. This can prevent some types of overwhelming floods
from reaching the service, but it will also prevent legitimate clients from
establishing new connections.
The following options are per onion service:
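Review bot: the new sentence "but it will also prevent legitimate clients from establishing new connections" reads as an absolute, as if every legitimate client is blocked whenever the defense is on; the rate limit only drops introductions once the limit is exceeded, so suggest "but it can also prevent some legitimate clients from establishing new connections while the limit is in effect". The rewrite also drops the old caveat that this mitigation was "intended to protect the network first" rather than service reachability; since that point still matters for operators choosing between defenses, consider keeping a short version of it in the new paragraph rather than relying on the "bottom line" sentence further down.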
@ -3082,6 +3082,23 @@ The bottom line is that this protects the network by preventing an onion
service to flood the network with new rendezvous circuits that is reducing load
on the network.
A secondary mitigation is available, based on prioritized dispatch of rendezvous
circuits for new connections. The queue is ordered based on effort a client
chooses to spend at computing a proof-of-work function.
The following options are per onion service:
[[HiddenServicePoWDefensesEnabled]] **HiddenServicePoWDefensesEnabled** **0**|**1**::
Enable proof-of-work based service DoS mitigation. If set to 1 (enabled),
tor will include parameters for an optional client puzzle in the encrypted
portion of this hidden service's descriptor. Incoming rendezvous requests
will be prioritized based on the amount of effort a client chooses to make
when computing a solution to the puzzle. The service will periodically update
a suggested amount of effort, based on attack load, and disable the puzzle
entirely when the service is not overloaded.
(Default: 0)
== DIRECTORY AUTHORITY SERVER OPTIONS
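Review bot: the HiddenServicePoWDefensesEnabled text leaves the meaning of "disable the puzzle entirely when the service is not overloaded" ambiguous; an operator cannot tell whether the puzzle parameters are then omitted from the descriptor or still published with a suggested effort of zero, which matters for how clients behave and for what to expect when inspecting the descriptor. Suggest stating explicitly which of the two happens. Also, the entry says "this hidden service's descriptor" while the surrounding paragraphs use "onion service"; the manpage should use one term consistently within this section. Finally, this is the only option in the new "The following options are per onion service:" block, so if further PoW options (suggested effort bounds, queue sizing) are planned, a one-line pointer to them or a note that they are tuned automatically would help readers know that this single switch is all they need to set.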