| blob | 552947eba2e72642bc2f4d2430dfb0c948c58a85 |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2016, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file circpathbias.c
9 *
10 * \brief Code to track success/failure rates of circuits built through
11 * different tor nodes, in an attempt to detect attacks where
12 * an attacker deliberately causes circuits to fail until the client
13 * choses a path they like.
14 */
38 /** Increment the number of times we successfully extended a circuit to
39 * <b>guard</b>, first checking if the failure rate is high enough that
40 * we should eliminate the guard. Return -1 if the guard looks no good;
41 * return 0 if the guard looks fine.
42 */
43 static int
45 {
60 }
62 /** The minimum number of circuit attempts before we start
63 * thinking about warning about path bias and dropping guards */
64 static int
66 {
67 #define DFLT_PATH_BIAS_MIN_CIRC 150
70 else
72 DFLT_PATH_BIAS_MIN_CIRC,
74 }
76 /** The circuit success rate below which we issue a notice */
77 static double
79 {
80 #define DFLT_PATH_BIAS_NOTICE_PCT 70
83 else
86 }
88 /* XXXX024 I'd like to have this be static again, but entrynodes.c needs it. */
89 /** The circuit success rate below which we issue a warn */
90 static double
92 {
93 #define DFLT_PATH_BIAS_WARN_PCT 50
96 else
99 }
101 /* XXXX024 I'd like to have this be static again, but entrynodes.c needs it. */
102 /**
103 * The extreme rate is the rate at which we would drop the guard,
104 * if pb_dropguard is also set. Otherwise we just warn.
105 */
106 double
108 {
109 #define DFLT_PATH_BIAS_EXTREME_PCT 30
112 else
115 }
117 /* XXXX024 I'd like to have this be static again, but entrynodes.c needs it. */
118 /**
119 * If 1, we actually disable use of guards that fall below
120 * the extreme_pct.
121 */
122 int
124 {
125 #define DFLT_PATH_BIAS_DROP_GUARDS 0
128 else
131 }
133 /**
134 * This is the number of circuits at which we scale our
135 * counts by mult_factor/scale_factor. Note, this count is
136 * not exact, as we only perform the scaling in the event
137 * of no integer truncation.
138 */
139 static int
141 {
142 #define DFLT_PATH_BIAS_SCALE_THRESHOLD 300
145 else
148 INT32_MAX);
149 }
151 /**
152 * Compute the path bias scaling ratio from the consensus
153 * parameters pb_multfactor/pb_scalefactor.
154 *
155 * Returns a value in (0, 1.0] which we multiply our pathbias
156 * counts with to scale them down.
157 */
158 static double
160 {
161 /*
162 * The scale factor is the denominator for our scaling
163 * of circuit counts for our path bias window.
164 *
165 * Note that our use of doubles for the path bias state
166 * file means that powers of 2 work best here.
167 */
171 /**
172 * The mult factor is the numerator for our scaling
173 * of circuit counts for our path bias window. It
174 * allows us to scale by fractions.
175 */
178 }
180 /** The minimum number of circuit usage attempts before we start
181 * thinking about warning about path use bias and dropping guards */
182 static int
184 {
185 #define DFLT_PATH_BIAS_MIN_USE 20
188 else
190 DFLT_PATH_BIAS_MIN_USE,
192 }
194 /** The circuit use success rate below which we issue a notice */
195 static double
197 {
198 #define DFLT_PATH_BIAS_NOTICE_USE_PCT 80
201 else
203 DFLT_PATH_BIAS_NOTICE_USE_PCT,
205 }
207 /**
208 * The extreme use rate is the rate at which we would drop the guard,
209 * if pb_dropguard is also set. Otherwise we just warn.
210 */
211 double
213 {
214 #define DFLT_PATH_BIAS_EXTREME_USE_PCT 60
217 else
219 DFLT_PATH_BIAS_EXTREME_USE_PCT,
221 }
223 /**
224 * This is the number of circuits at which we scale our
225 * use counts by mult_factor/scale_factor. Note, this count is
226 * not exact, as we only perform the scaling in the event
227 * of no integer truncation.
228 */
229 static int
231 {
232 #define DFLT_PATH_BIAS_SCALE_USE_THRESHOLD 100
235 else
237 DFLT_PATH_BIAS_SCALE_USE_THRESHOLD,
239 }
241 /**
242 * Convert a Guard's path state to string.
243 */
246 {
262 }
265 }
267 /**
268 * This function decides if a circuit has progressed far enough to count
269 * as a circuit "attempt". As long as end-to-end tagging is possible,
270 * we assume the adversary will use it over hop-to-hop failure. Therefore,
271 * we only need to account bias for the last hop. This should make us
272 * much more resilient to ambient circuit failure, and also make that
273 * failure easier to measure (we only need to measure Exit failure rates).
274 */
275 static int
277 {
278 #define N2N_TAGGING_IS_POSSIBLE
279 #ifdef N2N_TAGGING_IS_POSSIBLE
280 /* cpath is a circular list. We want circs with more than one hop,
281 * and the second hop must be waiting for keys still (it's just
282 * about to get them). */
286 #else
287 /* If tagging attacks are no longer possible, we probably want to
288 * count bias from the first hop. However, one could argue that
289 * timing-based tagging is still more useful than per-hop failure.
290 * In which case, we'd never want to use this.
291 */
294 #endif
295 }
297 /**
298 * Decide if the path bias code should count a circuit.
299 *
300 * @returns 1 if we should count it, 0 otherwise.
301 */
302 static int
304 {
305 #define PATHBIAS_COUNT_INTERVAL (600)
310 /* We can't do path bias accounting without entry guards.
311 * Testing and controller circuits also have no guards.
312 *
313 * We also don't count server-side rends, because their
314 * endpoint could be chosen maliciously.
315 * Similarly, we can't count client-side intro attempts,
316 * because clients can be manipulated into connecting to
317 * malicious intro points. */
326 /* Check to see if the shouldcount result has changed due to a
327 * unexpected purpose change that would affect our results.
328 *
329 * The reason we check the path state too here is because for the
330 * cannibalized versions of these purposes, we count them as successful
331 * before their purpose change.
332 */
336 "Circuit %d is now being ignored despite being counted "
341 }
344 }
346 /* Completely ignore one hop circuits */
349 /* Check for inconsistency */
354 "One-hop circuit has length %d. Path state is %s. "
360 rate_msg);
362 }
364 }
366 /* Check to see if the shouldcount result has changed due to a
367 * unexpected change that would affect our results */
370 "One-hop circuit %d is now being ignored despite being counted "
375 }
378 }
380 /* Check to see if the shouldcount result has changed due to a
381 * unexpected purpose change that would affect our results */
384 "Circuit %d is now being counted despite being ignored "
389 }
393 }
395 /**
396 * Check our circuit state to see if this is a successful circuit attempt.
397 * If so, record it in the current guard's path bias circ_attempt count.
398 *
399 * Also check for several potential error cases for bug #6475.
400 */
401 int
403 {
404 #define CIRC_ATTEMPT_NOTICE_INTERVAL (600)
411 }
414 /* Help track down the real cause of bug #6475: */
419 "Opened circuit is in strange path state %s. "
424 rate_msg);
426 }
427 }
429 /* Don't re-count cannibalized circs.. */
437 guard =
439 }
446 /* Bogus guard; we already warned. */
448 }
453 "Unopened circuit has strange path state %s. "
458 rate_msg);
460 }
461 }
466 "Unopened circuit has no known guard. "
470 rate_msg);
472 }
473 }
474 }
475 }
478 }
480 /**
481 * Check our circuit state to see if this is a successful circuit
482 * completion. If so, record it in the current guard's path bias
483 * success count.
484 *
485 * Also check for several potential error cases for bug #6475.
486 */
487 void
489 {
490 #define SUCCESS_NOTICE_INTERVAL (600)
498 }
500 /* Don't count cannibalized/reused circs for path bias
501 * "build" success, since they get counted under "use" success. */
506 }
521 "Succeeded circuit is in strange path state %s. "
526 rate_msg);
528 }
529 }
536 }
537 /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
538 * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
539 * No need to log that case. */
544 "Completed circuit has no known guard. "
548 rate_msg);
550 }
551 }
557 "Opened circuit is in strange path state %s. "
562 rate_msg);
564 }
565 }
566 }
567 }
569 /**
570 * Record an attempt to use a circuit. Changes the circuit's
571 * path state and update its guard's usage counter.
572 *
573 * Used for path bias usage accounting.
574 */
575 void
577 {
582 }
586 "Used circuit is in strange path state %s. "
605 }
609 /* Harmless but educational log message */
611 "Used circuit %d is already in path state %s. "
617 }
620 }
622 /**
623 * Check the circuit's path state is appropriate and mark it as
624 * successfully used. Used for path bias usage accounting.
625 *
626 * We don't actually increment the guard's counters until
627 * pathbias_check_close(), because the circuit can still transition
628 * back to PATH_STATE_USE_ATTEMPTED if a stream fails later (this
629 * is done so we can probe the circuit for liveness at close).
630 */
631 void
633 {
636 }
640 "Used circuit %d is in strange path state %s. "
648 }
650 /* We don't do any accounting at the guard until actual circuit close */
654 }
656 /**
657 * If a stream ever detatches from a circuit in a retriable way,
658 * we need to mark this circuit as still needing either another
659 * successful stream, or in need of a probe.
660 *
661 * An adversary could let the first stream request succeed (ie the
662 * resolve), but then tag and timeout the remainder (via cell
663 * dropping), forcing them on new circuits.
664 *
665 * Rolling back the state will cause us to probe such circuits, which
666 * should lead to probe failures in the event of such tagging due to
667 * either unrecognized cells coming in while we wait for the probe,
668 * or the cipher state getting out of sync in the case of dropped cells.
669 */
670 void
672 {
675 "Rolling back pathbias use state to 'attempted' for detached "
678 }
679 }
681 /**
682 * Actually count a circuit success towards a guard's usage counters
683 * if the path state is appropriate.
684 */
685 static void
687 {
692 }
696 "Successfully used circuit %d is in strange path state %s. "
714 }
717 "Marked circuit %d (%f/%f) as used successfully for guard "
722 }
723 }
726 }
728 /**
729 * Send a probe down a circuit that the client attempted to use,
730 * but for which the stream timed out/failed. The probe is a
731 * RELAY_BEGIN cell with a 0.a.b.c destination address, which
732 * the exit will reject and reply back, echoing that address.
733 *
734 * The reason for such probes is because it is possible to bias
735 * a user's paths simply by causing timeouts, and these timeouts
736 * are not possible to differentiate from unresponsive servers.
737 *
738 * The probe is sent at the end of the circuit lifetime for two
739 * reasons: to prevent cryptographic taggers from being able to
740 * drop cells to cause timeouts, and to prevent easy recognition
741 * of probes before any real client traffic happens.
742 *
743 * Returns -1 if we couldn't probe, 0 otherwise.
744 */
745 static int
747 {
748 /* Based on connection_ap_handshake_send_begin() */
760 /* This can happen for cannibalized circuits. Their
761 * last hop isn't yet open */
763 "Got pathbias probe request for unopened circuit %d. "
767 }
769 /* We already went down this road. */
773 "Got pathbias probe request for circuit %d with "
776 }
778 /* Can't probe if the channel isn't open */
786 }
790 /* Update timestamp for when circuit_expire_building() should kill us */
793 /* Generate a random address for the nonce */
802 // XXX: need this? Can we assume ipv4 will always be supported?
803 // If not, how do we tell?
804 //if (payload_len <= RELAY_PAYLOAD_SIZE - 4 && edge_conn->begincell_flags) {
805 // set_uint32(payload + payload_len, htonl(edge_conn->begincell_flags));
806 // payload_len += 4;
807 //}
809 /* Generate+Store stream id, make sure it's non-zero */
814 "Ran out of stream IDs on circuit %u during "
818 }
825 /* Send a test relay cell */
833 }
835 /* Mark it freshly dirty so it doesn't get expired in the meantime */
839 }
841 /**
842 * Check the response to a pathbias probe, to ensure the
843 * cell is recognized and the nonce and other probe
844 * characteristics are as expected.
845 *
846 * If the response is valid, return 0. Otherwise return < 0.
847 */
848 int
850 {
851 /* Based on connection_edge_process_relay_cell() */
852 relay_header_t rh;
870 /* Check length+extract host: It is in network order after the reason code.
871 * See connection_edge_end(). */
876 }
880 /* Check nonce */
890 "Got strange probe value 0x%x vs 0x%x back for circ %d, "
894 }
895 }
897 "Got another cell back back on pathbias probe circuit %d: "
901 }
903 /**
904 * Check if a circuit was used and/or closed successfully.
905 *
906 * If we attempted to use the circuit to carry a stream but failed
907 * for whatever reason, or if the circuit mysteriously died before
908 * we could attach any streams, record these two cases.
909 *
910 * If we *have* successfully used the circuit, or it appears to
911 * have been closed by us locally, count it as a success.
912 *
913 * Returns 0 if we're done making decisions with the circ,
914 * or -1 if we want to probe it first.
915 */
916 int
918 {
923 }
926 /* If the circuit was closed after building, but before use, we need
927 * to ensure we were the ones who tried to close it (and not a remote
928 * actor). */
931 /* Remote circ close reasons on an unused circuit all could be bias */
933 "Circuit %d remote-closed without successful use for reason %d. "
945 /* If we didn't close the channel ourselves, it could be bias */
946 /* XXX: Only count bias if the network is live?
947 * What about clock jumps/suspends? */
949 "Circuit %d's channel closed without successful use for reason "
950 "%d, channel reason %d. Circuit purpose %d currently %d,%s. Len "
959 }
962 /* If we tried to use a circuit but failed, we should probe it to ensure
963 * it has not been tampered with. */
965 /* XXX: Only probe and/or count failure if the network is live?
966 * What about clock jumps/suspends? */
969 else
972 /* Any circuit where there were attempted streams but no successful
973 * streams could be bias */
975 "Circuit %d closed without successful use for reason %d. "
996 // Other states are uninteresting. No stats to count.
998 }
1003 }
1005 /**
1006 * Count a successfully closed circuit.
1007 */
1008 static void
1010 {
1014 }
1019 }
1022 /* In the long run: circuit_success ~= successful_circuit_close +
1023 * circ_failure + stream_failure */
1027 /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
1028 * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
1029 * No need to log that case. */
1031 "Successfully closed circuit has no known guard. "
1035 }
1036 }
1038 /**
1039 * Count a circuit that fails after it is built, but before it can
1040 * carry any traffic.
1041 *
1042 * This is needed because there are ways to destroy a
1043 * circuit after it has successfully completed. Right now, this is
1044 * used for purely informational/debugging purposes.
1045 */
1046 static void
1048 {
1053 }
1058 }
1064 /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
1065 * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
1066 * No need to log that case. */
1068 "Destroyed circuit has no known guard. "
1072 }
1073 }
1075 /**
1076 * Count a known failed circuit (because we could not probe it).
1077 *
1078 * This counter is informational.
1079 */
1080 static void
1082 {
1086 }
1091 }
1097 /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
1098 * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
1099 * No need to log that case. */
1100 /* XXX note cut-and-paste code in this function compared to nearby
1101 * functions. Would be nice to refactor. -RD */
1103 "Stream-failing circuit has no known guard. "
1107 }
1108 }
1110 /**
1111 * Count timeouts for path bias log messages.
1112 *
1113 * These counts are purely informational.
1114 */
1115 void
1117 {
1122 }
1124 /* For hidden service circs, they can actually be used
1125 * successfully and then time out later (because
1126 * the other side declines to use them). */
1129 }
1134 }
1139 }
1140 }
1142 /**
1143 * Helper function to count all of the currently opened circuits
1144 * for a guard that are in a given path state range. The state
1145 * range is inclusive on both ends.
1146 */
1147 static int
1149 path_state_t from,
1150 path_state_t to)
1151 {
1154 /* Count currently open circuits. Give them the benefit of the doubt. */
1171 DIGEST_LEN)) {
1175 open_circuits++;
1176 }
1177 }
1181 }
1183 /**
1184 * Return the number of circuits counted as successfully closed for
1185 * this guard.
1186 *
1187 * Also add in the currently open circuits to give them the benefit
1188 * of the doubt.
1189 */
1190 double
1192 {
1195 PATH_STATE_BUILD_SUCCEEDED,
1196 PATH_STATE_USE_SUCCEEDED);
1197 }
1199 /**
1200 * Return the number of circuits counted as successfully used
1201 * this guard.
1202 *
1203 * Also add in the currently open circuits that we are attempting
1204 * to use to give them the benefit of the doubt.
1205 */
1206 double
1208 {
1211 PATH_STATE_USE_ATTEMPTED,
1212 PATH_STATE_USE_SUCCEEDED);
1213 }
1215 /**
1216 * Check the path bias use rate against our consensus parameter limits.
1217 *
1218 * Emits a log message if the use success rates are too low.
1219 *
1220 * If pathbias_get_dropguards() is set, we also disable the use of
1221 * very failure prone guards.
1222 */
1223 static void
1225 {
1229 /* Note: We rely on the < comparison here to allow us to set a 0
1230 * rate and disable the feature entirely. If refactoring, don't
1231 * change to <= */
1234 /* Dropping is currently disabled by default. */
1238 "Your Guard %s ($%s) is failing to carry an extremely large "
1239 "amount of stream on its circuits. "
1240 "To avoid potential route manipulation attacks, Tor has "
1241 "disabled use of this guard. "
1242 "Use counts are %ld/%ld. Success counts are %ld/%ld. "
1243 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1244 "and %ld timed out. "
1260 }
1264 "Your Guard %s ($%s) is failing to carry an extremely large "
1265 "amount of streams on its circuits. "
1266 "This could indicate a route manipulation attack, network "
1267 "overload, bad local network connectivity, or a bug. "
1268 "Use counts are %ld/%ld. Success counts are %ld/%ld. "
1269 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1270 "and %ld timed out. "
1282 }
1288 "Your Guard %s ($%s) is failing to carry more streams on its "
1289 "circuits than usual. "
1290 "Most likely this means the Tor network is overloaded "
1291 "or your network connection is poor. "
1292 "Use counts are %ld/%ld. Success counts are %ld/%ld. "
1293 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1294 "and %ld timed out. "
1306 }
1307 }
1308 }
1309 }
1311 /**
1312 * Check the path bias circuit close status rates against our consensus
1313 * parameter limits.
1314 *
1315 * Emits a log message if the use success rates are too low.
1316 *
1317 * If pathbias_get_dropguards() is set, we also disable the use of
1318 * very failure prone guards.
1319 *
1320 * XXX: This function shares similar log messages and checks to
1321 * pathbias_measure_use_rate(). It may be possible to combine them
1322 * eventually, especially if we can ever remove the need for 3
1323 * levels of closure warns (if the overall circuit failure rate
1324 * goes down with ntor). One way to do so would be to multiply
1325 * the build rate with the use rate to get an idea of the total
1326 * fraction of the total network paths the user is able to use.
1327 * See ticket #8159.
1328 */
1329 static void
1331 {
1335 /* Note: We rely on the < comparison here to allow us to set a 0
1336 * rate and disable the feature entirely. If refactoring, don't
1337 * change to <= */
1340 /* Dropping is currently disabled by default. */
1344 "Your Guard %s ($%s) is failing an extremely large "
1345 "amount of circuits. "
1346 "To avoid potential route manipulation attacks, Tor has "
1347 "disabled use of this guard. "
1348 "Success counts are %ld/%ld. Use counts are %ld/%ld. "
1349 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1350 "and %ld timed out. "
1366 }
1370 "Your Guard %s ($%s) is failing an extremely large "
1371 "amount of circuits. "
1372 "This could indicate a route manipulation attack, "
1373 "extreme network overload, or a bug. "
1374 "Success counts are %ld/%ld. Use counts are %ld/%ld. "
1375 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1376 "and %ld timed out. "
1388 }
1394 "Your Guard %s ($%s) is failing a very large "
1395 "amount of circuits. "
1396 "Most likely this means the Tor network is "
1397 "overloaded, but it could also mean an attack against "
1398 "you or potentially the guard itself. "
1399 "Success counts are %ld/%ld. Use counts are %ld/%ld. "
1400 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1401 "and %ld timed out. "
1413 }
1419 "Your Guard %s ($%s) is failing more circuits than "
1420 "usual. "
1421 "Most likely this means the Tor network is overloaded. "
1422 "Success counts are %ld/%ld. Use counts are %ld/%ld. "
1423 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1424 "and %ld timed out. "
1436 }
1437 }
1438 }
1439 }
1441 /**
1442 * This function scales the path bias use rates if we have
1443 * more data than the scaling threshold. This allows us to
1444 * be more sensitive to recent measurements.
1445 *
1446 * XXX: The attempt count transfer stuff here might be done
1447 * better by keeping separate pending counters that get
1448 * transfered at circuit close. See ticket #8160.
1449 */
1450 static void
1452 {
1455 /* If we get a ton of circuits, just scale everything down */
1461 PATH_STATE_BUILD_SUCCEEDED,
1462 PATH_STATE_USE_FAILED);
1463 /* Verify that the counts are sane before and after scaling */
1482 "Scaled pathbias counts to (%f,%f)/%f (%d/%d open) for guard "
1488 /* Have the counts just become invalid by this scaling attempt? */
1491 "Scaling has mangled pathbias counts to %f/%f (%d/%d open) "
1496 }
1497 }
1498 }
1500 /**
1501 * This function scales the path bias circuit close rates if we have
1502 * more data than the scaling threshold. This allows us to be more
1503 * sensitive to recent measurements.
1504 *
1505 * XXX: The attempt count transfer stuff here might be done
1506 * better by keeping separate pending counters that get
1507 * transfered at circuit close. See ticket #8160.
1508 */
1509 void
1511 {
1514 /* If we get a ton of circuits, just scale everything down */
1519 /* Verify that the counts are sane before and after scaling */
1534 /* Have the counts just become invalid by this scaling attempt? */
1537 "Scaling has mangled pathbias usage counts to %f/%f "
1542 }
1545 }
1546 }