1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2016, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
10 * \brief Code to track success/failure rates of circuits built through
11 * different tor nodes, in an attempt to detect attacks where
12 * an attacker deliberately causes circuits to fail until the client
13 * choses a path they like.
18 #include "circpathbias.h"
19 #include "circuitbuild.h"
20 #include "circuitlist.h"
21 #include "circuituse.h"
22 #include "circuitstats.h"
23 #include "connection_edge.h"
25 #include "entrynodes.h"
26 #include "networkstatus.h"
29 static void pathbias_count_successful_close(origin_circuit_t
*circ
);
30 static void pathbias_count_collapse(origin_circuit_t
*circ
);
31 static void pathbias_count_use_failed(origin_circuit_t
*circ
);
32 static void pathbias_measure_use_rate(entry_guard_t
*guard
);
33 static void pathbias_measure_close_rate(entry_guard_t
*guard
);
34 static void pathbias_scale_use_rates(entry_guard_t
*guard
);
35 static void pathbias_scale_close_rates(entry_guard_t
*guard
);
36 static int entry_guard_inc_circ_attempt_count(entry_guard_t
*guard
);
38 /** Increment the number of times we successfully extended a circuit to
39 * <b>guard</b>, first checking if the failure rate is high enough that
40 * we should eliminate the guard. Return -1 if the guard looks no good;
41 * return 0 if the guard looks fine.
44 entry_guard_inc_circ_attempt_count(entry_guard_t
*guard
)
46 entry_guards_changed();
48 pathbias_measure_close_rate(guard
);
50 if (guard
->path_bias_disabled
)
53 pathbias_scale_close_rates(guard
);
54 guard
->circ_attempts
++;
56 log_info(LD_CIRC
, "Got success count %f/%f for guard %s ($%s)",
57 guard
->circ_successes
, guard
->circ_attempts
, guard
->nickname
,
58 hex_str(guard
->identity
, DIGEST_LEN
));
62 /** The minimum number of circuit attempts before we start
63 * thinking about warning about path bias and dropping guards */
65 pathbias_get_min_circs(const or_options_t
*options
)
67 #define DFLT_PATH_BIAS_MIN_CIRC 150
68 if (options
->PathBiasCircThreshold
>= 5)
69 return options
->PathBiasCircThreshold
;
71 return networkstatus_get_param(NULL
, "pb_mincircs",
72 DFLT_PATH_BIAS_MIN_CIRC
,
76 /** The circuit success rate below which we issue a notice */
78 pathbias_get_notice_rate(const or_options_t
*options
)
80 #define DFLT_PATH_BIAS_NOTICE_PCT 70
81 if (options
->PathBiasNoticeRate
>= 0.0)
82 return options
->PathBiasNoticeRate
;
84 return networkstatus_get_param(NULL
, "pb_noticepct",
85 DFLT_PATH_BIAS_NOTICE_PCT
, 0, 100)/100.0;
88 /* XXXX024 I'd like to have this be static again, but entrynodes.c needs it. */
89 /** The circuit success rate below which we issue a warn */
91 pathbias_get_warn_rate(const or_options_t
*options
)
93 #define DFLT_PATH_BIAS_WARN_PCT 50
94 if (options
->PathBiasWarnRate
>= 0.0)
95 return options
->PathBiasWarnRate
;
97 return networkstatus_get_param(NULL
, "pb_warnpct",
98 DFLT_PATH_BIAS_WARN_PCT
, 0, 100)/100.0;
101 /* XXXX024 I'd like to have this be static again, but entrynodes.c needs it. */
103 * The extreme rate is the rate at which we would drop the guard,
104 * if pb_dropguard is also set. Otherwise we just warn.
107 pathbias_get_extreme_rate(const or_options_t
*options
)
109 #define DFLT_PATH_BIAS_EXTREME_PCT 30
110 if (options
->PathBiasExtremeRate
>= 0.0)
111 return options
->PathBiasExtremeRate
;
113 return networkstatus_get_param(NULL
, "pb_extremepct",
114 DFLT_PATH_BIAS_EXTREME_PCT
, 0, 100)/100.0;
117 /* XXXX024 I'd like to have this be static again, but entrynodes.c needs it. */
119 * If 1, we actually disable use of guards that fall below
123 pathbias_get_dropguards(const or_options_t
*options
)
125 #define DFLT_PATH_BIAS_DROP_GUARDS 0
126 if (options
->PathBiasDropGuards
>= 0)
127 return options
->PathBiasDropGuards
;
129 return networkstatus_get_param(NULL
, "pb_dropguards",
130 DFLT_PATH_BIAS_DROP_GUARDS
, 0, 1);
134 * This is the number of circuits at which we scale our
135 * counts by mult_factor/scale_factor. Note, this count is
136 * not exact, as we only perform the scaling in the event
137 * of no integer truncation.
140 pathbias_get_scale_threshold(const or_options_t
*options
)
142 #define DFLT_PATH_BIAS_SCALE_THRESHOLD 300
143 if (options
->PathBiasScaleThreshold
>= 10)
144 return options
->PathBiasScaleThreshold
;
146 return networkstatus_get_param(NULL
, "pb_scalecircs",
147 DFLT_PATH_BIAS_SCALE_THRESHOLD
, 10,
152 * Compute the path bias scaling ratio from the consensus
153 * parameters pb_multfactor/pb_scalefactor.
155 * Returns a value in (0, 1.0] which we multiply our pathbias
156 * counts with to scale them down.
159 pathbias_get_scale_ratio(const or_options_t
*options
)
162 * The scale factor is the denominator for our scaling
163 * of circuit counts for our path bias window.
165 * Note that our use of doubles for the path bias state
166 * file means that powers of 2 work best here.
168 int denominator
= networkstatus_get_param(NULL
, "pb_scalefactor",
172 * The mult factor is the numerator for our scaling
173 * of circuit counts for our path bias window. It
174 * allows us to scale by fractions.
176 return networkstatus_get_param(NULL
, "pb_multfactor",
177 1, 1, denominator
)/((double)denominator
);
180 /** The minimum number of circuit usage attempts before we start
181 * thinking about warning about path use bias and dropping guards */
183 pathbias_get_min_use(const or_options_t
*options
)
185 #define DFLT_PATH_BIAS_MIN_USE 20
186 if (options
->PathBiasUseThreshold
>= 3)
187 return options
->PathBiasUseThreshold
;
189 return networkstatus_get_param(NULL
, "pb_minuse",
190 DFLT_PATH_BIAS_MIN_USE
,
194 /** The circuit use success rate below which we issue a notice */
196 pathbias_get_notice_use_rate(const or_options_t
*options
)
198 #define DFLT_PATH_BIAS_NOTICE_USE_PCT 80
199 if (options
->PathBiasNoticeUseRate
>= 0.0)
200 return options
->PathBiasNoticeUseRate
;
202 return networkstatus_get_param(NULL
, "pb_noticeusepct",
203 DFLT_PATH_BIAS_NOTICE_USE_PCT
,
208 * The extreme use rate is the rate at which we would drop the guard,
209 * if pb_dropguard is also set. Otherwise we just warn.
212 pathbias_get_extreme_use_rate(const or_options_t
*options
)
214 #define DFLT_PATH_BIAS_EXTREME_USE_PCT 60
215 if (options
->PathBiasExtremeUseRate
>= 0.0)
216 return options
->PathBiasExtremeUseRate
;
218 return networkstatus_get_param(NULL
, "pb_extremeusepct",
219 DFLT_PATH_BIAS_EXTREME_USE_PCT
,
224 * This is the number of circuits at which we scale our
225 * use counts by mult_factor/scale_factor. Note, this count is
226 * not exact, as we only perform the scaling in the event
227 * of no integer truncation.
230 pathbias_get_scale_use_threshold(const or_options_t
*options
)
232 #define DFLT_PATH_BIAS_SCALE_USE_THRESHOLD 100
233 if (options
->PathBiasScaleUseThreshold
>= 10)
234 return options
->PathBiasScaleUseThreshold
;
236 return networkstatus_get_param(NULL
, "pb_scaleuse",
237 DFLT_PATH_BIAS_SCALE_USE_THRESHOLD
,
242 * Convert a Guard's path state to string.
245 pathbias_state_to_string(path_state_t state
)
248 case PATH_STATE_NEW_CIRC
:
250 case PATH_STATE_BUILD_ATTEMPTED
:
251 return "build attempted";
252 case PATH_STATE_BUILD_SUCCEEDED
:
253 return "build succeeded";
254 case PATH_STATE_USE_ATTEMPTED
:
255 return "use attempted";
256 case PATH_STATE_USE_SUCCEEDED
:
257 return "use succeeded";
258 case PATH_STATE_USE_FAILED
:
260 case PATH_STATE_ALREADY_COUNTED
:
261 return "already counted";
268 * This function decides if a circuit has progressed far enough to count
269 * as a circuit "attempt". As long as end-to-end tagging is possible,
270 * we assume the adversary will use it over hop-to-hop failure. Therefore,
271 * we only need to account bias for the last hop. This should make us
272 * much more resilient to ambient circuit failure, and also make that
273 * failure easier to measure (we only need to measure Exit failure rates).
276 pathbias_is_new_circ_attempt(origin_circuit_t
*circ
)
278 #define N2N_TAGGING_IS_POSSIBLE
279 #ifdef N2N_TAGGING_IS_POSSIBLE
280 /* cpath is a circular list. We want circs with more than one hop,
281 * and the second hop must be waiting for keys still (it's just
282 * about to get them). */
283 return circ
->cpath
&&
284 circ
->cpath
->next
!= circ
->cpath
&&
285 circ
->cpath
->next
->state
== CPATH_STATE_AWAITING_KEYS
;
287 /* If tagging attacks are no longer possible, we probably want to
288 * count bias from the first hop. However, one could argue that
289 * timing-based tagging is still more useful than per-hop failure.
290 * In which case, we'd never want to use this.
292 return circ
->cpath
&&
293 circ
->cpath
->state
== CPATH_STATE_AWAITING_KEYS
;
298 * Decide if the path bias code should count a circuit.
300 * @returns 1 if we should count it, 0 otherwise.
303 pathbias_should_count(origin_circuit_t
*circ
)
305 #define PATHBIAS_COUNT_INTERVAL (600)
306 static ratelim_t count_limit
=
307 RATELIM_INIT(PATHBIAS_COUNT_INTERVAL
);
308 char *rate_msg
= NULL
;
310 /* We can't do path bias accounting without entry guards.
311 * Testing and controller circuits also have no guards.
313 * We also don't count server-side rends, because their
314 * endpoint could be chosen maliciously.
315 * Similarly, we can't count client-side intro attempts,
316 * because clients can be manipulated into connecting to
317 * malicious intro points. */
318 if (get_options()->UseEntryGuards
== 0 ||
319 circ
->base_
.purpose
== CIRCUIT_PURPOSE_TESTING
||
320 circ
->base_
.purpose
== CIRCUIT_PURPOSE_CONTROLLER
||
321 circ
->base_
.purpose
== CIRCUIT_PURPOSE_S_CONNECT_REND
||
322 circ
->base_
.purpose
== CIRCUIT_PURPOSE_S_REND_JOINED
||
323 (circ
->base_
.purpose
>= CIRCUIT_PURPOSE_C_INTRODUCING
&&
324 circ
->base_
.purpose
<= CIRCUIT_PURPOSE_C_INTRODUCE_ACKED
)) {
326 /* Check to see if the shouldcount result has changed due to a
327 * unexpected purpose change that would affect our results.
329 * The reason we check the path state too here is because for the
330 * cannibalized versions of these purposes, we count them as successful
331 * before their purpose change.
333 if (circ
->pathbias_shouldcount
== PATHBIAS_SHOULDCOUNT_COUNTED
334 && circ
->path_state
!= PATH_STATE_ALREADY_COUNTED
) {
336 "Circuit %d is now being ignored despite being counted "
337 "in the past. Purpose is %s, path state is %s",
338 circ
->global_identifier
,
339 circuit_purpose_to_string(circ
->base_
.purpose
),
340 pathbias_state_to_string(circ
->path_state
));
342 circ
->pathbias_shouldcount
= PATHBIAS_SHOULDCOUNT_IGNORED
;
346 /* Completely ignore one hop circuits */
347 if (circ
->build_state
->onehop_tunnel
||
348 circ
->build_state
->desired_path_len
== 1) {
349 /* Check for inconsistency */
350 if (circ
->build_state
->desired_path_len
!= 1 ||
351 !circ
->build_state
->onehop_tunnel
) {
352 if ((rate_msg
= rate_limit_log(&count_limit
, approx_time()))) {
354 "One-hop circuit has length %d. Path state is %s. "
355 "Circuit is a %s currently %s.%s",
356 circ
->build_state
->desired_path_len
,
357 pathbias_state_to_string(circ
->path_state
),
358 circuit_purpose_to_string(circ
->base_
.purpose
),
359 circuit_state_to_string(circ
->base_
.state
),
363 tor_fragile_assert();
366 /* Check to see if the shouldcount result has changed due to a
367 * unexpected change that would affect our results */
368 if (circ
->pathbias_shouldcount
== PATHBIAS_SHOULDCOUNT_COUNTED
) {
370 "One-hop circuit %d is now being ignored despite being counted "
371 "in the past. Purpose is %s, path state is %s",
372 circ
->global_identifier
,
373 circuit_purpose_to_string(circ
->base_
.purpose
),
374 pathbias_state_to_string(circ
->path_state
));
376 circ
->pathbias_shouldcount
= PATHBIAS_SHOULDCOUNT_IGNORED
;
380 /* Check to see if the shouldcount result has changed due to a
381 * unexpected purpose change that would affect our results */
382 if (circ
->pathbias_shouldcount
== PATHBIAS_SHOULDCOUNT_IGNORED
) {
384 "Circuit %d is now being counted despite being ignored "
385 "in the past. Purpose is %s, path state is %s",
386 circ
->global_identifier
,
387 circuit_purpose_to_string(circ
->base_
.purpose
),
388 pathbias_state_to_string(circ
->path_state
));
390 circ
->pathbias_shouldcount
= PATHBIAS_SHOULDCOUNT_COUNTED
;
396 * Check our circuit state to see if this is a successful circuit attempt.
397 * If so, record it in the current guard's path bias circ_attempt count.
399 * Also check for several potential error cases for bug #6475.
402 pathbias_count_build_attempt(origin_circuit_t
*circ
)
404 #define CIRC_ATTEMPT_NOTICE_INTERVAL (600)
405 static ratelim_t circ_attempt_notice_limit
=
406 RATELIM_INIT(CIRC_ATTEMPT_NOTICE_INTERVAL
);
407 char *rate_msg
= NULL
;
409 if (!pathbias_should_count(circ
)) {
413 if (pathbias_is_new_circ_attempt(circ
)) {
414 /* Help track down the real cause of bug #6475: */
415 if (circ
->has_opened
&& circ
->path_state
!= PATH_STATE_BUILD_ATTEMPTED
) {
416 if ((rate_msg
= rate_limit_log(&circ_attempt_notice_limit
,
419 "Opened circuit is in strange path state %s. "
420 "Circuit is a %s currently %s.%s",
421 pathbias_state_to_string(circ
->path_state
),
422 circuit_purpose_to_string(circ
->base_
.purpose
),
423 circuit_state_to_string(circ
->base_
.state
),
429 /* Don't re-count cannibalized circs.. */
430 if (!circ
->has_opened
) {
431 entry_guard_t
*guard
= NULL
;
433 if (circ
->cpath
&& circ
->cpath
->extend_info
) {
434 guard
= entry_guard_get_by_id_digest(
435 circ
->cpath
->extend_info
->identity_digest
);
436 } else if (circ
->base_
.n_chan
) {
438 entry_guard_get_by_id_digest(circ
->base_
.n_chan
->identity_digest
);
442 if (circ
->path_state
== PATH_STATE_NEW_CIRC
) {
443 circ
->path_state
= PATH_STATE_BUILD_ATTEMPTED
;
445 if (entry_guard_inc_circ_attempt_count(guard
) < 0) {
446 /* Bogus guard; we already warned. */
447 return -END_CIRC_REASON_TORPROTOCOL
;
450 if ((rate_msg
= rate_limit_log(&circ_attempt_notice_limit
,
453 "Unopened circuit has strange path state %s. "
454 "Circuit is a %s currently %s.%s",
455 pathbias_state_to_string(circ
->path_state
),
456 circuit_purpose_to_string(circ
->base_
.purpose
),
457 circuit_state_to_string(circ
->base_
.state
),
463 if ((rate_msg
= rate_limit_log(&circ_attempt_notice_limit
,
466 "Unopened circuit has no known guard. "
467 "Circuit is a %s currently %s.%s",
468 circuit_purpose_to_string(circ
->base_
.purpose
),
469 circuit_state_to_string(circ
->base_
.state
),
481 * Check our circuit state to see if this is a successful circuit
482 * completion. If so, record it in the current guard's path bias
485 * Also check for several potential error cases for bug #6475.
488 pathbias_count_build_success(origin_circuit_t
*circ
)
490 #define SUCCESS_NOTICE_INTERVAL (600)
491 static ratelim_t success_notice_limit
=
492 RATELIM_INIT(SUCCESS_NOTICE_INTERVAL
);
493 char *rate_msg
= NULL
;
494 entry_guard_t
*guard
= NULL
;
496 if (!pathbias_should_count(circ
)) {
500 /* Don't count cannibalized/reused circs for path bias
501 * "build" success, since they get counted under "use" success. */
502 if (!circ
->has_opened
) {
503 if (circ
->cpath
&& circ
->cpath
->extend_info
) {
504 guard
= entry_guard_get_by_id_digest(
505 circ
->cpath
->extend_info
->identity_digest
);
509 if (circ
->path_state
== PATH_STATE_BUILD_ATTEMPTED
) {
510 circ
->path_state
= PATH_STATE_BUILD_SUCCEEDED
;
511 guard
->circ_successes
++;
512 entry_guards_changed();
514 log_info(LD_CIRC
, "Got success count %f/%f for guard %s ($%s)",
515 guard
->circ_successes
, guard
->circ_attempts
,
516 guard
->nickname
, hex_str(guard
->identity
, DIGEST_LEN
));
518 if ((rate_msg
= rate_limit_log(&success_notice_limit
,
521 "Succeeded circuit is in strange path state %s. "
522 "Circuit is a %s currently %s.%s",
523 pathbias_state_to_string(circ
->path_state
),
524 circuit_purpose_to_string(circ
->base_
.purpose
),
525 circuit_state_to_string(circ
->base_
.state
),
531 if (guard
->circ_attempts
< guard
->circ_successes
) {
532 log_notice(LD_BUG
, "Unexpectedly high successes counts (%f/%f) "
533 "for guard %s ($%s)",
534 guard
->circ_successes
, guard
->circ_attempts
,
535 guard
->nickname
, hex_str(guard
->identity
, DIGEST_LEN
));
537 /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
538 * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
539 * No need to log that case. */
540 } else if (circ
->base_
.purpose
!= CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT
) {
541 if ((rate_msg
= rate_limit_log(&success_notice_limit
,
544 "Completed circuit has no known guard. "
545 "Circuit is a %s currently %s.%s",
546 circuit_purpose_to_string(circ
->base_
.purpose
),
547 circuit_state_to_string(circ
->base_
.state
),
553 if (circ
->path_state
< PATH_STATE_BUILD_SUCCEEDED
) {
554 if ((rate_msg
= rate_limit_log(&success_notice_limit
,
557 "Opened circuit is in strange path state %s. "
558 "Circuit is a %s currently %s.%s",
559 pathbias_state_to_string(circ
->path_state
),
560 circuit_purpose_to_string(circ
->base_
.purpose
),
561 circuit_state_to_string(circ
->base_
.state
),
570 * Record an attempt to use a circuit. Changes the circuit's
571 * path state and update its guard's usage counter.
573 * Used for path bias usage accounting.
576 pathbias_count_use_attempt(origin_circuit_t
*circ
)
578 entry_guard_t
*guard
;
580 if (!pathbias_should_count(circ
)) {
584 if (circ
->path_state
< PATH_STATE_BUILD_SUCCEEDED
) {
586 "Used circuit is in strange path state %s. "
587 "Circuit is a %s currently %s.",
588 pathbias_state_to_string(circ
->path_state
),
589 circuit_purpose_to_string(circ
->base_
.purpose
),
590 circuit_state_to_string(circ
->base_
.state
));
591 } else if (circ
->path_state
< PATH_STATE_USE_ATTEMPTED
) {
592 guard
= entry_guard_get_by_id_digest(
593 circ
->cpath
->extend_info
->identity_digest
);
595 pathbias_measure_use_rate(guard
);
596 pathbias_scale_use_rates(guard
);
597 guard
->use_attempts
++;
598 entry_guards_changed();
601 "Marked circuit %d (%f/%f) as used for guard %s ($%s).",
602 circ
->global_identifier
,
603 guard
->use_successes
, guard
->use_attempts
,
604 guard
->nickname
, hex_str(guard
->identity
, DIGEST_LEN
));
607 circ
->path_state
= PATH_STATE_USE_ATTEMPTED
;
609 /* Harmless but educational log message */
611 "Used circuit %d is already in path state %s. "
612 "Circuit is a %s currently %s.",
613 circ
->global_identifier
,
614 pathbias_state_to_string(circ
->path_state
),
615 circuit_purpose_to_string(circ
->base_
.purpose
),
616 circuit_state_to_string(circ
->base_
.state
));
623 * Check the circuit's path state is appropriate and mark it as
624 * successfully used. Used for path bias usage accounting.
626 * We don't actually increment the guard's counters until
627 * pathbias_check_close(), because the circuit can still transition
628 * back to PATH_STATE_USE_ATTEMPTED if a stream fails later (this
629 * is done so we can probe the circuit for liveness at close).
632 pathbias_mark_use_success(origin_circuit_t
*circ
)
634 if (!pathbias_should_count(circ
)) {
638 if (circ
->path_state
< PATH_STATE_USE_ATTEMPTED
) {
640 "Used circuit %d is in strange path state %s. "
641 "Circuit is a %s currently %s.",
642 circ
->global_identifier
,
643 pathbias_state_to_string(circ
->path_state
),
644 circuit_purpose_to_string(circ
->base_
.purpose
),
645 circuit_state_to_string(circ
->base_
.state
));
647 pathbias_count_use_attempt(circ
);
650 /* We don't do any accounting at the guard until actual circuit close */
651 circ
->path_state
= PATH_STATE_USE_SUCCEEDED
;
657 * If a stream ever detatches from a circuit in a retriable way,
658 * we need to mark this circuit as still needing either another
659 * successful stream, or in need of a probe.
661 * An adversary could let the first stream request succeed (ie the
662 * resolve), but then tag and timeout the remainder (via cell
663 * dropping), forcing them on new circuits.
665 * Rolling back the state will cause us to probe such circuits, which
666 * should lead to probe failures in the event of such tagging due to
667 * either unrecognized cells coming in while we wait for the probe,
668 * or the cipher state getting out of sync in the case of dropped cells.
671 pathbias_mark_use_rollback(origin_circuit_t
*circ
)
673 if (circ
->path_state
== PATH_STATE_USE_SUCCEEDED
) {
675 "Rolling back pathbias use state to 'attempted' for detached "
676 "circuit %d", circ
->global_identifier
);
677 circ
->path_state
= PATH_STATE_USE_ATTEMPTED
;
682 * Actually count a circuit success towards a guard's usage counters
683 * if the path state is appropriate.
686 pathbias_count_use_success(origin_circuit_t
*circ
)
688 entry_guard_t
*guard
;
690 if (!pathbias_should_count(circ
)) {
694 if (circ
->path_state
!= PATH_STATE_USE_SUCCEEDED
) {
696 "Successfully used circuit %d is in strange path state %s. "
697 "Circuit is a %s currently %s.",
698 circ
->global_identifier
,
699 pathbias_state_to_string(circ
->path_state
),
700 circuit_purpose_to_string(circ
->base_
.purpose
),
701 circuit_state_to_string(circ
->base_
.state
));
703 guard
= entry_guard_get_by_id_digest(
704 circ
->cpath
->extend_info
->identity_digest
);
706 guard
->use_successes
++;
707 entry_guards_changed();
709 if (guard
->use_attempts
< guard
->use_successes
) {
710 log_notice(LD_BUG
, "Unexpectedly high use successes counts (%f/%f) "
712 guard
->use_successes
, guard
->use_attempts
,
713 guard
->nickname
, hex_str(guard
->identity
, DIGEST_LEN
));
717 "Marked circuit %d (%f/%f) as used successfully for guard "
719 circ
->global_identifier
, guard
->use_successes
,
720 guard
->use_attempts
, guard
->nickname
,
721 hex_str(guard
->identity
, DIGEST_LEN
));
729 * Send a probe down a circuit that the client attempted to use,
730 * but for which the stream timed out/failed. The probe is a
731 * RELAY_BEGIN cell with a 0.a.b.c destination address, which
732 * the exit will reject and reply back, echoing that address.
734 * The reason for such probes is because it is possible to bias
735 * a user's paths simply by causing timeouts, and these timeouts
736 * are not possible to differentiate from unresponsive servers.
738 * The probe is sent at the end of the circuit lifetime for two
739 * reasons: to prevent cryptographic taggers from being able to
740 * drop cells to cause timeouts, and to prevent easy recognition
741 * of probes before any real client traffic happens.
743 * Returns -1 if we couldn't probe, 0 otherwise.
746 pathbias_send_usable_probe(circuit_t
*circ
)
748 /* Based on connection_ap_handshake_send_begin() */
749 char payload
[CELL_PAYLOAD_SIZE
];
751 origin_circuit_t
*ocirc
= TO_ORIGIN_CIRCUIT(circ
);
752 crypt_path_t
*cpath_layer
= NULL
;
753 char *probe_nonce
= NULL
;
757 cpath_layer
= ocirc
->cpath
->prev
;
759 if (cpath_layer
->state
!= CPATH_STATE_OPEN
) {
760 /* This can happen for cannibalized circuits. Their
761 * last hop isn't yet open */
763 "Got pathbias probe request for unopened circuit %d. "
764 "Opened %d, len %d", ocirc
->global_identifier
,
765 ocirc
->has_opened
, ocirc
->build_state
->desired_path_len
);
769 /* We already went down this road. */
770 if (circ
->purpose
== CIRCUIT_PURPOSE_PATH_BIAS_TESTING
&&
771 ocirc
->pathbias_probe_id
) {
773 "Got pathbias probe request for circuit %d with "
774 "outstanding probe", ocirc
->global_identifier
);
778 /* Can't probe if the channel isn't open */
779 if (circ
->n_chan
== NULL
||
780 (!CHANNEL_IS_OPEN(circ
->n_chan
)
781 && !CHANNEL_IS_MAINT(circ
->n_chan
))) {
783 "Skipping pathbias probe for circuit %d: Channel is not open.",
784 ocirc
->global_identifier
);
788 circuit_change_purpose(circ
, CIRCUIT_PURPOSE_PATH_BIAS_TESTING
);
790 /* Update timestamp for when circuit_expire_building() should kill us */
791 tor_gettimeofday(&circ
->timestamp_began
);
793 /* Generate a random address for the nonce */
794 crypto_rand((char*)ô
->pathbias_probe_nonce
,
795 sizeof(ocirc
->pathbias_probe_nonce
));
796 ocirc
->pathbias_probe_nonce
&= 0x00ffffff;
797 probe_nonce
= tor_dup_ip(ocirc
->pathbias_probe_nonce
);
799 tor_snprintf(payload
,RELAY_PAYLOAD_SIZE
, "%s:25", probe_nonce
);
800 payload_len
= (int)strlen(payload
)+1;
802 // XXX: need this? Can we assume ipv4 will always be supported?
803 // If not, how do we tell?
804 //if (payload_len <= RELAY_PAYLOAD_SIZE - 4 && edge_conn->begincell_flags) {
805 // set_uint32(payload + payload_len, htonl(edge_conn->begincell_flags));
809 /* Generate+Store stream id, make sure it's non-zero */
810 ocirc
->pathbias_probe_id
= get_unique_stream_id_by_circ(ocirc
);
812 if (ocirc
->pathbias_probe_id
==0) {
814 "Ran out of stream IDs on circuit %u during "
815 "pathbias probe attempt.", ocirc
->global_identifier
);
816 tor_free(probe_nonce
);
821 "Sending pathbias testing cell to %s:25 on stream %d for circ %d.",
822 probe_nonce
, ocirc
->pathbias_probe_id
, ocirc
->global_identifier
);
823 tor_free(probe_nonce
);
825 /* Send a test relay cell */
826 if (relay_send_command_from_edge(ocirc
->pathbias_probe_id
, circ
,
827 RELAY_COMMAND_BEGIN
, payload
,
828 payload_len
, cpath_layer
) < 0) {
830 "Failed to send pathbias probe cell on circuit %d.",
831 ocirc
->global_identifier
);
835 /* Mark it freshly dirty so it doesn't get expired in the meantime */
836 circ
->timestamp_dirty
= time(NULL
);
842 * Check the response to a pathbias probe, to ensure the
843 * cell is recognized and the nonce and other probe
844 * characteristics are as expected.
846 * If the response is valid, return 0. Otherwise return < 0.
849 pathbias_check_probe_response(circuit_t
*circ
, const cell_t
*cell
)
851 /* Based on connection_edge_process_relay_cell() */
855 origin_circuit_t
*ocirc
= TO_ORIGIN_CIRCUIT(circ
);
859 tor_assert(circ
->purpose
== CIRCUIT_PURPOSE_PATH_BIAS_TESTING
);
861 relay_header_unpack(&rh
, cell
->payload
);
863 reason
= rh
.length
> 0 ?
864 get_uint8(cell
->payload
+RELAY_HEADER_SIZE
) : END_STREAM_REASON_MISC
;
866 if (rh
.command
== RELAY_COMMAND_END
&&
867 reason
== END_STREAM_REASON_EXITPOLICY
&&
868 ocirc
->pathbias_probe_id
== rh
.stream_id
) {
870 /* Check length+extract host: It is in network order after the reason code.
871 * See connection_edge_end(). */
872 if (rh
.length
< 9) { /* reason+ipv4+dns_ttl */
873 log_notice(LD_PROTOCOL
,
874 "Short path bias probe response length field (%d).", rh
.length
);
875 return - END_CIRC_REASON_TORPROTOCOL
;
878 ipv4_host
= ntohl(get_uint32(cell
->payload
+RELAY_HEADER_SIZE
+1));
881 if (ipv4_host
== ocirc
->pathbias_probe_nonce
) {
882 pathbias_mark_use_success(ocirc
);
883 circuit_mark_for_close(circ
, END_CIRC_REASON_FINISHED
);
885 "Got valid path bias probe back for circ %d, stream %d.",
886 ocirc
->global_identifier
, ocirc
->pathbias_probe_id
);
890 "Got strange probe value 0x%x vs 0x%x back for circ %d, "
891 "stream %d.", ipv4_host
, ocirc
->pathbias_probe_nonce
,
892 ocirc
->global_identifier
, ocirc
->pathbias_probe_id
);
897 "Got another cell back back on pathbias probe circuit %d: "
898 "Command: %d, Reason: %d, Stream-id: %d",
899 ocirc
->global_identifier
, rh
.command
, reason
, rh
.stream_id
);
904 * Check if a circuit was used and/or closed successfully.
906 * If we attempted to use the circuit to carry a stream but failed
907 * for whatever reason, or if the circuit mysteriously died before
908 * we could attach any streams, record these two cases.
910 * If we *have* successfully used the circuit, or it appears to
911 * have been closed by us locally, count it as a success.
913 * Returns 0 if we're done making decisions with the circ,
914 * or -1 if we want to probe it first.
917 pathbias_check_close(origin_circuit_t
*ocirc
, int reason
)
919 circuit_t
*circ
= ô
->base_
;
921 if (!pathbias_should_count(ocirc
)) {
925 switch (ocirc
->path_state
) {
926 /* If the circuit was closed after building, but before use, we need
927 * to ensure we were the ones who tried to close it (and not a remote
929 case PATH_STATE_BUILD_SUCCEEDED
:
930 if (reason
& END_CIRC_REASON_FLAG_REMOTE
) {
931 /* Remote circ close reasons on an unused circuit all could be bias */
933 "Circuit %d remote-closed without successful use for reason %d. "
934 "Circuit purpose %d currently %d,%s. Len %d.",
935 ocirc
->global_identifier
,
936 reason
, circ
->purpose
, ocirc
->has_opened
,
937 circuit_state_to_string(circ
->state
),
938 ocirc
->build_state
->desired_path_len
);
939 pathbias_count_collapse(ocirc
);
940 } else if ((reason
& ~END_CIRC_REASON_FLAG_REMOTE
)
941 == END_CIRC_REASON_CHANNEL_CLOSED
&&
943 circ
->n_chan
->reason_for_closing
944 != CHANNEL_CLOSE_REQUESTED
) {
945 /* If we didn't close the channel ourselves, it could be bias */
946 /* XXX: Only count bias if the network is live?
947 * What about clock jumps/suspends? */
949 "Circuit %d's channel closed without successful use for reason "
950 "%d, channel reason %d. Circuit purpose %d currently %d,%s. Len "
951 "%d.", ocirc
->global_identifier
,
952 reason
, circ
->n_chan
->reason_for_closing
,
953 circ
->purpose
, ocirc
->has_opened
,
954 circuit_state_to_string(circ
->state
),
955 ocirc
->build_state
->desired_path_len
);
956 pathbias_count_collapse(ocirc
);
958 pathbias_count_successful_close(ocirc
);
962 /* If we tried to use a circuit but failed, we should probe it to ensure
963 * it has not been tampered with. */
964 case PATH_STATE_USE_ATTEMPTED
:
965 /* XXX: Only probe and/or count failure if the network is live?
966 * What about clock jumps/suspends? */
967 if (pathbias_send_usable_probe(circ
) == 0)
970 pathbias_count_use_failed(ocirc
);
972 /* Any circuit where there were attempted streams but no successful
973 * streams could be bias */
975 "Circuit %d closed without successful use for reason %d. "
976 "Circuit purpose %d currently %d,%s. Len %d.",
977 ocirc
->global_identifier
,
978 reason
, circ
->purpose
, ocirc
->has_opened
,
979 circuit_state_to_string(circ
->state
),
980 ocirc
->build_state
->desired_path_len
);
983 case PATH_STATE_USE_SUCCEEDED
:
984 pathbias_count_successful_close(ocirc
);
985 pathbias_count_use_success(ocirc
);
988 case PATH_STATE_USE_FAILED
:
989 pathbias_count_use_failed(ocirc
);
992 case PATH_STATE_NEW_CIRC
:
993 case PATH_STATE_BUILD_ATTEMPTED
:
994 case PATH_STATE_ALREADY_COUNTED
:
996 // Other states are uninteresting. No stats to count.
1000 ocirc
->path_state
= PATH_STATE_ALREADY_COUNTED
;
1006 * Count a successfully closed circuit.
1009 pathbias_count_successful_close(origin_circuit_t
*circ
)
1011 entry_guard_t
*guard
= NULL
;
1012 if (!pathbias_should_count(circ
)) {
1016 if (circ
->cpath
&& circ
->cpath
->extend_info
) {
1017 guard
= entry_guard_get_by_id_digest(
1018 circ
->cpath
->extend_info
->identity_digest
);
1022 /* In the long run: circuit_success ~= successful_circuit_close +
1023 * circ_failure + stream_failure */
1024 guard
->successful_circuits_closed
++;
1025 entry_guards_changed();
1026 } else if (circ
->base_
.purpose
!= CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT
) {
1027 /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
1028 * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
1029 * No need to log that case. */
1031 "Successfully closed circuit has no known guard. "
1032 "Circuit is a %s currently %s",
1033 circuit_purpose_to_string(circ
->base_
.purpose
),
1034 circuit_state_to_string(circ
->base_
.state
));
1039 * Count a circuit that fails after it is built, but before it can
1040 * carry any traffic.
1042 * This is needed because there are ways to destroy a
1043 * circuit after it has successfully completed. Right now, this is
1044 * used for purely informational/debugging purposes.
1047 pathbias_count_collapse(origin_circuit_t
*circ
)
1049 entry_guard_t
*guard
= NULL
;
1051 if (!pathbias_should_count(circ
)) {
1055 if (circ
->cpath
&& circ
->cpath
->extend_info
) {
1056 guard
= entry_guard_get_by_id_digest(
1057 circ
->cpath
->extend_info
->identity_digest
);
1061 guard
->collapsed_circuits
++;
1062 entry_guards_changed();
1063 } else if (circ
->base_
.purpose
!= CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT
) {
1064 /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
1065 * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
1066 * No need to log that case. */
1068 "Destroyed circuit has no known guard. "
1069 "Circuit is a %s currently %s",
1070 circuit_purpose_to_string(circ
->base_
.purpose
),
1071 circuit_state_to_string(circ
->base_
.state
));
1076 * Count a known failed circuit (because we could not probe it).
1078 * This counter is informational.
1081 pathbias_count_use_failed(origin_circuit_t
*circ
)
1083 entry_guard_t
*guard
= NULL
;
1084 if (!pathbias_should_count(circ
)) {
1088 if (circ
->cpath
&& circ
->cpath
->extend_info
) {
1089 guard
= entry_guard_get_by_id_digest(
1090 circ
->cpath
->extend_info
->identity_digest
);
1094 guard
->unusable_circuits
++;
1095 entry_guards_changed();
1096 } else if (circ
->base_
.purpose
!= CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT
) {
1097 /* In rare cases, CIRCUIT_PURPOSE_TESTING can get converted to
1098 * CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT and have no guards here.
1099 * No need to log that case. */
1100 /* XXX note cut-and-paste code in this function compared to nearby
1101 * functions. Would be nice to refactor. -RD */
1103 "Stream-failing circuit has no known guard. "
1104 "Circuit is a %s currently %s",
1105 circuit_purpose_to_string(circ
->base_
.purpose
),
1106 circuit_state_to_string(circ
->base_
.state
));
1111 * Count timeouts for path bias log messages.
1113 * These counts are purely informational.
1116 pathbias_count_timeout(origin_circuit_t
*circ
)
1118 entry_guard_t
*guard
= NULL
;
1120 if (!pathbias_should_count(circ
)) {
1124 /* For hidden service circs, they can actually be used
1125 * successfully and then time out later (because
1126 * the other side declines to use them). */
1127 if (circ
->path_state
== PATH_STATE_USE_SUCCEEDED
) {
1131 if (circ
->cpath
&& circ
->cpath
->extend_info
) {
1132 guard
= entry_guard_get_by_id_digest(
1133 circ
->cpath
->extend_info
->identity_digest
);
1138 entry_guards_changed();
1143 * Helper function to count all of the currently opened circuits
1144 * for a guard that are in a given path state range. The state
1145 * range is inclusive on both ends.
1148 pathbias_count_circs_in_states(entry_guard_t
*guard
,
1152 int open_circuits
= 0;
1154 /* Count currently open circuits. Give them the benefit of the doubt. */
1155 SMARTLIST_FOREACH_BEGIN(circuit_get_global_list(), circuit_t
*, circ
) {
1156 origin_circuit_t
*ocirc
= NULL
;
1157 if (!CIRCUIT_IS_ORIGIN(circ
) || /* didn't originate here */
1158 circ
->marked_for_close
) /* already counted */
1161 ocirc
= TO_ORIGIN_CIRCUIT(circ
);
1163 if (!ocirc
->cpath
|| !ocirc
->cpath
->extend_info
)
1166 if (ocirc
->path_state
>= from
&&
1167 ocirc
->path_state
<= to
&&
1168 pathbias_should_count(ocirc
) &&
1169 fast_memeq(guard
->identity
,
1170 ocirc
->cpath
->extend_info
->identity_digest
,
1172 log_debug(LD_CIRC
, "Found opened circuit %d in path_state %s",
1173 ocirc
->global_identifier
,
1174 pathbias_state_to_string(ocirc
->path_state
));
1178 SMARTLIST_FOREACH_END(circ
);
1180 return open_circuits
;
1184 * Return the number of circuits counted as successfully closed for
1187 * Also add in the currently open circuits to give them the benefit
1191 pathbias_get_close_success_count(entry_guard_t
*guard
)
1193 return guard
->successful_circuits_closed
+
1194 pathbias_count_circs_in_states(guard
,
1195 PATH_STATE_BUILD_SUCCEEDED
,
1196 PATH_STATE_USE_SUCCEEDED
);
1200 * Return the number of circuits counted as successfully used
1203 * Also add in the currently open circuits that we are attempting
1204 * to use to give them the benefit of the doubt.
1207 pathbias_get_use_success_count(entry_guard_t
*guard
)
1209 return guard
->use_successes
+
1210 pathbias_count_circs_in_states(guard
,
1211 PATH_STATE_USE_ATTEMPTED
,
1212 PATH_STATE_USE_SUCCEEDED
);
1216 * Check the path bias use rate against our consensus parameter limits.
1218 * Emits a log message if the use success rates are too low.
1220 * If pathbias_get_dropguards() is set, we also disable the use of
1221 * very failure prone guards.
1224 pathbias_measure_use_rate(entry_guard_t
*guard
)
1226 const or_options_t
*options
= get_options();
1228 if (guard
->use_attempts
> pathbias_get_min_use(options
)) {
1229 /* Note: We rely on the < comparison here to allow us to set a 0
1230 * rate and disable the feature entirely. If refactoring, don't
1232 if (pathbias_get_use_success_count(guard
)/guard
->use_attempts
1233 < pathbias_get_extreme_use_rate(options
)) {
1234 /* Dropping is currently disabled by default. */
1235 if (pathbias_get_dropguards(options
)) {
1236 if (!guard
->path_bias_disabled
) {
1238 "Your Guard %s ($%s) is failing to carry an extremely large "
1239 "amount of stream on its circuits. "
1240 "To avoid potential route manipulation attacks, Tor has "
1241 "disabled use of this guard. "
1242 "Use counts are %ld/%ld. Success counts are %ld/%ld. "
1243 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1244 "and %ld timed out. "
1245 "For reference, your timeout cutoff is %ld seconds.",
1246 guard
->nickname
, hex_str(guard
->identity
, DIGEST_LEN
),
1247 tor_lround(pathbias_get_use_success_count(guard
)),
1248 tor_lround(guard
->use_attempts
),
1249 tor_lround(pathbias_get_close_success_count(guard
)),
1250 tor_lround(guard
->circ_attempts
),
1251 tor_lround(guard
->circ_successes
),
1252 tor_lround(guard
->unusable_circuits
),
1253 tor_lround(guard
->collapsed_circuits
),
1254 tor_lround(guard
->timeouts
),
1255 tor_lround(get_circuit_build_close_time_ms()/1000));
1256 guard
->path_bias_disabled
= 1;
1257 guard
->bad_since
= approx_time();
1258 entry_guards_changed();
1261 } else if (!guard
->path_bias_use_extreme
) {
1262 guard
->path_bias_use_extreme
= 1;
1264 "Your Guard %s ($%s) is failing to carry an extremely large "
1265 "amount of streams on its circuits. "
1266 "This could indicate a route manipulation attack, network "
1267 "overload, bad local network connectivity, or a bug. "
1268 "Use counts are %ld/%ld. Success counts are %ld/%ld. "
1269 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1270 "and %ld timed out. "
1271 "For reference, your timeout cutoff is %ld seconds.",
1272 guard
->nickname
, hex_str(guard
->identity
, DIGEST_LEN
),
1273 tor_lround(pathbias_get_use_success_count(guard
)),
1274 tor_lround(guard
->use_attempts
),
1275 tor_lround(pathbias_get_close_success_count(guard
)),
1276 tor_lround(guard
->circ_attempts
),
1277 tor_lround(guard
->circ_successes
),
1278 tor_lround(guard
->unusable_circuits
),
1279 tor_lround(guard
->collapsed_circuits
),
1280 tor_lround(guard
->timeouts
),
1281 tor_lround(get_circuit_build_close_time_ms()/1000));
1283 } else if (pathbias_get_use_success_count(guard
)/guard
->use_attempts
1284 < pathbias_get_notice_use_rate(options
)) {
1285 if (!guard
->path_bias_use_noticed
) {
1286 guard
->path_bias_use_noticed
= 1;
1288 "Your Guard %s ($%s) is failing to carry more streams on its "
1289 "circuits than usual. "
1290 "Most likely this means the Tor network is overloaded "
1291 "or your network connection is poor. "
1292 "Use counts are %ld/%ld. Success counts are %ld/%ld. "
1293 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1294 "and %ld timed out. "
1295 "For reference, your timeout cutoff is %ld seconds.",
1296 guard
->nickname
, hex_str(guard
->identity
, DIGEST_LEN
),
1297 tor_lround(pathbias_get_use_success_count(guard
)),
1298 tor_lround(guard
->use_attempts
),
1299 tor_lround(pathbias_get_close_success_count(guard
)),
1300 tor_lround(guard
->circ_attempts
),
1301 tor_lround(guard
->circ_successes
),
1302 tor_lround(guard
->unusable_circuits
),
1303 tor_lround(guard
->collapsed_circuits
),
1304 tor_lround(guard
->timeouts
),
1305 tor_lround(get_circuit_build_close_time_ms()/1000));
1312 * Check the path bias circuit close status rates against our consensus
1315 * Emits a log message if the use success rates are too low.
1317 * If pathbias_get_dropguards() is set, we also disable the use of
1318 * very failure prone guards.
1320 * XXX: This function shares similar log messages and checks to
1321 * pathbias_measure_use_rate(). It may be possible to combine them
1322 * eventually, especially if we can ever remove the need for 3
1323 * levels of closure warns (if the overall circuit failure rate
1324 * goes down with ntor). One way to do so would be to multiply
1325 * the build rate with the use rate to get an idea of the total
1326 * fraction of the total network paths the user is able to use.
1330 pathbias_measure_close_rate(entry_guard_t
*guard
)
1332 const or_options_t
*options
= get_options();
1334 if (guard
->circ_attempts
> pathbias_get_min_circs(options
)) {
1335 /* Note: We rely on the < comparison here to allow us to set a 0
1336 * rate and disable the feature entirely. If refactoring, don't
1338 if (pathbias_get_close_success_count(guard
)/guard
->circ_attempts
1339 < pathbias_get_extreme_rate(options
)) {
1340 /* Dropping is currently disabled by default. */
1341 if (pathbias_get_dropguards(options
)) {
1342 if (!guard
->path_bias_disabled
) {
1344 "Your Guard %s ($%s) is failing an extremely large "
1345 "amount of circuits. "
1346 "To avoid potential route manipulation attacks, Tor has "
1347 "disabled use of this guard. "
1348 "Success counts are %ld/%ld. Use counts are %ld/%ld. "
1349 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1350 "and %ld timed out. "
1351 "For reference, your timeout cutoff is %ld seconds.",
1352 guard
->nickname
, hex_str(guard
->identity
, DIGEST_LEN
),
1353 tor_lround(pathbias_get_close_success_count(guard
)),
1354 tor_lround(guard
->circ_attempts
),
1355 tor_lround(pathbias_get_use_success_count(guard
)),
1356 tor_lround(guard
->use_attempts
),
1357 tor_lround(guard
->circ_successes
),
1358 tor_lround(guard
->unusable_circuits
),
1359 tor_lround(guard
->collapsed_circuits
),
1360 tor_lround(guard
->timeouts
),
1361 tor_lround(get_circuit_build_close_time_ms()/1000));
1362 guard
->path_bias_disabled
= 1;
1363 guard
->bad_since
= approx_time();
1364 entry_guards_changed();
1367 } else if (!guard
->path_bias_extreme
) {
1368 guard
->path_bias_extreme
= 1;
1370 "Your Guard %s ($%s) is failing an extremely large "
1371 "amount of circuits. "
1372 "This could indicate a route manipulation attack, "
1373 "extreme network overload, or a bug. "
1374 "Success counts are %ld/%ld. Use counts are %ld/%ld. "
1375 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1376 "and %ld timed out. "
1377 "For reference, your timeout cutoff is %ld seconds.",
1378 guard
->nickname
, hex_str(guard
->identity
, DIGEST_LEN
),
1379 tor_lround(pathbias_get_close_success_count(guard
)),
1380 tor_lround(guard
->circ_attempts
),
1381 tor_lround(pathbias_get_use_success_count(guard
)),
1382 tor_lround(guard
->use_attempts
),
1383 tor_lround(guard
->circ_successes
),
1384 tor_lround(guard
->unusable_circuits
),
1385 tor_lround(guard
->collapsed_circuits
),
1386 tor_lround(guard
->timeouts
),
1387 tor_lround(get_circuit_build_close_time_ms()/1000));
1389 } else if (pathbias_get_close_success_count(guard
)/guard
->circ_attempts
1390 < pathbias_get_warn_rate(options
)) {
1391 if (!guard
->path_bias_warned
) {
1392 guard
->path_bias_warned
= 1;
1394 "Your Guard %s ($%s) is failing a very large "
1395 "amount of circuits. "
1396 "Most likely this means the Tor network is "
1397 "overloaded, but it could also mean an attack against "
1398 "you or potentially the guard itself. "
1399 "Success counts are %ld/%ld. Use counts are %ld/%ld. "
1400 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1401 "and %ld timed out. "
1402 "For reference, your timeout cutoff is %ld seconds.",
1403 guard
->nickname
, hex_str(guard
->identity
, DIGEST_LEN
),
1404 tor_lround(pathbias_get_close_success_count(guard
)),
1405 tor_lround(guard
->circ_attempts
),
1406 tor_lround(pathbias_get_use_success_count(guard
)),
1407 tor_lround(guard
->use_attempts
),
1408 tor_lround(guard
->circ_successes
),
1409 tor_lround(guard
->unusable_circuits
),
1410 tor_lround(guard
->collapsed_circuits
),
1411 tor_lround(guard
->timeouts
),
1412 tor_lround(get_circuit_build_close_time_ms()/1000));
1414 } else if (pathbias_get_close_success_count(guard
)/guard
->circ_attempts
1415 < pathbias_get_notice_rate(options
)) {
1416 if (!guard
->path_bias_noticed
) {
1417 guard
->path_bias_noticed
= 1;
1419 "Your Guard %s ($%s) is failing more circuits than "
1421 "Most likely this means the Tor network is overloaded. "
1422 "Success counts are %ld/%ld. Use counts are %ld/%ld. "
1423 "%ld circuits completed, %ld were unusable, %ld collapsed, "
1424 "and %ld timed out. "
1425 "For reference, your timeout cutoff is %ld seconds.",
1426 guard
->nickname
, hex_str(guard
->identity
, DIGEST_LEN
),
1427 tor_lround(pathbias_get_close_success_count(guard
)),
1428 tor_lround(guard
->circ_attempts
),
1429 tor_lround(pathbias_get_use_success_count(guard
)),
1430 tor_lround(guard
->use_attempts
),
1431 tor_lround(guard
->circ_successes
),
1432 tor_lround(guard
->unusable_circuits
),
1433 tor_lround(guard
->collapsed_circuits
),
1434 tor_lround(guard
->timeouts
),
1435 tor_lround(get_circuit_build_close_time_ms()/1000));
1442 * This function scales the path bias use rates if we have
1443 * more data than the scaling threshold. This allows us to
1444 * be more sensitive to recent measurements.
1446 * XXX: The attempt count transfer stuff here might be done
1447 * better by keeping separate pending counters that get
1448 * transfered at circuit close. See ticket #8160.
1451 pathbias_scale_close_rates(entry_guard_t
*guard
)
1453 const or_options_t
*options
= get_options();
1455 /* If we get a ton of circuits, just scale everything down */
1456 if (guard
->circ_attempts
> pathbias_get_scale_threshold(options
)) {
1457 double scale_ratio
= pathbias_get_scale_ratio(options
);
1458 int opened_attempts
= pathbias_count_circs_in_states(guard
,
1459 PATH_STATE_BUILD_ATTEMPTED
, PATH_STATE_BUILD_ATTEMPTED
);
1460 int opened_built
= pathbias_count_circs_in_states(guard
,
1461 PATH_STATE_BUILD_SUCCEEDED
,
1462 PATH_STATE_USE_FAILED
);
1463 /* Verify that the counts are sane before and after scaling */
1464 int counts_are_sane
= (guard
->circ_attempts
>= guard
->circ_successes
);
1466 guard
->circ_attempts
-= (opened_attempts
+opened_built
);
1467 guard
->circ_successes
-= opened_built
;
1469 guard
->circ_attempts
*= scale_ratio
;
1470 guard
->circ_successes
*= scale_ratio
;
1471 guard
->timeouts
*= scale_ratio
;
1472 guard
->successful_circuits_closed
*= scale_ratio
;
1473 guard
->collapsed_circuits
*= scale_ratio
;
1474 guard
->unusable_circuits
*= scale_ratio
;
1476 guard
->circ_attempts
+= (opened_attempts
+opened_built
);
1477 guard
->circ_successes
+= opened_built
;
1479 entry_guards_changed();
1482 "Scaled pathbias counts to (%f,%f)/%f (%d/%d open) for guard "
1484 guard
->circ_successes
, guard
->successful_circuits_closed
,
1485 guard
->circ_attempts
, opened_built
, opened_attempts
,
1486 guard
->nickname
, hex_str(guard
->identity
, DIGEST_LEN
));
1488 /* Have the counts just become invalid by this scaling attempt? */
1489 if (counts_are_sane
&& guard
->circ_attempts
< guard
->circ_successes
) {
1491 "Scaling has mangled pathbias counts to %f/%f (%d/%d open) "
1492 "for guard %s ($%s)",
1493 guard
->circ_successes
, guard
->circ_attempts
, opened_built
,
1494 opened_attempts
, guard
->nickname
,
1495 hex_str(guard
->identity
, DIGEST_LEN
));
1501 * This function scales the path bias circuit close rates if we have
1502 * more data than the scaling threshold. This allows us to be more
1503 * sensitive to recent measurements.
1505 * XXX: The attempt count transfer stuff here might be done
1506 * better by keeping separate pending counters that get
1507 * transfered at circuit close. See ticket #8160.
1510 pathbias_scale_use_rates(entry_guard_t
*guard
)
1512 const or_options_t
*options
= get_options();
1514 /* If we get a ton of circuits, just scale everything down */
1515 if (guard
->use_attempts
> pathbias_get_scale_use_threshold(options
)) {
1516 double scale_ratio
= pathbias_get_scale_ratio(options
);
1517 int opened_attempts
= pathbias_count_circs_in_states(guard
,
1518 PATH_STATE_USE_ATTEMPTED
, PATH_STATE_USE_SUCCEEDED
);
1519 /* Verify that the counts are sane before and after scaling */
1520 int counts_are_sane
= (guard
->use_attempts
>= guard
->use_successes
);
1522 guard
->use_attempts
-= opened_attempts
;
1524 guard
->use_attempts
*= scale_ratio
;
1525 guard
->use_successes
*= scale_ratio
;
1527 guard
->use_attempts
+= opened_attempts
;
1530 "Scaled pathbias use counts to %f/%f (%d open) for guard %s ($%s)",
1531 guard
->use_successes
, guard
->use_attempts
, opened_attempts
,
1532 guard
->nickname
, hex_str(guard
->identity
, DIGEST_LEN
));
1534 /* Have the counts just become invalid by this scaling attempt? */
1535 if (counts_are_sane
&& guard
->use_attempts
< guard
->use_successes
) {
1537 "Scaling has mangled pathbias usage counts to %f/%f "
1538 "(%d open) for guard %s ($%s)",
1539 guard
->circ_successes
, guard
->circ_attempts
,
1540 opened_attempts
, guard
->nickname
,
1541 hex_str(guard
->identity
, DIGEST_LEN
));
1544 entry_guards_changed();