1 Filename: 109-no-sharing-ips.txt
2 Title: No more than one server per IP address.
5 Author: Kevin Bauer & Damon McCoy
8 Implemented-In: 0.2.0.x
11 This document describes a solution to a Sybil attack vulnerability in the
12 directory servers. Currently, it is possible for a single IP address to
13 host an arbitrarily high number of Tor routers. We propose that the
14 directory servers limit the number of Tor routers that may be registered at
15 a particular IP address to some small (fixed) number, perhaps just one Tor
16 router per IP address.
18 While Tor never uses more than one server from a given /16 in the same
19 circuit, an attacker with multiple servers in the same place is still
20 dangerous because he can get around the per-server bandwidth cap that is
21 designed to prevent a single server from attracting too much of the overall
25 Since it is possible for an attacker to register an arbitrarily large
26 number of Tor routers, it is possible for malicious parties to do this
27 as part of a traffic analysis attack.
29 Security implications:
30 This countermeasure will increase the number of IP addresses that an
31 attacker must control in order to carry out traffic analysis.
35 For each IP address, each directory authority tracks the number of routers
36 using that IP address, along with their total observed bandwidth. If there
37 are more than MAX_SERVERS_PER_IP servers at some IP, the authority should
38 "disable" all but MAX_SERVERS_PER_IP servers. When choosing which servers
39 to disable, the authority should first disable non-Running servers in
40 increasing order of observed bandwidth, and then should disable Running
41 servers in increasing order of bandwidth.
43 [[ We don't actually do this part here. -NM
46 bandwidth of the remaining non-"disabled" servers exceeds MAX_BW_PER_IP,
47 the authority should "disable" some of the remaining servers until only one
48 server remains, or until the remaining observed bandwidth of non-"disabled"
49 servers is under MAX_BW_PER_IP.
52 Servers that are "disabled" MUST be marked as non-Valid and non-Running.
54 MAX_SERVERS_PER_IP is 3.
56 MAX_BW_PER_IP is 8 MB per s.
60 Upon inspection of a directory server, we found that the following IP
61 addresses have more than one Tor router:
63 Scruples 68.5.113.81 ip68-5-113-81.oc.oc.cox.net 443
64 WiseUp 68.5.113.81 ip68-5-113-81.oc.oc.cox.net 9001
65 Unnamed 62.1.196.71 pc01-megabyte-net-arkadiou.megabyte.gr 9001
66 Unnamed 62.1.196.71 pc01-megabyte-net-arkadiou.megabyte.gr 9001
67 Unnamed 62.1.196.71 pc01-megabyte-net-arkadiou.megabyte.gr 9001
68 aurel 85.180.62.138 e180062138.adsl.alicedsl.de 9001
69 sokrates 85.180.62.138 e180062138.adsl.alicedsl.de 9001
70 moria1 18.244.0.188 moria.mit.edu 9001
71 peacetime 18.244.0.188 moria.mit.edu 9100
73 There may exist compatibility issues with this proposed fix. Reasons why
74 more than one server would share an IP address include:
76 * Testing. moria1, moria2, peacetime, and other morias all run on one
77 computer at MIT, because that way we get testing. Moria1 and moria2 are
78 run by Roger, and peacetime is run by Nick.
79 * NAT. If there are several servers but they port-forward through the same
80 IP address, ... we can hope that the operators coordinate with each
81 other. Also, we should recognize that while they help the network in
82 terms of increased capacity, they don't help as much as they could in
83 terms of location diversity. But our approach so far has been to take
85 * People who have more than 1.5MB/s and want to help out more. For
86 example, for a while Tonga was offering 10MB/s and its Tor server
87 would only make use of a bit of it. So Roger suggested that he run
88 two Tor servers, to use more.
90 [Note Roger's tweak to this behavior, in
91 http://archives.seul.org/or/cvs/Oct-2007/msg00118.html]