1 Filename: 109-no-sharing-ips.txt
2 Title: No more than one server per IP address.
5 Author: Kevin Bauer & Damon McCoy
10 This document describes a solution to a Sybil attack vulnerability in the
11 directory servers. Currently, it is possible for a single IP address to
12 host an arbitrarily high number of Tor routers. We propose that the
13 directory servers limit the number of Tor routers that may be registered at
14 a particular IP address to some small (fixed) number, perhaps just one Tor
15 router per IP address.
17 While Tor never uses more than one server from a given /16 in the same
18 circuit, an attacker with multiple servers in the same place is still
19 dangerous because he can get around the per-server bandwidth cap that is
20 designed to prevent a single server from attracting too much of the overall
24 Since it is possible for an attacker to register an arbitrarily large
25 number of Tor routers, it is possible for malicious parties to do this
26 as part of a traffic analysis attack.
28 Security implications:
29 This countermeasure will increase the number of IP addresses that an
30 attacker must control in order to carry out traffic analysis.
34 For each IP address, each directory authority tracks the number of routers
35 using that IP address, along with their total observed bandwidth. If there
36 are more than MAX_SERVERS_PER_IP servers at some IP, the authority should
37 "disable" all but MAX_SERVERS_PER_IP servers. If the total observed
38 bandwidth of the remaining non-"disabled" servers exceeds MAX_BW_PER_IP,
39 the authority should "disable" some of the remaining servers until only one
40 server remains, or until the remaining observed bandwidth of non-"disabled"
41 servers is under MAX_BW_PER_IP. When choosing which servers to disable,
42 the authority should first disable non-Running servers in increasing order
43 of observed bandwidth, and then should disable Running servers in
44 increasing order of bandwidth.
46 Servers that are "disabled" MUST be marked as non-Valid and non-Running.
48 MAX_SERVERS_PER_IP is 3.
50 MAX_BW_PER_IP is 8 MB per s.
54 Upon inspection of a directory server, we found that the following IP
55 addresses have more than one Tor router:
57 Scruples 68.5.113.81 ip68-5-113-81.oc.oc.cox.net 443
58 WiseUp 68.5.113.81 ip68-5-113-81.oc.oc.cox.net 9001
59 Unnamed 62.1.196.71 pc01-megabyte-net-arkadiou.megabyte.gr 9001
60 Unnamed 62.1.196.71 pc01-megabyte-net-arkadiou.megabyte.gr 9001
61 Unnamed 62.1.196.71 pc01-megabyte-net-arkadiou.megabyte.gr 9001
62 aurel 85.180.62.138 e180062138.adsl.alicedsl.de 9001
63 sokrates 85.180.62.138 e180062138.adsl.alicedsl.de 9001
64 moria1 18.244.0.188 moria.mit.edu 9001
65 peacetime 18.244.0.188 moria.mit.edu 9100
67 There may exist compatibility issues with this proposed fix. Reasons why
68 more than one server would share an IP address include:
70 * Testing. moria1, moria2, peacetime, and other morias all run on one
71 computer at MIT, because that way we get testing. Moria1 and moria2 are
72 run by Roger, and peacetime is run by Nick.
73 * NAT. If there are several servers but they port-forward through the same
74 IP address, ... we can hope that the operators coordinate with each
75 other. Also, we should recognize that while they help the network in
76 terms of increased capacity, they don't help as much as they could in
77 terms of location diversity. But our approach so far has been to take
79 * People who have more than 1.5MB/s and want to help out more. For
80 example, for a while Tonga was offering 10MB/s and its Tor server
81 would only make use of a bit of it. So Roger suggested that he run
82 two Tor servers, to use more.