Enable Tor Proof-of-Work defenses for Onion Services #6933

Closed
1 of 3 tasks
legoktm opened this issue Aug 24, 2023 · 5 comments · Fixed by #7175

@legoktm
Member

legoktm commented Aug 24, 2023

See https://blog.torproject.org/introducing-proof-of-work-defense-for-onion-services/ for details on the feature itself.

https://community.torproject.org/onion-services/advanced/dos/ contains documentation on the different configuration options we need to set.

One catch is that the PoW puzzles are LGPL, so a new --enable-gpl flag needs to be set at build time. There are 0.4.8.4 packages on deb.torproject.org now, but they don't have the GPL bits enabled, so we might need to do our own builds. I've commented on https://forum.torproject.org/t/proof-of-work-pow-defense-for-onion-service-is-released/8887 asking if they're going to provide GPL builds (my comment is still pending moderation).

In checklist form:

  • Get Tor packages that have all the bits for PoW defenses: New Tor update available #6937
  • Update onion service configuration to enable PoW for SI (the JI is secret and protected by an auth key, so presumably doesn't need protection)
  • Tune PoW flags as needed
@legoktm legoktm added the tor label Aug 24, 2023
@legoktm legoktm changed the title Enable Tor Proof-of-Work defenses Enable Tor Proof-of-Work defenses for Onion Services Aug 24, 2023
@zenmonkeykstop
Contributor

Looks like efforts to build with --enable-gpl are in progress: https://gitlab.torproject.org/tpo/core/debian/tor/-/commit/2ed69025aba31eb16c90c0782e756158edfeca4a

@zenmonkeykstop zenmonkeykstop added this to the SecureDrop 2.8.0 milestone Jan 9, 2024
@prateekj117
Contributor

@zenmonkeykstop I think for this one, we mainly only need to add the config params in the torrc file. Let me know when we decide on the values and I can help with that!

@zenmonkeykstop
Contributor

@prateekj117 there is probably a bit more there to do, as I'd expect this would be an optional setting that admins could enable/disable - and we'd have to apply it cleanly to existing instances. But very open to any thoughts/research you may have on appropriate parameters, I haven't looked to see how it's been working out for other onion service operators so far.

@zenmonkeykstop
Contributor

some useful docs here: https://gitlab.torproject.org/tpo/onion-services/onion-support/-/wikis/Documentation/PoW-FAQ#configuring-an-onion-service-with-the-pow-protection

The default config looks like this (added as part of a hidden service stanza):

HiddenServicePoWDefensesEnabled 1
# HiddenServicePoWQueueRate 250
# HiddenServicePoWQueueBurst 2500

PoWQueueRate is "The sustained rate of rendezvous requests to dispatch per second from the priority queue," so lower implies slower queue movement and more difficult client puzzles (0 just turns off queueing altogether, and it has no impact if PoW is disabled).

PoWQueueBurst is "The maximum burst size for rendezvous requests handled from the priority queue at once," so again lower => slower.

As per @legoktm's take, this would be applied on non-auth services only (so just the SI). Thinking on approaches to this from UX perspective:

add in sdconfig step.

this is relatively straightforward - there would be additional options to toggle PoW and set queue params in sdconfig, they'd get stored in site-specific, and configured as part of a subsequent ./securedrop-admin install run. The major downside here is that install runs can take a long while, and touch everything.

add a ./securedrop-admin pow-defenses command

This could look something like:

  • ./securedrop-admin pow-defenses - parse site-specific and show current state
  • ./securedrop-admin pow-defenses --disable - run ansible playbook to update Tor config on app server to set PoWDefenses to 0, validate config and restart tor, and update site-specific to match
  • ./securedrop-admin pow-defenses --enable --rate <num> --burst <num> - validate rate and burst, run ansible playbook to update Tor config on app server to set PoWDefenses to 1 etc, validate config and restart tor, and update site-specific to match.

One extra-credit thing we could do here is actually check if the Tor version on the server supports PoW before configuring anything. Currently GPG-compatible Tor versions do; this may change in the future or we may end up pushing a package without PoW support in error.

both!

  • because why not.
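
The steps proposed in the comment above (validate rate and burst, check that the Tor build supports PoW, rewrite only the unauthenticated service's stanza), sketched as an added example that is not SecureDrop's code or part of the original thread. The function names, the placeholder paths and the sample torrc are constructed for illustration, and the check assumes `tor --list-modules` prints a `pow: yes` line on builds with PoW compiled in.

```python
import re

POW_KEYS = {"HiddenServicePoWDefensesEnabled",
            "HiddenServicePoWQueueRate",
            "HiddenServicePoWQueueBurst"}

# Constructed sample torrc; the paths are placeholders, not SecureDrop's.
SAMPLE_TORRC = """\
SocksPort 0
HiddenServiceDir /srv/example/source
HiddenServicePort 80 127.0.0.1:80
HiddenServicePoWDefensesEnabled 0
HiddenServiceDir /srv/example/journalist
HiddenServicePort 80 127.0.0.1:8080
"""

def tor_supports_pow(list_modules_output):
    """Assumes `tor --list-modules` prints a `pow: yes` line on PoW builds."""
    return re.search(r"^pow:\s*yes\s*$", list_modules_output, re.M) is not None

def validate_queue(rate, burst):
    """This example's own policy: both values are non-negative integers."""
    for name, value in (("rate", rate), ("burst", burst)):
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"{name} must be a non-negative integer: {value!r}")

def set_pow(torrc, service_dir, enabled, rate=250, burst=2500):
    """Return torrc text with PoW settings rewritten for one onion service."""
    new = [f"HiddenServicePoWDefensesEnabled {int(enabled)}"]
    if enabled:
        validate_queue(rate, burst)
        new += [f"HiddenServicePoWQueueRate {rate}",
                f"HiddenServicePoWQueueBurst {burst}"]
    out, in_target, found = [], False, False
    for line in torrc.splitlines():
        words = line.split()
        if words[:1] == ["HiddenServiceDir"]:
            # A HiddenServiceDir line starts a new per-service stanza.
            in_target = words[1:] == [service_dir]
            out.append(line)
            if in_target:
                found = True
                out += new
            continue
        key = (line.lstrip("# \t").split() or [""])[0]
        if in_target and key in POW_KEYS:
            continue  # drop stale or commented-out PoW lines in this stanza
        out.append(line)
    if not found:
        raise ValueError(f"no HiddenServiceDir stanza for {service_dir}")
    return "\n".join(out) + "\n"
```

Running `set_pow` on its own output returns the same text, so a repeated playbook run leaves the file unchanged, and the other service's stanza is never touched.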

@cfm cfm moved this to In Progress in SecureDrop dev cycle May 30, 2024
@cfm cfm self-assigned this May 30, 2024
@cfm
Member

cfm commented May 30, 2024

I have this running on my QA instance from https://github.com/freedomofpress/securedrop/compare/ef9aad6^..9fd6f7e, defaulting to enabled on new securedrop-admin {sdconfig,install} runs.
