Closed legoktm closed 4 months ago
Looks like efforts to build with --enable-gpl are in progress: https://gitlab.torproject.org/tpo/core/debian/tor/-/commit/2ed69025aba31eb16c90c0782e756158edfeca4a
@zenmonkeykstop I think for this one, we mainly only need to add the config params in the torrc file. Let me know when we decide on the values and I can help with that!
@prateekj117 there is probably a bit more there to do, as I'd expect this would be an optional setting that admins could enable/disable - and we'd have to apply it cleanly to existing instances. But very open to any thoughts/research you may have on appropriate parameters, I haven't looked to see how it's been working out for other onion service operators so far.
some useful docs here: https://gitlab.torproject.org/tpo/onion-services/onion-support/-/wikis/Documentation/PoW-FAQ#configuring-an-onion-service-with-the-pow-protection
The default config looks like this (added as part of a hidden service stanza):
HiddenServicePoWDefensesEnabled 1
# HiddenServicePoWQueueRate 250
# HiddenServicePoWQueueBurst 2500
PoWQueueRate is "The sustained rate of rendezvous requests to dispatch per second from the priority queue," so lower implies slower queue movement and more difficult client puzzles (0 just turns off queueing altogether, and it has no impact if PoW is disabled)
PoWQueueBurst is "The maximum burst size for rendezvous requests handled from the priority queue at once," so again lower => slower.
As per @legoktm's take, this would be applied on non-auth services only (so just the SI). Thinking on approaches to this from UX perspective:
sdconfig step.
This is relatively straightforward - there would be additional options to toggle PoW and set queue params in sdconfig, they'd get stored in site-specific, and configured as part of a subsequent ./securedrop-admin install run. The major downside here is that install runs can take a long while, and touch everything.
./securedrop-admin pow-defenses command
This could look something like:
./securedrop-admin pow-defenses - parse site-specific and show current state
./securedrop-admin pow-defenses --disable - run ansible playbook to update Tor config on app server to set PoWDefenses to 0, validate config and restart tor, and update site-specific to match
./securedrop-admin pow-defenses --enable --rate <num> --burst <num> - validate rate and burst, run ansible playbook to update Tor config on app server to set PoWDefenses to 1 etc, validate config and restart tor, and update site-specific to match.
One extra-credit thing we could do here is actually check if the Tor version on the server supports PoW before configuring anything. Currently GPG-compatible Tor versions do, this may change in the future or we may end up pushing a package without PoW support in error.
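One way the support check and the rate/burst validation proposed in the comment above could look, as an added example that is not SecureDrop's own code. It assumes tor --list-modules prints a "pow: yes" line on builds with PoW compiled in; the function names, the burst minimum of 1 and the sample outputs are constructed for illustration.

```python
import re

# Defaults taken from the sample stanza quoted in the thread.
DEFAULT_RATE, DEFAULT_BURST = 250, 2500

# Constructed sample outputs of `tor --list-modules` (not captured from a real host).
SAMPLE_WITH_POW = "relay: yes\ndirauth: yes\ndircache: yes\npow: yes\n"
SAMPLE_WITHOUT_POW = "relay: yes\ndirauth: yes\ndircache: yes\npow: no\n"


def tor_supports_pow(list_modules_output):
    """True only if the module listing explicitly reports `pow: yes`."""
    for line in list_modules_output.splitlines():
        match = re.fullmatch(r"\s*pow\s*:\s*(\w+)\s*", line)
        if match:
            return match.group(1).lower() == "yes"
    return False  # no pow line at all (older tor): treat as unsupported


def validate_queue_params(rate, burst):
    """Assumed policy: integer rate >= 0 (0 disables queueing), integer burst >= 1."""
    for name, value, minimum in (("rate", rate, 0), ("burst", burst, 1)):
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{name} must be an integer, got {value!r}")
        if value < minimum:
            raise ValueError(f"{name} must be >= {minimum}, got {value}")
    return rate, burst


def render_pow_lines(enabled, list_modules_output, rate=DEFAULT_RATE, burst=DEFAULT_BURST):
    """Return the torrc lines to place in the hidden service stanza."""
    if not enabled:
        # Omitting the option leaves tor at its default (defenses off) and also
        # parses cleanly on a tor that predates the option.
        return []
    if not tor_supports_pow(list_modules_output):
        raise RuntimeError("tor on this server was built without PoW support")
    rate, burst = validate_queue_params(rate, burst)
    return [
        "HiddenServicePoWDefensesEnabled 1",
        f"HiddenServicePoWQueueRate {rate}",
        f"HiddenServicePoWQueueBurst {burst}",
    ]


if __name__ == "__main__":
    print("\n".join(render_pow_lines(True, SAMPLE_WITH_POW, rate=250, burst=2500)))
```

Refusing to write the enable line when the module is missing keeps a package built without PoW support from breaking the Tor config on restart.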
I have this running on my QA instance from https://github.com/freedomofpress/securedrop/compare/ef9aad6^..9fd6f7e, defaulting to enabled on new securedrop-admin {sdconfig,install} runs.
See https://blog.torproject.org/introducing-proof-of-work-defense-for-onion-services/ for details on the feature itself.
https://community.torproject.org/onion-services/advanced/dos/ contains documentation on the different configuration options we need to set.
One catch is that the PoW puzzles are LGPL, so a new --enable-gpl flag needs to be set at build time. There are 0.4.8.4 packages on deb.torproject.org now, but they don't have the GPL bits enabled, so we might need to do our own builds. I've commented on https://forum.torproject.org/t/proof-of-work-pow-defense-for-onion-service-is-released/8887 asking if they're going to provide GPL builds (my comment is still pending moderation).
In checklist form: