On 12/21/19 4:00 AM, hi...@safe-mail.net wrote:
>
> I tried the Vanguards add-on, with all settings set to default.
>
> Question 1:
>
> But the first time I started tor with this add-on enabled, it connected to no
> less than 21 entry nodes! Most of these connections died out after a certain
> amount of time. But still, is this normal behavior?

Without more details this is hard to say. Was this a first-start of the Tor client, or was it offline for a long time?

These connections might be directory mirror fetches unrelated to vanguards. If Tor's consensus is stale or non-existent, it will bootstrap from these mirrors instead of dirauths.

After this phase, a steady-state vanguards Tor client should use only two Tor network connections. If this is not the case, please file a ticket on github at https://github.com/mikeperry-tor/vanguards/issues.

> Question 2:
>
> If you limit the `circ_max_megabytes` option in the Bandguards module,
> will that work as some kind of DoS protection?

This is unclear. You can see some details at an attempt at this here:
https://github.com/mikeperry-tor/vanguards/issues/42

I think it won't be as helpful as other rate limiting solutions that have already been merged to Tor:
https://trac.torproject.org/projects/tor/ticket/15516

But that fix may not drastically improve things yet either. More complete HS DoS fixes are still in the works, and require significant Tor protocol upgrades.

> Question 3:
>
> When, approximately, will we see the Vanguards add-on in the Tor source?

This will be a long project. The vanguards addon has many sub-components, some of which still require more research and analysis wrt false positives and reliability effects, and some may be deprecated/altered by future changes such as conflux (multipath Tor circuits). Overall timeline could be multiple years.

This is why we put the effort into getting the addon itself well-tested, included in Debian, etc.

Of all the defenses, the Proposal #247 multi-layer guards sub-component is closest to being ready for inclusion in Tor itself in terms of being well-understood, but even this piece by itself is a large engineering effort that currently has no funding to complete.

--
Mike Perry
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk