man: Document default values if not in the consensus for DoS mitigation

Fixes #25236

Signed-off-by: David Goulet <dgoulet@torproject.org>
David Goulet 2018-02-13 10:53:47 -05:00
parent b60ffc5ce0
commit 9cf8d669fa
1 changed files with 21 additions and 14 deletions

@ -2454,7 +2454,7 @@ Denial of Service mitigation subsystem.
address is positively identified, tor will activate defenses against the address is positively identified, tor will activate defenses against the
address. See the DoSCircuitCreationDefenseType option for more details. address. See the DoSCircuitCreationDefenseType option for more details.
This is a client to relay detection only. "auto" means use the consensus This is a client to relay detection only. "auto" means use the consensus
parameter. parameter. If not defined in the consensus, the value is 0.
(Default: auto) (Default: auto)
[[DoSCircuitCreationMinConnections]] **DoSCircuitCreationMinConnections** __NUM__:: [[DoSCircuitCreationMinConnections]] **DoSCircuitCreationMinConnections** __NUM__::
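Review bot: The added sentence "If not defined in the consensus, the value is 0." does not say what 0 means for this option, and it sits directly above "(Default: auto)", so a relay operator can read it without realising the circuit creation defense stays off unless the consensus turns it on. Suggest spelling it out, for example "the value is 0 (disabled)".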
@ -2463,19 +2463,22 @@ Denial of Service mitigation subsystem.
flagged as executing a circuit creation DoS. In other words, once a client flagged as executing a circuit creation DoS. In other words, once a client
address reaches the circuit rate and has a minimum of NUM concurrent address reaches the circuit rate and has a minimum of NUM concurrent
connections, a detection is positive. "0" means use the consensus connections, a detection is positive. "0" means use the consensus
parameter. parameter. If not defined in the consensus, the value is 3.
(Default: 0) (Default: 0)
[[DoSCircuitCreationRate]] **DoSCircuitCreationRate** __NUM__:: [[DoSCircuitCreationRate]] **DoSCircuitCreationRate** __NUM__::
The allowed circuit creation rate per second applied per client IP The allowed circuit creation rate per second applied per client IP
address. If this option is 0, it obeys a consensus parameter. (Default: 0) address. If this option is 0, it obeys a consensus parameter. If not
defined in the consensus, the value is 3.
(Default: 0)
[[DoSCircuitCreationBurst]] **DoSCircuitCreationBurst** __NUM__:: [[DoSCircuitCreationBurst]] **DoSCircuitCreationBurst** __NUM__::
The allowed circuit creation burst per client IP address. If the circuit The allowed circuit creation burst per client IP address. If the circuit
rate and the burst are reached, a client is marked as executing a circuit rate and the burst are reached, a client is marked as executing a circuit
creation DoS. "0" means use the consensus parameter. creation DoS. "0" means use the consensus parameter. If not defined in the
consensus, the value is 90.
(Default: 0) (Default: 0)
[[DoSCircuitCreationDefenseType]] **DoSCircuitCreationDefenseType** __NUM__:: [[DoSCircuitCreationDefenseType]] **DoSCircuitCreationDefenseType** __NUM__::
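Review bot: The DoSCircuitCreationRate entry still reads "If this option is 0, it obeys a consensus parameter" while the MinConnections and Burst entries in the same hunk use '"0" means use the consensus parameter'. Since that line is being rewrapped here anyway, align it with the sibling wording so all three entries describe the fallback the same way. It would also help to state the unit for each fallback (3 per second for the rate, 90 for the burst) since the bare numbers are easy to confuse across the three options.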
@ -2486,28 +2489,31 @@ Denial of Service mitigation subsystem.
1: No defense. 1: No defense.
2: Refuse circuit creation for the DoSCircuitCreationDefenseTimePeriod period of time. 2: Refuse circuit creation for the DoSCircuitCreationDefenseTimePeriod period of time.
+ +
"0" means use the consensus parameter. "0" means use the consensus parameter. If not defined in the consensus,
the value is 2.
(Default: 0) (Default: 0)
[[DoSCircuitCreationDefenseTimePeriod]] **DoSCircuitCreationDefenseTimePeriod** __NUM__:: [[DoSCircuitCreationDefenseTimePeriod]] **DoSCircuitCreationDefenseTimePeriod** __N__ **seconds**|**minutes**|**hours**::
The base time period that the DoS defense is activated for. The actual The base time period in seconds that the DoS defense is activated for. The
value is selected randomly for each activation from NUM+1 to 3/2 * NUM. actual value is selected randomly for each activation from N+1 to 3/2 * N.
"0" means use the consensus parameter. "0" means use the consensus parameter. If not defined in the consensus,
(Default: 0) the value is 3600 seconds (1 hour). (Default: 0)
[[DoSConnectionEnabled]] **DoSConnectionEnabled** **0**|**1**|**auto**:: [[DoSConnectionEnabled]] **DoSConnectionEnabled** **0**|**1**|**auto**::
Enable the connection DoS mitigation. For client address only, this allows Enable the connection DoS mitigation. For client address only, this allows
tor to mitigate against large number of concurrent connections made by a tor to mitigate against large number of concurrent connections made by a
single IP address. "auto" means use the consensus parameter. single IP address. "auto" means use the consensus parameter. If not
defined in the consensus, the value is 0.
(Default: auto) (Default: auto)
[[DoSConnectionMaxConcurrentCount]] **DoSConnectionMaxConcurrentCount** __NUM__:: [[DoSConnectionMaxConcurrentCount]] **DoSConnectionMaxConcurrentCount** __NUM__::
The maximum threshold of concurrent connection from a client IP address. The maximum threshold of concurrent connection from a client IP address.
Above this limit, a defense selected by DoSConnectionDefenseType is Above this limit, a defense selected by DoSConnectionDefenseType is
applied. "0" means use the consensus parameter. applied. "0" means use the consensus parameter. If not defined in the
consensus, the value is 100.
(Default: 0) (Default: 0)
[[DoSConnectionDefenseType]] **DoSConnectionDefenseType** __NUM__:: [[DoSConnectionDefenseType]] **DoSConnectionDefenseType** __NUM__::
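Review bot: In the DoSCircuitCreationDefenseTimePeriod entry, the signature changes from __NUM__ to "__N__ **seconds**|**minutes**|**hours**" while the description now says "The base time period in seconds", which contradicts an option that accepts minutes and hours. The range "N+1 to 3/2 * N" also has no unit, so it is unclear whether the "+1" is one second or one of whatever unit was given. Suggest dropping "in seconds" or stating that N is converted to seconds first, and mentioning the argument syntax change in the commit message, which currently only covers documenting defaults. Minor style point: this entry now puts "(Default: 0)" on the same line as the sentence, whereas every other entry keeps it on its own line.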
@ -2518,7 +2524,8 @@ Denial of Service mitigation subsystem.
1: No defense. 1: No defense.
2: Immediately close new connections. 2: Immediately close new connections.
+ +
"0" means use the consensus parameter. "0" means use the consensus parameter. If not defined in the consensus,
the value is 2.
(Default: 0) (Default: 0)
[[DoSRefuseSingleHopClientRendezvous]] **DoSRefuseSingleHopClientRendezvous** **0**|**1**|**auto**:: [[DoSRefuseSingleHopClientRendezvous]] **DoSRefuseSingleHopClientRendezvous** **0**|**1**|**auto**::
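Review bot: The added text "If not defined in the consensus, the value is 2." makes the reader map the number back to the list above it. Suggest naming the behaviour inline, for example "the value is 2 (immediately close new connections)", so the effective fallback defense is clear from the sentence alone. The same applies to the DoSCircuitCreationDefenseType fallback in the previous hunk.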
@ -2526,7 +2533,7 @@ Denial of Service mitigation subsystem.
Refuse establishment of rendezvous points for single hop clients. In other Refuse establishment of rendezvous points for single hop clients. In other
words, if a client directly connects to the relay and sends an words, if a client directly connects to the relay and sends an
ESTABLISH_RENDEZVOUS cell, it is silently dropped. "auto" means use the ESTABLISH_RENDEZVOUS cell, it is silently dropped. "auto" means use the
consensus parameter. consensus parameter. If not defined in the consensus, the value is 0.
(Default: auto) (Default: auto)
TESTING NETWORK OPTIONS TESTING NETWORK OPTIONS