From:
openbsd@systemfailure.net
Subject:
[net/tor] Please enable Onion PoW defense
To:
ports@openbsd.org,pascal@stumpf.co,Solene Rapenne <solene@perso.pw>
Date:
Fri, 18 Oct 2024 14:34:51 +0000

Hello,

Denial-of-service attacks are a recurring problem on the Tor network, especially for Onion services. Over time, the Tor Project devs introduced several mitigations [1], the most recent one being Proof-of-Work (PoW) defense [2].

This defense mechanism has to be enabled at compile time, and is not currently enabled on OpenBSD. The catch is that the code implementing this PoW algorithm is under the LGPL-3.0 license; it is enabled by default... but only if tor is compiled with --enable-gpl, which basically turns tor from BSD to GPL:

  --enable-gpl            allow the inclusion of GPL-licensed code, building a
                          version of tor and libtor covered by the GPL rather
                          than its usual 3-clause BSD license

Despite this licensing change, I think that it would be very useful to enable this PoW defense in our port for people operating Onion services on OpenBSD, and that it would even be beneficial for the Tor ecosystem more broadly. The Tor Project team explicitly requested that Onion services operators enable this feature [3].

IMHO, it would even make sense to bring this PoW defense to -stable users, since it can arguably be considered a security feature, mitigating denial-of-service attacks.

With the attached patch, tor builds and runs fine on amd64... as far as I tested: I must admit I didn't build or rent a botnet to DDoS myself ;-)

You can check if your version of tor supports PoW by running 'tor --list-modules'.

Best regards.

-- 
[1] https://community.torproject.org/onion-services/advanced/dos/

[2] https://forum.torproject.org/t/proof-of-work-pow-defense-for-onion-service-is-released/8887

[3] https://forum.torproject.org/t/tor-relays-onion-services-operators-please-enable-tor-pow-defense/13043
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/tor/Makefile,v
diff -u -p -r1.165 Makefile
--- Makefile	8 Jun 2024 08:22:17 -0000	1.165
+++ Makefile	16 Oct 2024 13:04:49 -0000
@@ -3,10 +3,11 @@ COMMENT=	anonymity service using onion r
 DISTNAME=	tor-0.4.8.12
 CATEGORIES=	net
 HOMEPAGE=	https://www.torproject.org/
+REVISION=   0
 
 MAINTAINER=	Pascal Stumpf <pascal@stumpf.co>
 
-# BSD
+# GPL
 PERMIT_PACKAGE=	Yes
 
 WANTLIB += c crypto event_core event_extra execinfo m pthread ssl z
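Review bot: The added `REVISION=   0` line separates the name from the value with spaces, while every neighbouring assignment in this hunk (`DISTNAME=`, `CATEGORIES=`, `HOMEPAGE=`, `MAINTAINER=`, `PERMIT_PACKAGE=`) uses a tab after the `=`; use `REVISION=	0` so the Makefile stays consistent. The `# BSD` to `# GPL` change agrees with the configure help text quoted in the message ("covered by the GPL rather than its usual 3-clause BSD license"), but since the message says the code that forces this is LGPL-3.0, a slightly fuller comment such as `# GPL (LGPL-3.0 PoW code pulled in by --enable-gpl)` would tell the next maintainer why the port is no longer BSD without having to dig through the configure script.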
@@ -21,7 +22,8 @@ CONFIGURE_ARGS=	--with-ssl-dir=/usr \
 		--with-libevent-dir="${LOCALBASE}" \
 		--disable-gcc-hardening \
 		--disable-lzma \
-		--disable-zstd
+		--disable-zstd \
+		--enable-gpl
 CONFIGURE_ENV+=ac_cv_member_struct_ssl_method_st_get_cipher_by_char=no
 CFLAGS+=	-DDISABLE_ENGINES
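Review bot: The hunk adds `--enable-gpl` with the continuation backslash correctly moved onto `--disable-zstd`, but nothing in the patch or its description records how the result was verified beyond "builds and runs fine"; the message itself points at `tor --list-modules`, so stating in the commit message that this now reports PoW support would let reviewers and anyone backporting to -stable confirm the switch took effect. It is also worth confirming that the flag pulls in no new library: the hunk leaves `WANTLIB` (first hunk) and the dependency lines untouched, which is only right if the PoW code is built from tor's own distribution tarball.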
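The message says PoW support can be checked with `tor --list-modules`. The following shell snippet is an added example, not part of the submitted port patch or of tor itself: it turns that manual check into something scriptable (for example in a post-upgrade sanity script on an Onion service host). It assumes that `tor --list-modules` prints one `name: yes|no` line per module and that the module is named `pow`; the sample outputs at the bottom are constructed for an offline check and should be replaced by a run of the real binary.

```shell
#!/bin/sh
# Added example (not from the port patch or the tor project): check whether
# an installed tor binary was built with the Onion PoW module.
# Assumption: `tor --list-modules` prints lines of the form "name: yes|no"
# and names the proof-of-work module "pow". Verify against your own binary.

# pow_enabled_in: read module-list output on stdin; succeed (exit 0) only if
# a "pow:" line is present and its value is "yes".
pow_enabled_in() {
    awk '$1 == "pow:" { found = 1; status = $2 }
         END { exit !(found && status == "yes") }'
}

# tor_has_pow: run the installed binary (optional path argument, default
# "tor" from $PATH) and test its module list.
tor_has_pow() {
    "${1:-tor}" --list-modules 2>/dev/null | pow_enabled_in
}

# Constructed sample outputs so the check can be exercised without tor.
SAMPLE_WITH_POW='relay: yes
dirauth: yes
pow: yes'
SAMPLE_WITHOUT_POW='relay: yes
dirauth: yes
pow: no'

if printf '%s\n' "$SAMPLE_WITH_POW" | pow_enabled_in; then
    echo "constructed sample 1: PoW module present"
fi
if ! printf '%s\n' "$SAMPLE_WITHOUT_POW" | pow_enabled_in; then
    echo "constructed sample 2: PoW module absent"
fi
```

On a real host, `tor_has_pow /usr/local/bin/tor && echo ok` is the whole check; a binary built without `--enable-gpl`, or one old enough to predate the module, yields a non-zero exit so the script can refuse to turn on PoW-dependent settings.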