#1 2022-11-13 11:10

Verified Vendor
Registered: 2022-11-13
Posts: 3

DOS attacks on TOR hidden services

Each type of DOS attack is targeted at different layers of the protocol stack:

4. Web app layer
3. HTTP application layer
2. TCP/IP transport layer
1. TOR network layer

Defences against attacks at each layer:

4. CAPTCHAs, defences built into the application - for the web app layer.

3. HTTP web application firewall - for HTTP layer.

2. TCP/IP firewall - for TCP transport layer.

1. TOR network layer - not really any good solutions currently. Right now just a battle between attacker and defender for who can add the most servers/resources to maximize numbers of tor circuit creation vs keep up with tor circuit creation requests. Tor software needs redesigning to add costs (CPU/memory/cryptocurrency fees) to make TOR circuit setup expensive when thousands of simultaneous circuits are made. Another anonymity network is I2P which attackers haven't started DOSing yet.

When the TOR network layer is being attacked the attack traffic never reaches the other layers. So the web server runs fine but you need to find a path to it that isn't being attacked. A DOS attack on the TOR layer only affects the path (a specific onion name is the path). This is what the private onions are for - the path isn't known to the public so can't be attacked.

When a TOR layer DOS attack is happening, it only affects the onion name being attacked. The other onion names keep working. If you keep trying long enough to reach the attacked onion name it will eventually work, then it will continue to work normally and fast for 15 minutes. After 15 mins the TOR client retires the working circuit and builds a fresh one, but the process of building a fresh circuit is what a DOS attack impacts, causing intermittent failures and delays of 2-5 minutes as the browser keeps trying the connection setup.

In summary, if one onion name doesn't work after it has tried connecting for 5 minutes, then use another. When there are three alternative paths to reach your destination, choose the one with the least traffic. If none work then a DOS attack could be targeting a different layer like the web app layer.
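As an added illustration of the "add a CPU cost to circuit setup" idea from the post above (example code, not from the original post and not Tor's own proof-of-work design): a hashcash-style client puzzle whose difficulty rises with the current introduce-request rate, so a flood of thousands of simultaneous circuit setups costs the attacker 2**bits hashes per request while the service still verifies each one with a single hash. The load threshold, difficulty scaling and seed are hypothetical values chosen for the example.

```python
"""Rate-adaptive client puzzle for onion-service circuit setup (simplified model)."""
import hashlib


def required_bits(requests_in_window: int, normal_load: int = 100) -> int:
    """Puzzle difficulty in leading zero bits, derived from current load.

    Hypothetical scaling: 0 bits at or below the normal load (legitimate
    clients pay nothing), growing with the excess and capped at 20 bits.
    """
    if requests_in_window <= normal_load:
        return 0
    excess = requests_in_window // normal_load
    return min(20, excess.bit_length() + 3)


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (the puzzle's success test)."""
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def solve(seed: bytes, bits: int) -> int:
    """Client side: brute-force a nonce; expected cost is about 2**bits hashes."""
    nonce = 0
    while True:
        d = hashlib.sha256(seed + nonce.to_bytes(8, "big")).digest()
        if leading_zero_bits(d) >= bits:
            return nonce
        nonce += 1


def verify(seed: bytes, bits: int, nonce: int) -> bool:
    """Service side: exactly one hash, whatever the difficulty."""
    d = hashlib.sha256(seed + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(d) >= bits


def admit(seed: bytes, requests_in_window: int, nonce: int) -> bool:
    """Admission decision for one introduce request under the current load."""
    return verify(seed, required_bits(requests_in_window), nonce)


def attacker_hashes(n_requests: int, requests_in_window: int) -> int:
    """Expected hashes an attacker must compute for n_requests at this load,
    versus the n_requests hashes the service spends verifying them."""
    return n_requests * 2 ** required_bits(requests_in_window)


if __name__ == "__main__":
    seed = b"constructed-per-service-seed"  # constructed sample value
    load = 5000  # constructed: 50x the normal load
    nonce = solve(seed, required_bits(load))
    print("admitted:", admit(seed, load, nonce), "attacker cost for 5000 requests:",
          attacker_hashes(5000, load))
```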
