[tor-onions] Protect against ddos in tor
Ann O'Nymous
ann.onymous at vfemail.net
Tue Feb 9 04:37:10 UTC 2016
Ron Risley:
>
>> On Jan 27, 2016, at 08:24, Flipchan <flipchan at riseup.net> wrote:
>>
>> Hi all! Great with a new mailing list anyhow i was wondering IF
>> anyone have any tips on some good ddos defense for .onion sites ,
>> take care
>
> Hi!
>
> Many DDoS attacks, particularly those that use reflection and
> amplification, rely on the attacker knowing your IP address. Such
> attacks cannot be used against a properly implemented .onion site, as
> the service's IP address is hidden.
There are also torloris and pyloris, which are not volumetric.
> Conversely, defense against DoS attacks often involve blacklisting
> attacking IP addresses. Since the attacker's IP addresses will also
> be hidden, such defenses cannot be implemented.
Indeed.
> What you're left with is using good fundamental site design.
> Specifically, putting any resource-intensive operations behind
> authentication or a CAPTCHA. Of course, any CAPTCHA should probably
> be locally generated to avoid leaking the hidden service's address,
> and CAPTCHA generation could, itself, become the target of a DOS
> attack.
>
> If it's appropriate to the site's mission, I would make only a
> simple, static authentication page visible to non-authenticated
> users.
Wouldn't torloris or pyloris work against that too?
Are these attacks still effective against onion sites? If so, what are
the best defenses? One can reduce webserver read and write idle times,
but that can also block legitimate users on high latency circuits. There
is also the flag CloseHSServiceRendCircuitsImmediatelyOnTimeout. Is it
useful to set that to "1"?
More information about the tor-onions
mailing list