[tor-project] Tor's history of D/DoS attacks; strategy for mitigation
Mike Perry
mikeperry at torproject.org
Wed Jul 5 19:50:34 UTC 2023
On 6/26/23 04:10, Cory Francis Myers wrote:
> I'm investigating the applicability of the IETF's DDoS Open Threat
> Signaling (DOTS) specifications[1] to the needs of privacy-preserving
> overlay networks, including VPNs but with particular interest in Tor.
>
> Specifically, now that the July 2022 D/DoS attack has finally come to a
> close, I'm wondering about:
>
> 1. the history, frequency, and magnitude of D/DoS attacks against the
> Tor network;
We have seen high volumes of onion service activity indicative of
internal onion service DDoS roughly once a year for the past several years.
We also have seen periodic attacks against the directory authorities,
going back several years.
> 2. when these have taken the form of Tor traffic versus lower-level
> attacks on Tor nodes and HSDirs; and
The most common attack has been either onion service related, or against
the directory authorities. However, over the past year, we saw several
attack attempts that appeared to target specific relays. This was a new
phenomenon, at this scale.
We also saw some evidence of DDoS attack attempts through Tor. Relay
operators have developed tools to block connections to external IP
addresses that see connection spikes. One such example tool is:
https://github.com/artikel10/surgeprotector
We have made several attempts to secure funding to develop mechanisms to
rate limit scraping, spam, and externally-destined DDoS attack activity
happening through Tor, but so far, these funding proposals have all been
rejected.
> 3. how the new "proof of work over introduction circuits" scheme fits
> into Tor's overall strategy for mitigating D/DoS attacks.
Around when the proof of work branch got finalized, the onion service
attacks ended. We are not sure if this is related to the ability to
deploy the PoW branch ad-hoc, or if it was just a coincidence.
Since the majority of DDoS activity has been onion service related, we
expect this defense to act as a deterrent there, for most of the issues
we have seen.
> I've found plenty of current and historical GitLab tickets---but I'm
> wondering if there are more comprehensive documents or other resources
> I'm not aware of.
No. Many of the non-onion attacks we have noticed have confidential
tickets. Many attacks were quite effective at degrading service, and
appeared to have this as their goal. They also appeared to be
probing in nature, and often stopped after a few days or a week from
starting. These attacks ran parallel to the larger onion service DDoS.
We recently obtained funding to fix these kinds of specific attacks
against Guards, dirauths, and Exits, but many issues will remain
confidential until we do so. We do not want to advertise which of these
probing attacks were actually effective vs not, or why.
> --- cfm[2].
>
>
> [1]: https://datatracker.ietf.org/wg/dots/documents/
>
> [2]: I'm a maintainer of the SecureDrop project at the Freedom of the
> Press Foundation, but this work is supported by ARTICLE 19's
> Internet of Rights Fellowship.
> _______________________________________________
> tor-project mailing list
> tor-project at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
--
Mike Perry
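The reply above mentions operator tools that block external destinations seeing a sudden burst of connections through Tor. As an added illustration of that idea, not code from the thread, from surgeprotector or from the Tor project, here is a hypothetical per-destination sliding-window counter: the window length, spike threshold and block duration are assumed values, and the connection events it runs over are constructed.

```python
from collections import defaultdict, deque

# Hypothetical spike detector, written for this page: window, threshold and
# block duration are assumed values, not settings of any real relay tool.
class SpikeDetector:
    def __init__(self, window=60.0, threshold=100, block_for=600.0):
        self.window = window              # seconds of history that is counted
        self.threshold = threshold        # connections per window that trip a block
        self.block_for = block_for        # seconds a tripped destination stays blocked
        self.recent = defaultdict(deque)  # dest -> timestamps inside the window
        self.blocked_until = {}           # dest -> time the block expires

    def is_blocked(self, dest, now):
        expiry = self.blocked_until.get(dest)
        if expiry is None:
            return False
        if now >= expiry:                 # block has lapsed: forget it
            del self.blocked_until[dest]
            return False
        return True

    def observe(self, dest, now):
        """Record one new connection attempt to dest; True means drop it."""
        if self.is_blocked(dest, now):
            return True
        q = self.recent[dest]
        q.append(now)
        while q and now - q[0] > self.window:   # evict timestamps outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[dest] = now + self.block_for
            q.clear()                     # start counting afresh after the block
            return True
        return False


def simulate(events, **kw):
    """Replay constructed (dest, timestamp) events in time order; return the
    number of dropped attempts and the destinations left blocked."""
    det = SpikeDetector(**kw)
    dropped = sum(det.observe(d, t) for d, t in sorted(events, key=lambda e: e[1]))
    return dropped, sorted(det.blocked_until)


# Constructed sample: a burst of 150 connections to one address within 30 s,
# and 20 connections to another address spread over 20 minutes.
SAMPLE = ([("203.0.113.10", i * 0.2) for i in range(150)]
          + [("198.51.100.7", i * 60.0) for i in range(20)])
```

With the default settings the burst destination trips the block on its 100th connection and the remaining 50 attempts are dropped, while the slow trickle never accumulates enough in one window to be affected.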