[tor-project] Tor's history of D/DoS attacks; strategy for mitigation

Mike Perry mikeperry at torproject.org
Wed Jul 5 19:50:34 UTC 2023


On 6/26/23 04:10, Cory Francis Myers wrote:
> I'm investigating the applicability of the IETF's DDoS Open Threat
> Signaling (DOTS) specifications[1] to the needs of privacy-preserving
> overlay networks, including VPNs but with particular interest in Tor.
> 
> Specifically, now that the July 2022 D/DoS attack has finally come to a
> close, I'm wondering about:
> 
> 1. the history, frequency, and magnitude of D/DoS attacks against the
>     Tor network;

We have seen high volumes of onion service activity indicative of 
internal onion service DDoS roughly once a year for the past several years.

We also have seen periodic attacks against the directory authorities, 
going back several years.

> 2. when these have taken the form of Tor traffic versus lower-level
>     attacks on Tor nodes and HSDirs; and

The most common attack has been either onion service related, or against 
the directory authorities. However, over the past year, we saw several 
attack attempts that appeared to target specific relays. This was a new 
phenomenon, at this scale.

We also saw some evidence of DDoS attack attempts through Tor. Relay 
operators have developed tools to block connections to external IP 
addresses that see connection spikes. One such example tool is: 
https://github.com/artikel10/surgeprotector

We have made several attempts to secure funding to develop mechanisms to 
rate limit scraping, spam, and externally-destined DDoS attack activity 
happening through Tor, but so far, these funding proposals have all been 
rejected.

> 3. how the new "proof of work over introduction circuits" scheme fits
>     into Tor's overall strategy for mitigating D/DoS attacks.

Around when the proof of work branch got finalized, the onion service 
attacks ended. We are not sure if this is related to the ability to 
deploy the PoW branch ad-hoc, or if it was just a coincidence.

Since the majority of DDoS activity has been onion service related, we 
expect this defense to act as a deterrent there, for most of the issues 
we have seen.

> I've found plenty of current and historical GitLab tickets---but I'm
> wondering if there are more comprehensive documents or other resources
> I'm not aware of.

No. Many of the non-onion attacks we have noticed have confidential 
tickets. Many attacks were quite effective at degrading service, and 
appeared to have this as their goal. They also appeared to be 
probing in nature, and often stopped after a few days or a week from 
starting. These attacks ran parallel to the larger onion service DDoS.

We recently obtained funding to fix these kinds of specific attacks 
against Guards, dirauths, and Exits, but many issues will remain 
confidential until we do so. We do not want to advertise which of these 
probing attacks were actually effective vs not, or why.

> --- cfm[2].
> 
> 
> [1]: https://datatracker.ietf.org/wg/dots/documents/
> 
> [2]: I'm a maintainer of the SecureDrop project at the Freedom of the
>       Press Foundation, but this work is supported by ARTICLE 19's
>       Internet of Rights Fellowship.
> _______________________________________________
> tor-project mailing list
> tor-project at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project

-- 
Mike Perry
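The reply above mentions that relay operators block connections to external IP addresses that see connection spikes, pointing at surgeprotector as one such tool. The block below is an added illustration of that kind of detection logic and is not surgeprotector's code, nor anything from the Tor project: it keeps a sliding window of new outbound connections per destination, flags a destination once it exceeds a threshold inside the window, and skips an operator-supplied allowlist so that a legitimately busy destination (a large CDN, say) is not cut off. The log format, the 10-second window, the threshold of 50, and the RFC 5737 documentation addresses are all assumptions made for this example; the sample log is constructed inline.

```python
import re
from collections import defaultdict, deque

# Assumed conntrack-like line shape (constructed for this example, not a
# format any real relay or tool is known to emit):
#   "<unix-seconds> NEW tcp dst=<ip> dport=<port>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) NEW tcp dst=(?P<dst>[0-9.]+) dport=(?P<dport>\d+)$"
)


def make_sample_log():
    """Constructed sample: background traffic plus two bursts to single hosts."""
    lines = []
    # Normal background: one connection every 3 s to a documentation-range host.
    for i in range(10):
        lines.append(f"{1000 + 3 * i}.000 NEW tcp dst=198.51.100.9 dport=443")
    # A burst: 80 new connections to one destination inside two seconds.
    for i in range(80):
        lines.append(f"{1010 + i * 0.025:.3f} NEW tcp dst=203.0.113.7 dport=80")
    # The same burst toward a host the operator has allowlisted on purpose.
    for i in range(80):
        lines.append(f"{1010 + i * 0.025:.3f} NEW tcp dst=192.0.2.1 dport=443")
    # Interleave by timestamp; the sort is stable, so ties keep append order.
    lines.sort(key=lambda line: float(line.split()[0]))
    return lines


class SpikeDetector:
    """Per-destination sliding-window counter of new connections."""

    def __init__(self, window_seconds=10.0, threshold=50, allowlist=()):
        self.window = window_seconds      # assumed window length
        self.threshold = threshold        # assumed max new conns per window
        self.allowlist = set(allowlist)   # destinations never blocked
        self._events = defaultdict(deque)  # dst -> timestamps in window
        self.blocked = {}                 # dst -> timestamp it crossed the line

    def observe(self, ts, dst):
        """Record one new connection. Returns True only at the moment dst
        crosses the threshold, i.e. when a block decision should be emitted."""
        if dst in self.allowlist or dst in self.blocked:
            return False
        window = self._events[dst]
        window.append(ts)
        cutoff = ts - self.window
        # Drop timestamps that have aged out of the window.
        while window and window[0] < cutoff:
            window.popleft()
        if len(window) > self.threshold:
            self.blocked[dst] = ts
            return True
        return False


def run(lines, **detector_kwargs):
    """Feed log lines to a detector; return it plus the list of block
    decisions as (dst, timestamp) tuples in the order they were made."""
    detector = SpikeDetector(**detector_kwargs)
    decisions = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # tolerate lines in another shape instead of crashing
        ts = float(match["ts"])
        if detector.observe(ts, match["dst"]):
            decisions.append((match["dst"], ts))
    return detector, decisions


if __name__ == "__main__":
    det, decisions = run(make_sample_log(), allowlist=["192.0.2.1"])
    for dst, ts in decisions:
        print(f"block {dst} (crossed threshold at t={ts})")
    print("never blocked:", sorted(set(det._events) - set(det.blocked)))
```

The threshold is deliberately on new connections rather than bytes, because the exit-side symptom of a DDoS-through-Tor is many short connection attempts to one target, not volume. The obvious caveat is that any per-relay heuristic like this also throttles legitimately popular destinations, which is why the allowlist exists and why the window and threshold should be tuned against the relay's own baseline rather than copied from this example.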