Hi all! Great with a new mailing list :) Anyhow, I was wondering if anyone has any tips on some good DDoS defense for .onion sites. Take care
On Jan 27, 2016, at 08:24, Flipchan flipchan@riseup.net wrote:
> Hi all! Great with a new mailing list :) Anyhow, I was wondering if anyone has any tips on some good DDoS defense for .onion sites. Take care
Hi!
Many DDoS attacks, particularly those that use reflection and amplification, rely on the attacker knowing your IP address. Such attacks cannot be used against a properly implemented .onion site, as the service's IP address is hidden.
Conversely, defense against DoS attacks often involves blacklisting attacking IP addresses. Since the attacker's IP addresses will also be hidden, such defenses cannot be implemented.
What you're left with is using good fundamental site design. Specifically, putting any resource-intensive operations behind authentication or a CAPTCHA. Of course, any CAPTCHA should probably be locally generated to avoid leaking the hidden service's address, and CAPTCHA generation could, itself, become the target of a DoS attack.
If it's appropriate to the site's mission, I would make only a simple, static authentication page visible to non-authenticated users.
--R
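An added sketch of the design described in the message above (not code from the thread): a locally generated challenge in front of an expensive endpoint, issued as an HMAC-signed token so that issuing it costs one hash and stores nothing. The arithmetic question is a stand-in for a real CAPTCHA, and `issue_challenge`, `verify_challenge`, `handle_search` and `TTL_SECONDS` are hypothetical names.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)   # per-process key; never leaves the server
TTL_SECONDS = 120                      # assumed challenge lifetime


def _mac(expiry: int, nonce: str, answer: str) -> str:
    msg = f"{expiry}|{nonce}|{answer}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(now=None):
    """Return (question, token). Costs one HMAC; nothing is stored server-side."""
    now = int(time.time() if now is None else now)
    a, b = secrets.randbelow(90) + 10, secrets.randbelow(90) + 10
    expiry = now + TTL_SECONDS
    nonce = secrets.token_hex(8)
    token = f"{expiry}.{nonce}.{_mac(expiry, nonce, str(a + b))}"
    return f"What is {a} + {b}?", token


def verify_challenge(token, answer, now=None) -> bool:
    """Check the submitted answer against the token without any lookup."""
    now = int(time.time() if now is None else now)
    try:
        expiry_s, nonce, mac = token.split(".")
        expiry = int(expiry_s)
    except (ValueError, AttributeError):
        return False                    # malformed or missing token
    if now > expiry:
        return False                    # stale challenge
    expected = _mac(expiry, nonce, str(answer).strip())
    return hmac.compare_digest(expected, mac)


def handle_search(token, answer, query, now=None):
    """Hypothetical expensive endpoint: refuse before doing any real work."""
    if not verify_challenge(token, answer, now):
        return 403, "challenge required"
    return 200, f"results for {query!r}"   # expensive work would run here
```

A token stays valid until it expires, so a solved challenge can be replayed within that window unless spent nonces are also tracked, which reintroduces server-side state.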
On 29 Jan 2016, at 02:55, Ron Risley ronqonions@risley.net wrote:
> On Jan 27, 2016, at 08:24, Flipchan flipchan@riseup.net wrote:
>> Hi all! Great with a new mailing list :) Anyhow, I was wondering if anyone has any tips on some good DDoS defense for .onion sites. Take care
> Hi!
> Many DDoS attacks, particularly those that use reflection and amplification, rely on the attacker knowing your IP address. Such attacks cannot be used against a properly implemented .onion site, as the service's IP address is hidden.
Alec, I'd be interested in how Facebook has handled attacks like this against its one-hop onion service (RSOS), which has public IP addresses.
Does the existing Facebook infrastructure handle the extra load? Or are you more focused on firewalls and load balancing?
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
On 28 Jan 2016, at 20:08, Tim Wilson-Brown - teor teor2345@gmail.com wrote:
> Alec, I'd be interested in how Facebook has handled attacks like this against its one-hop onion service (RSOS), which has public IP addresses.
We’ve had no IP-level attacks that I am aware of.
We are already generally geared up to deal with such attacks on our infrastructure, and because our Onions live in enclaves / are unreachable from “the internet”, living within the infrastructure, such attacks don’t impact the Onion site.
Our onions connect out to the internet / to the Tor network through (a cloud of) proxies. This is why RSOS is currently such a good fit for us, because (non-R) Single Onions would require inbound connectivity and thus presumably some mitigation would need to be applied.
-a
tor-onions@lists.torproject.org