My hidden service was getting a lot of DDoS attacks recently. At first they were against Apache itself. I created a captcha system that doesn't spend much bandwidth even when under DDoS. I'm using OnionBalance to balance Tor instances between CPUs. My service is v3.
So recently the way of DDoS changed. My bandwidth usage is nearly at maximum, but even after I stop the Apache service it continues. I checked it with Nethogs, and Tor is spending the bandwidth whether Apache is running or not.
HiddenServiceEnableIntroDoSDefense 1
HiddenServiceEnableIntroDoSRatePerSec 25
HiddenServiceEnableIntroDoSBurstPerSec 200
I'm using these settings with my hidden service, but they don't seem to be doing anything.
Is there something known to stop this with a configuration or is dedicating more bandwidth the only way? My server spends 800 Mbps of bandwidth even though nothing is served.
Thank you.
On Thu, Aug 13, 2020 at 03:56:18PM -0700, froggo@secmail.pro wrote:
> My hidden service was getting a lot of DDoS attacks recently. At first they were against Apache itself. I created a captcha system that doesn't spend much bandwidth even when under DDoS. I'm using OnionBalance to balance Tor instances between CPUs. My service is v3.
Can you describe more what you mean by "it was against apache itself"? Was it simply a lot of normal http requests? Or was it a bunch of requests which made your apache use a lot of cpu to answer? Or something else?
> So recently the way of DDoS changed. My bandwidth usage is nearly at maximum, but even after I stop the Apache service it continues. I checked it with Nethogs, and Tor is spending the bandwidth whether Apache is running or not.
This description is compatible with a person who is visiting your onion service many many times. They send an introduction cell to one of your introduction points, you make a Tor circuit to the rendezvous point they specify, finish setting up the rendezvous circuit, then they send a BEGIN cell requesting to connect to your webserver, and that connection fails so your Tor sends back an END cell. Repeat as many times as they want to try to connect.
> HiddenServiceEnableIntroDoSDefense 1
> HiddenServiceEnableIntroDoSRatePerSec 25
> HiddenServiceEnableIntroDoSBurstPerSec 200
> I'm using these settings with my hidden service, but they don't seem to be doing anything.
> Is there something known to stop this with a configuration or is dedicating more bandwidth the only way? My server spends 800 Mbps of bandwidth even though nothing is served.
Hm! "This should work", at least in the sense that you should be limiting yourself to 25*3=75 incoming intro requests per second (25 requests times 3 intro points = 75). If each incoming intro request causes you to do 10 cells in response (I just made up that number but I think it's in the right range), that's 750 cells per second, or a bit under 400 kilobytes per second of traffic.
So you should be spending way less than 800 mbits/s.
Are you sure you set the new torrc lines correctly, including in the right place in the torrc (after the HiddenServiceDir directive)?
It is also possible there is a bug or implementation flaw with this feature. I don't know how much it has been tested.
--Roger
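As an added example (not code from this thread or from the Tor project), a small Python check for the two things Roger raises: whether the HiddenServiceEnableIntroDoS* lines sit after a HiddenServiceDir, and the steady-state traffic bound his 25 x 3 x 10-cells arithmetic implies. The torrc fragments and their paths are constructed placeholders; the 514-byte cell size and the default of 3 introduction points are assumptions, and CELLS_PER_INTRO is Roger's own rough figure.

```python
INTRO_DOS_KEYS = {"HiddenServiceEnableIntroDoSDefense",
                  "HiddenServiceEnableIntroDoSRatePerSec",
                  "HiddenServiceEnableIntroDoSBurstPerSec"}
CELL_BYTES = 514        # assumed wire size of one Tor cell
INTRO_POINTS = 3        # assumed default number of introduction points per service
CELLS_PER_INTRO = 10    # Roger's rough estimate of cells sent per intro request

def parse_torrc(text):
    """Map each HiddenServiceDir to the intro-DoS options that follow it.
    Options seen before any HiddenServiceDir are returned as misplaced."""
    services, misplaced, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "HiddenServiceDir":
            current = value.strip()
            services[current] = {}
        elif key in INTRO_DOS_KEYS:
            if current is None:
                misplaced.append((lineno, key))
            else:
                services[current][key] = value.strip()
    return services, misplaced

def intro_bytes_per_sec(opts, intro_points=INTRO_POINTS):
    """Steady-state bound once the defense is active: rate per intro point
    x intro points x cells per intro x cell size. None if the defense is off."""
    if opts.get("HiddenServiceEnableIntroDoSDefense") != "1":
        return None
    rate = int(opts.get("HiddenServiceEnableIntroDoSRatePerSec", 25))  # Tor default
    return rate * intro_points * CELLS_PER_INTRO * CELL_BYTES

# Constructed torrc fragments for illustration (paths are placeholders).
MISPLACED_TORRC = """HiddenServiceEnableIntroDoSDefense 1
HiddenServiceDir /var/lib/tor/example_onion/
HiddenServicePort 80 127.0.0.1:8080
"""
CORRECT_TORRC = """HiddenServiceDir /var/lib/tor/example_onion/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceEnableIntroDoSDefense 1
HiddenServiceEnableIntroDoSRatePerSec 25
HiddenServiceEnableIntroDoSBurstPerSec 200
"""
if __name__ == "__main__":
    print(parse_torrc(MISPLACED_TORRC)[1])            # [(1, 'HiddenServiceEnableIntroDoSDefense')]
    for d, o in parse_torrc(CORRECT_TORRC)[0].items():
        print(d, intro_bytes_per_sec(o), "bytes/s")    # 385500 bytes/s, under 400 KB/s
```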
On Tue, Aug 18, 2020 at 05:12:11PM -0400, Roger Dingledine wrote:
> HiddenServiceEnableIntroDoSDefense 1
> HiddenServiceEnableIntroDoSRatePerSec 25
> HiddenServiceEnableIntroDoSBurstPerSec 200
> [...] It is also possible there is a bug or implementation flaw with this feature. I don't know how much it has been tested.
I just found what might be a bug in how the design is implemented at introduction points.
This is the ticket to follow: https://gitlab.torproject.org/tpo/core/tor/-/issues/40109
--Roger
tor-onions@lists.torproject.org