[tor-dev] [PATCH] Defences against the recent hidden service DoS attacks

Wed May 20 19:03:38 UTC 2015

Hello,

we recently received more reports of Denial of Service attacks on
hidden services. You can find our ticket here:

   https://trac.torproject.org/projects/tor/ticket/16052

After some debugging, we found the attack vector and identified a few
ways to fix or mitigate it. In this attack, the adversary forces a
hidden service to create thousands of connections to its underlying
application (e.g. the webserver), which overwhelms both Tor and the
underlying application.

It's worth noting that Tor is a small network, and even simple DoS
attacks can be quite effective against it. Consider that there are
botnets out there with more bandwidth than the whole Tor
network. Hence, completely solving DoS attacks on Tor is still an open
problem; a few long-term defense ideas were stated on the trac ticket.

In any case, we have prepared an experimental short-term fix for this
vulnerability that hidden service operators can deploy. It seems to
mitigate the attack in our lab tests, so maybe it helps others too.

The fix, allows the hidden service operator to ignore hidden service
circuits that try to open tons of connections. This is possible since
normal clients will only open a few such connections, whereas the
attacker was opening like 5000 connections per circuit.

Here are some instructions for the short-term fix:

== Instructions ==

Our patch is not in an official Tor release yet, so you will need to
use an unofficial git branch:

    https://trac.torproject.org/projects/tor/ticket/16052#comment:18

First, use one of the provided branches or apply the commits directly
to your tor, and recompile your tor. You need to do this. The
instructions below *won't* work with stock tor.

Next, an operator who wants to deploy this experimental fix, should
first figure out how many simultaneous TCP connections a normal client
would establish. For example, an IRC server would probably not need
more than 1 simultaneous connection per user. A web server, depending
on the use, might need something between 6 to 12 (?) simultaneous
connections.

To proceed, as an example, let's say that a client of your hidden
service can work fine with 20 simultaneous TCP connections.

Then add the following to your torrc, as part of the per-hidden
service configuration:

            HiddenServiceMaxStreams 20

and start up your new Tor. See if that helps out for you. You might
still get 100% CPU when under attack, but other clients should work
normally.

If that doesn't stop the attack, there is a more aggressive solution
that might work. In your torrc also add the following line

            HiddenServiceMaxStreamsCloseCircuit 1

That will make your hidden service *kill* the attacker's circuit,
which will reduce CPU load even more. However, if you have picked a
small max streams number, it might also kill normal users'
connections. So be careful! Also, please don't set max streams to a
tiny value while this is enabled; forcing the attacker to build tons
of circuits to you is not good for your HS or for the network.

====

In any case, let us know if this works for you, by sending an email to
this list, or commenting on the trac ticket. If it works for people,
we might incorporate to a Tor release soon.