[tor-onions] Protect against ddos in tor

Ron Risley ronqonions at risley.net
Thu Jan 28 15:55:43 UTC 2016


> On Jan 27, 2016, at 08:24, Flipchan <flipchan at riseup.net> wrote:
> 
> Hi all! Great with a new mailing list :) Anyhow, I was wondering if anyone has any tips on some good DDoS defense for .onion sites. Take care

Hi!

Many DDoS attacks, particularly those that use reflection and amplification, rely on the attacker knowing your IP address. Such attacks cannot be used against a properly implemented .onion site, as the service's IP address is hidden.

Conversely, defense against DoS attacks often involves blacklisting attacking IP addresses. Since the attacker's IP addresses will also be hidden, such defenses cannot be implemented.

What you're left with is using good fundamental site design. Specifically, putting any resource-intensive operations behind authentication or a CAPTCHA. Of course, any CAPTCHA should probably be locally generated to avoid leaking the hidden service's address, and CAPTCHA generation could, itself, become the target of a DoS attack.

If it's appropriate to the site's mission, I would make only a simple, static authentication page visible to non-authenticated users.

--R
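
An added example, not part of the original message or of any Tor Project code: one way to gate a resource-intensive handler behind a locally generated challenge whose issuance costs a single HMAC and stores nothing, so that challenge generation is not itself an easy DoS target. The arithmetic question stands in for whatever challenge the site renders locally; the names `issue_challenge`, `verify`, `guarded` and the `TTL` value are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

KEY = secrets.token_bytes(32)   # per-process secret; never leaves the server
TTL = 120                       # seconds a challenge stays valid (assumed value)
_used = {}                      # nonce -> expiry, kept only for solved challenges


def _mac(nonce: str, expiry: int, answer: str) -> str:
    msg = f"{nonce}|{expiry}|{answer}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(now=None):
    """Return (question, token). No third party is contacted and no state is
    stored, so bulk challenge requests cannot exhaust server memory."""
    now = int(time.time() if now is None else now)
    a, b = secrets.randbelow(90) + 10, secrets.randbelow(90) + 10
    nonce, expiry = secrets.token_hex(8), now + TTL
    return f"{a} + {b} = ?", f"{nonce}.{expiry}.{_mac(nonce, expiry, str(a + b))}"


def verify(token: str, answer: str, now=None) -> bool:
    """Check an answer using only the token; no client address is needed."""
    now = int(time.time() if now is None else now)
    try:
        nonce, expiry_s, mac = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return False
    if expiry < now or nonce in _used:
        return False
    # A token can be retried until it expires, so a deployed challenge
    # needs a far larger answer space than this constructed one.
    if not hmac.compare_digest(mac, _mac(nonce, expiry, answer.strip())):
        return False
    for old in [n for n, e in _used.items() if e < now]:
        del _used[old]          # forget nonces that have expired anyway
    _used[nonce] = expiry       # block replay of a solved challenge
    return True


def guarded(expensive, token: str, answer: str, *args):
    """Run the resource-intensive handler only after a solved challenge."""
    return expensive(*args) if verify(token, answer) else None
```

Replay state grows only when a challenge is actually solved, so the memory an attacker can force the server to hold is bounded by how many challenges they solve per `TTL` window.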

