[tor-onions] Question about preventing DDOS

Roger Dingledine arma at torproject.org
Tue Aug 18 21:12:11 UTC 2020

On Thu, Aug 13, 2020 at 03:56:18PM -0700, froggo at secmail.pro wrote:
> My hidden service was getting a lot of DDOS attacks recently. It was
> firstly against Apache itself. I created a captcha system that doesn't
> spend much bandwidth even when under DDOS. Using OnionBalance to balance
> Tor instances between CPUs. My service is V3.

Can you describe more what you mean by "it was against apache itself"?
Was it simply a lot of normal http requests? Or was it a bunch of requests
which made your apache use a lot of cpu to answer? Or something else?

> So recently the way of DDOS changed. My bandwidth usage is nearly at
> maximum but even after I stop Apache service it continues. I checked it
> with Nethogs and Tor is spending the bandwidth when Apache is running or
> not running.

This description is compatible with a person who is visiting your onion
service many many times. They send an introduction cell to one of your
introduction points, you make a Tor circuit to the rendezvous point they
specify, finish setting up the rendezvous circuit, then they send a BEGIN
cell requesting to connect to your webserver, and that connection fails
so your Tor sends back an END cell. Repeat as many times as they want
to try to connect.

> HiddenServiceEnableIntroDoSDefense 1
> HiddenServiceEnableIntroDoSRatePerSec 25
> HiddenServiceEnableIntroDoSBurstPerSec 200
> Using these settings with my hidden service but doesn't seem to be doing
> anything.
> Is there something known to stop this with a configuration or is
> dedicating more bandwidth the only way? My server spends 800 Mbps of
> bandwidth even though nothing is served.

Hm! "This should work", at least in the sense that you should be limiting
yourself to 25*3=75 incoming intro requests per second (25 requests
times 3 intro points = 75). If each incoming intro request causes you
to do 10 cells in response (I just made up that number but I think it's
in the right range), that's 750 cells per second, or a bit under 400
kilobytes per second of traffic.

So you should be spending way less than 800 Mbit/s.

Are you sure you set the new torrc lines correctly, including in the
right place in the torrc (after the HiddenServiceDir directive)?

It is also possible there is a bug or implementation flaw with this
feature. I don't know how much it has been tested.
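
An added example, not part of the reply above and not tor's own code: a small Python checker for the ordering question the reply raises (do the HiddenServiceEnableIntroDoS* lines follow the HiddenServiceDir they are meant for?), with the reply's back-of-the-envelope bandwidth estimate as a function. It assumes that tor binds each HiddenService* option to the nearest preceding HiddenServiceDir, compares option names case-insensitively, and refuses to start when such an option has no preceding HiddenServiceDir; the 514-byte cell size, three intro points, the defaults of 25 and 200, and the ten-cells-per-intro figure are taken from the reply's estimate and from my own reading of the tor manual, not from this thread. Both torrc fragments are constructed for the example.

```python
"""Sanity-check intro-point DoS defence settings in a torrc (added example).

Assumptions, not taken from the thread: tor applies every HiddenService*
option to the most recent HiddenServiceDir line above it, option names are
case-insensitive, and a HiddenService* option that precedes any
HiddenServiceDir is rejected at startup.
"""
from dataclasses import dataclass, field

CELL_BYTES = 514          # assumed: size of one Tor cell on the wire
DEFAULT_INTRO_POINTS = 3  # assumed: a v3 onion service keeps 3 intro points


@dataclass
class OnionService:
    directory: str
    options: dict = field(default_factory=dict)  # lowercased key -> last value


def parse_hidden_services(torrc_text):
    """Split a torrc into per-service option maps.

    Returns (services, orphans); orphans are HiddenService* options that
    appear before any HiddenServiceDir and therefore configure nothing.
    """
    services, orphans = [], []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "hiddenservicedir":
            services.append(OnionService(value))
        elif key.startswith("hiddenservice"):
            if services:
                services[-1].options[key] = value  # later lines override earlier
            else:
                orphans.append((key, value))
    return services, orphans


def audit_intro_dos(services, orphans):
    """Return human-readable findings about the intro DoS defence config."""
    findings = []
    for key, _ in orphans:
        findings.append(f"{key} appears before any HiddenServiceDir and "
                        "applies to no service (tor rejects this at startup)")
    for svc in services:
        opts = svc.options
        if opts.get("hiddenserviceenableintrodosdefense") != "1":
            findings.append(f"{svc.directory}: "
                            "HiddenServiceEnableIntroDoSDefense is not 1")
            continue
        # Assumed defaults from the tor manual: rate 25, burst 200.
        rate = int(opts.get("hiddenserviceenableintrodosrateper" "sec", "25"))
        burst = int(opts.get("hiddenserviceenableintrodosburstpersec", "200"))
        if burst < rate:
            findings.append(f"{svc.directory}: burst {burst} is below rate {rate}")
    return findings


def expected_intro_bandwidth(rate_per_sec, intro_points=DEFAULT_INTRO_POINTS,
                             cells_per_intro=10):
    """Upper bound on bytes/s spent answering rate-limited intro requests.

    Mirrors the reply's estimate: rate * intro points * cells per intro *
    cell size. cells_per_intro=10 is the reply's own guess.
    """
    return rate_per_sec * intro_points * cells_per_intro * CELL_BYTES


# Constructed torrc: the DoS options sit above HiddenServiceDir, so they
# belong to no service.
MISPLACED_TORRC = """\
HiddenServiceEnableIntroDoSDefense 1
HiddenServiceEnableIntroDoSRatePerSec 25
HiddenServiceEnableIntroDoSBurstPerSec 200
HiddenServiceDir /var/lib/tor/onion_service/
HiddenServicePort 80 127.0.0.1:8080
"""

# Constructed torrc: the options follow the HiddenServiceDir they configure.
CORRECT_TORRC = """\
HiddenServiceDir /var/lib/tor/onion_service/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceEnableIntroDoSDefense 1
HiddenServiceEnableIntroDoSRatePerSec 25
HiddenServiceEnableIntroDoSBurstPerSec 200
"""

if __name__ == "__main__":
    for name, text in (("misplaced", MISPLACED_TORRC), ("correct", CORRECT_TORRC)):
        findings = audit_intro_dos(*parse_hidden_services(text))
        print(name, findings or "OK")
    print("bytes/s at rate 25:", expected_intro_bandwidth(25))
```

Run it against the real torrc with `parse_hidden_services(open("/etc/tor/torrc").read())`; an empty findings list for the misplaced case would mean the checker's ordering assumption does not match the tor version in use, so treat it as a hint rather than proof.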