[tor-project] Tor's history of D/DoS attacks; strategy for mitigation

source link: https://forum.torproject.org/t/tor-project-tors-history-of-d-dos-attacks-strategy-for-mitigation/8145/2

I'm investigating the applicability of the IETF's DDoS Open Threat
Signaling (DOTS) specifications[1] to the needs of privacy-preserving
overlay networks, including VPNs but with particular interest in Tor.

Specifically, now that the July 2022 D/DoS attack has finally come to a
close, I'm wondering about:

1. the history, frequency, and magnitude of D/DoS attacks against the
   Tor network;

2. when these have taken the form of Tor traffic versus lower-level
   attacks on Tor nodes and HSDirs; and

3. how the new "proof of work over introduction circuits" scheme fits
   into Tor's overall strategy for mitigating D/DoS attacks.

I've found plenty of current and historical GitLab tickets---but I'm
wondering if there are more comprehensive documents or other resources
I'm not aware of.

  --- cfm[2].

[1]: DDoS Open Threat Signaling (dots)

[2]: I'm a maintainer of the SecureDrop project at the Freedom of the
     Press Foundation, but this work is supported by ARTICLE 19's
     Internet of Rights Fellowship.


9 days later

> I'm investigating the applicability of the IETF's DDoS Open Threat
> Signaling (DOTS) specifications[1] to the needs of privacy-preserving
> overlay networks, including VPNs but with particular interest in Tor.
>
> Specifically, now that the July 2022 D/DoS attack has finally come to a
> close, I'm wondering about:
>
> 1. the history, frequency, and magnitude of D/DoS attacks against the
>    Tor network;

We have seen high volumes of onion service activity indicative of internal onion service DDoS roughly once a year for the past several years.

We also have seen periodic attacks against the directory authorities, going back several years.

> 2. when these have taken the form of Tor traffic versus lower-level
>    attacks on Tor nodes and HSDirs; and

The most common attack has been either onion service related, or against the directory authorities. However, over the past year, we saw several attack attempts that appeared to target specific relays. This was a new phenomenon, at this scale.

We also saw some evidence of DDoS attack attempts through Tor. Relay operators have developed tools to block connections to external IP addresses that see connection spikes. One such example tool is: GitHub - artikel10/surgeprotector: Block Tor Exit traffic to flooded IP addresses via ExitPolicy.

We have made several attempts to secure funding to develop mechanisms to rate limit scraping, spam, and externally-destined DDoS attack activity happening through Tor, but so far, these funding proposals have all been rejected.

> 3. how the new "proof of work over introduction circuits" scheme fits
>    into Tor's overall strategy for mitigating D/DoS attacks.

Around when the proof of work branch got finalized, the onion service attacks ended. We are not sure if this is related to the ability to deploy the PoW branch ad-hoc, or if it was just a coincidence.

Since the majority of DDoS activity has been onion service related, we expect this defense to act as a deterrent there, for most of the issues we have seen.

> I've found plenty of current and historical GitLab tickets---but I'm
> wondering if there are more comprehensive documents or other resources
> I'm not aware of.

No. Many of the non-onion attacks we have noticed have confidential tickets. Many attacks were quite effective at degrading service, and appeared to have this as their goal. They also appeared to be probing in nature, and often stopped after a few days or a week from starting. These attacks ran parallel to the larger onion service DDoS.

We recently obtained funding to fix these kinds of specific attacks against Guards, dirauths, and Exits, but many issues will remain confidential until we do so. We do not want to advertise which of these probing attacks were actually effective vs not, or why.

> --- cfm[2].
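The reply above mentions that exit operators block traffic to flooded destination IPs via ExitPolicy, citing artikel10/surgeprotector. The following is an added example written for this page to show the shape of that defence; it is not surgeprotector's code. It assumes the operator already has a stream of outbound exit connection records as (timestamp, destination IP, destination port) tuples, for instance from the relay host's connection table; the threshold, window and hold time are illustrative, and the sample connections are constructed using documentation address ranges.

```python
"""Added example (not surgeprotector's code): spot destination IPs that suddenly
receive many connections through an exit and emit torrc ExitPolicy reject lines.

Assumptions: connection records are (timestamp_seconds, dest_ip, dest_port)
tuples the operator already collects; thresholds are illustrative. The sample
data below is constructed and uses documentation address ranges only.
"""
from collections import Counter
from ipaddress import ip_address


def build_sample():
    """Constructed exit-connection records: a quiet background, an IPv4 flood,
    an IPv6 flood, and an old flood that has already stopped."""
    conns = []
    for i in range(30):                  # background: 10 hosts, 3 connections each
        conns.append((1000 + i * 2, f"198.51.100.{i % 10 + 1}", 443))
    for i in range(150):                 # 150 connections to one host in 15 s
        conns.append((1040 + i * 0.1, "203.0.113.10", 80))
    for i in range(120):                 # 120 connections to an IPv6 host in 24 s
        conns.append((1010 + i * 0.2, "2001:db8::5", 443))
    for i in range(200):                 # stale flood, minutes before the window
        conns.append((500 + i * 0.1, "2001:db8::2", 443))
    return conns


def detect_surges(conns, now, window=60, threshold=100):
    """Return {dest_ip: count} for destinations that received at least
    `threshold` new connections in the last `window` seconds. Counting
    connections rather than bytes catches SYN-style and request floods alike."""
    counts = Counter(ip for ts, ip, _port in conns if now - window <= ts <= now)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def update_blocklist(blocked, flooded, now, hold=600):
    """Keep each flooded IP blocked for `hold` seconds after its last surge so
    the policy does not flap when a flood pauses and resumes. Expired entries
    are dropped; the live {ip: expiry} mapping is returned."""
    for ip in flooded:
        blocked[ip] = now + hold
    for ip in [ip for ip, until in blocked.items() if until <= now]:
        del blocked[ip]
    return dict(blocked)


def policy_lines(blocked):
    """Render torrc lines. Tor evaluates ExitPolicy entries in order and the
    first match wins, so these must precede the relay's existing accept rules.
    IPv6 targets use reject6 with the address in brackets."""
    lines = []
    for ip in sorted(blocked, key=lambda s: (ip_address(s).version, ip_address(s).packed)):
        addr = ip_address(ip)
        if addr.version == 6:
            lines.append(f"ExitPolicy reject6 [{addr}]:*")
        else:
            lines.append(f"ExitPolicy reject {addr}:*")
    return lines


if __name__ == "__main__":
    conns = build_sample()
    flooded = detect_surges(conns, now=1060)
    live = update_blocklist({}, flooded, now=1060)
    print("\n".join(policy_lines(live)))
```

After writing the generated lines into the torrc (ahead of the relay's own accept rules) the operator reloads tor so the new policy takes effect. Two caveats follow directly from the design: the block is per destination, so every Tor user going through that exit loses access to the flooded site for the hold period, which is why the expiry matters; and because anyone can trigger the block by flooding a target through Tor, the threshold should be set well above the destination's normal Tor traffic.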
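The reply describes the proof-of-work defence for introduction circuits only by its effect. The following added illustration, written for this page and not Tor's code, shows the mechanism that makes it a deterrent: a client attaches a puzzle solution of chosen effort to its introduction request, and the service serves verified requests in descending effort order, so a flood of minimum-effort requests no longer starves clients willing to spend CPU. Tor's real scheme (proposal 327) uses the Equi-X puzzle keyed by a seed from the service descriptor and a BLAKE2b-based effort check; this stand-in swaps SHA-256 in for the puzzle so it runs anywhere. The seed, effort values, nonce layout and names are assumptions.

```python
"""Added illustration of proof-of-work-gated introduction requests. Simplified
stand-in for Tor's onion service PoW (proposal 327): the real scheme uses the
Equi-X puzzle and a BLAKE2b-based effort check; SHA-256 replaces the puzzle
here so the example is self-contained. The queueing behaviour is the point.
"""
import hashlib
import heapq
import itertools

UINT32_MAX = 0xFFFFFFFF


def check_effort(seed: bytes, nonce: bytes, effort: int) -> bool:
    """Effort check of the same shape as proposal 327's: E * INT32(H) <= UINT32_MAX,
    with H the puzzle hash (SHA-256 here as a stand-in). Acceptable nonces become
    proportionally rarer as E grows, so expected client work is linear in E."""
    h = hashlib.sha256(seed + nonce + effort.to_bytes(4, "big")).digest()
    return effort * int.from_bytes(h[:4], "big") <= UINT32_MAX


def solve(seed: bytes, effort: int, max_tries: int = 1_000_000):
    """Client side: search nonces until one passes the check; None if the budget
    runs out. Counter nonces keep the example reproducible (a real client would
    randomise); they stay below max_tries, which the flood below relies on."""
    if effort < 1:
        raise ValueError("effort must be at least 1")
    for counter in range(max_tries):
        nonce = counter.to_bytes(16, "big")
        if check_effort(seed, nonce, effort):
            return nonce
    return None


class IntroQueue:
    """Service side: verified introduction requests are queued by effort and the
    highest effort is served first (FIFO among equals). A replay cache rejects
    nonce reuse so one solution cannot be amortised over many requests."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.seen = set()
        self.heap = []
        self.seq = itertools.count()

    def submit(self, client_id: str, nonce: bytes, effort: int) -> bool:
        if nonce in self.seen or effort < 1 or not check_effort(self.seed, nonce, effort):
            return False
        self.seen.add(nonce)
        heapq.heappush(self.heap, (-effort, next(self.seq), client_id))
        return True

    def serve(self, n: int):
        served = []
        while self.heap and len(served) < n:
            served.append(heapq.heappop(self.heap)[2])
        return served


def simulate_flood(seed: bytes = b"constructed-seed", flood_size: int = 50, honest_effort: int = 4096):
    """Constructed scenario: an attacker sends many effort-1 requests (any nonce
    passes at E=1, so they cost nothing), then one honest client pays a real
    effort. Returns (honest accepted, replay accepted, first three served)."""
    q = IntroQueue(seed)
    for i in range(flood_size):
        # Nonces above solve()'s counter range so they cannot collide with it.
        q.submit(f"bot-{i}", (0xFFFF0000 + i).to_bytes(16, "big"), 1)
    nonce = solve(seed, honest_effort)
    assert nonce is not None
    accepted = q.submit("honest", nonce, honest_effort)
    replay = q.submit("bot-replay", nonce, honest_effort)   # reused nonce: refused
    return accepted, replay, q.serve(3)


if __name__ == "__main__":
    print(simulate_flood())
```

The deterrent is visible in the served order: the honest client jumps ahead of fifty free requests, and raising the flood rate only forces the attacker to spend effort per request to compete, which is exactly the cost the scheme imposes. A real deployment also expires queued low-effort requests after a timeout and advertises a suggested effort in the descriptor so clients know how much work currently buys service.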
