Tor’s history of D/DoS attacks and future strategies for mitigation (opens in new tab)

(forum.torproject.org)

163 pointsjerheinze2y ago98 comments

98 comments

I think its worth mentioning that DDOS protection has become a tool to control online discourse. Once you get kicked off Cloudfare, thats mostly it for you if you have a determined attacker. Thats quite a beneficial situation for governments.

capableweb2y ago

Have you actually run any sort of web service/website without Cloudflare? This sounds like something straight out of a sales reps mouth, obviously there is more solutions than just Cloudflare out there...

cf141q53252y ago

I dont think you appreciate the threat scenario discussed here if you think its reasonable to ask for personal experience. Leaves me to wonder if i am supposed to deny having committed any crimes while we are at it?

Still thank you for the response, gives the ability to clarify that this is by no means an advertisement. You have of course endless options for ddos mitigation right now. But once cloudflare no longer wants you, your other options have a tendency to evaporate as well.

2 more replies

ThrowawayTestr2y ago

Yes, you can roll your own protection but if kiwifarms is any indication it becomes your full time job.

DoItToMe812y ago

A lot of these solutions don't actually mitigate large DDoS attacks, or have enormous loopholes that can be bypassed by a novice attacker. I've heard that OVH's DDoS protection used to let in other OVH servers, for example.

When I checked, some of the equivalents to Cloudflare's lower plans cost hundreds of dollars a month.

1 more reply

fullspectrumdev2y ago

Yes? I haven’t used cloudflare in years now.

99.9% of the time you literally don’t need their services.

neodypsis2y ago

Yes, AWS's WAF is very good, for instance.

Spivak2y ago

It really isn't that dire, AWS has Shield (or really just Cloudfront), GPC has Cloud Armor, Azure has "Azure DDoS Protection", everything on Digital Ocean is protected by default. And if you're on-prem or colo then even a modestly sized edge router can handle quite a bit of traffic. And if all you want is the CDN part and not origin protection then every commercial CDN does DDoS protection.

If you mean "providing expensive protection services for free on a $5/mo VPC" then sure Cloudflare might be your only bet.

cf141q53252y ago

Not a question of money. If i recall, all of these are as easy to reach for governments as cloudfare itself. Especially with the threat of KYC. Would be happy to be wrong here though.

1 more reply

wbl2y ago

Who got kicked off of Cloudflare? Because both the cases I can think of weren't because of governments and were the sorts of schmucks that you really don't want hanging around.

didntcheck2y ago

A few companies with enough resources being able to decide who is a "schmuck that you really don't want hanging around" is worse than a government doing it IMO. At least the latter have to pretend to follow process and be accountable to the people

Though I'm not sure how to really solve it. I support ISPs being considered utilities with an obligation to serve any customer unless they can argue a compelling reason why they can't, but DDoS protection is not a technical essential like an internet connection is. Even if it's almost essential for a popular site in 2023

1 more reply

cf141q53252y ago

It was a generic statement about a path to get rid of unwanted public discourse. The problem is that paths that exist get taken. Examples of who that happened to already and your opinion of who deserves what are not the point.

Its totalitarian rot, it doesnt stop, its like a moldy fruit.

1 more reply

malikNF2y ago

Remember when google was one of the “not evil” companies? When it comes to internet companies we have got burned so many times it’s good to keep a healthy dose of skepticism when it comes to a company that potentially decides if you are able to survive on the internet.

poisonarena2y ago

One of my favorite illegal streaming websites that streamed old nickelodion tv shows and the xfiles from the 90s. they had problems with cloudflare and had to deal with a lot of problems from a rival hacker group ddosing

1 more reply

nyolfen2y ago

this is the same line as the UK takes for encryption btw

kiwifarmsthrow2y ago

KiwiFarms, The Daily Stormer

Run_DOS_Run2y ago

Don't forget OVH. Their DDoS-protection is included in every server.

malikNF2y ago

At-least in my experience, OVH was the only hosting company where their network engineers spoke to me when we had a ddos problem.

Had a situation where one of my servers were getting ddosed we tried multiple providers both cloud and dedicated, but the attack was not getting stopped by anyone, the customer service was useless on most other places its either we get null routed, or hours of back and forth with customer service without any solution.

We moved our servers to OVH the customer service rep directed us to an engineer within a few minutes. I remember we had to send a few packet captures during an attack to one of their network engineers and, not only did they block the attack in a few hours, the engineer in charge explained exactly what happened was such a nice learning experience, that one interaction with them will always make me recommend them.

patrec2y ago

If cloudflare won't touch you, chances are neither will OVH.

peterhadlaw2y ago

What do you mean every server? Pardon my ignorance, first time I am hearing about these folks.

1 more reply

TechBro86152y ago

Governments have more effective ways of deplatforming you than temporarily DDOSing your site.

gruez2y ago

Taking down a website by sending men with guns is a much worse look for them than an unpopular site succumbing to ddos attacks.

victorbjorklund2y ago

A bit dramatic right? Sure, it might be more expensive and difficult but obviously you can run your own WAF, DDOS protection etc.

cf141q53252y ago

There are quite a few options, but what could be heard through the grapevines with Kiwifarms most turn out to be theoretical once attackers are motivated enough. Think about them what you will, they make a great canary.

1 more reply

malikNF2y ago

Yes you can defend on your own. But it’s going to cost you a lot of resources.

In addition to a lot of clever tricks ddos protection comes down to a simple question. Who has more resources to keep going.

_factor2y ago

These are likely nation state actors who have the ability to fund these attacks. I wouldn’t be surprised if they’re using advanced techniques to slow down the network and track the routes as they traverse. I would be wary of anonymity while using tor during one of these attacks.

TechBro86152y ago

Eh, the techniques don't need to be that advanced or even expensive, and there are plenty of markets with motivation to DDOS their competitors. The government might even prefer that the markets stay up, so they can continue monitoring them and honeypotting criminals using them.

Arch-TK2y ago

I wish people stopped using discourse.

Sending pictures of pieces of hand written paper over email would be a more user friendly and usable interface than this javascript mess.

Avamander2y ago

Absolutely not. Most mailing lists are run horribly. With horrible deliverability, security ("don't use an important password here"-clownery plus no SRS, ARC or DKIM) and a plethora of MUA idiocy sprinkled on top. Not to mention way obsolete opinions such as "no HTML at all" or "40kB maximum".

Discourse is one of the nicest to use forum platforms. Works on phones, has normal notifications, proper markdown, nice mention-subscription-quote system, nice plugins (such as abbreviation explainer) and it's not an eyesore.

Nuzzerino2y ago

Jeff Atwood is one of the co-founders of Discourse and probably knows what he is doing. Compared to much of the legacy forum software, it's a big upgrade. His team also, in my experience, has offered very good support for corporate customers.

Source: Was on the team (but not the decision-maker) to replace a very large legacy forum with Discourse.

Arch-TK2y ago

It's weird how <insert painful and idiotic method of communicating here> gets treated as an endorsement on this website.

For reference, me saying that emailing around pictures of handwritten text would be preferable to discourse was not an endorsement of mailing around pictures of handwritten text.

Also, as a side note, mailing list deliverability sucks because mailing list maintainers are sometimes stuck in the past and think that impersonating users while modifying messages is a good idea.

All the well ran mailing lists either don't modify messages and instead add unsubscribe headers and pass things on, or modify the messages as well as the from email addresses to avoid falling afoul of DKIM and therefore causing deliverability problems due to DMARC rejections.

HTML emails are also an abomination for replying so I am not sure what your point is there. There's basically one standard for in-line replies for plain text emails but there is no agreement on how to in-line reply to HTML emails.

But I can see how someone might dislike emails and don't think its the right solution for forums. That being said, they're still better than discourse.

List of advantages over discourse:

- Don't need a modern PC or phone to render all the javascript

- There's no mandatory (or any) javascript

- My keyboard isn't hijacked for the purposes of implementing an input scheme which doesn't match the rest of my browsing experience and therefore requires me to re-learn how to use my web browser when I go on the website

- I archive the content easily, index it myself and search through it at my leisure

- The UI is as simple as I want it to be

Forum websites should not require javascript for rendering, or even ideally posting, it was never needed it in the past and I never felt like adding javascript added anything to the user experience. It should be simple, secure, easily searchable and above all else shouldn't hijack your keyboard.

hombre_fatal2y ago

I prefer it over every forum I’ve used, especially on mobile.

vaylian2y ago

One of the design goals of Discourse was that it should work well on mobile phones. I guess most other forum software is either from the time of before widespread smartphone use or it doesn't consider mobile users. With that being said, I actually don't like discourse's UI and prefer more classical forums like PHPbb.

2 more replies

lapinot2y ago

Ever tried flarum? It's my preferred option in the "modern" forum realm, still pretty lightweight (even degrades gracefully without js).

Arch-TK2y ago

For some context, I use a keyboard driven vim binding plugin for firefox to deal with the web. Discourse, aside from just being slow on older machines due to all the JS, binds half my keyboard to some nonsense. Apparently due to how firefox works, these bindings take precedence over everything else and there's no way to turn them off.

This is a frustrating web experience for anyone who uses any custom bindings in a browser and it repeats itself every time I use one of these websites.

Lastly, I have no idea why forum software needs absolutely any javascript to just render a basic page. Discourse renders as a blank page with javascript disabled, that's just extremely unnecessary.

account422y ago

> Apparently due to how firefox works, these bindings take precedence over everything else and there's no way to turn them off.

We really need a user agent that actually acts in the interest of the user.

moffkalast2y ago

Ah yes I love how email is set up so any conversation becomes indented 200 times by quoting the entire previous chain so I have to add another monitor to see the whole thing, while being a complete mishmash of styles from different mail providers.

gcoakes2y ago

That's the user and/or user agent inserting those. You can have streamlined email threads without those issues. You just don't top post.

Now, try to do encourage that behavior in a corporate environment, and you'll just get blank stares.

Nekit12340072y ago

I wish for the opposite.

cf141q53252y ago

Why?

1 more reply

kayodelycaon2y ago

Most of your typical self-hosted forums aren't much better, just more familiar.

Arch-TK2y ago

Most of your typical self-hosted forums don't have excessive amounts of javascript which override half your keyboard inputs.

mcdonje2y ago

Another tor page says ddos attacks primarily use UDP packets, which tor doesn't allow:

https://support.torproject.org/abuse/what-about-ddos/

So, is this an attack using a different method?

And what about mitigating attacks on other networks/sites that originate from tor? The site I linked only said "attackers who control enough bandwidth to launch an effective DDoS attack can do it just fine without Tor." They didn't say anything about mitigating the use of tor by attackers. And what they're saying about attacks not being possible on the network is clearly wrong.

beardog2y ago

This is for protecting against attacks against the Tor network and onion services. Not for preventing people using Tor to conduct ddos attacks on normal websites which is what your linked page discusses

DoItToMe812y ago

There have been cases of darknet markets employing enormous botnets to layer 7 DDoS their rivals, by constantly requesting data from the site through seemingly legitimate requests. Considering that Proof of Work is one of the primary things they're looking into, it's probably something similar to this.

yieldcrv2y ago

I’ve heard passing mention of people switching to i2p because they feel the design choices of the Tor project are questionable - suggesting compromise. But these were vague assertions, is there more reading or ability to substantiate this?

Levitating2y ago

I2P has been designed with "hidden services" in mind. AlphaBay, which until a few months ago was the most modern and progressive dark web market had fully moved to I2P. Stating that they saw no future in Tor, as the Tor Project refused to address major design issues even though they have heaps of money.

So far using i2p has been very nice to use and the tools are well developed. I run a node myself. The way i2p works is very interesting. Some services like Dread which provide i2p access have only been accessible via i2p in recent times due to the load on tor.

We'll have to see how i2p holds up when it inevitably takes over Tor and becomes a target of ddos itself.

https://geti2p.net/en/comparison/tor

yieldcrv2y ago

Yeah I think I saw AlphaBay’s complaint and was hoping there was an elaboration

Like is it like that Swiss encryption company that kept bricking the encryption for the CIA and employees kept noticing intentional encryption flaws and being told to work on something else?

or something else

voldacar2y ago

What was alphabay's specific complaint?

cassepipe2y ago

I was curious so I went and found this : https://geti2p.net/en/comparison/tor

shrimp_emoji2y ago

```

Benefits of I2P over Tor

...

Java, not C (ewww)

```

Excuse me?

4 more replies

basedrum2y ago

Wow, yeah I would definitely not make a decision to do something critical like that based on that kind of "evidence" lol

favflam2y ago

Has anyone tried using TOR as a replacement for Cloudflare DDOS protection? There is a single hop mode on hidden services.

LinuxBender2y ago

I've run it in NonAnonymous mode as an experiment. Not to replace a CDN for DDoS protection but to replace the CDN as a way to anonymize where the server is because people play games to try to cancel hosting accounts when they get mad about topics being discussed. When they can't control the narrative they will start emailing abuse@ making false claims and some hosting providers are lazy. From the DDoS aspect, people could send Tor to 100% CPU but the httpd server wasn't even passing 1% CPU. This was long ago however so this observation is likely outdated. early days of v3

Nobody was able to decloak the server even being in NonAnonymous mode but the bigger issue was the ability to reach the server. At least at the time not many people had a browser that could talk to .onion sites. I don't know how many people use Brave or the Tor Browser these days so maybe now it would be less of an issue now. Maybe I will try it again soon. It's easy to send people to the Tor Onion version of your site using the Onion-Location header [1] to see how many people would be able to reach the .onion side of your site.

[1] - https://community.torproject.org/onion-services/advanced/oni...

theblazehen2y ago

I've done a POC before where the main site was a tor hidden service, and I had cheap VPSs acting as a clearnet reverse proxy to it

genpfault2y ago

> There is a single hop mode on hidden services.

These[0][1][2]?

[0]: https://blog.torproject.org/whats-new-tor-0298/

[1]: https://2019.www.torproject.org/docs/tor-manual.html.en#Hidd...

[2]: https://2019.www.torproject.org/docs/tor-manual.html.en#Hidd...

favflam2y ago

Yes, this feature. It seems like a cheap way to put a bunch of servers between yourself and connecting users with built-in rate limiting.

ThrowawayTestr2y ago

Yes, kiwifarms still exists on the deep web.

yieldcrv2y ago

What are anyones thoughts on the proof of work solution? Aside from energy use

cf141q53252y ago

The problem is, that it still requires an address (be it tor or IP). Even if you run the script locally, there is still a need to communicate input and output. So people can just ddos that page.

Works great for combating human spam though. You tend to behave better if your login took half a day to get and expires quickly when not used. Plus build in cool down time after getting banned.

Lk7Of3vfJS2n2y ago

Behaving better isn't the only outcome. Another outcome is leaving the service permanently.

1 more reply

bombcar2y ago

It seems to work but mainly against later 7 ddos or similar. You still need enough endpoints that the lower layers don’t bounce you.

j / k navigate · click thread line to collapse

98 comments

cf141q53252y ago

capableweb2y ago

cf141q53252y ago

2 more replies

ThrowawayTestr2y ago

Yes, you can roll your own protection but if kiwifarms is any indication it becomes your full time job.

DoItToMe812y ago

When I checked, some of the equivalents to Cloudflare's lower plans cost hundreds of dollars a month.

1 more reply

fullspectrumdev2y ago

Yes? I haven’t used cloudflare in years now.

99.9% of the time you literally don’t need their services.

neodypsis2y ago

Yes, AWS's WAF is very good, for instance.

Spivak2y ago

If you mean "providing expensive protection services for free on a $5/mo VPC" then sure Cloudflare might be your only bet.

cf141q53252y ago

Not a question of money. If i recall, all of these are as easy to reach for governments as cloudfare itself. Especially with the threat of KYC. Would be happy to be wrong here though.

1 more reply

wbl2y ago

Who got kicked off of Cloudflare? Because both the cases I can think of weren't because of governments and were the sorts of schmucks that you really don't want hanging around.

didntcheck2y ago

1 more reply

cf141q53252y ago

Its totalitarian rot, it doesnt stop, its like a moldy fruit.

1 more reply

malikNF2y ago

poisonarena2y ago

1 more reply

nyolfen2y ago

this is the same line as the UK takes for encryption btw

kiwifarmsthrow2y ago

KiwiFarms, The Daily Stormer

Run_DOS_Run2y ago

Don't forget OVH. Their DDoS-protection is included in every server.

malikNF2y ago

At-least in my experience, OVH was the only hosting company where their network engineers spoke to me when we had a ddos problem.

patrec2y ago

If cloudflare won't touch you, chances are neither will OVH.

peterhadlaw2y ago

What do you mean every server? Pardon my ignorance, first time I am hearing about these folks.

1 more reply

TechBro86152y ago

Governments have more effective ways of deplatforming you than temporarily DDOSing your site.

gruez2y ago

Taking down a website by sending men with guns is a much worse look for them than an unpopular site succumbing to ddos attacks.

victorbjorklund2y ago

A bit dramatic right? Sure, it might be more expensive and difficult but obviously you can run your own WAF, DDOS protection etc.

cf141q53252y ago

1 more reply

malikNF2y ago

Yes you can defend on your own. But it’s going to cost you a lot of resources.

In addition to a lot of clever tricks ddos protection comes down to a simple question. Who has more resources to keep going.

_factor2y ago

TechBro86152y ago

Arch-TK2y ago

I wish people stopped using discourse.

Sending pictures of pieces of hand written paper over email would be a more user friendly and usable interface than this javascript mess.

Avamander2y ago

Nuzzerino2y ago

Source: Was on the team (but not the decision-maker) to replace a very large legacy forum with Discourse.

Arch-TK2y ago

It's weird how <insert painful and idiotic method of communicating here> gets treated as an endorsement on this website.

For reference, me saying that emailing around pictures of handwritten text would be preferable to discourse was not an endorsement of mailing around pictures of handwritten text.

Also, as a side note, mailing list deliverability sucks because mailing list maintainers are sometimes stuck in the past and think that impersonating users while modifying messages is a good idea.

But I can see how someone might dislike emails and don't think its the right solution for forums. That being said, they're still better than discourse.

List of advantages over discourse:

- Don't need a modern PC or phone to render all the javascript

- There's no mandatory (or any) javascript

- I archive the content easily, index it myself and search through it at my leisure

- The UI is as simple as I want it to be

hombre_fatal2y ago

I prefer it over every forum I’ve used, especially on mobile.

vaylian2y ago

2 more replies

lapinot2y ago

Ever tried flarum? It's my preferred option in the "modern" forum realm, still pretty lightweight (even degrades gracefully without js).

Arch-TK2y ago

This is a frustrating web experience for anyone who uses any custom bindings in a browser and it repeats itself every time I use one of these websites.

Lastly, I have no idea why forum software needs absolutely any javascript to just render a basic page. Discourse renders as a blank page with javascript disabled, that's just extremely unnecessary.

account422y ago

> Apparently due to how firefox works, these bindings take precedence over everything else and there's no way to turn them off.

We really need a user agent that actually acts in the interest of the user.

moffkalast2y ago

gcoakes2y ago

That's the user and/or user agent inserting those. You can have streamlined email threads without those issues. You just don't top post.

Now, try to do encourage that behavior in a corporate environment, and you'll just get blank stares.

Nekit12340072y ago

I wish for the opposite.

cf141q53252y ago

Why?

1 more reply

kayodelycaon2y ago

Most of your typical self-hosted forums aren't much better, just more familiar.

Arch-TK2y ago

Most of your typical self-hosted forums don't have excessive amounts of javascript which override half your keyboard inputs.

mcdonje2y ago

Another tor page says ddos attacks primarily use UDP packets, which tor doesn't allow:

https://support.torproject.org/abuse/what-about-ddos/

So, is this an attack using a different method?

beardog2y ago

DoItToMe812y ago

yieldcrv2y ago

Levitating2y ago

We'll have to see how i2p holds up when it inevitably takes over Tor and becomes a target of ddos itself.

https://geti2p.net/en/comparison/tor

yieldcrv2y ago

Yeah I think I saw AlphaBay’s complaint and was hoping there was an elaboration

Like is it like that Swiss encryption company that kept bricking the encryption for the CIA and employees kept noticing intentional encryption flaws and being told to work on something else?

or something else

voldacar2y ago

What was alphabay's specific complaint?

cassepipe2y ago

I was curious so I went and found this : https://geti2p.net/en/comparison/tor

shrimp_emoji2y ago

```

Benefits of I2P over Tor

...

Java, not C (ewww)

```

Excuse me?

4 more replies

basedrum2y ago

Wow, yeah I would definitely not make a decision to do something critical like that based on that kind of "evidence" lol

favflam2y ago

Has anyone tried using TOR as a replacement for Cloudflare DDOS protection? There is a single hop mode on hidden services.

LinuxBender2y ago

[1] - https://community.torproject.org/onion-services/advanced/oni...

theblazehen2y ago

I've done a POC before where the main site was a tor hidden service, and I had cheap VPSs acting as a clearnet reverse proxy to it

genpfault2y ago

> There is a single hop mode on hidden services.

These[0][1][2]?

[0]: https://blog.torproject.org/whats-new-tor-0298/

[1]: https://2019.www.torproject.org/docs/tor-manual.html.en#Hidd...

[2]: https://2019.www.torproject.org/docs/tor-manual.html.en#Hidd...

favflam2y ago

Yes, this feature. It seems like a cheap way to put a bunch of servers between yourself and connecting users with built-in rate limiting.

ThrowawayTestr2y ago

Yes, kiwifarms still exists on the deep web.

yieldcrv2y ago

What are anyones thoughts on the proof of work solution? Aside from energy use

cf141q53252y ago

The problem is, that it still requires an address (be it tor or IP). Even if you run the script locally, there is still a need to communicate input and output. So people can just ddos that page.

Works great for combating human spam though. You tend to behave better if your login took half a day to get and expires quickly when not used. Plus build in cool down time after getting banned.

Lk7Of3vfJS2n2y ago

Behaving better isn't the only outcome. Another outcome is leaving the service permanently.

1 more reply

bombcar2y ago

It seems to work but mainly against later 7 ddos or similar. You still need enough endpoints that the lower layers don’t bounce you.

j / k navigate · click thread line to collapse