Since late last October, onion service operators have been on the receiving end of numerous DoS and DDoS attacks, both against their onion services on the deep web and against their clearnet websites.
The DoS and DDoS attacks have generally alternated between the deep web and the clearnet over the span of a couple of days, and as things stand now, the motivation behind them is anyone’s guess.
Definition of Terms
DoS means Denial of Service. Typically, a DoS attack involves the flooding of a server or network with traffic from a single device as a way of drastically crippling the website and making it unable to serve legitimate traffic.
Depending on the magnitude of the attack and the capabilities of the server or network, the flooding often gets too overwhelming and forces the website to go offline for a period ranging from a few hours to months.
DDoS stands for Distributed Denial of Service. Like a DoS attack, it seeks to cripple the target’s server by sending it tons of traffic.
Unlike DoS, however, DDoS deploys many devices from all over the internet, usually infected with malware for that exact purpose, to launch the attack against the targeted server or network.
As such, they can be quite a headache to handle for onion service operators.
Attacks Utilize Onion Services’ Only Weakness
When carried out properly, DoS and DDoS attacks are very effective ways to bring down a victim’s server and consequently disrupt their services or halt their operations for a period of time.
Ironically, it is much easier to block DDoS and DoS attacks on clearnet websites than it is for onion services to mitigate them.
This is because on clearnet websites one can see individual connection information such as IP addresses and geographic locations, single out the offending connections, drop them and prevent them from reconnecting.
For onion services, however, this is a luxury they cannot afford.
Simply put, the very design of onion services, which keeps them from seeing individual connection information, becomes a flaw when it comes to mitigating DDoS and DoS attacks, because it is impossible to single out an IP address or a geographic location.
The server sees only one connection, and blocking it means blocking out everybody else using it, which is exactly what the attackers want anyway.
How Can Onion Servers Prevent/Deal with DDoS and DoS Attacks?
Since DoS and DDoS attacks rely on overwhelming both your network’s resources and your server’s capabilities, upgrading both will significantly reduce the impact of resource-exhausting DDoS and DoS attacks.
DDoS attacks in particular seem to target the network bandwidth of onion services more than anything else.
As a result, there are hardly any performance tweaks that can reduce the impact of a DDoS attack aimed mainly at saturating the network link.
Onion services can, however, adopt a number of safety and counter-measures to ensure that they survive DDoS and DoS attacks.
1. Constantly Update Your System
Getting on the mailing list for services such as Tor is important for onion service operators.
This is because recent upgrades often address some of the biggest vulnerabilities in the onion router, and you are on the safer side if you get the upgrades as soon as possible.
Tor’s most recent release, 0.2.8.9, for example, came as a relief for many users, as it fixed a crucial weakness that was being exploited by remote attackers.
2. Upgrade Your Software as Well
Most onion service operators fail to see the simple yet vital importance of upgrading the software their service runs on.
A powerful server can only do so much to withstand heavy influxes of traffic, but improving the software as well helps mitigate heavy DDoS attacks.
Some of the recommended upgrades include moving from Apache to Nginx, and from the much slower PHP 5.6 to PHP 7, in order to triple server response capacity while reducing memory usage.
3. Monitor Your Information Logs
Logs help you identify deficiencies with pinpoint accuracy and provide insight into the configuration changes that can make things run a bit more smoothly.
In the event of a DoS or DDoS attack, onion service operators should also avoid piling on to the problem with rate limiting or code-level solutions, as these often end up bringing the server down themselves.
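Because every request reaching an onion service’s web server arrives from the local Tor daemon rather than from the real client, log monitoring has to work without client addresses. As an added example that is not part of the original article, the script below aggregates Nginx access-log lines by second, requested path and user agent to show the shape of a flood; the log lines are constructed, and the 127.0.0.1 address assumes the onion service forwards to a web server on the same host.

```python
import re
from collections import Counter
from datetime import datetime

# Nginx "combined" log format. Behind an onion service the client address is
# always the local Tor daemon (assumed here to be 127.0.0.1), so the useful
# signals are request rate, path and user agent rather than the address.
LOG_RE = re.compile(
    r'(?P<addr>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: a burst of identical requests in one second, then two
# ordinary page views in the next.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Nov/2016:10:00:01 +0000] "GET /search?q=x HTTP/1.1" 200 512 "-" "python-requests/2.11"',
] * 6 + [
    '127.0.0.1 - - [10/Nov/2016:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Nov/2016:10:00:02 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flood_report(lines, threshold_per_sec=50):
    """Summarise request volume per second and the paths/agents driving it."""
    per_second, paths, agents = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the report
        per_second[rec["ts"]] += 1
        paths[rec["path"]] += 1
        agents[rec["ua"]] += 1
    flood_seconds = sorted(t for t, n in per_second.items() if n >= threshold_per_sec)
    return {
        "peak_rps": max(per_second.values(), default=0),
        "flood_seconds": flood_seconds,
        "top_paths": paths.most_common(3),
        "top_agents": agents.most_common(3),
    }

if __name__ == "__main__":
    print(flood_report(SAMPLE_LOG, threshold_per_sec=5))
```

The threshold is deliberately low for the constructed sample; on a real service it should be set from the baseline request rate seen in the logs outside of attacks.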
4. Tor Limits Bandwidth During the First Few Months
When an onion service is first introduced to Tor, its traffic is ramped up gradually over time, meaning that it may take a while before your network usage picks up speed.
Using anti-bot repellents is one effective way for operators to speed up the process and enjoy full network usage sooner.
To summarize, the best an onion service operator can do to mitigate DDoS and DoS attacks is to improve the service in anticipation of an attack, so that it can absorb as much of the influx of traffic as possible without shutting down operations.