Some services of the Tor network – the best known in the deep web – have been unavailable or unstable in recent years due to a complex problem: denial of service attacks (DDoS, in the acronym in English). To mitigate them, the Tor Project proposed some defense measures, with emphasis on a token system.
A denial of service attack is one that causes a server to receive more simultaneous requests than it is capable of handling. It is as if an army of “zombie computers” were trying to access a particular website, all at the same time.
There are defense techniques. One is to analyze patterns that identify invalid traffic to block or divert these accesses. The problem is that the anonymous nature of the Tor network – whose pages end in .onion – makes this job extremely difficult, if not impossible.
In a simplified way, here’s what happens: the site that is the target of the attack receives hundreds or thousands of simultaneous requests from small messages that require a lot of service resources to be served; as the requests are very numerous, the server is overloaded and, consequently, unstable.
As itself Tor Project explains on his blog, “In today’s onion services, each request is indistinguishable from the others (after all, this is a system of anonymity), so the only strategy available is to treat each one equally”.
What to do then to prevent malicious requests from being blocked without affecting legitimate requests? There is no easy solution. DDoS attacks can be orchestrated in several ways.
In mid-2019, the Tor Project even fixed a flaw in its protocol that, for years, allowed DDoS attacks on .onion sites. However, this bug was only one of the ways explored. Attacks continue to be carried out using other approaches.
A definitive solution would require profound changes to the Tor network, which is not feasible, at least in the short term. That is where the proposal of the token, which would act as a kind of ticket that would prove that the request received is legitimate, that is, it comes from a real user.
A token can be any type of information capable of validating an access: IP address, cell phone number, e-mail and so on. The problem is that the already mentioned anonymous nature of the deep web makes the use of these types of data meaningless.
But there are other approaches that can be tried. The Tor Project team suggests implementing a CAPTCHA service that would reward users with anonymous tokens. Type systems are not foolproof, but even if attackers obtain tokens by this means, they are unlikely to have enough tokens for an effective attack.
Another suggested approach is the use of a proof of workbasically an algorithm that validates a request when a problem (like a quick puzzle) is solved. This system could be implemented alone or in conjunction with the CAPTCHA system.
These ideas were presented so that the community around the Tor network sees that there are ways to combat DDoS attacks, even if no solution is perfect. The subject is still being studied, but in the end, each case is different: the adoption or not of the ideas will be the responsibility of those responsible for each .onion page.
With information: Bleeping Computer.