The Tor Project is finally going to release a fix for a bug that has been plaguing Onion sites for years, making them vulnerable to distributed denial of service (DDoS) attacks.
The bug is a DDoS issue that causes the Onion service (running on a server that hosts the website) to crash.
How does the DDoS bug attack .onion sites?
While launching a DDoS attack on the targeted site, the attacker initiates thousands of connections to the website and leaves those connections hanging.
But for each connection, the Onion service routes through a complex circuit in the Tor network to keep the connection secure between the server and remote user.
Building each of these circuits is CPU-intensive, so whenever the site is bombarded with a huge number of connections, the server’s processor reaches its limit and cannot accept new connections.
Why not fix it earlier?
The bug in question is an old one and Tor developers have been aware of it for years. However, they were unable to fix it due to a lack of manpower.
That’s not all. The bug in itself is a tricky one as it exploits the very process which is necessary to establish a genuine user’s connection.
In the Tor network, there is no way to identify if the incoming connection requests are from a genuine user or an attacker until the connection is established — but at this point, it’s too late to recover.
Series of DDoS attacks on sites on Dark Web
The DDoS vulnerability in Onion sites has plagued several dark web portals for years. It began with attacks on legitimate sites, but in recent months, dark web marketplaces that sell illegal products have been hit by such attacks.
These sites sell drugs, weapons, malware, and hacked user data on the dark web. One such example is the DDoS attack launched in March 2019 on Dream Market (a marketplace for illegal funds).
Dream Market was bombarded with DDoS attacks for months and the attackers demanded $400,000 worth of Bitcoin to stop it. However, Dream Market operators chose to shut down the website instead.
The same happened to other dark web markets such as Empire Market, Nightmare Market, and other smaller sites like Dread forum.
DDoS attack tool for Tor has existed on GitHub for years
Four years ago, a tool named Stinger-Tor was uploaded to GitHub that allows anyone to launch a DDoS attack on the Tor network just by running a Python script.
There are other groups in underground forums that sell similar Tor DDoS tools that leverage the same vulnerability.
Someone just selling Tor DoS exploit on the Dark Web forum. pic.twitter.com/2WrXI4EPK8
— Sh1ttyKids (してぃーきっず) (@Sh1ttyKids) June 30, 2019
A fix is on the way
As discussed above, due to a lack of resources, the Tor Project hasn’t been able to fix this vulnerability, but now it seems that it has received enough donations to proceed.
The vulnerability list now shows a “sponsor” status.
Note that the upcoming patch won’t fix the bug completely, because a complete fix would end up destroying some of the main privacy and security features in Tor. Nevertheless, this fix will make DDoS attacks less effective.
Besides this, there will be a new option that .onion site operators can use to enable defenses for their sites. When it is enabled, Tor users will still be able to access sites that are under attack, but it will take longer to establish the connection.
But at least the sites will continue to work, which is better than being offline for days or weeks.