[HN Gopher] Tor's history of D/DoS attacks and future strategies... ___________________________________________________________________ Tor's history of D/DoS attacks and future strategies for mitigation Author : jerheinze Score : 122 points Date : 2023-07-06 13:58 UTC (9 hours ago) web link (forum.torproject.org) | favflam wrote: | Has anyone tried using TOR as a replacement for Cloudflare DDoS | protection? There is a single hop mode on hidden services. | genpfault wrote: | > There is a single hop mode on hidden services. | | These[0][1][2]? | | [0]: https://blog.torproject.org/whats-new-tor-0298/ | | [1]: https://2019.www.torproject.org/docs/tor- | manual.html.en#Hidd... | | [2]: https://2019.www.torproject.org/docs/tor- | manual.html.en#Hidd... | Arch-TK wrote: | I wish people stopped using Discourse. | | Sending pictures of pieces of handwritten paper over email would | be a more user-friendly and usable interface than this JavaScript | mess. | kayodelycaon wrote: | Most of your typical self-hosted forums aren't much better, | just more familiar. | moffkalast wrote: | Ah yes, I love how email is set up so any conversation becomes | indented 200 times by quoting the entire previous chain, so I | have to add another monitor to see the whole thing, while being | a complete mishmash of styles from different mail providers. | Avamander wrote: | Absolutely not. Most mailing lists are run horribly. With | horrible deliverability, security ("don't use an important | password here"-clownery plus no SRS, ARC or DKIM) and a | plethora of MUA idiocy sprinkled on top. Not to mention way | obsolete opinions such as "no HTML at all" or "40kB maximum". | | Discourse is one of the nicest-to-use forum platforms. Works on | phones, has normal notifications, proper markdown, a nice | mention-subscription-quote system, nice plugins (such as the | abbreviation explainer) and it's not an eyesore. 
| Nuzzerino wrote: | Jeff Atwood is one of the co-founders of Discourse and | probably knows what he is doing. Compared to much of the | legacy forum software, it's a big upgrade. His team also, in | my experience, has offered very good support for corporate | customers. | | Source: Was on the team (but not the decision-maker) to | replace a very large legacy forum with Discourse. | Nekit1234007 wrote: | I wish for the opposite. | cf141q5325 wrote: | Why? | Nekit1234007 wrote: | I don't have many strong points; it mostly feels nice to | use, be it browsing or participating. | | But to name a couple of points: it's indexable by search | engines (compared to a certain similarly named popular | "alternative"); robust topic tracking system: I know | exactly where I left each topic off. | hombre_fatal wrote: | I prefer it over every forum I've used, especially on mobile. | lapinot wrote: | Ever tried Flarum? It's my preferred option in the "modern" | forum realm, still pretty lightweight (it even degrades | gracefully without JS). | vaylian wrote: | One of the design goals of Discourse was that it should work | well on mobile phones. I guess most other forum software is | either from the time before widespread smartphone use or | it doesn't consider mobile users. With that being said, I | actually don't like Discourse's UI and prefer more classical | forums like PHPbb. | shrimp_emoji wrote: | Working well on crappy toy devices = working shittily on | actual computers. | | Smart watches should have taken off, so everything could | have been made postage-stamp-sized to work well on them and | become completely unusable on a screen larger than your | hand. | simias wrote: | Discourse goes a bit overboard with the JavaScript and all | the bells and whistles, but I don't understand how anybody | could prefer PHPbb over it, other than familiarity. That | being said, I always found PHPbb abysmal to use, even in the | early 2000s, so clearly I'm biased. 
| | My main issue with Discourse is that I prefer HN/Reddit- | like threading for replies rather than linear comments, but | PHPbb does the same and there are pros and cons for both | formats anyway. | timeon wrote: | > even in the early 2000s | | Those signatures loaded with images and longer than the | actual content were pretty bad. | Dalewyn wrote: | You could turn them off, you know. | | Yes, 20 years ago we were able to customize software for | use. Mindblowing, I know. | yieldcrv wrote: | What are anyone's thoughts on the proof of work solution? Aside | from energy use. | cf141q5325 wrote: | The problem is that it still requires an address (be it Tor or | IP). Even if you run the script locally, there is still a need | to communicate input and output. So people can just DDoS that | page. | | Works great for combating human spam though. You tend to behave | better if your login took half a day to get and expires quickly | when not used. Plus built-in cool-down time after getting | banned. | Lk7Of3vfJS2n wrote: | Behaving better isn't the only outcome. Another outcome is | leaving the service permanently. | bombcar wrote: | It seems to work, but mainly against layer 7 DDoS or similar. | You still need enough endpoints that the lower layers don't | bounce you. | _factor wrote: | These are likely nation state actors who have the ability to fund | these attacks. I wouldn't be surprised if they're using advanced | techniques to slow down the network and track the routes as they | traverse. I would be wary of anonymity while using Tor during one | of these attacks. | mcdonje wrote: | Another Tor page says DDoS attacks primarily use UDP packets, | which Tor doesn't allow: | | https://support.torproject.org/abuse/what-about-ddos/ | | So, is this an attack using a different method? | | And what about mitigating attacks on other networks/sites that | originate from Tor? 
The site I linked only said "attackers who | control enough bandwidth to launch an effective DDoS attack can | do it just fine without Tor." They didn't say anything about | mitigating the use of Tor by attackers. And what they're saying | about attacks not being possible on the network is clearly wrong. | beardog wrote: | This is for protecting against attacks against the Tor network | and onion services. Not for preventing people using Tor to | conduct DDoS attacks on normal websites, which is what your | linked page discusses. | yieldcrv wrote: | I've heard passing mention of people switching to I2P because | they feel the design choices of the Tor project are questionable | - suggesting compromise. But these were vague assertions; is | there more reading or ability to substantiate this? | Levitating wrote: | I2P has been designed with "hidden services" in mind. AlphaBay, | which until a few months ago was the most modern and | progressive dark web market, had fully moved to I2P, stating | that they saw no future in Tor, as the Tor Project refused to | address major design issues even though they have heaps of | money. | | So far I2P has been very nice to use and the tools are | well developed. I run a node myself. The way I2P works is very | interesting. Some services like Dread which provide I2P access | have only been accessible via I2P in recent times due to the | load on Tor. | | We'll have to see how I2P holds up when it inevitably takes | over Tor and becomes a target of DDoS itself. | | https://geti2p.net/en/comparison/tor | yieldcrv wrote: | Yeah, I think I saw AlphaBay's complaint and was hoping there | was an elaboration. | | Like, is it like that Swiss encryption company that kept | bricking the encryption for the CIA, and employees kept | noticing intentional encryption flaws and being told to work | on something else? 
| | Or something else? | cassepipe wrote: | I was curious so I went and found this: | https://geti2p.net/en/comparison/tor | shrimp_emoji wrote: | ``` | | Benefits of I2P over Tor | | ... | | Java, not C (ewww) | | ``` | | _Excuse_ me? | ravenstine wrote: | If you really dislike Java that much, there are other I2P | implementations like this: | | https://github.com/PurpleI2P/i2pd | gloria_mundi wrote: | On the same site: | | > Benefits of Tor over I2P | | > ... | | > - C, not Java (ewww) | | It's a joke. | owenmarshall wrote: | I feel like "written in a memory-safe language" is a fair | selling point, _especially_ when we are talking about a | tool designed to accept completely untrusted data from the | network and keep you safe from attackers with significant | resources. | chasil wrote: | All of the "boring crypto" has been written in C. | | https://cr.yp.to/talks/2015.10.05/slides- | djb-20151005-a4.pdf | | Unfortunately, Java encryption libraries are far from | boring. | | https://www.bleepingcomputer.com/news/security/bouncy- | castle... | | https://www.cvedetails.com/vulnerability- | list/vendor_id-7637... | Avamander wrote: | People have done a lot of things; the track record so far | has shown that to be a terrible idea. | cf141q5325 wrote: | I think it's worth mentioning that DDoS protection has become a | tool to control online discourse. Once you get kicked off | Cloudflare, that's mostly it for you if you have a determined | attacker. That's quite a beneficial situation for governments. | capableweb wrote: | Have you actually run any sort of web service/website without | Cloudflare? This sounds like something straight out of a sales | rep's mouth; obviously there are more solutions than just | Cloudflare out there... | cf141q5325 wrote: | I don't think you appreciate the threat scenario discussed | here if you think it's reasonable to ask for personal | experience. Leaves me to wonder if I am supposed to deny | having committed any crimes while we are at it? 
| | Still, thank you for the response; it gives me the ability to | clarify that this is by no means an advertisement. You have | of course endless options for DDoS mitigation right now. But | once Cloudflare no longer wants you, your other options have | a tendency to evaporate as well. | Spivak wrote: | It really isn't that dire. AWS has Shield (or really just | CloudFront), GCP has Cloud Armor, Azure has "Azure DDoS | Protection", everything on Digital Ocean is protected by | default. And if you're on-prem or colo, then even a modestly | sized edge router can handle quite a bit of traffic. And if all | you want is the CDN part and not origin protection, then every | commercial CDN does DDoS protection. | | If you mean "providing expensive protection services for free | on a $5/mo VPC" then sure, Cloudflare might be your only bet. | cf141q5325 wrote: | Not a question of money. If I recall, all of these are as | easy to reach for governments as Cloudflare itself. Especially | with the threat of KYC. Would be happy to be wrong here | though. | swores wrote: | "If a government decides they want you offline" is quite a | big difference from the original "Once you get kicked off | Cloudflare, that's mostly it for you". | cf141q5325 wrote: | Initial post was about controlling public discourse. | That's something where the attackers are governments. | Sorry if the wording was misleading. | anamexis wrote: | How is DDoS protection the issue then? Isn't the issue | just DDoS? | cf141q5325 wrote: | Somebody else asked this but deleted before I could | respond, so I am glad you asked. | | Centralized DDoS protection and DDoS seem to be two sides | of the same coin, so I don't understand what the | distinction would entail. | | edit: You could argue that DDoS is an equal opportunity | tool, while the threat of getting kicked off Cloudflare | is reserved for a selected few. So the difference would | be which is more at threat of getting exploited. Hope | that helps. 
| wbl wrote: | Who got kicked off of Cloudflare? Because both the cases I can | think of weren't because of governments and were the sorts of | schmucks that you really don't want hanging around. | nyolfen wrote: | This is the same line as the UK takes for encryption, btw. | malikNF wrote: | Remember when Google was one of the "not evil" companies? | When it comes to internet companies we have gotten burned so | many times it's good to keep a healthy dose of skepticism | when it comes to a company that potentially decides if you | are able to survive on the internet. | cf141q5325 wrote: | It was a generic statement about a path to get rid of | unwanted public discourse. The problem is that paths that | exist get taken. Examples of who that happened to already and | your opinion of who deserves what are not the point. | | It's totalitarian rot, it doesn't stop, it's like a moldy fruit. | kiwifarmsthrow wrote: | KiwiFarms, The Daily Stormer | Run_DOS_Run wrote: | Don't forget OVH. Their DDoS protection is included in every | server. | malikNF wrote: | At least in my experience, OVH was the only hosting company | where their network engineers spoke to me when we had a DDoS | problem. | | Had a situation where one of my servers was getting DDoSed. We | tried multiple providers, both cloud and dedicated, but the | attack was not getting stopped by anyone; the customer | service was useless at most other places: it's either we get | null-routed, or hours of back and forth with customer service | without any solution. | | We moved our servers to OVH; the customer service rep directed | us to an engineer within a few minutes. I remember we had to | send a few packet captures during an attack to one of their | network engineers and, not only did they block the attack in | a few hours, the engineer in charge explained exactly what | happened. It was such a nice learning experience that that one | interaction with them will always make me recommend them. 
| peterhadlaw wrote: | What do you mean every server? Pardon my ignorance, first | time I am hearing about these folks. | tw04 wrote: | OVH is a hosting provider; you rent physical or virtual | servers from them for a monthly fee. They protect their | entire network with DDoS mitigation. | | https://www.ovhcloud.com/en/security/anti-ddos/ddos- | attack-m... | patrec wrote: | If Cloudflare won't touch you, chances are neither will OVH. | TechBro8615 wrote: | Governments have more effective ways of deplatforming you than | temporarily DDoSing your site. | victorbjorklund wrote: | A bit dramatic, right? Sure, it might be more expensive and | difficult, but obviously you can run your own WAF, DDoS | protection etc. | cf141q5325 wrote: | There are quite a few options, but from what could be heard | through the grapevine with Kiwifarms, most turn out to be | theoretical once attackers are motivated enough. Think about | them what you will, they make a great canary. | malikNF wrote: | Yes, you can defend on your own. But it's going to cost you a | lot of resources. | | In addition to a lot of clever tricks, DDoS protection comes | down to a simple question: who has more resources to keep | going. ___________________________________________________________________
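Editor's note on favflam's opening question about "single hop mode on hidden services" and the manual links genpfault posted. The added example below is not from the thread or from the Tor project; it checks a torrc against the constraints the tor(1) manual documents for a single onion service: HiddenServiceSingleHopMode 1 requires HiddenServiceNonAnonymousMode 1, a non-anonymous instance must not expose client ports (SocksPort 0; tor's default when the line is absent is 9050), and the manual warns that a HiddenServiceDir once used in single-hop mode must never be reused for an anonymous onion service. The option names are real; the two torrc samples are constructed for this example, and the "weak" one is exactly what you get by taking the thread's one-line description literally. The point for the DDoS question: single-hop mode trades the service's location anonymity for shorter circuits, so it is only an option when you do not need to hide where the server is.

```python
"""Lint a torrc for the single onion service constraints in the tor(1) manual.
Added example for this thread; not Tor project code."""
from typing import Dict, List

# Constructed sample: the thread's one-line description taken literally.
# Missing NonAnonymousMode makes tor refuse to start, and the implicit
# SocksPort 9050 would turn a non-anonymous instance into a client as well.
TORRC_WEAK = """\
HiddenServiceDir /var/lib/tor/single_onion
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceSingleHopMode 1
"""

# Constructed sample: what the manual actually requires. This instance must
# never be used as a Tor client, and this HiddenServiceDir must never later
# be reused for an anonymous onion service (manual warning).
TORRC_CORRECT = """\
HiddenServiceDir /var/lib/tor/single_onion
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
SocksPort 0
"""


def parse_torrc(text: str) -> Dict[str, List[str]]:
    """Map lowercased option name -> list of values, in file order.

    tor option names are case-insensitive; an option may repeat (SocksPort),
    so every value is kept. '#' starts a comment."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        opts.setdefault(name.lower(), []).append(value.strip())
    return opts


def check_single_hop(text: str) -> List[str]:
    """Return the list of constraint violations; an empty list means consistent."""
    opts = parse_torrc(text)
    # tor uses the last occurrence of a single-valued option.
    single_hop = opts.get("hiddenservicesinglehopmode", ["0"])[-1] == "1"
    non_anon = opts.get("hiddenservicenonanonymousmode", ["0"])[-1] == "1"
    # No SocksPort line means the default client port 9050 is open.
    socks = opts.get("socksport", ["9050"])

    problems: List[str] = []
    if single_hop and not non_anon:
        problems.append(
            "HiddenServiceSingleHopMode 1 requires HiddenServiceNonAnonymousMode 1")
    if non_anon and not single_hop:
        problems.append(
            "HiddenServiceNonAnonymousMode 1 is only valid together with "
            "HiddenServiceSingleHopMode 1 (tor refuses to start otherwise)")
    if (single_hop or non_anon) and socks != ["0"]:
        problems.append(
            "single onion services require SocksPort 0: client traffic from a "
            "non-anonymous instance would not be anonymous")
    return problems


if __name__ == "__main__":
    for label, torrc in (("weak", TORRC_WEAK), ("correct", TORRC_CORRECT)):
        print(label, check_single_hop(torrc) or "ok")
```

Run the file to see the weak sample flagged twice and the corrected one pass; the check is deliberately limited to what the manual states, so it says nothing about whether single-hop mode is a good idea for a given service.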
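Editor's note on yieldcrv's question about "the proof of work solution" and the replies from cf141q5325 (the challenge endpoint still has an address) and bombcar (it helps against layer 7 floods). The added example below is a generic hashcash-style client puzzle written for this page; it is not the thread's code and not the puzzle Tor itself adopted for onion services, only an illustration of the property the replies are arguing about. The server issues an HMAC-authenticated challenge (so it stays stateless until a solution is accepted), the client must find a nonce whose SHA-256 has a given number of leading zero bits, and the server verifies with one hash plus an expiry and a replay check. The secret, the seed parameter and the timestamps are constructed for the example; the `seed` argument exists only to make the run deterministic. The asymmetry is the whole mitigation: a flood of requests that each carry no valid solution costs the server one hash each, while every real client pays roughly 2**difficulty hashes. What it does not do is hide the endpoint or absorb a bandwidth flood, which is cf141q5325's point.

```python
"""Hashcash-style client puzzle: cheap to issue and verify, tunable cost to solve.
Added example for this thread; not the Tor project's onion-service PoW design."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Set, Tuple

Challenge = Tuple[bytes, int, int, bytes]  # (seed, expiry, difficulty, tag)


def leading_zero_bits(digest: bytes) -> int:
    """Leading zero bits of a digest: the unit of 'work' for the puzzle."""
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def puzzle_hash(seed: bytes, nonce: int) -> bytes:
    return hashlib.sha256(seed + struct.pack(">Q", nonce)).digest()


class PowServer:
    """Issues authenticated challenges; verifies solutions with one hash."""

    def __init__(self, secret: bytes, difficulty: int, ttl: int = 60):
        self.secret = secret          # constructed for the example; keep random in practice
        self.difficulty = difficulty  # raise under load, lower when the flood subsides
        self.ttl = ttl                # seconds a challenge stays valid
        self.seen: Set[Tuple[bytes, int]] = set()  # accepted (seed, nonce) pairs

    def _tag(self, seed: bytes, expiry: int, difficulty: int) -> bytes:
        # Binding difficulty and expiry into the tag stops a client from
        # downgrading the puzzle or extending its lifetime.
        msg = seed + struct.pack(">QH", expiry, difficulty)
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def issue(self, now: Optional[int] = None, seed: Optional[bytes] = None) -> Challenge:
        """`seed`/`now` are parameters only so the example is deterministic."""
        seed = seed if seed is not None else os.urandom(16)
        expiry = int(now if now is not None else time.time()) + self.ttl
        return (seed, expiry, self.difficulty, self._tag(seed, expiry, self.difficulty))

    def verify(self, challenge: Challenge, nonce: int,
               now: Optional[int] = None) -> Tuple[bool, str]:
        seed, expiry, difficulty, tag = challenge
        now = int(now if now is not None else time.time())
        # 1. Only challenges we issued, unmodified, are accepted.
        if not hmac.compare_digest(tag, self._tag(seed, expiry, difficulty)):
            return False, "bad tag"
        # 2. Short lifetime: precomputed solutions age out.
        if now > expiry:
            return False, "expired"
        # 3. One solution buys exactly one admission.
        if (seed, nonce) in self.seen:
            return False, "replay"
        # 4. One hash checks work the client paid ~2**difficulty hashes for.
        if leading_zero_bits(puzzle_hash(seed, nonce)) < difficulty:
            return False, "insufficient work"
        self.seen.add((seed, nonce))
        return True, "ok"


def solve(challenge: Challenge) -> int:
    """Client side: brute-force the nonce. Expected cost is 2**difficulty hashes."""
    seed, _, difficulty, _ = challenge
    nonce = 0
    while leading_zero_bits(puzzle_hash(seed, nonce)) < difficulty:
        nonce += 1
    return nonce


if __name__ == "__main__":
    server = PowServer(os.urandom(32), difficulty=18)
    ch = server.issue()
    t0 = time.perf_counter()
    nonce = solve(ch)
    t_solve = time.perf_counter() - t0
    t0 = time.perf_counter()
    result = server.verify(ch, nonce)
    t_verify = time.perf_counter() - t0
    print(f"solve {t_solve:.3f}s, verify {t_verify * 1e6:.0f}us -> {result}")
```

Running the file prints the solve/verify timings for difficulty 18; the ratio between them is the protection, and a production deployment would tune `difficulty` per client reputation and per current load rather than fix it at construction time.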