[HN Gopher] Tor's history of D/DoS attacks and future strategies...
___________________________________________________________________
Tor's history of D/DoS attacks and future strategies for mitigation
Author : jerheinze
Score : 122 points
Date : 2023-07-06 13:58 UTC (9 hours ago)
(HTM) web link (forum.torproject.org)
(TXT) w3m dump (forum.torproject.org)
| favflam wrote:
| Has anyone tried using TOR as a replacement for Cloudflare DDOS
| protection? There is a single hop mode on hidden services.
| ThreeHopsAhead wrote:
| [dead]
| genpfault wrote:
| > There is a single hop mode on hidden services.
|
| These[0][1][2]?
|
| [0]: https://blog.torproject.org/whats-new-tor-0298/
|
| [1]: https://2019.www.torproject.org/docs/tor-manual.html.en#Hidd...
|
| [2]: https://2019.www.torproject.org/docs/tor-manual.html.en#Hidd...
| Arch-TK wrote:
| I wish people stopped using discourse.
|
| Sending pictures of pieces of handwritten paper over email would
| be a more user-friendly and usable interface than this javascript
| mess.
| kayodelycaon wrote:
| Most of your typical self-hosted forums aren't much better,
| just more familiar.
| moffkalast wrote:
| Ah yes I love how email is set up so any conversation becomes
| indented 200 times by quoting the entire previous chain so I
| have to add another monitor to see the whole thing, while being
| a complete mishmash of styles from different mail providers.
| Avamander wrote:
| Absolutely not. Most mailing lists are run horribly. With
| horrible deliverability, security ("don't use an important
| password here"-clownery plus no SRS, ARC or DKIM) and a
| plethora of MUA idiocy sprinkled on top. Not to mention way
| obsolete opinions such as "no HTML at all" or "40kB maximum".
|
| Discourse is one of the nicest-to-use forum platforms. Works on
| phones, has normal notifications, proper markdown, a nice
| mention-subscription-quote system, nice plugins (such as an
| abbreviation explainer) and it's not an eyesore.
| Nuzzerino wrote:
| Jeff Atwood is one of the co-founders of Discourse and
| probably knows what he is doing. Compared to much of the
| legacy forum software, it's a big upgrade. His team also, in
| my experience, has offered very good support for corporate
| customers.
|
| Source: Was on the team (but not the decision-maker) to
| replace a very large legacy forum with Discourse.
| zokula wrote:
| [dead]
| Nekit1234007 wrote:
| I wish for the opposite.
| cf141q5325 wrote:
| Why?
| Nekit1234007 wrote:
| I don't have many strong points, it mostly feels nice to
| use, be it browsing or participating.
|
| But to name a couple of points: it's indexable by search
| engines (compared to a certain similarly named popular
| "alternative"); robust topic tracking system: I know
| exactly where I left each topic off.
| hombre_fatal wrote:
| I prefer it over every forum I've used, especially on mobile.
| lapinot wrote:
| Ever tried flarum? It's my preferred option in the "modern"
| forum realm, still pretty lightweight (even degrades
| gracefully without js).
| vaylian wrote:
| One of the design goals of Discourse was that it should work
| well on mobile phones. I guess most other forum software is
| either from the time before widespread smartphone use or
| it doesn't consider mobile users. With that being said, I
| actually don't like Discourse's UI and prefer more classical
| forums like PHPbb.
| shrimp_emoji wrote:
| Working well on crappy toy devices = working shittily on
| actual computers
|
| Smart watches should have taken off, so everything could
| have been made post stamp-sized to work well on them and
| become completely unusable on a screen larger than your
| hand.
| simias wrote:
| Discourse goes a bit overboard with the javascript and all
| the bells and whistles, but I don't understand how anybody
| could prefer PHPbb over it, other than familiarity. That
| being said, I always found PHPbb abysmal to use, even in the
| early 2000s, so clearly I'm biased.
|
| My main issue with Discourse is that I prefer HN/Reddit-
| like threading for replies rather than linear comments, but
| PHPbb does the same and there are pros and cons for both
| formats anyway.
| timeon wrote:
| > even in the early 2000s
|
| Those signatures loaded with images and longer than
| actual content were pretty bad.
| Dalewyn wrote:
| You could turn them off, you know.
|
| Yes, 20 years ago we were able to customize software for
| use. Mindblowing, I know.
| yieldcrv wrote:
| What are anyone's thoughts on the proof-of-work solution? Aside
| from energy use?
| cf141q5325 wrote:
| The problem is that it still requires an address (be it Tor or
| IP). Even if you run the script locally, there is still a need
| to communicate input and output. So people can just DDoS that
| page.
|
| Works great for combating human spam though. You tend to behave
| better if your login took half a day to get and expires quickly
| when not used. Plus a built-in cool-down time after getting
| banned.
| Lk7Of3vfJS2n wrote:
| Behaving better isn't the only outcome. Another outcome is
| leaving the service permanently.
| bombcar wrote:
| It seems to work, but mainly against layer 7 DDoS or similar.
| You still need enough endpoints that the lower layers don't
| bounce you.
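The proof-of-work discussion above, as an added worked example that is not code from the thread or from the Tor Project: a generic hashcash-style gate over SHA-256 (an assumption for illustration; Tor's actual puzzle and parameters are not described on this page). The server hands out a random challenge, the client brute-forces a nonce whose digest has enough leading zero bits, and the server verifies with a single hash. Requests are then queued by the effort they actually prove, so a flood of zero-effort requests is starved before anyone who did the work. The `PowGate` class, the `demo` scenario and the challenge bytes are constructed for this example.

```python
"""Hashcash-style proof-of-work gate (constructed example, not Tor's implementation).

Server hands out a random challenge; the client burns CPU finding a nonce whose
SHA-256 digest has at least `difficulty_bits` leading zero bits; the server
checks the answer with a single hash. Requests are then served in order of the
effort actually proven, so a flood of zero-effort requests is starved first.
"""
import hashlib
import heapq
import os
from typing import List, Optional, Tuple

NONCE_LEN = 8  # nonce is encoded as an 8-byte big-endian integer


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (the hashcash difficulty measure)."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
        else:
            count += 8 - byte.bit_length()
            break
    return count


def effort_of(challenge: bytes, nonce: int) -> int:
    """Effort a (challenge, nonce) pair proves: leading zero bits of its digest."""
    digest = hashlib.sha256(challenge + nonce.to_bytes(NONCE_LEN, "big")).digest()
    return leading_zero_bits(digest)


def issue_challenge(fixed: Optional[bytes] = None) -> bytes:
    """Server side: a fresh unpredictable challenge so solutions cannot be
    precomputed. `fixed` exists only to make examples and tests deterministic."""
    return fixed if fixed is not None else os.urandom(16)


def solve(challenge: bytes, difficulty_bits: int) -> Tuple[int, int]:
    """Client side: brute-force a nonce; returns (nonce, hashes_tried).
    Expected work is about 2**difficulty_bits hashes."""
    nonce = 0
    while effort_of(challenge, nonce) < difficulty_bits:
        nonce += 1
    return nonce, nonce + 1


def verify(challenge: bytes, difficulty_bits: int, nonce: int) -> bool:
    """Server side: one hash, however high the difficulty."""
    return effort_of(challenge, nonce) >= difficulty_bits


class PowGate:
    """Admission control (constructed design): verify proofs, reject replays,
    serve the highest proven effort first when over capacity."""

    def __init__(self, min_bits: int, capacity: int) -> None:
        self.min_bits = min_bits   # minimum effort to be queued at all
        self.capacity = capacity   # requests the service can handle per round
        self.seen = set()          # (challenge, nonce) pairs already spent

    def admit(self, submissions: List[Tuple[str, bytes, int]]) -> List[str]:
        """Return the client ids served this round, highest proven effort first.
        Replayed or under-difficulty submissions are dropped without queueing."""
        heap = []
        for client_id, challenge, nonce in submissions:
            key = (challenge, nonce)
            if key in self.seen:
                continue                # replay: a proof is single-use
            effort = effort_of(challenge, nonce)
            if effort < self.min_bits:
                continue                # not enough work; cost us exactly one hash
            self.seen.add(key)
            heapq.heappush(heap, (-effort, client_id))  # max-heap on effort
        served = []
        while heap and len(served) < self.capacity:
            _, client_id = heapq.heappop(heap)
            served.append(client_id)
        return served


def demo() -> List[str]:
    """Constructed scenario: one honest client solves a 16-bit challenge, ten
    flooding clients submit nonce 0 without doing the work; capacity is 1."""
    gate = PowGate(min_bits=8, capacity=1)
    honest_challenge = issue_challenge(b"constructed-challenge-honest")
    nonce, _tries = solve(honest_challenge, 16)
    assert verify(honest_challenge, 16, nonce)
    submissions = [("honest", honest_challenge, nonce)]
    for i in range(10):
        flood_challenge = issue_challenge(b"constructed-challenge-flood-%d" % i)
        submissions.append(("flood-%02d" % i, flood_challenge, 0))
    return gate.admit(submissions)


if __name__ == "__main__":
    print(demo())
```

The asymmetry is the whole point: the client pays roughly 2^difficulty hashes per request while the server pays one hash to check it, and raising the difficulty under load makes each application-layer request progressively more expensive for the sender. It also shows the limit raised in the comments: the endpoint that hands out challenges and receives proofs must itself stay reachable, so this does nothing against a flood that saturates the link or the lower layers before any puzzle is exchanged.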
| _factor wrote:
| These are likely nation state actors who have the ability to fund
| these attacks. I wouldn't be surprised if they're using advanced
| techniques to slow down the network and track the routes as they
| traverse. I would be wary of anonymity while using Tor during one
| of these attacks.
| mcdonje wrote:
| Another Tor page says DDoS attacks primarily use UDP packets,
| which Tor doesn't allow:
|
| https://support.torproject.org/abuse/what-about-ddos/
|
| So, is this an attack using a different method?
|
| And what about mitigating attacks on other networks/sites that
| originate from Tor? The site I linked only said "attackers who
| control enough bandwidth to launch an effective DDoS attack can
| do it just fine without Tor." They didn't say anything about
| mitigating the use of Tor by attackers. And what they're saying
| about attacks not being possible on the network is clearly wrong.
| beardog wrote:
| This is for protecting against attacks against the Tor network
| and onion services, not for preventing people using Tor to
| conduct DDoS attacks on normal websites, which is what your
| linked page discusses.
| yieldcrv wrote:
| I've heard passing mention of people switching to i2p because
| they feel the design choices of the Tor project are questionable
| - suggesting compromise. But these were vague assertions, is
| there more reading or ability to substantiate this?
| Levitating wrote:
| I2P has been designed with "hidden services" in mind. AlphaBay,
| which until a few months ago was the most modern and
| progressive dark web market, had fully moved to I2P, stating
| that they saw no future in Tor, as the Tor Project refused to
| address major design issues even though they have heaps of
| money.
|
| So far i2p has been very nice to use and the tools are
| well developed. I run a node myself. The way i2p works is very
| interesting. Some services like Dread which provide i2p access
| have only been accessible via i2p in recent times due to the
| load on Tor.
|
| We'll have to see how i2p holds up when it inevitably takes
| over Tor and becomes a target of ddos itself.
|
| https://geti2p.net/en/comparison/tor
| yieldcrv wrote:
| Yeah I think I saw AlphaBay's complaint and was hoping there
| was an elaboration
|
| Like is it like that Swiss encryption company that kept
| bricking the encryption for the CIA and employees kept
| noticing intentional encryption flaws and being told to work
| on something else?
|
| or something else
| cassepipe wrote:
| I was curious so I went and found this :
| https://geti2p.net/en/comparison/tor
| shrimp_emoji wrote:
| ```
|
| Benefits of I2P over Tor
|
| ...
|
| Java, not C (ewww)
|
| ```
|
| _Excuse_ me?
| ravenstine wrote:
| If you really dislike Java that much, there are other I2P
| implementations like this:
|
| https://github.com/PurpleI2P/i2pd
| gloria_mundi wrote:
| On the same site:
|
| > Benefits of Tor over I2P
|
| > ...
|
| > - C, not Java (ewww)
|
| It's a joke.
| owenmarshall wrote:
| I feel like "written in a memory-safe language" is a fair
| selling point, _especially_ when we are talking about a
| tool designed to accept completely untrusted data from the
| network and keep you safe from attackers with significant
| resources.
| chasil wrote:
| All of the "boring crypto" has been written in C.
|
| https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf
|
| Unfortunately, Java encryption libraries are far from
| boring.
|
| https://www.bleepingcomputer.com/news/security/bouncy-castle...
|
| https://www.cvedetails.com/vulnerability-list/vendor_id-7637...
| Avamander wrote:
| People have done a lot of things, the track record so far
| has shown that to be a terrible idea.
| cf141q5325 wrote:
| I think it's worth mentioning that DDoS protection has become a
| tool to control online discourse. Once you get kicked off
| Cloudflare, that's mostly it for you if you have a determined
| attacker. That's quite a beneficial situation for governments.
| capableweb wrote:
| Have you actually run any sort of web service/website without
| Cloudflare? This sounds like something straight out of a sales
| rep's mouth; obviously there are more solutions than just
| Cloudflare out there...
| cf141q5325 wrote:
| I don't think you appreciate the threat scenario discussed
| here if you think it's reasonable to ask for personal
| experience. Leaves me to wonder if I am supposed to deny
| having committed any crimes while we are at it?
|
| Still, thank you for the response; it gives me the ability to
| clarify that this is by no means an advertisement. You have
| of course endless options for DDoS mitigation right now. But
| once Cloudflare no longer wants you, your other options have
| a tendency to evaporate as well.
| [deleted]
| [deleted]
| Spivak wrote:
| It really isn't that dire. AWS has Shield (or really just
| CloudFront), GCP has Cloud Armor, Azure has "Azure DDoS
| Protection", everything on Digital Ocean is protected by
| default. And if you're on-prem or colo then even a modestly
| sized edge router can handle quite a bit of traffic. And if all
| you want is the CDN part and not origin protection then every
| commercial CDN does DDoS protection.
|
| If you mean "providing expensive protection services for free
| on a $5/mo VPC" then sure Cloudflare might be your only bet.
| cf141q5325 wrote:
| Not a question of money. If I recall, all of these are as
| easy to reach for governments as Cloudflare itself. Especially
| with the threat of KYC. Would be happy to be wrong here
| though.
| swores wrote:
| "If a government decides they want you offline" is quite a
| big difference from the original "Once you get kicked off
| Cloudflare, that's mostly it for you".
| cf141q5325 wrote:
| Initial post was about controlling public discourse.
| That's something where the attackers are governments.
| Sorry if the wording was misleading.
| anamexis wrote:
| How is DDOS protection the issue then? Isn't the issue
| just DDOS?
| cf141q5325 wrote:
| Somebody else asked this but deleted before I could
| respond, so I am glad you asked.
|
| Centralized DDoS protection and DDoS seem to be two sides
| of the same coin, so I don't understand what the
| distinction would entail.
|
| edit: You could argue that DDoS is an equal opportunity
| tool, while the threat of getting kicked off Cloudflare
| is reserved for a selected few. So the difference would
| be which is more at threat of getting exploited. Hope
| that helps.
| wbl wrote:
| Who got kicked off of Cloudflare? Because both the cases I can
| think of weren't because of governments and were the sorts of
| schmucks that you really don't want hanging around.
| nyolfen wrote:
| this is the same line as the UK takes for encryption btw
| malikNF wrote:
| Remember when google was one of the "not evil" companies?
| When it comes to internet companies we have got burned so
| many times it's good to keep a healthy dose of skepticism
| when it comes to a company that potentially decides if you
| are able to survive on the internet.
| didntcheck wrote:
| * * *
| cf141q5325 wrote:
| It was a generic statement about a path to get rid of
| unwanted public discourse. The problem is that paths that
| exist get taken. Examples of who that happened to already and
| your opinion of who deserves what are not the point.
|
| It's totalitarian rot, it doesn't stop, it's like a moldy fruit.
| kiwifarmsthrow wrote:
| KiwiFarms, The Daily Stormer
| Run_DOS_Run wrote:
| Don't forget OVH. Their DDoS-protection is included in every
| server.
| malikNF wrote:
| At least in my experience, OVH was the only hosting company
| where their network engineers spoke to me when we had a DDoS
| problem.
|
| Had a situation where one of my servers was getting DDoSed;
| we tried multiple providers, both cloud and dedicated, but the
| attack was not getting stopped by anyone. The customer
| service was useless at most other places: it's either we get
| null routed, or hours of back and forth with customer service
| without any solution.
|
| We moved our servers to OVH and the customer service rep directed
| us to an engineer within a few minutes. I remember we had to
| send a few packet captures during an attack to one of their
| network engineers and, not only did they block the attack in
| a few hours, the engineer in charge explained exactly what
| happened. It was such a nice learning experience that that one
| interaction with them will always make me recommend them.
| peterhadlaw wrote:
| What do you mean every server? Pardon my ignorance, first
| time I am hearing about these folks.
| tw04 wrote:
| OVH is a hosting provider, you rent physical or virtual
| servers from them for a monthly fee. They protect their
| entire network with DDoS mitigation.
|
| https://www.ovhcloud.com/en/security/anti-ddos/ddos-attack-m...
| patrec wrote:
| If cloudflare won't touch you, chances are neither will OVH.
| TechBro8615 wrote:
| Governments have more effective ways of deplatforming you than
| temporarily DDOSing your site.
| victorbjorklund wrote:
| A bit dramatic right? Sure, it might be more expensive and
| difficult but obviously you can run your own WAF, DDOS
| protection etc.
| cf141q5325 wrote:
| There are quite a few options, but from what could be heard
| through the grapevine with Kiwifarms, most turn out to be
| theoretical once attackers are motivated enough. Think about
| them what you will, they make a great canary.
| malikNF wrote:
| Yes, you can defend on your own. But it's going to cost you a
| lot of resources.
|
| In addition to a lot of clever tricks, DDoS protection comes
| down to a simple question: who has more resources to keep
| going?
___________________________________________________________________
(page generated 2023-07-06 23:01 UTC)