Posted on July 6, 2019 at 1:18 PM

DDoS Attacks on Onion Sites Explained: Tor Browser Had a Flaw All Along

The Tor Browser, also known as the Tor Project, has recently announced that it will deal with a major flaw that allowed hackers to misuse it for years. The anonymous browser, which acts as the most popular way of accessing .onion websites, had a flaw that allowed cybercriminals to launch DDoS attacks against dark web websites.

Now, Tor turned its attention towards the bug and is getting ready to fix it. According to recent information, the problem should be mended with the upcoming Tor protocol 0.4.2 update.

The Tor browser flaw

The bug is a serious one, and in infosec circles, it is known as a DoS bug. When exploited, it is capable of crashing the Onion service, which runs an .onion website. Simply put, hackers are able to misuse the bug and send thousands upon thousands of connection requests to a website they wish to take down. The connections would simply be left hanging, which eventually overburdens the website, causing it to crash.

DDoS attacks that target regular websites work in a similar way, but these attacks were targeting .onion websites, which make up the dark web. When the connections start arriving, the remote Onion service has to send a complex circuit through the Tor network, which itself consists of thousands of nodes.

In other words, the request has a long way to go until it reaches the user who demanded information, which is very CPU-intensive. With enough of these connections and information requests, the server behind the targeted website gets maxed out, and it simply cannot handle any more connections.

This is an extremely old bug, and it was actually known to quite a few Tor developers. However, it was not fixed until now as developers simply did not have enough manpower to do so. In addition, dealing with the flaw is not so simple, as it exploits the process put in place so that legitimate users could gain access. There is simply no way to know whether an information request is coming from a real user or from a hacker that is aiming to bring the site down. At least, not before the attack starts, and once it does — it is too late for anyone to do anything.

Illegal marketplaces under attack

Unfortunately, the flaw was also known to hackers, and they continued abusing it for years, crashing one dark web portal after another. When it first started, legitimate dark web websites reported the attacks. However, the attackers recently started targeting illegal websites and dark web marketplaces which sell drugs, weapons, data stolen in hacking attacks, malware, and more.

One of the major illegal websites that were taken down was the Dream Market, which is the largest illegal marketplace of the entire dark web. Hackers started attacking it earlier this year, in March, and the website announced that it would shut down. The site’s operators also revealed that the attacker demanded $400,000 in Bitcoin in order to stop the attack. As expected, the Dream Market refused, and its website was closed.

Then, in April of this year, the attacks started hitting other markets that were trying to rise and replace the Dream Market. Nightmare Market is one example, and the Empire Market is another. Of course, the attackers did not stop there, and they also targeted numerous other websites, including the Dread forum.

Several markets decided that remaining on Tor is not worth it anymore, and they moved to I2P, which is a different anonymity network, although not nearly as popular and well-known as Tor. However, their efforts to actually do so failed.

Anyone could be behind the attacks

The attacks simply continued ever since, targeting all kinds of dark web portals. Onion site operators cannot protect themselves, and the only alternative is to shut down their sites and leave the network. There is no confirmed information about the attackers, and no one can tell who they are, where they are from, or what their end goal is. They could be anyone, as the tool they are using has been available on GitHub for over four years, now. The tool is known as Stinger-Tor, and anyone can use it for launching DDoS attacks against onion websites.

There are also groups that are selling other such tools on various underground forums. Their tools differ slightly, but they exploit the same bug, so the end result is the same as well.

The attacks have become such an issue, that many within the Dread community decided to ask for donations, as well as donate themselves. The donations would be sent to Tor developers, and would hopefully allow them some way to fix the bug and prevent further attacks. Considering the fact that Tor plans to release the patch with its next update, it appears that the plan worked.

Of course, this is unlikely to be the end of the story, as the developers cannot fix the bug completely — at least not without breaking Tor’s privacy and security features. However, the developers did say that the attacks will be less effective in the future, should they continue. The patch itself will simply allow onion site operators to activate defenses, should they find themselves under attack. Users will still be able to access the sites despite the defenses, but the connection requests will take longer to be established.