DDoS Attacks on Onion Sites Explained: Tor Browser Had a Flaw All Along

The Tor Browser, also known as the Tor Project, has recently announced that it will deal with a major flaw that allowed hackers to misuse it for years. The anonymous browser, which acts as the most popular way of accessing .onion websites, had a flaw that allowed cybercriminals to launch DDoS attacks against dark web websites.

Now, Tor has turned its attention towards the bug and is getting ready to fix it. According to recent information, the problem should be mended with the upcoming Tor protocol 0.4.2 update.

The bug is a serious one, and in infosec circles it is known as a DoS bug. When exploited, it is capable of crashing the Onion service that runs a .onion website. Simply put, hackers are able to misuse the bug and send thousands upon thousands of connection requests to a website they wish to take down. The connections are simply left hanging, which eventually overburdens the website and causes it to crash.

DDoS attacks that target regular websites work in a similar way, but these attacks were targeting .onion websites, which make up the dark web. When the connections start arriving, the remote Onion service has to build a multi-hop circuit through the Tor network for each of them, and the network itself consists of thousands of nodes.

In other words, the request has a long way to go before it reaches the user who asked for the information, and building each of those circuits is very CPU-intensive. With enough of these connections and information requests, the server behind the targeted website gets maxed out, and it simply cannot handle any more connections.

This is an extremely old bug, and it was actually known to quite a few Tor developers. However, it was not fixed until now as developers simply did not have enough manpower to do so. In addition, dealing with the flaw is not so simple, as it exploits the process put in place so that legitimate users could gain access. There is simply no way to know whether an information request is coming from a real user or from a hacker that is aiming to bring the site down. At least, not before the attack starts, and once it does — it is too late for anyone to do anything.

Unfortunately, the flaw was also known to hackers, and they continued abusing it for years, crashing one dark web portal after another. When it first started, legitimate dark web websites reported the attacks. However, the attackers recently started targeting illegal websites and dark web marketplaces which sell drugs, weapons, data stolen in hacking attacks, malware, and more.

One of the major illegal websites that were taken down was the Dream Market, which is the largest illegal marketplace of the entire dark web. Hackers started attacking it earlier this year, in March, and the website announced that it would shut down. The site's operators also revealed that the attacker demanded $400,000 in Bitcoin in order to stop the attack. As expected, the Dream Market refused, and its website was closed.

Then, in April of this year, the attacks started hitting other markets that were trying to rise and replace the Dream Market. Nightmare Market is one example, and the Empire Market is another. Of course, the attackers did not stop there, and they also targeted numerous other websites, including the Dread forum.

Several markets decided that remaining on Tor is not worth it anymore, and they moved to I2P, which is a different anonymity network, although not nearly as popular and well-known as Tor. However, their efforts to actually do so failed.

The attacks have simply continued ever since, targeting all kinds of dark web portals. Onion site operators cannot protect themselves, and the only alternative is to shut down their sites and leave the network. There is no confirmed information about the attackers, and no one can tell who they are, where they are from, or what their end goal is. They could be anyone, as the tool they are using has been available on GitHub for over four years now. The tool is known as Stinger-Tor, and anyone can use it for launching DDoS attacks against onion websites.

There are also groups that are selling other such tools on various underground forums. Their tools differ slightly, but they exploit the same bug, so the end result is the same as well.

The attacks have become such an issue that many within the Dread community decided to ask for donations, as well as donate themselves. The donations would be sent to Tor developers, and would hopefully allow them some way to fix the bug and prevent further attacks. Considering the fact that Tor plans to release the patch with its next update, it appears that the plan worked.

Of course, this is unlikely to be the end of the story, as the developers cannot fix the bug completely — at least not without breaking Tor's privacy and security features. However, the developers did say that the attacks will be less effective in the future, should they continue. The patch itself will simply allow onion site operators to activate defenses, should they find themselves under attack. Users will still be able to access the sites despite the defenses, but the connection requests will take longer to be established.
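The article describes the defense only in outline: excess connection requests are throttled before the service spends CPU on them, so legitimate clients still get through, just more slowly. One standard way to build such a throttle is a token bucket with a sustained rate and a burst allowance. The Python sketch below is an added illustration, not the Tor Project's code and not a description of how Tor 0.4.2 actually implements its defense; the rate and burst values, the `IntroRateLimiter` name and the request samples are all assumptions constructed for the example. It feeds a quiet day and a flood through the limiter and counts how many requests the service would still have to build a circuit for.

```python
"""Token-bucket limiting of onion-service introduction requests.

Added example, not the Tor Project's code. The rate and burst values are
assumed placeholders, not Tor's real defaults.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class IntroRateLimiter:
    """Token bucket: refills `rate_per_sec` tokens per second, capped at `burst`."""
    rate_per_sec: float = 25.0   # assumed example value
    burst: int = 200             # assumed example value

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)   # start full so a short spike is tolerated
        self.last = 0.0

    def allow(self, now: float) -> bool:
        """Spend one token for a request arriving at `now` (seconds), if one is available."""
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_per_sec)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(requests, rate_per_sec=25.0, burst=200):
    """requests: iterable of (arrival_time_seconds, label).

    Returns {label: {"accepted": n, "dropped": m}} after limiting; only
    accepted requests would go on to cost the service a circuit build."""
    lim = IntroRateLimiter(rate_per_sec, burst)
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for t, label in sorted(requests, key=lambda r: r[0]):
        stats[label]["accepted" if lim.allow(t) else "dropped"] += 1
    return dict(stats)


def legit_traffic(seconds=10, per_sec=5):
    """Constructed sample: a handful of evenly spaced requests per second."""
    return [(s + k / per_sec, "legit") for s in range(seconds) for k in range(per_sec)]


def flood_traffic(seconds=10, per_sec=1000):
    """Constructed sample: a flood of evenly spaced requests per second."""
    return [(i / per_sec, "flood") for i in range(seconds * per_sec)]


def circuits_built(stats):
    """Total requests the service would still have to build a circuit for."""
    return sum(v["accepted"] for v in stats.values())


if __name__ == "__main__":
    quiet = simulate(legit_traffic())
    storm = simulate(legit_traffic() + flood_traffic())
    print("quiet day:", quiet, "circuits:", circuits_built(quiet))
    print("under flood:", storm, "circuits:", circuits_built(storm))
```

On the quiet day every one of the 50 requests is accepted. Under a 1,000-request-per-second flood the bucket empties within a fraction of a second, after which only about 25 requests per second get through, so over ten seconds the service builds roughly 450 circuits instead of more than 10,000. Legitimate clients compete for the same tokens, which is exactly the trade-off the article describes: they are not locked out, but their connection attempts can be dropped and retried, so establishing a connection takes longer.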