The Onion Router (Tor) has turned to a proof-of-work (PoW) defense to protect its network against DDoS attacks. The online anti-censorship service weathered a massive storm of DDoS attacks from June last year through to May, which made work on anti-DDoS defenses imperative.
The attacks that led Tor to implement the proof-of-work puzzles have finally subsided, but DDoS abuse continues to be a persistent issue for its network. Not only does it degrade the performance of the service, but it has also given rise to security concerns.
What Is Tor and Why Do DDoS Attacks Pose Such a Problem?
For those unfamiliar with Tor, onion routing is a privacy technology designed to help users hide their true IP address on the internet.
It relays your internet traffic via a maze of shifting nodes, along with encryption encapsulation to protect the data. This makes it extremely hard for network eavesdroppers to identify a user’s IP address and link them to any observed online activity.
While those in need of communicating privately love the Tor project, it has consistently been targeted by governments.
The Tor browser used to access .onion addresses works fine, but it isn’t perfect. Now, the DDoS attacks in question aim to disrupt access to .onion sites.
Set on fending off such attacks, Tor developers started working on a proposed anti-DDoS defense in 2020. It was finally introduced in Tor version 0.4.8.4, following which Tor encouraged onion services to update to the new version.
As it turns out, Tor’s new line of defense is based on a mechanism first developed in 1992 by Moni Naor and Cynthia Dwork to thwart DDoS attacks and spam: proof-of-work.
How Do Proof-Of-Work Tests Protect Against DDoS Attacks?
From now on, clients trying to access .onion services using Tor may be asked to complete small proof-of-work tests.
While those connecting as legitimate users won’t notice a thing, the proof-of-work challenges will hinder attempts to repeatedly hammer the network of nodes with too many repeated connections.
The proof-of-work challenge, named EquiX, was designed by Tevador, who also developed Monero’s proof-of-work algorithm.
Tevador described EquiX as a “CPU-friendly client puzzle with fast verification and small solution size (16 bytes)”.
In the outline of the project, Tor contributors George Kadianakis, Mike Perry, David Goulet, and Tevador explained: “If we ever hope to have truly reachable global onion services, we need to make it harder for attackers to overload the service with introduction requests”.
They went on to add that this is exactly what the new proof-of-work tests would help achieve.
Though proof-of-work became notorious for the energy consumed by Bitcoin mining, this computation won’t contribute to crypto-mining. Some might see that as a lost revenue opportunity, but others consider it an ethical requirement.
“The inherent design of onion services, which prioritizes user privacy by obfuscating IP addresses, has made it vulnerable to DoS attacks,” said Pavel Zoneff, Tor Project Director of Communications.
Traditional IP-based rate limiting doesn’t work well in this scenario, which led to the need for better defenses. The proof-of-work puzzle defaults to zero effort and scales up with network stress.
“Before accessing an onion service, a small puzzle must be solved, proving that some ‘work’ has been done by the client,” Zoneff said.
Zoneff added that a harder puzzle indicates that more work is being performed.
An attempt to flood an onion service with requests will trigger the PoW defense, significantly ramping up the computational effort required of the attacker. How effective the new defense proves against DDoS attacks remains to be seen.
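To make the mechanism described above concrete (zero effort by default, effort that rises with load, cheap verification, and a puzzle the client must solve before being admitted), here is an added, self-contained illustration. It is not Tor's code and does not use EquiX: it stands in a SHA-256 puzzle so it runs anywhere, and the effort semantics (a solution is accepted when the first 32 bits of SHA-256(seed || nonce) fall below 2**32 / effort, so a client needs about `effort` hashes on average while the service needs one), the controller thresholds, the multiply-by-four step, and the sample seed are all assumptions made for the example.

```python
"""Simplified proof-of-work client puzzle with load-adaptive effort.

Added illustration, not Tor's implementation. SHA-256 stands in for EquiX;
effort semantics, controller steps and the sample seed are assumptions.
"""
import hashlib
import secrets

MAX_EFFORT = 1 << 20          # upper clamp: a flood must not lock everyone out
MIN_NONZERO_EFFORT = 16       # first non-trivial step once load appears
NONCE_BYTES = 8
NONCE_SPACE = 1 << (8 * NONCE_BYTES)

# Constructed sample seed; a real service would issue fresh random seeds.
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")


def _score(seed: bytes, nonce: int) -> int:
    """First 32 bits of SHA-256(seed || nonce) as an integer."""
    h = hashlib.sha256(seed + nonce.to_bytes(NONCE_BYTES, "big")).digest()
    return int.from_bytes(h[:4], "big")


def verify(seed: bytes, effort: int, nonce: int) -> bool:
    """Service side: one hash, constant cost no matter how high the effort is."""
    if not 0 <= nonce < NONCE_SPACE:
        return False
    if effort <= 0:            # zero effort: no work required (the default)
        return True
    # Probability of success per attempt is roughly 1/effort (effort <= 2**32).
    return _score(seed, nonce) < (1 << 32) // effort


def solve(seed: bytes, effort: int, start: int = 0) -> tuple[int, int]:
    """Client side: brute-force a nonce; returns (nonce, attempts)."""
    nonce = start % NONCE_SPACE
    attempts = 0
    while True:
        attempts += 1
        if verify(seed, effort, nonce):
            return nonce, attempts
        nonce = (nonce + 1) % NONCE_SPACE


def next_effort(effort: int, queued: int, capacity: int) -> int:
    """Raise effort when the introduction queue overflows, relax it when calm."""
    if queued > capacity:
        return min(MAX_EFFORT, max(MIN_NONZERO_EFFORT, effort * 4))
    if queued < capacity // 2:
        return effort // 4
    return effort


class PuzzleService:
    """Minimal onion-service side: current seed and effort plus a replay cache."""

    def __init__(self, seed: bytes = SEED, capacity: int = 20):
        self.seed = seed
        self.capacity = capacity
        self.effort = 0
        self.queued = 0
        self.seen: set[int] = set()      # nonces already accepted for this seed

    def accept(self, nonce: int) -> bool:
        """Admit an introduction request only if its solution is valid and fresh."""
        if nonce in self.seen or not verify(self.seed, self.effort, nonce):
            return False
        self.seen.add(nonce)
        self.queued += 1
        return True

    def end_tick(self) -> int:
        """Re-tune effort from this tick's load, rotate the seed, drain the queue."""
        self.effort = next_effort(self.effort, self.queued, self.capacity)
        self.queued = 0
        # The replay cache is scoped to a seed, so rotating the seed lets it be cleared.
        self.seed = hashlib.sha256(self.seed).digest()[:16]
        self.seen.clear()
        return self.effort


def simulate_flood(requests_per_tick: int, capacity: int, ticks: int) -> tuple[int, int]:
    """Replay a sustained flood; returns (final_effort, total_client_hash_attempts)."""
    svc = PuzzleService(capacity=capacity)
    total_attempts = 0
    for _ in range(ticks):
        for _ in range(requests_per_tick):
            # Each client starts its search at a random nonce so solutions differ.
            nonce, attempts = solve(svc.seed, svc.effort,
                                    start=secrets.randbelow(NONCE_SPACE))
            total_attempts += attempts
            svc.accept(nonce)
        svc.end_tick()
    return svc.effort, total_attempts


if __name__ == "__main__":
    final_effort, work = simulate_flood(requests_per_tick=50, capacity=20, ticks=4)
    print(f"effort after flood: {final_effort}, attacker hashes spent: {work}")
```

Running the module floods a service whose capacity is 20 requests per tick with 50 per tick: the first tick costs the attacker one hash per request, and each subsequent tick multiplies the per-request cost by four, while the service's own check stays at one hash per request. Legitimate clients that arrive while the queue is calm see effort fall back towards zero.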