Bugs in Tor network used in attacks against underground markets


The operator of an underground marketplace hosted within the Tor network has reported a flaw in Tor that he claims is being used for an ongoing denial of service attack on the site. The problem, which is similar to one reported by another hidden site operator in December on the Tor mailing list, allows attackers to conduct a denial of service attack against hidden sites by creating a large number of simultaneous connections, or "circuits," via Tor, overwhelming the hidden service's ability to respond.

The problem is still under review, but it appears to be related to abuse of the "introduce" message in the Tor Hidden Services protocol, which is used to negotiate the connection between the client and the hidden server. By sending multiple "introduce" requests to the same hidden service, an attacker could make the targeted server create multiple circuits (paths over the Tor network used for the session), eating the server's available CPU and network resources and making it inaccessible to users. While the problem has been reproduced by at least one Tor developer, short-term fixes proposed to prevent the attacks have, thus far, not panned out. A number of long-term fixes have been proposed that require substantial changes to Tor's Hidden Services protocol implementation, including the use of dedicated bridges to connect larger hidden sites to Tor (part of Tor's Proposal 188, first put forward in June 2012 by Tor co-founder and developer Roger Dingledine).

