[OPSEC/Computer] Megathread for TOR DDoS attack questions, information, and theories.

[Disclaimer: I don't know anything. I don't have technical expertise.]

There is a lot of speculation, confusion, and general lack of information as to why the markets have been down so much these past few days. It seems like there MAY be a larger issue going on than just normal DNM outages, and there isn't a good source of information as to what is exactly happening.

Some thoughts and questions:

1. While EVO's closing did not help the situation, it doesn't seem to be the ONLY reason behind the ups and downs.

Most DNM's were functioning much better than they are currently in the days after EVO's closure. Also, DeepDotWeb and several admins from various markets have specifically stated they were being DDOS'd, and these outages are longer than usual.

2. Whether or not there are attacks beyond DNM hidden services is unclear at the moment

There are only very scattered reports of TOR sites being attacked outside of the DNM community. Also, why would dnstats.net be targeted? DeepDotWeb suggests it may be a new type of TOR-focused "DDOS - that seems hard to block and targeting few DNM's." On the other hand, /u/uhwiki says their hidden service is being DDOS'd as well. Unclear what is happening on this front.

3. [FUD] Is it possible that the DNM's are being targeted with DDOS attacks as an attempt to decloak/identify/locate them?

This post by /u/Gwern is the most solid support I could find for this (and it's not really support at all). However, perhaps they really did mean "Guard Node" instead of "Exit Node". After all, many hidden services were indeed identified in November 2014, and we know there are various ways of decloaking hidden services as explained in various scholarly papers. This also fits with the explanation/question (below) of why dnstats is being attacked.

Again, all of the above are my thoughts. I have no clue what is happening, and hopefully everything will be back to normal in a few hours.

Questions for those who actually know stuff (not me):

What thoughts/questions/observations am I missing? Can we try to consolidate all related information to this (or any other specific) thread?

It would probably help limit the number of FUD posts, and would bring more clarity to the situation as a whole.

If this thread gains any traction I can put together all the various explanations given for the outages in the past week on some sort of timeline.


Comments


[8 Points] select1on:

The amount of users on my site has no impact on the markets. One problem with my site is the server is fairly weak and my webserver can handle a lot more connections than my database server can, so it's fairly easy to push over in terms of DDoSing. There were some malicious attacks that I haven't identified yet because I was serving 1/3 of the connections but they were taking up all my SQL connections and I hadn't made any changes at all.

I'll see if I can pinpoint the source but my daughter is unwell and after work I have little time to spend on it, I will probably get a new server or a load balancer/reverse proxy.


[5 Points] uhwiki:

It is not limited to just DNMs. I run a fairly high profile wiki, and we have been crippled these past few days.


[3 Points] motsanciens:

Non-technical theory: With Evo fallen, some enterprising person wants to dick over the remaining markets for a while using a new approach. They will then present a market that is not susceptible to the attack and garner all the business for themselves. Perhaps this new market will be run by LE.


[2 Points] MLP_is_my_OPSEC:

Is there any way to figure out where the traffic flooding dnstats.net is coming from?

It might be possible if someone had network logs from their server containing the IPs doing the attack. The issue is a DDoS attack is distributed across multiple devices, so you could have IPs from all over the world. It doesn't help that there are still NTP servers that are vulnerable to being used as a zombie in a DDoS attack.

Where does this TOR vulnerability fit in with all this, if at all?

From what I can see, it just looks like a fault with Tor not being able to handle a large number of requests at once. Whenever a guard node receives more traffic than it can handle, Tor will see a circuit fail and attempt to relaunch it, which just exacerbates the problem.
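The kind of log analysis the comment above has in mind, as an added example (not code from anyone in this thread): it parses Common Log Format access-log lines, counts requests per source address over a sliding window, and reports the busiest window as a whole, so a flood spread across many addresses shows up in the aggregate even when no single address trips the per-source threshold. All addresses, timestamps and thresholds are constructed for the example.

```python
"""Spot request floods in a web server access log (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format line, e.g.
# 203.0.113.5 - - [14/Mar/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(lines):
    """Return (source_ip, timestamp) pairs for lines that match CLF; skip the rest."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((m["ip"], datetime.strptime(m["ts"], TS_FMT)))
    return events


def peak_per_source(events, window_s):
    """Highest number of requests each source made inside any window_s-second span."""
    by_ip = defaultdict(list)
    for ip, ts in events:
        by_ip[ip].append(ts)
    span = timedelta(seconds=window_s)
    peaks = {}
    for ip, times in by_ip.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > span:  # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def hot_sources(events, window_s=10, threshold=20):
    """Sources whose peak reaches `threshold` requests in any window_s seconds."""
    return {ip: n for ip, n in peak_per_source(events, window_s).items() if n >= threshold}


def load_shape(events, window_s=10):
    """Busiest window_s-second span over all sources: (total requests, distinct sources).

    A high total with many distinct sources is the distributed case the comment
    describes; a high total from one or two sources is a simple single-origin flood.
    """
    events = sorted(events, key=lambda e: e[1])
    span = timedelta(seconds=window_s)
    best_total = best_distinct = start = 0
    for end in range(len(events)):
        while events[end][1] - events[start][1] > span:
            start += 1
        total = end - start + 1
        if total > best_total:
            best_total = total
            best_distinct = len({ip for ip, _ in events[start:end + 1]})
    return best_total, best_distinct


def build_sample_log():
    """Constructed log: light normal traffic, one single-source burst, one distributed burst."""
    base = datetime(2015, 3, 14, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, t, path="/"):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'

    # one ordinary visitor: a request every 30 seconds
    lines = [line("198.51.100.7", base + timedelta(seconds=30 * i), "/page") for i in range(6)]
    # single source: 30 requests within 5 seconds
    lines += [line("203.0.113.5", base + timedelta(seconds=60 + i // 6)) for i in range(30)]
    # distributed: 40 different sources, 2 requests each, all within the same 5 seconds
    for k in range(40):
        for j in range(2):
            lines.append(line(f"192.0.2.{k + 1}", base + timedelta(seconds=120 + (k + j) % 5)))
    return lines


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    print("hot sources:", hot_sources(evts))
    print("busiest 10 s window (requests, distinct sources):", load_shape(evts))
```

On the constructed log the per-source check flags only 203.0.113.5, while the busiest window reports 81 requests from 41 distinct sources, which is the distributed pattern no per-address threshold catches. One caveat for the hidden-service side of this thread: a web server behind a Tor onion address receives its connections from the local tor daemon, so its access log carries no client addresses at all and this kind of per-source attribution only applies to a clearnet site such as dnstats.net.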


[2 Points] deepdot:

The wording of this post on DeepDotWeb sounds like it is an attack on TOR as a whole

No, it's not an attack on Tor as a whole for sure, but some sort of new Tor DDOS - that seems hard to block and targeting few DNM's (don't know the technical details, just from what few people quoted me their support tickets/replies and such)

Agora are claiming that it's Evo traffic, but at the same time their vendors' URL is working faster than their site ever did


[1 Points] None:

I have too little information to speculate on anything, but I have many DNMs open in tabs, and whenever my market is down, the other ones seem down too, or very slow. When my market becomes fast again, the other ones are fast as well. This makes me suspect an attack targeted at DNMs, but it's too soon to draw conclusions.


[1 Points] melodiousdirge:

It's interesting that the emergency release of tails 1.3.1 preceded the TOR ddos by a couple of days. Is it an extreme stretch to speculate that tails has been compromised/hijacked? Probably a stretch, but I like the sound of my own voice, so. Yeah.