Massive DDoSes being reported everywhere on the DNM.

Look at this graph:

https://metrics.torproject.org/networksize.html?graph=networksize&start=2015-11-02&end=2015-11-09

What happened on the 4th? A massive crash of A THIRD of tor relays simultaneously? This is consistent with a VERY large DDoS attack.

This "New user" says they control many nodes and has seen the DDoS too.

https://www.reddit.com/r/DarkNetMarkets/comments/3s7k6b/ongoing_ddos_attacks/

My own website is getting DDoSed, Abraxas is down, MEM is down. Other vendors are reporting it too.

https://www.reddit.com/r/DarkNetMarkets/comments/3s7plu/scamlogs_announcement_we_are_under_ddos_attack/

With so many nodes crashing, and a sustained DDoS of so long with so many different targets, the attacker must have access to MASSIVE resources, probably LE in origin.

What do you think? Tinfoil? Or are we getting buttfucked by the latest LE wizardry?
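The claim above (a third of relays vanishing in one day) is the kind of thing worth checking against the numbers behind the graph rather than eyeballing it. The script below is an added example, not part of the original post: it assumes the CSV layout `date,relays,bridges` (the column order Tor Metrics uses for its network-size export is taken here as an assumption) and runs over constructed sample rows, not real relay counts. It flags any day whose relay count falls more than a set fraction below the median of the preceding days, which separates a sudden crash from ordinary day-to-day churn.

```python
"""Check a Tor relay-count time series for an abrupt single-day drop.

Added example, not the original poster's code. Assumes the CSV layout
date,relays,bridges (an assumption about the Tor Metrics export) and uses
CONSTRUCTED sample rows, not actual relay counts.
"""
import csv
import io
from statistics import median

# Constructed sample in the assumed layout; the numbers are invented to
# illustrate a sudden one-day loss followed by a partial recovery.
SAMPLE_CSV = """date,relays,bridges
2015-11-01,7010,3000
2015-11-02,7020,3010
2015-11-03,7030,3005
2015-11-04,4700,2990
2015-11-05,4900,2995
2015-11-06,5600,3000
"""


def parse_relay_series(text):
    """Return a list of (date, relays) tuples from CSV text."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["date"], int(row["relays"])) for row in reader]


def find_drops(series, threshold=0.2, baseline_days=3):
    """Flag days whose relay count sits more than `threshold` (a fraction)
    below the median of the preceding `baseline_days` days.

    A short median baseline, rather than only the previous day, keeps one
    noisy measurement from triggering a flag on its own.
    """
    flagged = []
    for i in range(baseline_days, len(series)):
        baseline = median([r for _, r in series[i - baseline_days:i]])
        date, relays = series[i]
        drop = (baseline - relays) / baseline
        if drop > threshold:
            flagged.append((date, round(drop, 3)))
    return flagged


def largest_drop(series):
    """Return (date, fraction_lost) for the biggest day-over-day decrease."""
    best = None
    for (_, prev), (date, cur) in zip(series, series[1:]):
        frac = (prev - cur) / prev
        if best is None or frac > best[1]:
            best = (date, round(frac, 3))
    return best


if __name__ == "__main__":
    s = parse_relay_series(SAMPLE_CSV)
    print("flagged days:", find_drops(s))
    print("largest single-day drop:", largest_drop(s))
```

With the constructed rows, the 4th is flagged at roughly a 33% loss against the prior three-day median, and the 5th is still flagged because the baseline has not yet caught up; a real check would pull the live CSV and tune the threshold to the normal churn of the consensus.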


Comments


[35 Points] high_as_flight93:

sorry guys i was pinging the sites in cmd and got a little carried away


[29 Points] ClassyAssAssassin:

LE is probing for something in the darknet.


[15 Points] rappercake:

Is it too late to blame this on Umbreon?


[12 Points] Transistor420:

First off, TOR was created by the US government for CIA intelligence encryption... So the matter of them cracking the onion layers is always going to be a constant threat. Secondly, you can easily track who, what, and where the attacks are coming from simply by loading Kali Linux and doing a little probing of your own... ;)

As to how to STOP DDoS attacks? The most effective methods are to set a DMZ away from your server, set up honey-pots and traps to redirect and monitor what traffic hits your network. An IDPS would help in this, alerting to attempted breaches and forcefully stopping those repeated attempts.

However, with the massive amount of attacks across the broad network of DNM's, I would say it's someone with a grudge... or someone running one hell of a botnet. (As a botnet or supercomputer would be necessary to launch sequential attacks against numerous targets... this is not a method generally used by LE.) You can always deny ICMP requests, or add a time-out on pings should they attempt to continually flood the system. But a good hacker, with an already built botnet is next to impossible to stop entirely.

The main point is to layer your defenses so targeting the main server becomes an incredibly tedious task... granted, this takes resources and knowledge on how to set this up, but it's useful. ;)

I'm still on the boat with a rogue or hired hacker targeting specific sites to try and oust the competition while they can... Take note, watch which ones drop and which stay active for longer periods. I like to think of it as internet gang warfare... the longer you can hinder your competition, the more likely the 'junkies and dealers' will move to the open site... Then it's just a matter of waiting for a mass flood of money to come in before they exit out with a massive sum of money.

I am a cyber defense major... and knowing how LE works (look at Silk Road, and Ross Ulbricht), they wait for mistakes so they can pinpoint the 'big guys'. But the fact remains that no matter how many precautions you take, or how great your defenses are, a knowledgeable hacker with a botnet can pretty much do whatever they want...
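The comment above talks about monitoring what traffic hits the network and rate-limiting repeated requests. As an added illustration (not the commenter's code), here is the detection half of that: a sliding-window rate check over web access log lines that flags any source exceeding a request count inside a short window. The log lines are constructed inline in the common log format; the IPs are documentation addresses and the thresholds are illustrative.

```python
"""Flag request floods in an access log with a per-source sliding window.

Added example, not the commenter's code. Log lines are CONSTRUCTED below in
the common log format; the window and threshold are illustrative values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches the leading "client - - [timestamp]" part of a common-log-format line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Construct a chronological log: one benign client at 1 req/s for 30 s,
    plus a second client that sends 45 requests inside 3 seconds."""
    events = [(sec, "203.0.113.7") for sec in range(30)]
    events += [(5 + n // 15, "198.51.100.9") for n in range(45)]
    events.sort(key=lambda e: e[0])  # stable sort keeps lines in time order
    base = datetime(2015, 11, 4, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for sec, ip in events:
        ts = (base + timedelta(seconds=sec)).strftime(TS_FORMAT)
        lines.append(f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512')
    return lines


def parse_line(line):
    """Return (ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts = m.groups()
    return ip, datetime.strptime(ts, TS_FORMAT)


def find_flooders(lines, window_seconds=10, max_requests=20):
    """Return {ip: peak_count} for sources that exceed max_requests within
    any window_seconds-long span. Lines must be in chronological order.

    Each source keeps only the timestamps inside the current window, so
    memory stays bounded by the window rather than by the log size.
    """
    windows = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crashing the monitor
        ip, ts = parsed
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


if __name__ == "__main__":
    for ip, peak in find_flooders(build_sample_log()).items():
        print(f"{ip}: {peak} requests inside a 10 s window")
```

On the constructed log only the bursting client is reported; the benign client never holds more than 11 timestamps in a 10-second window. The output of a check like this is what you would feed a firewall rule or fail2ban-style ban, and the "time-out on pings" the comment mentions is the same idea applied at the packet filter, for instance iptables' `-m limit` match on ICMP echo requests with a DROP rule after it (an illustration of the mechanism, not a recommended configuration for any particular host).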


[12 Points] None:

It's not just the exit nodes

Quantik, are you sure your site is being hit and the connection problems aren't actually being created by a DoS attack on tor nodes?


[9 Points] hog_master:

Thank you for posting a quality, informative post. With so many trolls and shit posts being posted on this sub lately, this is a breath of fresh air, a glass of cold water.

Lot of assholes out here, so I commend you mate.


[4 Points] ayyyyyThrowaway:

You've reached international supervillain status Q. World powers are possibly launching cyber attacks on your personal vendor site.

If this is the case it's a bit funny. I can't wait till the truth about this is revealed.

If the attacks are LE then why not go after alphabay more aggressively since they're a huge market? I know they experienced attacks at the start of this and claimed to have dealt with it? How do you work around denial of service attacks?


[4 Points] KeystoneSoze:

If it isn't the Joint Operations Cell (successor to GCHQ's JTRIG unit), then perhaps we're seeing an investigation into a possible threat. Holiday season is here, and we've got Veterans Day in the US just around the corner, not to mention the big three, Thanksgiving, Christmas and NYE...

Not everything is about taking down dealers and/or harassing end users.


[6 Points] druggieslut:

Alphabay is doing it


[3 Points] illadelphia_collins:

Didn't the UK just draft/pass an expansive internet powers bill? Tinfoily but w/e


[3 Points] aboutthednm:

Take a look at the advertised bandwidth as well

https://metrics.torproject.org/bandwidth.html

something is going on


[2 Points] RosyPalm:

> With so many nodes crashing, and a sustained DDoS of so long, the attacker must have access to MASSIVE resources, probably LE in origin.

I don't believe this is correct. I'm of the understanding it's infinitely easier to attack TOR by simple nature of the way it's designed. Hopefully a more knowledgeable user can chime in.

> What do you think? Tinfoil? Or are we getting buttfucked by the latest LE wizardry?

Anyone have an ETA on when TOR is going to push out the fix for the exit node vulnerability? My guess is it's on the way and this is LE pulling the trigger before their window of opportunity closes.


[2 Points] earthmoonsun:

maybe it's a good time to get to know i2p


[2 Points] None:

Well it was 100Gbps that was hitting Proton. Not sure who in here is a technician but on Gig switches you would be completely fucked.

I personally think it is a coordinated attack. Just me but I think it is clearly some government agency. I don't think any hackers not in Russia or N. Korea would be able to sustain an attack of this scale.

But why are Nuke and AB not part of it?


[2 Points] coffeencreme:

Yeah LE are trying to locate someone's server, one of the markets if not more is about to fall.


[1 Points] None:

It doesn't matter who is doing it (indeed- how would we know? what evidence could exist?) but what matters more is how it can be moved past for now.

The current DDoS is heavy, but with the number of compromised machines worldwide, it's still easily within the realms of a small organised group- that's what makes botnets so scary.

LEO are happy for TOR to continue because they can exploit it over time. LEO/Intel agencies helped set up TOR in the first place. Taking it out doesn't make sense when they can keep it going, exploiting the holes we don't know about for information- if they had taken it out, then they would have also tried to bust whoever they had anything on before they got spooked and changed their gameplan.


[1 Points] None:

Probably a one-two punch. I'm hoping. Someone said by Friday the attacks will start to back off. I'm hoping.


[1 Points] None:

http://money.cnn.com/news/newsfeeds/articles/globenewswire/6023643.htm


[1 Points] None:

[removed]


[1 Points] FrozenMCVegetableCok:

Maybe this is what happens when DARPA expands their research grant for the creation of a darknet search engine to include attack capabilities.


[1 Points] oVerde:

These attacks are not over Tor, someone is probing to possible Cloud shared servers with Tor data traffic on its band, now on clear net they shoot, on dark net they fall, so they can be sure where the honey is.


[1 Points] None:

The Russian federation has the resources to do this.


[1 Points] None:

[deleted]


[1 Points] Devoid_:

For 20% of the exits to go down it's gotta be someone with some level of sophistication. I doubt it's a gov/LE intervention, every time they drop a market they take it within hours. They would not ddos it for days while giving the operator a chance to encrypt/delete everything.


[1 Points] Devoid_:

The graph doesn't show the relays being down anymore