For years now, users on the Darknet have requested that Tor move towards a Proof-of-work option as a method to counter-attack DDoS and threat actors. The system would solve multiple issues within the Tor browser, yet the Tor Project team wouldn’t address the issue. Today, Proof-of-Work defense for Onion sites is officially available on Tor 0.4.8.4 stable release 5.
An Attack On The Darknet
DDoS Attacks have always been an issue. Due to relay systems and the difficulty in running a .onion domain, they’re more susceptible to DDoS attacks than your typical clearnet website. The Tor Network is already a slow system, making things extremely difficult to run.
For your average Joe, this isn’t an issue… However, for the millions of users who access the Tor Network monthly, it creates a frustrating experience. DDoS attacks have taken down Darknet Markets and forums and prevented users from accessing content regularly. Therefore, it’s not a surprise that there’s been a call for a solution to these issues for some time now. For ages now, the most suggested feature as a preventative method was proof of work.
If you don’t know, Proof of Work (PoW) is a cryptographic technique that uses computational puzzles to validate transactions and secure networks. It involves proving to a system that a certain amount of computational effort has been expended. It’s a system used to make sure that when Sally says she paid Bitcoin to John, she really did. That’s why we wait for Bitcoin transactions to be “confirmed“ before funds are released.
In the Context of Tor and Privacy: PoW is crucial for Tor, a privacy-focused network, as it strengthens security and guards against malicious activities like Denial of Service (DoS) attacks. By prioritising clients who have completed resource-intensive tasks, PoW helps ensure legitimate users can access services even under stress. To keep OpSec up, it’s not PoW stored on an open ledger and rather resembles Monero’s style of PoW.
How Will Tor Use PoW?
In the case of Onion Services within Tor, PoW 2 is implemented as a defence against DoS attacks. When the service is under heavy load, clients are required to solve a computational puzzle (client puzzle) before being allowed access. This prioritises connections from users who have demonstrated computational effort, making it difficult for attackers to flood the service with requests.
The new system will safeguard Onion Services from DoS attacks, enhancing their availability to genuine users by filtering out malicious or excessive requests. It aims to protect the integrity of the network and promote equitable access. Ideally, we’ll see less downtime on our favourite websites. We shouldn’t see cases like Dread’s 2022 act of disappearing for a solid 3 months.
For attackers, attempting to overwhelm an onion service with a flood of requests becomes significantly more challenging due to the PoW defense. When they initiate an attack, the new PoW defence mechanism activates and raises the computational effort required to access a .onion site.
Will this make DoS attacks impossible? No. But, this means attackers face increasing computational demands for each connection attempt they make. As they escalate their efforts, they encounter diminishing returns, making it progressively more strenuous to sustain these attacks.
That being said, keeping the system good for a regular user is essential. For regular users, the impact of PoW is different. Users who typically send a limited number of requests at a time will find the added computational work of solving the puzzle manageable for most devices. The time taken to solve the puzzle varies – faster computers take about 5 milliseconds, while slower hardware might need up to 30 milliseconds. As the network comes under heavier attack traffic, the computational effort for users will increase, peaking at around 1 minute of work. While this process remains hidden from users, it offers a notable advantage: the opportunity to access the Tor network even during stressful periods by demonstrating their genuine intent.
To you and me, we won’t even see a difference on the network (ideally).
What Took the Tor Project so Long to Set It Up?
Realistically, Implementing PoW for Tor likely took time due to the need for careful design and testing. Balancing effective protection against DoS attacks while ensuring a seamless user experience and 100% anonymity is a complex task. Once you’ve figured that out, Tor needs to ensure that the implementation is compatible with existing Tor infrastructure and doesn’t negatively impact user privacy would have been priorities.
If the new system was released without adequate testing, we would have seen websites break, and lots of maintenance from .Onion servers. We should also note that there’s a reality that implementing such systems opens doors for vulnerabilities that onion sites didn’t have previously. Only time will tell on this front.
Setting Up PoW Protection (For Nerds)
- Environment Preparation: Ensure you have a GPL-covered C Tor binary version 0.4.8.4 or newer. You might need to compile it or obtain it from your software distribution.
- Activation: Enable PoW protection for each Onion Service by configuring “HiddenServicePoWDefensesEnabled” to 1.
- Monitoring: Employ tools like MetricsPort (keeping it private), Prometheus, and Grafana to monitor your services.
- Customization: Fine-tune “HiddenServicePoWQueueRate” and “HiddenServicePoWQueueBurst” parameters for each service based on your needs.
- Logging during DoS Attacks: Temporarily increase logging verbosity to better understand and address attacks.
As per the Tor Project Forum post, feedback is necessary and critical in these early stages of PoW releasing. So they’re urging all to leave feedback as needed.
- For General Questions: Comment on relevant blog posts or start discussions for general queries about PoW.
- For Non-Security Issues: Submit feedback via the Tor GitLab repository, including detailed descriptions, logs, and steps to reproduce problems.
- For Security Issues: For security concerns, follow the reporting process in the Security Policy for private reporting.
Conclusion
The past year has seen dedicated efforts to enhance network security and fortify onion services against attacks. The introduction of Tor’s PoW defense is a major victory for onion services. It’s going to build into the ecosystem, and stop dirty competitive tactics. PoW transforms the landscape for attackers, requiring increasing computational effort, and provides a seamless experience for users while ensuring access during network stress. The ongoing commitment to strengthening defenses not only marks a significant advancement for onion services but also reflects Tor’s dedication to improving the reliability and privacy of the network.
Hey there, I’m a dark web geek who’s been around for the last 8 years. More precisely, I’m livedarknet’s senior content writer who’s been writing about darknet marketplaces, tutorials, and cybersecurity stuff for educational purposes.