All v3 Onion Addresses Down After Attack On The Tor Network
For a few hours today all v3 onion addresses on the Tor network were down. This appears to be a new kind of attack which affects the entire network and involves overloading the consensus authority nodes.
You will currently not be able to access any v3 onion addresses, what is happening is unknown, but it is potentially a huge attack on the entire network. Earlier today I made a post outlining consequences I would be putting into place to deter markets from funding DDoS attacks against each other, as the potential to scale and completely kill every node on the network is a very real potential outcome. Now everything is down and I have no idea if this has sped up the process of this occurring or if it is even an attack at all, all I know is, this is big.Reddit post by u/hugbunt3r
This attack began after Dread forum owner, HugBunter made a post stating the consequences for market owners who continue to attack rival markets.
—–BEGIN PGP SIGNED MESSAGE—– Hash: SHA512
The recent/current attacks on multiple markets have been troubling after we’ve all had a good break for some time and things started to heal and become stronger.
We’ve now had large scale attacks hitting the likes of WHM, DarkMarket and apparently some other services, although I cannot really confirm any others.
I’d like to outline the main issues with this here. Firstly, /u/Paris and /u/mr_white ‘s work on /d/EndGame has been amazing and has allowed us to all have some really good filtering processes to limit malicious traffic from hitting the application layer and dropping their connections for v3’s where possible. Along with our collective knowledge of the attacks since February 2019, we have some very solid configurations that allow us to scale enough to stay ahead of the attacks and continue scaling alongside it. This is the absolute best protection we as service operators can currently provide and it works, but at many costs.
We’re not really any closer to seeing a Tor PoW implementation that will seriously improve the situation, but the position we’re in with our own developments is a hell of a lot better than when this all started. There are things I haven’t disclosed publicly because of the potential for abuse, but a lot more worrying things have come from these attacks, costs that aren’t of the monetary kind. The seriousness of the attacks’ will probably become clear at some point. Consequences for Markets
Consequences for Markets
I am aware of at least 2 markets that have paid for attacks against other markets within the last few weeks. I also know of one wishing to pay for retaliation attacks.
This behavior from market admins is absolutely unacceptable and it will not be tolerated. You have [b]no idea[/b] of the ramifications this has, it is way beyond just taking your competitor offline, inadvertadly, but you are causing a problem that is a great deal worse without even knowing it, if market admins wish me to disclose these other issues to them, they can contact me directly and you will soon rethink your poor business strategy.
– From here, there will be extreme consequences for any Market admin found to be funding attacks against any other service, market or not. You know who you are and I won’t publicly out you here for it, for the time being.
- Any Ads/other promotional material will be indefinitely disabled
- You may have your Subdread banned
- You will be delisted from Recon
- You will be delisted from DDF
- Most importantly, your own service will be attacked.
This is where it ends, I’m not sitting through another storm of attacks.
—–BEGIN PGP SIGNATURE—– iQIzBAEBCgAdFiEEYTOs4fS4fFHb8/6l6GEFEPmm6SIFAl/5pNwACgkQ6GEFEPmm 6SIJWA/+M0KfiK5D4T9D3ELwqtAHRBjU8cPqP1yxMYmoZrnZPKO81SuP+fH59xMj XtQn01rIPmRwuLntitf4zGo05LvPWBu8eDErLw4va9yqZtcBVKpP7Jaj+pr8vuRx XgqBA+bdcYpESHs1dzl10HVmeDe2dT7QuuJk63sohw9xf+31wgp9TI2wr8VM48Sv enbO9UUf+dHOajHqmbvNbUOIcf6EPcIUgCA/iedm5WhUfKDOt1AHK4xLYJA7Mmbz 7Y+vCBbPitx0kGMth/xWUsvKWhHeTsv/eSAlsbxmMaVQ4S7zJqJKvHAjxpxT1ZDG lNZqGAH5E4geylibg/mfntJmo4bIg62jQTCT3/kd9Q4ZNWp84Y6FXq55kTTIzrZt ii5Q5wdSIAtUG+mk7gKsPSO2vgvh7TIh8Y6LYg89xvCV1kS9SHC6d2bTiRDqJH7F qo/+qf3ml4jgYqSv4rJIZ7NqmJVGRqQpMMwHxp8zUZyW0ArmE78nTf9I3rRRvaJN OiPnCXDi1i/gK3TrwHOrek4VXhqT+VRBAbUWUPCu1i0IHsfJv3UKgDYLRP2S8x6q A9ed97mTwqNnIKxrXOozvvfE5CJj/N+6Mfu5Q9+3mFNI9FRQtTmoWSpzxrZZdozx nbexW83LKN/b6/zu+KRE/uaabDLg8kvdE/iRiYYAR6gzHlDlHPk= =wZW1 —–END PGP SIGNATURE—–
u/HugBunter on Dread
An explanation of the attack from Paris, the co-admin of Dread.
The Tor network is not fully decentralized. When you first connect to the Tor network there is hard coded IPs that your Tor process uses to bootstrap your connection into the Tor network. These IPs allow your Tor process to load up the network’s consensus. This consensus tells the Tor process things like what relays are within the network, which are good relays, bad relays, which are guards, exit nodes, how much traffic a relay can handle, that kind of idea. Your Tor process gets all that information and validates it by signatures of these hard coded IPs. These hard coded IPs are called authority nodes. There is currently 10 of them on the Tor network. And they are why the Tor network cleared out V3 onions for a period of time.u/Paris on Dread
The authority nodes “vote” on a majority consensus they all share with the Tor network. Generally a new vote happens every hour and the voting process takes 5 minutes. If there is no consensus for three times in a row (as in for three hours) the health the network goes massively down. You can check consensus health at this URL https://consensus-health.torproject.org/. The vote decides a lot of things in the network and when the consensus can’t be succeeded, there is a lot of issues that can occur. Things like V3 Directory variables not being included within a valid consensus so all V3 onions become unreachable.
The attack basically overloads the authority nodes by sucking up all their bandwidth so the authority nodes can’t communicate between themselves to vote and make a consensus. This fundamentally breaks the network if it goes on too long. This isn’t so new. Like a lot of the Tor attack issues which get exploited in this way there is a closed issue on it.
We’ve contacted The Tor Project for a comment.
Subscribe to Dark Net Daily for updates on this situation.