Tor Adopts a Proof-of-Work Defense to Protect Against DDoS Attacks – Source: securityboulevard.com

Source: securityboulevard.com – Author: Jeffrey Burt

Tor, the routing service that stresses anonymity and for almost a year was under a distributed denial-of-service (DDoS) attack, is introducing a new line of defense with the latest release of its software.

Included in Tor 0.4.8, released this month, is a proof-of-work (PoW) defense that is used to allow verified network traffic to flow relatively untouched.

“But when an onion service is under stress, the mechanism will prompt incoming client connections to perform a number of successively more complex operations,” Pavel Zoneff, director of strategic communications for The Tor Project, wrote in a blog post. “The onion service will then prioritize these connections based on the effort level demonstrated by the client.”

The goal is to make large-scale DDoS attacks expensive and impractical to run while continuing to give priority to legitimate traffic, with some verified users seeing slight delays of a second or less, according to Zoneff.

DDoS attacks work by overwhelming a system or network with messages or requests from myriad sources, essentially shutting it down by keeping legitimate traffic from getting through. At times, the attackers will demand money from the targeted company to turn off the attack.

Tor Project officials had said the massive DDoS attack, which lasted from June 2022 to late spring, at times made it impossible for users to load pages or access onion services.

DDoS Attacks on the Rise

The organization’s move to a PoW defense comes at a time when DDoS attacks are on the rise. In a report last week, network services and security firm Zayo Group said that in the first half of this year, there was a 200% increase in DDoS attacks over all of 2022 and a 314% jump when compared to the first half of last year.

In some industries, the numbers grew by as much as 1,300%. Telecoms, education, retail, and media sectors were among the hardest hit, and cloud and software-as-a-service (SaaS) companies also were targets. On average, DDoS attacks cost companies about $200,000.

Zayo pointed to such factors as the increasing digitization of business, the expanding adoption of work-from-home models, global political unrest, and attackers’ growing use of AI and automation as drivers of the increase.

Anonymity Makes Tor an Attractive DDoS Target

Tor, which has been around since 2003, and its Onion Services are designed to ensure the privacy and anonymity of its users by obfuscating IP addresses and directing traffic through a global network comprising thousands of relays. It’s a legitimate service, though because of its focus on anonymity, it can be used for nefarious purposes and has been the target of government criticism.

Because of this design, the Tor network has been vulnerable to DoS attacks, Zoneff wrote, adding that “traditional IP-based rate limits have been imperfect protections in these scenarios. In need of alternative solutions, we devised a proof-of-work mechanism involving a client puzzle to thwart DoS attacks without compromising user privacy.”

The term “proof of work” can be confusing because it suggests that the work to verify legitimacy needs to be done by the user. However, according to The Tor Project, the PoW defense for Onion Services is a cryptographic tool in which one computing system can prove to another that it has performed a level of computational effort.

“It’s a way to prioritize verified effort (but not a way to verify users), which means attackers would have trouble launching many requests to an Onion Service, but users will possibly have resources to do their legitimate requests,” the group said in a support note. “In other words, Onion Services may be configured to offer a Client Puzzle if they’re under heavy load, and to prioritize incoming client connections containing solutions to the puzzle.”

Through the Client Puzzle Protocol, if a server or network node is under attack, all clients connecting to a service have to correctly solve a mathematical puzzle before being connected. The puzzles are simple but require a minimal amount of computation by the client.

It’s Not Another CAPTCHA

Some of the blog’s readers assumed it was similar to CAPTCHA defenses, though one reader said of PoW, “It’s not a captcha, just compute work that the browser will do in the background that’s invisible to the user.”

PoW was developed in the early 1990s to protect against DDoS attacks and spam on a network, and in 2009 Bitcoin adopted a version of it for creating secure consensus in a permissionless decentralized network. Other cryptocurrencies later adopted PoW defense for the same reason.

“If attackers attempt to flood an onion service with requests, the PoW defense will kick into action and increase the computational effort required to access a .onion site,” Tor’s Zoneff wrote. “This ticketing system aims to disadvantage attackers who make a huge number of connection attempts to an onion service. Sustaining these kinds of attacks will require a lot of computational effort on their part with diminishing returns, as the effort increases.”

For legitimate users who usually submit only a few requests at a time, the added computational effort to solve the puzzle will lead to a small delay in connection that can range from 5 to 30 milliseconds, though that can go up to as much as a second, if the attack traffic grows and the effort for the work increases, he wrote.
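The mechanism described above (a puzzle offered under load, with connections prioritized by demonstrated effort), as an added example that is not code from the article or from The Tor Project. It uses a SHA-256 hash puzzle as a stand-in rather than Tor's actual puzzle function, and the names `OnionServiceQueue`, `solve`, `verify` and `score` are hypothetical.

```python
import hashlib
import heapq
import struct

LIMIT = 2 ** 64  # scores are 64-bit, so a solution at effort E appears about once per E hashes

def score(seed: bytes, nonce: int, effort: int) -> int:
    # The claimed effort is hashed in, so a cheap solution cannot be relabelled as an expensive one.
    digest = hashlib.sha256(seed + struct.pack(">QQ", nonce, effort)).digest()
    return int.from_bytes(digest[:8], "big")

def verify(seed: bytes, nonce: int, effort: int) -> bool:
    """Service side: one hash to check, however much work the client did."""
    return 1 <= effort < LIMIT and score(seed, nonce, effort) * effort < LIMIT

def solve(seed: bytes, effort: int) -> int:
    """Client side: brute-force a nonce; expected cost grows linearly with effort."""
    nonce = 0
    while not verify(seed, nonce, effort):
        nonce += 1
    return nonce

class OnionServiceQueue:
    """Hypothetical request queue: highest demonstrated effort is served first."""
    def __init__(self, seed: bytes):
        self.seed, self.heap, self.used, self.count = seed, [], set(), 0

    def submit(self, client: str, nonce: int, effort: int) -> bool:
        # Reject invalid or replayed solutions (the replay check is this example's assumption).
        if (nonce, effort) in self.used or not verify(self.seed, nonce, effort):
            return False
        self.used.add((nonce, effort))
        heapq.heappush(self.heap, (-effort, self.count, client))
        self.count += 1
        return True

    def serve(self, capacity: int) -> list:
        n = min(capacity, len(self.heap))
        return [heapq.heappop(self.heap)[2] for _ in range(n)]

def demo() -> list:
    seed = bytes(16)  # constructed, fixed puzzle seed so the run is repeatable
    svc = OnionServiceQueue(seed)
    for i in range(5):  # flood: effort 1 means any nonce passes, so it costs nothing
        svc.submit(f"flood-{i}", i, 1)
    svc.submit("user", solve(seed, 2000), 2000)  # roughly 2000 hashes of work
    return svc.serve(2)  # the service only has capacity for two requests
```

Although the user's request arrives after the flood, it is served first; to displace it, each flood request would need to carry a solution of at least equal effort, which is the cost asymmetry the article describes.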

“The introduction of Tor’s PoW defense not only positions onion services among the few communication protocols with built-in DoS protections but also, when adopted by major sites, promises to reduce the negative impact of targeted attacks on network speeds,” Zoneff wrote. “The dynamic nature of this system helps balance the load during sudden surges in traffic ensuring more consistent and reliable access to onion services.”

Original Post URL: https://securityboulevard.com/2023/08/tor-adopts-a-proof-of-work-defense-to-protect-against-ddos-attacks/

Category & Tags: Cybersecurity,Endpoint,Featured,Identity & Access,Network Security,News,Security Boulevard (Original),Spotlight,DDoS attack,Spam,tor