Hacker News
by buildbuildbuild 2436 days ago
Tor admins and cyber researchers rely heavily on this site to disseminate links in the wake of DeepDotWeb’s takedown. DDoS attackers seem to love it too as some sites change their .onion URLs ~hourly. Interesting how all sides of a battle can find a simple verified link so useful.
2 comments

Does anyone know if there's any progress on finding a solution to the DDoS attacks that can run on Tor?
The v3 onion protocol [0] is supposed to provide better DDoS resistance than v2 [1] - haven't read up on the specifics though.

[0] https://www.jamieweb.net/blog/onionv3-hidden-service/

[1] https://darknetlive.com/post/cryptonia-market-countering-ddo...

They're making progress on it: https://github.com/torproject/tor/pull/1262
> some sites change their .onion URLs ~hourly.

Not sure why you would do this?

Do you have an example?

Addresses are changed when the DDoS takes one down. This means the attacker's (usually automated) resources are wasted on a domain no one will ever visit again, while users will just visit dark.fail and get a new link 15 seconds after the site goes down.

At the beginning of the DNM large-scale DDoS attacks (Empire in particular), there was panic, confusion, and a whole lot of phishing. As another commenter noted, Empire users have now been trained (or learned the hard way) to visit dark.fail, copy/paste a mirror .onion address they've never seen before, verify it as legitimate through the various captchas/pgp/safeguards on the Empire login page, and then enter their username/password.

Sure, it's frustrating and complex the first time - a heck of a departure from cookies and 'sign in with google' buttons. But after five or ten times, it's just the way you log in to the website, and it takes an extra 60 seconds tops.

Not saying this is the only/best solution to a dedicated onion DDoS - just sharing that it's been working for Empire.
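The workflow above has users paste a never-before-seen .onion address from a link list. Before trusting a pasted link at all, a client can at least check that it is a structurally valid v3 address, since the v3 format (mentioned earlier in the thread) carries a SHA3-256 checksum and a version byte inside the base32 label. The following is an added example written for this thread, not code from dark.fail, Empire or the Tor Project: the layout it checks is the one in Tor's rend-spec-v3 (address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion", CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]), the 32-byte key used to build the sample address is a constructed placeholder rather than a real service key, and the function names are the author's own. Passing this check says only that the string was not mangled in transit or typed by hand; it says nothing about whether the mirror is legitimate, which is what the PGP-signed mirror list and login-page safeguards are for.

```python
import base64
import hashlib

# Constants from the v3 onion address layout (rend-spec-v3).
ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" | PUBKEY | VERSION)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build a v3 .onion hostname from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION  # 35 bytes
    # 35 bytes is a multiple of 5, so base32 needs no '=' padding: 56 chars.
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def extract_host(url: str) -> str:
    """Pull the hostname out of a pasted link ("http://x.onion/login", "x.onion:80")."""
    s = url.strip()
    if "://" in s:
        s = s.split("://", 1)[1]
    s = s.split("/", 1)[0]      # drop any path
    s = s.split(":", 1)[0]      # drop any port
    return s.lower()


def validate_onion_v3(url: str) -> tuple:
    """Return (ok, reason). ok is True only for a well-formed v3 address with a valid checksum."""
    host = extract_host(url)
    if not host.endswith(".onion"):
        return (False, "not a .onion hostname")
    label = host[: -len(".onion")]
    if len(label) != 56:
        # v2 addresses were 16 characters; anything else is junk or truncated.
        return (False, "not a 56-character v3 label")
    if not set(label) <= BASE32_ALPHABET:
        return (False, "label contains non-base32 characters")
    raw = base64.b32decode(label, casefold=True)
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != ONION_V3_VERSION:
        return (False, "unsupported version byte")
    if checksum != onion_v3_checksum(pubkey):
        return (False, "checksum mismatch")
    return (True, "ok")


# Constructed sample key for the demo: NOT a real service key.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_ADDRESS = encode_onion_v3(SAMPLE_PUBKEY)


def corrupt_checksum_char(address: str) -> str:
    """Flip one base32 character that lies entirely inside the checksum bytes (index 52)."""
    label = address[:56]
    bad = "b" if label[52] == "a" else "a"
    return label[:52] + bad + label[53:] + ".onion"


if __name__ == "__main__":
    print(SAMPLE_ADDRESS)
    print(validate_onion_v3("http://" + SAMPLE_ADDRESS + "/login"))
    print(validate_onion_v3(corrupt_checksum_char(SAMPLE_ADDRESS)))
    print(validate_onion_v3("abcdefghijklmnop.onion"))  # constructed v2-length label
```

Character index 52 of the label is chosen for the corruption test because base32 characters 52 and 53 encode bits that fall wholly within the two checksum bytes, so changing either one is guaranteed to produce a mismatch; a change in the key part would also be caught, but only with overwhelming rather than certain probability.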

Is there a reason automated DDoS bots cannot visit dark.fail as well, to automatically attack all the mirrors too?

Seems like an obvious next step.

If DDoS traffic is aimed at domain1.onion, changing your site to domain2.onion would avoid that, wouldn't it?
Yeah, and nobody would know about the new URL, effectively having the same result as a successful DDoS. On the other hand, notifying your users of the URL change will also notify the attackers.

I've seen the response to DDoS mostly be multiple public URLs, but it seems the results varied greatly, and since these operations are typically very secretive, they won't publish a lot of information (is the DDoS still active but they are mitigating it? has the DDoS stopped because they mitigated it? have they paid the attackers? etc).