[hackerfactor1]

I don't know this attacker's reason. I only see the attack.

But I can offer some baseless suspicions:

I'm forwarding traffic from Tor to the Internet Archive. During the last French election, someone DoS'ed most of their media outlets. As a result, lots of French people used Tor to access the current news from the Internet Archive's collection. Shortly after that, someone tried to DDoS my onion service.

With all of the voting and elections and the impeachment vote coming up, I'm expecting attacks since the Internet Archive stores lots of information that the current administration tried to remove from the Internet.

Then again, it could be a "researcher", or just someone seeing if it can be done. Perhaps they will decide what they want to do after their attack succeeds.

[incompatible]

Perhaps countries that have already blocked the Internet Archive? But Tor users can already access it through Tor without a hidden service.

If the IA itself was DoSed then wouldn't your relay stop working?

[gruez]

random guess: the servers are reached via anycast. if you DDoS from the US, you'll take down access from the US, but not from other regions.

[oofabz]

It's not much of a DDoS if it's from a single country.

[az656]

That’s pretty invalid — I often see large attacks that are almost entirely made up of bots from one country.

[lima]

I've even seen 100+ Gbps from a single ASN in a single country.

[az656]

Isn’t the point of anycast to absorb the brunt of the attack? If your traffic is localized, maybe dropping the announcement for that PoP would be useful.

[aasasd]

Now we have a mystery of why Frenchmen had to use Tor to read the Internet Archive.