Pierluigi Paganini April 04, 2015

A severe vulnerability  in Tor network was exploited by attackers to run denial of service attacks against two underground black markets.

An operator of an underground black market hosted on the Tor network revealed that hit site suffered a DoS attack that exploited a flaw in Tor architecture.

The event is not isolated, a similar case was reported in December 2014 by another operator on the Tor mailing list, and also in that case the website suffered a DoS attack. Both operators revealed that their websites were flooded with a significant number of simultaneous connections that paralyzed the hidden service.

The black market is Middle Earth and its operator using the Reddit name MEMGandalf confirmed the attacks on the server.

“Middle Earth and Agora are the focus of the most serious attack TOR has ever seen.” He explained and confirmed that Middle Earth’s operator had reported the flaw to Tor. (The bug report was opened under the name “alberto.”) .

The problem, which is similar to the one reported by another hidden site operator in December on the Tor mailing list, allows attackers to conduct a denial of service attack against hidden sites by creating a large number of simultaneous connections, or “circuits,” via Tor, overwhelming the hidden service’s ability to respond.

The experts analyzing the issue have discovered that it could be caused by a flaw in the negotiation process between a client and the hidden server. It seems that it is possible for an attacker to abuse the “introduce” message, implemented in the Tor Hidden Services protocol and used to negotiate the connection between the client and server. Every time a client sends an “introduce” message to a hidden service it creates a circuit and allocate server resources to manage the request. By sending multiple “introduce” requests to the same hidden service, an attacker could cause a DoS attack.

“Currently, it seems like clients are able to send multiple INTRODUCE1 cells to the IP. The result is that many INTRODUCE2 cells reach the HS, which means that the HS will try to establish multiple rendezvous circuits. This gives a better position to attackers who want to flood a HS with rendezvous circuits (like #15463), since with a single circuit they can cause hundreds of rendezvous.” reports the Tor Project.

The worrying aspect of the Tor flaw is that it is not possible to fix it in the short-term due to its heavy impact on the Tor’s Hidden Services Protocol implementation.

A long term propose includes the use of dedicated bridges (part of Tor’s Proposal 188) to connect larger hidden sites to the Tor network.

Pierluigi Paganini

(Security Affairs –  Tor, hacking)