Bugs in Tor exploited to run DoS against black markets

A severe vulnerability in Tor network was exploited by attackers to run denial of service attacks against two underground black markets.

An operator of an underground black market hosted on the Tor network revealed that hit site suffered a DoS attack that exploited a flaw in Tor architecture.

The event is not isolated, a similar case was reported in December 2014 by another operator on the Tor mailing list, and also in that case the website suffered a DoS attack. Both operators revealed that their websites were flooded with a significant number of simultaneous connections that paralyzed the hidden service.

The black market is Middle Earth and its operator using the Reddit name MEMGandalf confirmed the attacks on the server.

“Middle Earth and Agora are the focus of the most serious attack TOR has ever seen.” He explained and confirmed that Middle Earth’s operator had reported the flaw to Tor. (The bug report was opened under the name “alberto.”) .

The problem, which is similar to the one reported by another hidden site operator in December on the Tor mailing list, allows attackers to conduct a denial of service attack against hidden sites by creating a large number of simultaneous connections, or “circuits,” via Tor, overwhelming the hidden service’s ability to respond.

The experts analyzing the issue have discovered that it could be caused by a flaw in the negotiation process between a client and the hidden server. It seems that it is possible for an attacker to abuse the “introduce” message, implemented in the Tor Hidden Services protocol and used to negotiate the connection between the client and server. Every time a client sends an “introduce” message to a hidden service it creates a circuit and allocate server resources to manage the request. By sending multiple “introduce” requests to the same hidden service, an attacker could cause a DoS attack.

“Currently, it seems like clients are able to send multiple INTRODUCE1 cells to the IP. The result is that many INTRODUCE2 cells reach the HS, which means that the HS will try to establish multiple rendezvous circuits. This gives a better position to attackers who want to flood a HS with rendezvous circuits (like #15463), since with a single circuit they can cause hundreds of rendezvous.” reports the Tor Project.

The worrying aspect of the Tor flaw is that it is not possible to fix it in the short-term due to its heavy impact on the Tor’s Hidden Services Protocol implementation.

A long term propose includes the use of dedicated bridges (part of Tor’s Proposal 188) to connect larger hidden sites to the Tor network.

Pierluigi Paganini

(Security Affairs – Tor, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.