In part one of this two-part series, I described what we know about the September 14 attack against the drug sites on the Tor network. To review:

  1. The attack simultaneously took down 11 drug sites on the dark web, yet traffic patterns were unaffected.
  2. The site administrators indicated a problem on a public forum.
  3. There was no discernible traffic anomaly.

What follows is what I have deduced from the attack along with a few quizzical thoughts about possible perpetrators.

Having examined the attack method, I am certain that this was an application-level attack; in this case the application under attack is the web server itself. In other words, the attacker flooded the markets’ web servers with requests, each of which cost the server work to process. Given enough of these requests, the web server stops responding to legitimate requests, and users experience a denial of service. A few reasons lead me to this conclusion.

  1. It is unlikely that the attacker somehow found the real IPs of all of the targets. That would mean they had found an extremely valuable vulnerability in Tor, and anyone holding one would have far better things to do than just DDoS drug markets.
  2. There is no sign of a network-level attack. Had this been a network-level attack, the bandwidth anomalies would have reflected it; an application-level attack uses very little bandwidth by comparison.
  3. An application-layer attack is uniquely effective against Tor hidden service sites.

Typically, when a site is experiencing a layer 7 DDoS attack, the response is something like this:

  • Find the IPs that are sending the malicious traffic (roughly).
  • Block the malicious IPs at the network level (preferably as far upstream as possible).
  • Refine
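To make the two points above concrete, the low-bandwidth, high-request-rate signature of a layer 7 flood and why the usual "find and block the IPs" response fails for a hidden service, here is an added example that is not from the original post. It scores a constructed common-format access log the way a defender would; the function names, thresholds and log lines are my own assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access log (common log format), not taken from the post.
# On a hidden service every request arrives via the local Tor daemon, so the
# client address is always 127.0.0.1 and carries no information for blocking.
SAMPLE_LOG = """\
127.0.0.1 - - [14/Sep/2000:10:00:00 +0000] "GET /login HTTP/1.1" 200 512
127.0.0.1 - - [14/Sep/2000:10:00:00 +0000] "GET /login HTTP/1.1" 200 512
127.0.0.1 - - [14/Sep/2000:10:00:00 +0000] "POST /search HTTP/1.1" 200 128
127.0.0.1 - - [14/Sep/2000:10:00:01 +0000] "GET /login HTTP/1.1" 200 512
127.0.0.1 - - [14/Sep/2000:10:00:01 +0000] "POST /search HTTP/1.1" 503 64
127.0.0.1 - - [14/Sep/2000:10:00:01 +0000] "POST /search HTTP/1.1" 503 64
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

def parse_log(text):
    """Parse common-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        records.append(rec)
    return records

def summarize(records):
    """Request rate, byte rate, client-IP diversity and hottest paths over the log's span."""
    span = (max(r["ts"] for r in records) - min(r["ts"] for r in records)).total_seconds() or 1.0
    return {
        "rps": len(records) / span,
        "bps": sum(r["bytes"] for r in records) / span,
        "distinct_ips": len({r["ip"] for r in records}),
        "top_paths": Counter(r["path"] for r in records).most_common(2),
    }

def classify(summary, rps_limit, bps_limit):
    """Many requests but little bandwidth is the layer 7 signature; lots of bytes is volumetric."""
    if summary["rps"] > rps_limit and summary["bps"] < bps_limit:
        return "application-layer flood"
    if summary["bps"] >= bps_limit:
        return "volumetric flood"
    return "normal"

def ip_blocking_possible(summary):
    """Source-IP blocking needs distinct client addresses; a hidden service only ever sees 127.0.0.1."""
    return summary["distinct_ips"] > 1
```

With real logs the thresholds would come from a baseline of the site's normal request and byte rates rather than fixed numbers.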