Best way to block this kind of attack on hidden service

Edit - In case the attacker is actually reading whonix forums.

edited

General Tor question, which makes it possible to ask on the tor-talk mailing list, where more people might have ideas on how to solve DDoS issues.

Perhaps onionbalance?

https://onionbalance.readthedocs.io

Now also, due to your question, the attacker, if he is reading here, might also be able to link your hidden service to this forum, as I can imagine there are not that many types of DDoS attacks ongoing.

I will look into onionbalance and join the Tor mailing list. Ty Patrick, good call on the logs, so I edited them out just in case he/she does read here.

Just to make sure, Patrick: I would install this on the Workstation, correct? I know we don’t install anything on the Gateway normally, but I want to make sure about this because it’s important.

Thanks

Ideally we could make onionshare run in Whonix-Workstation, but that looks hard before Whonix 14, because it apparently uses Tor’s control port to create the HSes. It’s not yet documented and will take a long time until I get to that.

Also I doubt there are that many Tor HS as well as that many Tor HS under ddos as well as Tor HS owners asking for advice.

This is a layer 7 HTTP flood DDoS, so Tor can’t help because it is limited to layer 3. To defend against them, try deploying a reverse proxy like nginx and deploy rate limiting rules.

Let us know if it works.


I will do this today and see if it helps out some.

Thanks

I have done what the guide suggested.

In the main.conf http section:

http {
    # shared-memory zones (10 MB each) keyed on the client address
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;

and inside my sites vhost:

    server {
        # at most 10 concurrent connections per client address
        limit_conn conn_limit_per_ip 10;
        # 5 requests/second per client address, up to 10 extra served at once
        limit_req zone=req_limit_per_ip burst=10 nodelay;
    }
}

As you know this is for a hidden service. Do you think I should increase those times? It’s not a really busy hidden service.

Yes, but don’t overdo it.
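One caveat a practitioner would want on the nginx rate-limiting advice above and on the config posted in this thread: an onion service never sees the visitor's address. Every request arrives from the local tor daemon (or, in a Whonix split setup, from the Gateway's internal address), so `$binary_remote_addr` has a single value for all visitors and a "per IP" limit of 5 r/s is really a limit for the whole site, which a flood can exhaust for everyone. The following is an added example, not the poster's config and not Whonix documentation. It assumes a v3 onion service on a Tor version that supports `HiddenServiceExportCircuitID haproxy` (Tor then prepends a PROXY protocol v1 header whose first IPv6 address carries the client's global circuit ID in its last 32 bits), nginx built with the stream/real_ip modules, and made-up port numbers, paths and zone names. In a Whonix setup the torrc lines belong on the Gateway with `HiddenServicePort` pointing at the Workstation address rather than 127.0.0.1. The weak zone from the thread is kept beside the corrected per-circuit zones for comparison:

```nginx
# torrc (Tor side) -- assumed paths and ports:
#   HiddenServiceDir /var/lib/tor/my_service/
#   HiddenServicePort 80 127.0.0.1:8080
#   HiddenServiceExportCircuitID haproxy
#
# Tor then sends a header like
#   PROXY TCP6 fc00:dead:beef:4dad::ffff:ffff ::1 65535 42
# before the HTTP request; the first address changes per client circuit.

http {
    # WEAK (what the thread's config does): behind Tor every request comes
    # from the local tor daemon, so this key is the same for all visitors.
    # 5 r/s is then shared by the whole site, not granted per visitor.
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;

    # CORRECTED: key on the synthetic address from the PROXY header, which
    # is distinct per Tor circuit. A normal visitor reuses one circuit for a
    # while, so a flood on one circuit no longer blocks the others.
    limit_conn_zone $proxy_protocol_addr zone=conn_per_circuit:10m;
    limit_req_zone  $proxy_protocol_addr zone=req_per_circuit:10m rate=5r/s;

    # Limits are per circuit, not per person, so keep a coarse site-wide
    # ceiling as a backstop ($server_name is one key for the whole vhost).
    limit_req_zone  $server_name zone=req_global:1m rate=50r/s;

    # Return 429 instead of the default 503 so rejected floods stand out.
    limit_req_status  429;
    limit_conn_status 429;

    # Log the circuit key so a flood can be traced back to a circuit ID.
    log_format circuit '$proxy_protocol_addr "$request" $status';

    server {
        # proxy_protocol makes nginx parse the header Tor sends. Bind this
        # listener only where tor can reach it: any peer allowed to connect
        # here could otherwise claim an arbitrary source address.
        listen 127.0.0.1:8080 proxy_protocol;
        set_real_ip_from 127.0.0.1;
        real_ip_header   proxy_protocol;

        access_log /var/log/nginx/onion.log circuit;   # assumed path

        limit_conn conn_per_circuit 10;
        limit_req  zone=req_per_circuit burst=10 nodelay;
        limit_req  zone=req_global     burst=100;

        root /var/www/onion;                           # assumed path
    }
}
```

The last 32 bits of the logged address are the global circuit identifier (for `fc00:dead:beef:4dad::AABB:CCDD` it is `(0xAA << 24) + (0xBB << 16) + (0xCC << 8) + 0xDD`), which can be matched against Tor's control port when investigating which circuits carry the flood. Because an attacker can still spread requests over many circuits, the global zone and Tor's own onion-service DoS options (`HiddenServiceEnableIntroDoSDefense` on newer releases) remain the complementary layer; the nginx limits only stop one circuit from consuming the whole request budget.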