Best way to block this kind of attack on hidden service

Edit - In case the attacker is actually reading whonix forums.


General Tor question. Which makes it possible to ask on the tor-talk mailing list where more people might have ideas on how to solve ddos issues.

Perhaps onionbalance?

Now also, due to your question, the attacker, if he is reading here, might also be able to link your hidden service to this forum, as I can imagine there are not that many types of ddos attacks ongoing.

I will look into onionbalance and join the tor mailing list. Ty Patrick, good call on the logs; I edited them out just in case he/she does read here.

Just to make sure Patrick I would install this on the Workstation correct? I know we don’t install anything on the Gateway normally but I want to make sure about this because it’s important.


Ideally we could make onionshare run in Whonix-Workstation, but that looks hard before Whonix 14, because it apparently uses Tor’s control port to create the HSes. It’s not yet documented and will take a long time until I get to that.

Also I doubt there are that many Tor HS as well as that many Tor HS under ddos as well as Tor HS owners asking for advice.

This is a layer 7 http flood ddos so Tor can’t help because it is limited to layer 3. To defend against them try deploying a reverse proxy like nginx and deploy rate limiting rules.

Let us know if it works.

I will do this today and see if it helps out some.


I have done what the guide suggested.

in the main.conf http section:

http {
    # shared-memory zones (10 MB each) keyed on the client address
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;
    # ... rest of the http block unchanged ...
}

and inside my site's vhost:

server {
    # at most 10 open connections per key, 5 r/s with a burst of 10
    limit_conn conn_limit_per_ip 10;
    limit_req zone=req_limit_per_ip burst=10 nodelay;
    # ... rest of the server block unchanged ...
}

As you know this is for a hidden service. Do you think I should increase those times? It's not a really busy hidden service.

Yes but don’t overdo it.
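A fuller version of the rate-limiting config discussed in this thread, added here as an example and not taken from any post above. One caveat the thread does not mention: behind Tor every request reaches nginx from the same source address (the local tor daemon, or the Whonix-Gateway in a Whonix setup), so a zone keyed on $binary_remote_addr limits all visitors together rather than per client; the example keys the zones on $server_name to make that global limit explicit. Listen port, paths, server name and rates are assumptions to be tuned for the real service.

```nginx
# Added example, not the thread author's config. Behind Tor all connections
# come from one address, so per-IP keys act as a global limit anyway; a
# constant key ($server_name) states that intent plainly.
http {
    # one bucket for the whole onion service: 10 r/s sustained (assumed rate)
    limit_req_zone $server_name zone=onion_req:1m rate=10r/s;
    # cap simultaneous connections forwarded by tor
    limit_conn_zone $server_name zone=onion_conn:1m;

    # reject excess requests with 429 instead of queueing them, and log at warn
    limit_req_status 429;
    limit_conn_status 429;
    limit_req_log_level warn;

    # drop slow or idle clients quickly so they do not tie up workers
    client_header_timeout 10s;
    client_body_timeout 10s;
    keepalive_timeout 5s;
    send_timeout 10s;

    server {
        # tor's HiddenServicePort forwards here; bind on loopback only (assumed port)
        listen 127.0.0.1:8080;
        server_name onion-service.placeholder;   # placeholder name

        location / {
            # allow short bursts of 20 without delay, then return 429
            limit_req zone=onion_req burst=20 nodelay;
            limit_conn onion_conn 50;
            root /var/www/onion;   # assumed document root
        }
    }
}
```

Check the limits against the access log before tightening them: a 429 count that climbs under normal visitor load means the rate or burst is too low for legitimate traffic.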