hello, im hosting a hidden service on whonix. someone is ddosing it and i can see very high spikes of download/upload on ARM on the whonix-gateway.
In the whonix-workstation I installed mod security, quos and hardened apache as much as i could, but it doesnt stop. Im pretty sure i should do something on the whonix-gateway to protect my hidden serivice from ddos attacks. what can i do? without whonix fail2ban would work but here i dont know how. Please help.
changing something about the GW won’t help you with DOS/DDOS attacks, as they’d still reach you. Preventing such attacks on a hidden service works just the same as on a “normal website”, simply send anyone trying to reach you to a simple, light site which can’t create much overhead, were they have to somehow verify that they are real (e.g. via captcha).
Hello, yes i redirect everyone to a captcha before they can enter the website.
I know that preventing this stuff works the same as for clearnet, what i meant is that with whonix specifically i dont know if i should do anything on the gateway as well, since on the workstation and apache im doing everything possible to protect from ddos attacks. This is making the website offline for every legit user anyway.
the only thing I can recommend then, would be switching from Apache to lighttpd, as it has the least overhead of any server and thus should be more stable. That’s the reason we actually recommend it in our guide to hidden service hosting, see: Onion Services - Whonix
There is nothing really specific about Whonix which could really help you to solve this problem. Maybe increasing the RAM assigned, or, if you use VBox, looking at the more efficient alternatives (especially Qubes) could help reduce overload even more.
I tried with both lighttpd and others, still overloads from too much traffic.
I will try to transfer it into a server with a higher bandwidth tomorrow.
Setting more resources to vbox doesnt do anything. I even tried 4 cpu cores for each virtual machine and 8 gb of ram. With more easy settings like 2 cpu cores / 2gb of ram for the workstation and 1 cpu core / 1gb ram for the gateway they use < 30% of resources, so those are not the bottleneck, but the bandwidth it is since they keep filling it and it overloads.
But more generally what can be done to protect a tor hidden service from ddos and similar attacks?
With a .com clear website you can find help in services like cloudflare and use fail2ban with the apache / nginx filters, in addition to all the various apache mods and configurations. With a tor hidden service you dont have cloudflare.
Also with whonix every ip address in the apache access logs on the whonix-workstation is 10.152.152.10 (aka the whonix-gateway).
In the whonix-gateway tor logs there are entries like “open sock listener on”, “you configured a non-loopback adress”, “opening socks listener” and either 127.0.0.1 or 10.152.152.10.
A fail2ban filter to ban the ip when it makes too many requests would be useful on the whonix-gateway and also on the workstation? i cant find a filter for that. it should ban either 127.0.0.1 or 10.152.152.10 on both virtual machines. On the workstation fail2ban can inspect apache logs but i dont know how to implement the same thing with tor logs on the gateway.
Also i think something should be done in the gateway as well, because i can ban everyone in the workstation fail2ban settings but the gateway its still naked, it receives all the spammy requests and sends them to apache on the worstation. I need to block it at the source
I havent slept so sorry for spaghetti explanation, to me right now it looks clear but yet i dont know what to do.
Thank you
Sorry to say, but my previous answer contains pretty much all possibilities.
Well, what cloudflare does is pretty much “put” their (massive) server between yours and show a captcha if the IP is suspicious. In the case of a hidden service, for this you’d have to trust a third party. So, not an option.
Sadly isn’t possible. The way a hidden service is accessed is very different from a normal website. If you look at this, you’ll see that the whole design of a hidden service makes it impossible to block anyone: How can we help? | Tor Project | Support You’d at best block your own rendezvous, which means, no one will be able to access your site, no matter if friend or foe.
Those are all local IPs. You’d essentially block yourself then. Sorry.
Like mentioned before you can’t block anyone from accessing your hidden service that way, because people don’t directly connect to you, they use rendezvous points which, if blocked, would lead to noone beeing able to access you.
Me neither.
The only thing you could do in theory, would be ask for a password via a prompt. Seen a few hidden service do that some time ago. They’d put the necessary password in the prompt to, so anyone could access the site, so it was simply another layer of verification.
