On tor-talk there is speculative discussion of the methods of deanonymization used in the recent law-enforcement takedown of some hidden sites.
One theory is that it was done, by a global surveillance network, by watching a relatively small number of suspect machines, and then launching a denial-of-service attack on a particular hidden service. When the hidden service becomes unavailable as a result of the attack, the attacker sees if any machine that he is watching becomes unavailable at the same time.
My main question is: Is there any way to prevent a hidden service becoming unavailable to a particular visitor at the same time as the service’s main Tor connection goes down? In other words, can the service have some form of redundancy of resources that makes the attack invisible to most of its visitors?
Some ideas, some a bit wild:
- One Whonix workstation with multiple gateways, with the gateways at different geographical locations, load-sharing the visitor connections to the service (workstation).
- Because each visitor to a hidden service is on his own Tor circuit, is there a way to segregate each connection in its own “container” so that if one misbehaves, such as by launching a DoS attack, then the others won’t notice?