Categories: Advocacy, Blog, DDoS, Technology

Tor and DDoS attacks: myths and reality

– Non-DDoS attacks
Any attack vector that does not require a large volume of traffic can be
routed through Tor effectively. That covers most attacks, with the
notable exception of DDoS, where the limited capacity of the Tor network
itself is the bottleneck. If I were trying to properly hack Deflect,
rather than just DoS it, I would use Tor.

– C&C functions
We probably would not observe this ourselves, since bot-to-controller
traffic never touches the protected site, but it goes without saying
that Tor can be used for communicating with a botnet's C&C. That is
what I would do.

– Monitoring of site availability and other DDoS-related functions
Before and during an attack, the attacker will want to monitor the
availability of the target site. Tor could be useful here: I might well
use it to monitor the attacked site.

– Regular browsing by Tor users
Any attempt to monitor Tor traffic as an early warning of an imminent
attack must filter out normal Tor browsing as far as possible. Machine
learning or significance-style statistics (flagging hosts or terms whose
frequency departs sharply from their own baseline) would probably do
this best. Sniffles may also provide insight: an increase in Tor traffic
to ports other than 80/443 might be an adequate signal on its own,
without further computation.

– Actions for more detailed research:
o Install the licence for Elastic Graph, which arrived today, to
facilitate significance analysis
o Get sniffles online and see what we can see (following a subsequent,
i.e. monitored, attack)
o Apply significance or other analysis to Tor traffic patterns in and
out of proximity to an attack
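The kind of per-host torified-traffic baseline the notes above are reaching for, as an added example (not Deflect's or banjax's own code). It assumes a hypothetical edge access-log format of `<timestamp> <client_ip> <host>:<port> "<request>" <status>`, a constructed Tor exit list made of RFC 5737 documentation addresses, and a constructed log excerpt; the window size, spike factor and minimum hit count are illustrative parameters. It tags hits from exit addresses, buckets them per HTTP Host into fixed windows, flags windows that jump well above the host's own median, and separately lists torified hits to ports other than 80/443.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed Tor exit list (RFC 5737 documentation addresses, not real exits).
# In practice this would be refreshed from the Tor Project's bulk exit list.
TOR_EXITS = {"192.0.2.10", "192.0.2.11", "198.51.100.5"}

# Constructed access-log excerpt in the hypothetical format described above.
SAMPLE_LOG = """\
2016-07-10T00:01:12Z 192.0.2.10 blacklivesmatter.com:443 "GET / HTTP/1.1" 200
2016-07-10T00:01:40Z 198.51.100.5 www.btselem.org:443 "GET / HTTP/1.1" 200
2016-07-10T00:02:05Z 198.51.100.5 www.btselem.org:443 "GET /en/ HTTP/1.1" 200
2016-07-10T00:03:30Z 192.0.2.11 www.btselem.org:80 "GET / HTTP/1.1" 301
2016-07-10T00:03:55Z 203.0.113.7 blacklivesmatter.com:443 "GET / HTTP/1.1" 200
2016-07-10T00:05:10Z 192.0.2.10 blacklivesmatter.com:443 "GET /about/ HTTP/1.1" 200
2016-07-10T00:07:22Z 198.51.100.5 www.btselem.org:443 "GET / HTTP/1.1" 200
2016-07-10T00:08:00Z 203.0.113.8 www.btselem.org:443 "GET / HTTP/1.1" 200
2016-07-10T00:10:03Z 192.0.2.11 blacklivesmatter.com:443 "GET / HTTP/1.1" 200
2016-07-10T00:10:45Z 192.0.2.11 blacklivesmatter.com:8080 "GET / HTTP/1.1" 403
2016-07-10T00:10:50Z 192.0.2.11 blacklivesmatter.com:8443 "GET /admin HTTP/1.1" 404
2016-07-10T00:11:00Z 198.51.100.5 www.btselem.org:443 "GET / HTTP/1.1" 200
2016-07-10T00:11:30Z 198.51.100.5 www.btselem.org:443 "GET /en/ HTTP/1.1" 200
2016-07-10T00:12:10Z 192.0.2.10 www.btselem.org:443 "GET / HTTP/1.1" 200
2016-07-10T00:13:05Z 192.0.2.11 www.btselem.org:443 "GET / HTTP/1.1" 200
2016-07-10T00:13:40Z 203.0.113.9 blacklivesmatter.com:443 "GET / HTTP/1.1" 200
2016-07-10T00:15:01Z 192.0.2.10 blacklivesmatter.com:443 "GET / HTTP/1.1" 200
2016-07-10T00:15:02Z 192.0.2.10 blacklivesmatter.com:443 "GET / HTTP/1.1" 200
2016-07-10T00:15:03Z 192.0.2.11 blacklivesmatter.com:443 "GET / HTTP/1.1" 200
2016-07-10T00:15:04Z 192.0.2.11 blacklivesmatter.com:443 "GET /wp-login.php HTTP/1.1" 200
2016-07-10T00:15:05Z 198.51.100.5 blacklivesmatter.com:443 "GET / HTTP/1.1" 200
2016-07-10T00:15:06Z 198.51.100.5 blacklivesmatter.com:443 "GET /xmlrpc.php HTTP/1.1" 200
2016-07-10T00:16:30Z 192.0.2.10 www.btselem.org:443 "GET / HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) ([^:\s]+):(\d+) "([^"]*)" (\d{3})$')


def parse_log_line(line):
    """Parse one hypothetical-format line; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, host, port, request, status = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "ip": ip, "host": host, "port": int(port),
            "request": request, "status": int(status), "tor": ip in TOR_EXITS}


def parse_log(text):
    return [r for r in (parse_log_line(l) for l in text.splitlines()) if r]


def window_of(ts, window_s):
    """Start (epoch seconds) of the fixed window containing ts."""
    epoch = int(ts.timestamp())
    return epoch - epoch % window_s


def torified_series(records, window_s=300, per_host=True):
    """{host: [torified hits per window]} (or a single 'ALL' key), zero-filled,
    windows ordered from the first to the last torified hit."""
    tor = [r for r in records if r["tor"]]
    if not tor:
        return {}
    start = window_of(min(r["ts"] for r in tor), window_s)
    end = window_of(max(r["ts"] for r in tor), window_s)
    n = (end - start) // window_s + 1
    counts = defaultdict(lambda: [0] * n)
    for r in tor:
        key = r["host"] if per_host else "ALL"
        counts[key][(window_of(r["ts"], window_s) - start) // window_s] += 1
    return dict(counts)


def spike_windows(series, factor=3.0, min_hits=5):
    """Indices of windows whose count is at least `factor` times the median of
    all earlier windows (and at least `min_hits`, so a 1-to-3 jump is ignored)."""
    flagged = []
    for i in range(1, len(series)):
        baseline = statistics.median(series[:i])
        if series[i] >= max(min_hits, factor * baseline):
            flagged.append(i)
    return flagged


def non_web_port_hits(records):
    """Torified hits to anything other than 80/443: probing, not browsing."""
    return [(r["ip"], r["host"], r["port"])
            for r in records if r["tor"] and r["port"] not in (80, 443)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, series in torified_series(recs).items():
        print(host, series, "spikes at windows", spike_windows(series))
    print("aggregate", torified_series(recs, per_host=False)["ALL"])
    print("non-web ports", non_web_port_hits(recs))
```

On the constructed excerpt the per-host series for blacklivesmatter.com is 1, 1, 3, 6 and the last window is flagged, while the aggregate series across both hosts (4, 2, 7, 7) flags nothing, because the ordinary Tor browsing of the other site swamps the jump. The median-of-history baseline is deliberately robust: one earlier burst does not become the new normal the way a mean would make it.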

CASE STUDY: BLM

The first image shows banjax bans for blacklivesmatter.com on top, and
torified traffic (hits arriving from Tor exit nodes) to
blacklivesmatter.com on the bottom, both over the last 8 weeks.

The second image shows the same two series, banjax bans on top and
torified traffic on the bottom, zoomed in to a period of approximately
1 week before and 1 week after the large spike in bans.

Some observations:
– There appears to be a sharp uptick in Tor traffic adjacent to the
incident.
– Torified traffic continues long after the attack appears to have
ended: perhaps we are looking at a coincidence, perhaps another attack
is being planned or prepared, or perhaps both.
– The number of banned IPs is two orders of magnitude larger than the
number of torified hits. (Note that unique IPs is a more or less useless
metric for torified traffic, since every Tor user behind the same exit
appears as one IP; note also that the total hits *from* the banned IPs
will be quite a bit larger than the number of banned IPs.)
– The number of banned IPs is, in fact, far larger than the number of
Tor exit nodes, so the bulk of the attack traffic cannot have come
through Tor.

Caveats:
– blacklivesmatter.com has not been on Deflect for long, so there is
little baseline to compare against
– Only one site is analysed here, and only superficially
– We are looking only at traffic to ports 80/443, the ports our
upstream providers do not filter

QUICK CASE 2: www.btselem.org

A small uptick in bans coincides with a large spike in torified
traffic. Then a large uptick in bans occurs with no corresponding
increase in torified traffic. That attack appears to either subside or
be successfully blocked, and then another, smaller attack occurs, this
time with a simultaneous uptick in torified traffic. It is hard to draw
conclusions, but this is not inconsistent with the theory that a
correlation may exist. A clear lesson from this example, IF a
correlation is proven or assumed, is that the time between a spike in
torified probing and the actual DDoS will vary, so a detector has to
look for the Tor spike at a range of lead times rather than at a fixed
offset.
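One way to test the "variable lead time" lesson from the two case studies numerically, as an added example that is not part of the original post. It assumes two constructed daily series per incident (torified hits and banjax-banned IPs for one site; the numbers are invented, not Deflect data) and computes the Pearson correlation between torified hits and bans at each candidate lead of 0 to 7 days, so that the lead at which the two line up best is found per incident instead of being assumed.

```python
import math

# Constructed daily series for one site (not real Deflect data): torified hits
# and banjax-banned IPs, one value per day. Probing on days 3-4, attack on days 6-7.
TOR_A  = [2, 3, 2, 20, 18, 2, 2, 3, 2, 2, 3, 2, 2, 3]
BANS_A = [10, 12, 11, 12, 10, 11, 400, 380, 12, 10, 11, 12, 10, 11]
# A second constructed incident where the probing preceded the attack by one day.
TOR_B  = [2, 2, 3, 2, 25, 2, 3, 2, 2, 3, 2, 2]
BANS_B = [10, 11, 10, 12, 11, 500, 11, 10, 12, 11, 10, 12]


def pearson(xs, ys):
    """Pearson correlation of two equal-length series; 0.0 if either is flat."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / math.sqrt(sxx * syy)


def lagged_correlation(tor, bans, max_lag=7, min_overlap=5):
    """{k: r} where torified[i] is paired with bans[i + k]; a positive k means
    Tor activity leads the bans by k buckets. Lags with too few overlapping
    points are skipped rather than reported on a handful of samples."""
    n = min(len(tor), len(bans))
    out = {}
    for k in range(max_lag + 1):
        if n - k < min_overlap:
            break
        out[k] = pearson(tor[:n - k], bans[k:n])
    return out


def best_lead_lag(tor, bans, max_lag=7, min_overlap=5):
    """The lead (in buckets) at which torified hits best predict bans, and r."""
    corr = lagged_correlation(tor, bans, max_lag, min_overlap)
    lag = max(corr, key=corr.get)
    return lag, corr[lag]


if __name__ == "__main__":
    for name, tor, bans in (("A", TOR_A, BANS_A), ("B", TOR_B, BANS_B)):
        lag, r = best_lead_lag(tor, bans)
        print(f"incident {name}: Tor spike leads bans by {lag} day(s), r={r:.3f}")
```

For the two constructed incidents the best lead comes out as 3 days and 1 day respectively, with r close to 1 in both cases and essentially no correlation at lag 0; that is exactly the situation the btselem case describes, where a fixed-offset rule would miss one incident or the other. With real data the candidate lags should be chosen from the bucket size actually used (hours rather than days for a one-week window), and a correlation computed over only a few buckets should be treated as suggestive, not proven.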

USELESS AGGREGATE GRAPHS:

Without separating the data by HTTP Host (or any other dimension), it
is mushed into useless noise: a spike against one site is swamped by
the ordinary Tor browsing of every other site on the network.

Categories: DDoS, Technology

Q1 2014 Traffic Report: DoStoyevsky’s Crimean Punishment

In the last 12 months we have seen steady growth in many aspects of the Deflect project, particularly with respect to membership, traffic, localisation and network capacity. The most significant contributing factors have been the uptake of more partners, the efficacy of our new banning software and the continued rise in DDoS attacks as a form of censorship.

Over this period we have more than doubled the number of our partners, so Deflected sites now operate in 17 languages and focus on affairs in 55 countries across the world. In addition, we have taken on more sites that report news or advocate for issues from a transnational perspective, resulting in a more even distribution of traffic from around the world.

A comparison between the first quarters of 2013 and 2014 shows this clearly.

[Images: traffic statistics for Q1 2013 and Q1 2014]

We see that unique visitors have nearly tripled, the number of visits has more than doubled, page requests have all multiplied, hits are between four and five times as many and we are dealing with at least twice the amount of bandwidth as this time last year. The figures continue to grow as we move into March and April because of the current Ukraine situation. In the wake of the Euromaidan protests, the fall of the Yanukovich government and the annexation of the Crimea, we brought onto the network a number of key independent news sites operating in the region that have brought with them a large amount of traffic and a comparable amount of DDoS attacks.

The figures above are only for the legitimate traffic served. With respect to malicious requests, we saw an average of around 8MBps across the network for the month, and when we first took on the Ukrainian sites in March we saw spikes of 200 bots per edge.