I operate a Tor hidden service. Here are the version and dependencies I use (output of the tor --version command):
Tor version 0.4.8.21.
This build of Tor is covered by the GNU General Public License (https://www.gnu.org/licenses/gpl-3.0.en.html)
Tor is running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.17, Zlib 1.2.13, Liblzma 5.4.1, Libzstd 1.5.4 and Glibc 2.36 as libc.
Tor compiled with GCC version 12.2.0
Sometimes the hidden service would go offline for no reason, and thousands of these lines would show up:
Dec 13 15:28:05.000 [warn] Detected possible compression bomb with input size = 20000 and output size = 700000 (compression factor = 30)
Dec 13 15:28:05.000 [warn] Possible compression bomb; abandoning stream
Restarting / reloading the tor service doesn't fix the issue. I would generally wait a while, like 4 or 5 hours, and restart the service, and it would (most of the time) work again.
Now here is where it gets interesting. This is the full log when restarting the tor service while experiencing this bug, which makes the tor service unreachable:
(NOTE: I rounded the input size, the output size and the factor value for privacy reasons. The numbers were more random, but the scale is still the same.)
[redacted] 15:27:58.000 [warn] Detected possible compression bomb with input size = 50000 and output size = 1000000 (compression factor = 30)
[redacted] 15:27:58.000 [warn] Possible compression bomb; abandoning stream.
[redacted] 15:27:59.000 [warn] Detected possible compression bomb with input size = 20000 and output size = 700000 (compression factor = 30)
[redacted] 15:27:59.000 [warn] Possible compression bomb; abandoning stream.
[redacted] 15:27:59.000 [warn] Detected possible compression bomb with input size = 20000 and output size = 700000 (compression factor = 30)
[redacted] 15:27:59.000 [warn] Possible compression bomb; abandoning stream.
[redacted] 15:28:03.000 [notice] Interrupt: exiting cleanly.
[redacted] 15:28:03.000 [notice] Tor 0.4.8.21 opening log file.
[redacted] 15:28:03.309 [notice] We compiled with OpenSSL 30000110: OpenSSL 3.0.17 1 Jul 2025 and we are running with OpenSSL 30000110: 3.0.17. These two versions should be binary compatible.
[redacted] 15:28:03.310 [notice] Tor 0.4.8.21 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.17, Zlib 1.2.13, Liblzma 5.4.1, Libzstd 1.5.4 and Glibc 2.36 as libc.
[redacted] 15:28:03.311 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
[redacted] 15:28:03.311 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
[redacted] 15:28:03.311 [notice] Read configuration file "/etc/tor/torrc".
[redacted] 15:28:03.311 [notice] Opening Socks listener on 127.0.0.1:9050
[redacted] 15:28:03.312 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9050
[redacted] 15:28:03.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
[redacted] 15:28:03.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
[redacted] 15:28:03.000 [notice] Set list of supported TLS groups to: P-256:X25519:P-224
[redacted] 15:28:03.000 [notice] Bootstrapped 0% (starting): Starting
[redacted] 15:28:03.000 [notice] Starting with guard context "default"
[redacted] 15:28:03.000 [notice] Our directory information is no longer up-to-date enough to build circuits: We're missing descriptors for 1/3 of our primary entry guards (total microdescriptors: 9125/9487). That's ok. We will try to fetch missing descriptors soon.
[redacted] 15:28:03.000 [notice] Signaled readiness to systemd
[redacted] 15:28:03.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
[redacted] 15:28:03.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
[redacted] 15:28:04.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay
[redacted] 15:28:04.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done
[redacted] 15:28:04.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
[redacted] 15:28:04.000 [notice] Opening Socks listener on /run/tor/socks
[redacted] 15:28:04.000 [notice] Opened Socks listener connection (ready) on /run/tor/socks
[redacted] 15:28:04.000 [notice] Opening Control listener on /run/tor/control
[redacted] 15:28:04.000 [notice] Opened Control listener connection (ready) on /run/tor/control
[redacted] 15:28:05.000 [warn] Detected possible compression bomb with input size = 50000 and output size = 1000000 (compression factor = 30)
[redacted] 15:28:05.000 [warn] Possible compression bomb; abandoning stream.
[redacted] 15:28:05.000 [warn] Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with [redacted*]:8080).
[redacted] 15:28:05.000 [warn] Detected possible compression bomb with input size = 20000 and output size = 700000 (compression factor = 30)
[redacted] 15:28:05.000 [warn] Possible compression bomb; abandoning stream.
[redacted] 15:28:05.000 [warn] Detected possible compression bomb with input size = 20000 and output size = 700000 (compression factor = 30)
[redacted] 15:28:05.000 [warn] Possible compression bomb; abandoning stream.
[redacted*] is an IP address from a specific country, let's call it "A".
Sometimes when restarting the service I would see another IP which is in the same IP range of country A. The IP address is a Tor exit node.
After blacklisting it, it still shows up. Note that the last 2 lines just more or less repeat tens of thousands of times.
Is this some kind of DDoS / de-anonymisation exploit? Once again, it prevents tor from connecting, and the hidden service is offline (no timeout, 100% offline). I cannot do anything. Waiting for hours seems like the only fix.
The torrc file has nothing special:
Log notice file /var/log/tor/log
RunAsDaemon 1
DataDirectory /var/lib/tor
HiddenServiceDir /var/lib/[redacted]
HiddenServicePort 80 unix:/var/run/[redacted].sock
HiddenServicePoWDefensesEnabled 1
If this isn’t some NSA complex timing attack exploit, I have no idea what it is.
If anyone has at the very least a little idea of what could be happening, I'd be glad.
Thank you in advance.
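One way to triage a log like the one quoted in the post, added here as an example and not part of the original post: it counts the compression-bomb warnings, recomputes the ratio from the logged sizes, finds the busiest second, and lists the directory peers named in the "Unable to decompress" lines. The function name `triage`, the sample lines and the peer `192.0.2.10:8080` are constructed for illustration.

```python
import re
from collections import Counter

# Message formats copied from the warnings quoted in the post.
BOMB = re.compile(r"\[warn\] Detected possible compression bomb with "
                  r"input size = (\d+) and output size = (\d+)")
FAIL = re.compile(r"\[warn\] Unable to decompress HTTP body \(tried (.+?), on "
                  r"Directory connection \(([^)]*)\) with (\S+)\)")
STAMP = re.compile(r"(\d{2}:\d{2}:\d{2})\.\d{3} \[")

def triage(lines):
    """Summarise compression-bomb warnings: sizes, burst rate and peers."""
    sizes, per_second, peers = Counter(), Counter(), Counter()
    for line in lines:
        bomb = BOMB.search(line)
        if bomb:
            sizes[(int(bomb.group(1)), int(bomb.group(2)))] += 1
            stamp = STAMP.search(line)
            if stamp:
                per_second[stamp.group(1)] += 1
            continue
        fail = FAIL.search(line)
        if fail:
            # Key: (peer address, compression method, connection state)
            peers[(fail.group(3), fail.group(1), fail.group(2))] += 1
    return {
        "warnings": sum(sizes.values()),
        # Ratio recomputed from the sizes rather than read from the message.
        "ratios": {pair: round(pair[1] / pair[0], 1) for pair in sizes},
        "peak_per_second": max(per_second.values(), default=0),
        "peers": dict(peers),
    }

# Constructed sample; 192.0.2.10 is a documentation address, not the redacted peer.
SAMPLE = """\
Dec 13 15:28:05.000 [warn] Detected possible compression bomb with input size = 50000 and output size = 1000000 (compression factor = 30)
Dec 13 15:28:05.000 [warn] Possible compression bomb; abandoning stream.
Dec 13 15:28:05.000 [warn] Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 192.0.2.10:8080).
Dec 13 15:28:05.000 [warn] Detected possible compression bomb with input size = 20000 and output size = 700000 (compression factor = 30)
Dec 13 15:28:05.000 [warn] Possible compression bomb; abandoning stream.
Dec 13 15:28:06.000 [warn] Detected possible compression bomb with input size = 20000 and output size = 700000 (compression factor = 30)
Dec 13 15:28:06.000 [warn] Possible compression bomb; abandoning stream.
""".splitlines()

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Run against the real log (for example `triage(open("/var/log/tor/log"))`), the peer list shows whether the failures cluster on a few directory connections or are spread across many.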