Hi everyone, I’m a strong advocate of Tor and am happily helping Tor to do some stress or security testing.
Tor’s official agency claims to have introduced Proof-of-Work Defense for onion services in version 0.4.8.x. It is a dynamic and reactive mechanism, remaining dormant under normal use conditions to ensure a seamless user experience, but when an onion service is under stress, the mechanism will prompt incoming client connections to perform a number of successively more complex operations. However, I have some questions about its effectiveness.
-
Does the proof-of-work mechanism still work for lower versions of tor clients? Because attackers often tend to use lower versions of Tor client to reduce the complexity of their attacks.
-
When I use a tor client to stress test the onion service using multithreading + Stem, very few circuits are actually used to transfer data. In fact I created a large number of multithreads and I expected that there would be so many Client-HS circuits that every circuit should be used for data transfer. However the result of the test was that very few circuits were actually used for data transfer. This is clearly not what I expected.