Since the Tor network is under a heavy DDoS attack these days, I have a question: is the Tor network resistant to TCP SYN flood DoS attacks from outside of Tor?
As far as I know, every Tor relay (no matter whether it is an entry, intermediate or exit relay) listens for incoming connections on a specific TCP port number. This means that any machine outside the Tor network can easily send millions of raw SYN packets to Tor relays, which may cause a denial of service.
I looked up a support page:
But I only found information about the impossibility of launching DoS attacks over Tor using exit nodes. What if a machine located outside the Tor network sends millions of raw TCP SYN packets to Tor relays? Will that cause a DoS?
I also found a thread on the Tor Project forum:
where a Tor relay operator reported a TCP SYN flood DDoS attack against his relay. He was advised to create a whitelist consisting of other Tor relays only.
The exhaustive list of all Tor relays is located at:
which means that an attacker can use this list to initiate a TCP SYN flood attack against the Tor infrastructure.
So, how can we protect the Tor network from TCP SYN flood DDoS attacks? My ideas:
Ask Tor intermediate and exit relay operators to set up a whitelist that includes only the IP addresses of other Tor relays and bridges (for intermediate relays only). In this case, neither intermediate nor exit relays could be used as entry nodes (which may be good, because many users use bridges as entry nodes instead of regular Tor relays).
The recent Tor slowdown and a SYN flood should not be related.
Users reported slow connections, while during a SYN flood there would be no new connections at all.
"Distributed denial of service (DDoS) attacks typically rely on having a group of thousands of computers all sending floods of traffic to a victim. Since the goal is to overpower the bandwidth of the victim, they typically send UDP packets since those don’t require handshakes or coordination.
But because Tor only transports correctly formed TCP streams, not all IP packets, you cannot send UDP packets over Tor. (You can’t do specialized forms of this attack like SYN flooding either.) So ordinary DDoS attacks are not possible over Tor. Tor also doesn’t allow bandwidth amplification attacks against external sites: you need to send in a byte for every byte that the Tor network will send to your destination. So in general, attackers who control enough bandwidth to launch an effective DDoS attack can do it just fine without Tor."
Also, hardened relays have strict firewall rules to further prevent DDoS attacks. I also use hosts.deny to block known bad IPs, block UDP through my firewalls, and Fail2Ban to actively block new bad IPs attacking my server.
Why has the Tor relay operator reported a DoS attack against his relay, then? Read this:
Isn’t it a DoS attack?
My thread is about "Is the Tor network resistant to TCP SYN flood DoS attacks from outside of Tor?" I know that a Tor relay operator can block all incoming ICMP and UDP traffic. But how does that help against TCP SYN flood attacks?
An attacker can send millions of raw TCP SYN packets, which don't require handshakes either. Have you heard of TCP SYN flood attacks?
The question is: how does the Tor network fight against TCP SYN flood attacks?
Thank you for your answer. That’s exactly what I was looking for. But I still have a question:
Do most Tor relay operators apply firewall rules by default? I think it is worth building these rules into Tor Core;
What about SYN cache? This type of protection is better than SYN cookies and can be used on FreeBSD, but I don't know whether it is possible to enable SYN cache on the Linux kernel. SYN cookies cannot help against a TCP ACK flood.
You can read a scientific paper about SYN cache here:
I guess Tor relay operators should set up Tor relays on FreeBSD rather than GNU/Linux, because FreeBSD systems are more resistant to networking attacks than GNU/Linux systems.
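The two practical defences that come up in this thread are the "strict firewall rules" mentioned in the answer above and the question of SYN cookies on a Linux relay. The following script is an added example written for this page; it is not code from the thread, from the Tor Project, or from any relay operator. It emits the Linux sysctl settings that enable SYN cookies and a small nftables ruleset for the ORPort that rate-limits bare SYN packets and, optionally, allow-lists other relays' OR addresses. The relay list is a constructed sample in the shape of an Onionoo "details" document (`relays[].or_addresses` holding `ip:port` and `[ipv6]:port` strings); the ORPort number, rate and burst values are assumptions chosen for illustration. One caveat the allow-list idea in the question runs into: bridge addresses are deliberately not published, so a middle relay that only accepts the public relay list would reject circuits coming from bridges, which is why the allow-list is off by default here.

```python
"""Added example (not from the thread): SYN-flood hardening for a Tor relay host.

Builds (a) sysctl lines that turn on Linux SYN cookies and tune the half-open
queue, and (b) an nftables ruleset for the ORPort with a SYN rate limit and an
optional allow-list of other relays' OR addresses.  Assumptions: ORPort 9001,
rate/burst values below, and the Onionoo "details" JSON layout for the relay
list (relays[].or_addresses as "ip:port" or "[ipv6]:port").
"""
import ipaddress
import json

# Constructed sample in the shape of an Onionoo "details" document (not real relays).
SAMPLE_ONIONOO = json.dumps({
    "relays": [
        {"nickname": "relayA", "or_addresses": ["192.0.2.10:9001"]},
        {"nickname": "relayB", "or_addresses": ["198.51.100.7:443", "[2001:db8::7]:443"]},
        {"nickname": "relayA-second-port", "or_addresses": ["192.0.2.10:9002"]},
    ]
})

# Linux knobs relevant to SYN floods (values are illustrative, not tuned for a given host).
SYSCTL_SYN_HARDENING = {
    "net.ipv4.tcp_syncookies": 1,          # answer with SYN cookies once the backlog is full
    "net.ipv4.tcp_max_syn_backlog": 4096,  # larger half-open queue before cookies kick in
    "net.ipv4.tcp_synack_retries": 2,      # drop half-open entries sooner (fewer SYN-ACK retries)
}


def sysctl_lines():
    """Lines suitable for /etc/sysctl.d/ on a relay host."""
    return [f"{key} = {value}" for key, value in SYSCTL_SYN_HARDENING.items()]


def relay_addresses(onionoo_json):
    """Extract deduplicated, sorted IPv4 and IPv6 OR addresses from an Onionoo document."""
    v4, v6 = set(), set()
    for relay in json.loads(onionoo_json).get("relays", []):
        for entry in relay.get("or_addresses", []):
            host, _, _port = entry.rpartition(":")   # port is irrelevant for the allow-list
            addr = ipaddress.ip_address(host.strip("[]"))
            (v6 if addr.version == 6 else v4).add(str(addr))
    return (sorted(v4, key=ipaddress.ip_address),
            sorted(v6, key=ipaddress.ip_address))


def _nft_set(name, family, elements):
    lines = [f"  set {name} {{", f"    type {family}"]
    if elements:  # nft rejects an empty "elements = { }" clause, so only emit it when non-empty
        lines.append("    elements = { " + ", ".join(elements) + " }")
    lines.append("  }")
    return lines


def nft_ruleset(onionoo_json, orport=9001, allowlist=False,
                syn_rate="200/second", syn_burst=400):
    """Render an nftables ruleset protecting the ORPort.

    allowlist=False: anyone may connect (required for guard/entry relays, whose
    clients come from arbitrary addresses); SYNs are only rate-limited.
    allowlist=True : middle-relay mode from the question, accepting the ORPort
    only from listed relays (note this also locks out unlisted bridges).
    """
    v4, v6 = relay_addresses(onionoo_json)
    lines = ["table inet tor_relay {"]
    if allowlist:
        lines += _nft_set("relays_v4", "ipv4_addr", v4)
        lines += _nft_set("relays_v6", "ipv6_addr", v6)
    lines += [
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        # Match packets with only SYN set (a bare SYN flood), and drop those above the rate.
        "    tcp flags & (fin|syn|rst|psh|ack|urg) == syn ct state new "
        f"tcp dport {orport} limit rate over {syn_rate} burst {syn_burst} packets drop",
    ]
    if allowlist:
        lines += [f"    ip saddr @relays_v4 tcp dport {orport} accept",
                  f"    ip6 saddr @relays_v6 tcp dport {orport} accept"]
    else:
        lines += [f"    tcp dport {orport} accept"]
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print("# sysctl")
    print("\n".join(sysctl_lines()))
    print("# nftables (middle relay with allow-list)")
    print(nft_ruleset(SAMPLE_ONIONOO, allowlist=True))
```

The rate limit works independently of the allow-list, so it is the part a guard or exit operator can use without cutting off ordinary clients; SYN cookies then cover whatever bursts still reach the kernel, at the cost of losing TCP options (window scaling, SACK) on cookie-validated connections while the backlog is saturated.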