We are thrilled to announce that the Proof of Work (PoW) protection for Onion Services is now available for general adoption with the tor 0.4.8.4 stable release.
If you’re an Onion Service operator, your feedback will help us identify issues with this new protection and ensure its reliability.
Proof of Work (PoW) is a cryptographic mechanism where a computing system can prove to another that it has performed some computational effort.
The Proof of Work (PoW) defense for Onion Services is a way to protect against Denial of Service (DoS) attacks by prioritizing, when under stress, clients that have proved to the service that they performed a number of resource-intensive operations.
It’s a way to prioritize verified effort (but not a way to verify users), which means attackers would have trouble launching many requests to an Onion Service, while users will possibly still have the resources to make their legitimate requests.
In other words, Onion Services may be configured to offer a Client Puzzle if they’re under heavy load, and to prioritize incoming client connections containing solutions to the puzzle.
For an overview of this new protection, check its blog post.
If you operate an Onion Service and believe that it may be subject to high traffic or even a DoS attack, you may help Tor by giving feedback about the PoW protection.
To set up the PoW protection, please follow the steps outlined at the Onion Services DoS Guidelines page. This involves:
Using a GPL-covered C Tor binary version 0.4.8.4 onwards (your software distribution may already provide it or you might need to compile it yourself).
Enable the protection for each of your Onion Services with
HiddenServicePoWQueueBurst for each Onion Service as needed.
During DoS attacks, you might also want to increase verbosity on your logs for a short while to help understand what’s going on. To do that, use a Log configuration like this:
Log info file /var/log/tor/info.log
For general questions about PoW, you can leave a comment in this post, or start a new thread.
If you believe that you have found a non-security issue, submit your feedback at the Tor GitLab repository for technical reports. Include a clear description of the problem, your Tor logs, steps to reproduce it, and any relevant details.
On the other hand, if you think you found a security issue, follow the procedure at the Security Policy page in order to report it privately.
Be careful with the data you share in your bug reports (MetricsPort data or log files). When in doubt, don’t share it at first and ask for help on how to clean them.
By testing PoW and reporting any issues, bugs, or suggestions, you will contribute significantly to refining its performance and optimizing its capabilities. Your participation will not only benefit the Tor community but also help advance the Internet freedom community.
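The prioritization described above (under load, clients that prove more effort are served first), as an added sketch that is not Tor Project code. It assumes a SHA-256 hashcash-style puzzle as a stand-in for the puzzle function tor itself uses, and all names here (`IntroQueue`, `solve`, `verify`, the client ids) are hypothetical.

```python
import hashlib
import heapq
import itertools

MAX32 = 0xFFFFFFFF

def _score(seed, client_id, nonce):
    digest = hashlib.sha256(seed + client_id + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def verify(seed, client_id, nonce, effort):
    """Valid if score * effort fits in 32 bits: each unit of claimed effort
    costs the solver about one more hash attempt on average."""
    return effort >= 1 and _score(seed, client_id, nonce) * effort <= MAX32

def solve(seed, client_id, effort):
    """Client side: brute-force a nonce that meets the chosen effort."""
    for nonce in itertools.count():
        if verify(seed, client_id, nonce, effort):
            return nonce

class IntroQueue:
    """Service side: under load, serve verified requests highest effort first."""
    def __init__(self, seed):
        self.seed, self._heap, self._arrival = seed, [], itertools.count()

    def submit(self, client_id, nonce=0, effort=0):
        # Design choice of this example: a bad solution is dropped, while a
        # request with no solution still queues at the lowest priority.
        if effort and not verify(self.seed, client_id, nonce, effort):
            return False
        heapq.heappush(self._heap, (-effort, next(self._arrival), client_id))
        return True

    def drain(self, capacity):
        """Pop up to `capacity` client ids in the order they would be served."""
        n = min(capacity, len(self._heap))
        return [heapq.heappop(self._heap)[2] for _ in range(n)]

def demo():
    seed = bytes(16)  # constructed sample seed, not a real service value
    queue = IntroQueue(seed)
    for i in range(5):  # flood of requests that carry no effort
        queue.submit(b"flood-%d" % i)
    forged = queue.submit(b"forger", nonce=0, effort=2**32)  # claim without work
    queue.submit(b"bob", solve(seed, b"bob", 50), 50)
    queue.submit(b"alice", solve(seed, b"alice", 200), 200)
    return forged, queue.drain(4)

if __name__ == "__main__":
    print(demo())
```

The two clients that paid for effort arrive last but are served first, and the flood only fills whatever capacity is left over.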