Possible Large-Scale DDoS Attacks on Tor Exit Nodes
Posted by: Chris McCandless
November 14, 2015
Recently there have been several reports of DDoS attacks directed at Tor exit nodes. While a few of these reports are consistent with one another, it is difficult to assess a threat from community chatter alone. One user posted a PGP-signed message on November 9th containing the following warning:
“Hi, I am the operator of several exit nodes and would like to stay anonymous due to the nature of the given attacks. Since Thursday (05.11.2015 1800 UTC) I have seen large DDoS attacks on each of my exit nodes from a common /16 source. The attacks originate from the UK.”
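What an operator would actually look at to back a statement like “from a common /16 source” is the distribution of source addresses in the exit's own connection logs. The following is an added example, not code from this post or from the quoted operator: it pulls the SRC= address out of netfilter LOG lines, collapses each address to its /16, and reports the busiest prefix and its share of all logged hits. The log lines are constructed samples using RFC 5737 documentation ranges, the exit's address (198.18.0.1) is a placeholder, and the 50% share threshold is an arbitrary assumption for illustration.

```python
"""Aggregate connection sources by /16 from firewall log lines.

Added example, not from the original post or the quoted operator. The lines in
SAMPLE_LOG are constructed in the Linux netfilter LOG layout (a "SRC=" field per
packet) using RFC 5737 documentation addresses; one Tor log line without a SRC=
field is mixed in to show that non-firewall lines are skipped. None of it is real
attack data.
"""
import ipaddress
import re
from collections import Counter

SAMPLE_LOG = """\
Nov  5 18:00:01 exit1 kernel: [7381.2] ORPORT IN=eth0 OUT= SRC=203.0.113.7 DST=198.18.0.1 LEN=60 PROTO=TCP SPT=40101 DPT=9001 SYN
Nov  5 18:00:01 exit1 kernel: [7381.3] ORPORT IN=eth0 OUT= SRC=203.0.113.42 DST=198.18.0.1 LEN=60 PROTO=TCP SPT=40102 DPT=9001 SYN
Nov  5 18:00:02 exit1 kernel: [7381.4] ORPORT IN=eth0 OUT= SRC=203.0.77.9 DST=198.18.0.1 LEN=60 PROTO=TCP SPT=40103 DPT=9001 SYN
Nov  5 18:00:02 exit1 kernel: [7381.5] ORPORT IN=eth0 OUT= SRC=198.51.100.3 DST=198.18.0.1 LEN=60 PROTO=TCP SPT=52210 DPT=9001 SYN
Nov  5 18:00:02 exit1 Tor[1204]: [notice] Heartbeat: Tor's uptime is 3 days 0:00 hours, with 4210 circuits open.
Nov  5 18:00:03 exit1 kernel: [7381.6] ORPORT IN=eth0 OUT= SRC=203.0.113.200 DST=198.18.0.1 LEN=60 PROTO=TCP SPT=40104 DPT=9001 SYN
Nov  5 18:00:03 exit1 kernel: [7381.7] ORPORT IN=eth0 OUT= SRC=192.0.2.14 DST=198.18.0.1 LEN=60 PROTO=TCP SPT=61000 DPT=9001 SYN
Nov  5 18:00:04 exit1 kernel: [7381.8] ORPORT IN=eth0 OUT= SRC=203.0.5.66 DST=198.18.0.1 LEN=60 PROTO=TCP SPT=40105 DPT=9001 SYN
Nov  5 18:00:04 exit1 kernel: [7381.9] ORPORT IN=eth0 OUT= SRC=198.51.100.90 DST=198.18.0.1 LEN=60 PROTO=TCP SPT=52211 DPT=9001 SYN
Nov  5 18:00:05 exit1 kernel: [7382.0] ORPORT IN=eth0 OUT= SRC=203.0.113.8 DST=198.18.0.1 LEN=60 PROTO=TCP SPT=40106 DPT=9001 SYN
"""

# Dotted-quad IPv4 source field as written by the netfilter LOG target.
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def source_addresses(log_text):
    """Extract the SRC= address from every LOG line; lines without one are skipped."""
    matches = (SRC_RE.search(line) for line in log_text.splitlines())
    return [m.group(1) for m in matches if m]


def count_by_prefix(addresses, prefix_len=16):
    """Collapse each address to its /prefix_len network and count hits per network."""
    counts = Counter()
    for addr in addresses:
        # strict=False lets ip_network zero the host bits for us (203.0.113.7/16 -> 203.0.0.0/16).
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts


def dominant_prefix(addresses, prefix_len=16):
    """Return (network, hits, share) for the busiest prefix, or None if there are no addresses."""
    counts = count_by_prefix(addresses, prefix_len)
    if not counts:
        return None
    net, hits = counts.most_common(1)[0]
    return net, hits, hits / len(addresses)


def looks_like_single_prefix_source(addresses, prefix_len=16, threshold=0.5):
    """True when one /prefix_len accounts for more than `threshold` of all hits (threshold is an assumption)."""
    result = dominant_prefix(addresses, prefix_len)
    return result is not None and result[2] > threshold


if __name__ == "__main__":
    sources = source_addresses(SAMPLE_LOG)
    for plen in (16, 24):
        net, hits, share = dominant_prefix(sources, plen)
        print(f"/{plen}: busiest prefix {net} with {hits}/{len(sources)} hits ({share:.0%})")
    print("single /16 dominates:", looks_like_single_prefix_source(sources))
```

Note the difference between the two grouping widths on the same sample: at /16 the 203.0.0.0/16 prefix accounts for two thirds of the hits, while at /24 no single network passes the threshold, which is why the width an operator chooses when summarising changes the story the numbers tell.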
Alongside this claim, users of the /r/darknetmarkets subreddit pointed out several other coincidences. Several site operators, among them Quantik and ScamLogs, have also announced that they are under DDoS attack.
Quantik specifically described these attacks as “massive” and linked his finding directly to the Tor Project’s metrics website. At the time of his post, the graph appeared to show that “1/3 of Tor relays simultaneously crashed”. It is important to clarify that this is only how the graph looked at the time of posting: since then, the graph covering the November 4th “crash” shows only a slight decline, nothing like the drop that was visible then.
One user speculated that this was simply a glitch in the Tor metrics website:
“It’s a glitch on the charts. This can be verified by comparing the relay-descriptor consensus from 11/4 and 11/7. There were roughly 6625 relays running on 11/4 and around 6600 on 11/7.”
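The check the quoted user describes can be done mechanically rather than by eyeballing a graph. The following is an added example, not code from this post or from the Tor Project: it parses two network-status consensus documents in the dir-spec layout (one `r` line per relay followed by an `s` line with its flags), counts the entries, and reports the fractional change in Running relays between the two snapshots, which is what the metrics graph plots. The two consensus texts are constructed sample data with made-up nicknames, digests and documentation-range addresses, kept to a handful of relays so the arithmetic is visible; the 6625 and 6600 figures from the quote are not reproduced.

```python
"""Compare relay counts in two Tor consensus snapshots.

Added example, not from the original post or the Tor Project. Each relay entry in
a consensus starts with an "r" line and is followed by an "s" line carrying its
flags; the snapshots below are constructed sample data (fake nicknames and digests,
RFC 5737 documentation addresses), not real consensus documents.
"""

# Constructed stand-in for a 2015-11-04 consensus: six relays, three of them Exits.
CONSENSUS_NOV4 = """\
network-status-version 3
vote-status consensus
valid-after 2015-11-04 12:00:00
known-flags Exit Fast Guard Running Stable V2Dir Valid
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA aaaaaaaaaaaaaaaaaaaaaaaaaaa 2015-11-04 10:07:04 198.51.100.11 9001 9030
s Exit Fast Guard Running Stable V2Dir Valid
w Bandwidth=3100
p accept 80,443
r bravo BBBBBBBBBBBBBBBBBBBBBBBBBBB bbbbbbbbbbbbbbbbbbbbbbbbbbb 2015-11-04 08:41:52 198.51.100.12 443 0
s Fast Guard Running Stable Valid
r charlie CCCCCCCCCCCCCCCCCCCCCCCCCCC ccccccccccccccccccccccccccc 2015-11-04 09:15:30 203.0.113.13 9001 0
s Exit Fast Running Stable Valid
r delta DDDDDDDDDDDDDDDDDDDDDDDDDDD ddddddddddddddddddddddddddd 2015-11-04 11:02:07 203.0.113.14 9001 9030
s Fast Running V2Dir Valid
r echo EEEEEEEEEEEEEEEEEEEEEEEEEEE eeeeeeeeeeeeeeeeeeeeeeeeeee 2015-11-04 07:58:19 192.0.2.15 9001 0
s Exit Fast Running Valid
r foxtrot FFFFFFFFFFFFFFFFFFFFFFFFFFF fffffffffffffffffffffffffff 2015-11-04 10:30:44 192.0.2.16 9001 9030
s Fast Guard Running Stable V2Dir Valid
directory-footer
"""

# Constructed stand-in for a 2015-11-07 consensus: "echo" (an Exit) has dropped out.
CONSENSUS_NOV7 = """\
network-status-version 3
vote-status consensus
valid-after 2015-11-07 12:00:00
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA aaaaaaaaaaaaaaaaaaaaaaaaaaa 2015-11-07 10:07:04 198.51.100.11 9001 9030
s Exit Fast Guard Running Stable V2Dir Valid
r bravo BBBBBBBBBBBBBBBBBBBBBBBBBBB bbbbbbbbbbbbbbbbbbbbbbbbbbb 2015-11-07 08:41:52 198.51.100.12 443 0
s Fast Guard Running Stable Valid
r charlie CCCCCCCCCCCCCCCCCCCCCCCCCCC ccccccccccccccccccccccccccc 2015-11-07 09:15:30 203.0.113.13 9001 0
s Exit Fast Running Stable Valid
r delta DDDDDDDDDDDDDDDDDDDDDDDDDDD ddddddddddddddddddddddddddd 2015-11-07 11:02:07 203.0.113.14 9001 9030
s Fast Running V2Dir Valid
r foxtrot FFFFFFFFFFFFFFFFFFFFFFFFFFF fffffffffffffffffffffffffff 2015-11-07 10:30:44 192.0.2.16 9001 9030
s Fast Guard Running Stable V2Dir Valid
directory-footer
"""


def parse_consensus(text):
    """Return [(nickname, flags), ...] in consensus order.

    An "r" line opens a relay entry (9 fields; 8 in the microdescriptor flavour,
    which omits the digest); the next "s" line supplies its flags. Other per-relay
    lines (v, w, p, a) and the header/footer are skipped.
    """
    relays = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 8 and parts[0] == "r":
            relays.append([parts[1], frozenset()])
        elif parts and parts[0] == "s" and relays:
            relays[-1][1] = frozenset(parts[1:])
    return [tuple(r) for r in relays]


def relay_counts(text):
    """The figures a metrics graph would plot: entries, Running relays, Exit relays."""
    relays = parse_consensus(text)
    return {
        "total": len(relays),
        "running": sum("Running" in f for _, f in relays),
        "exit": sum("Exit" in f for _, f in relays),
    }


def running_change(before, after):
    """Fractional change in Running relays from `before` to `after` (negative = drop)."""
    b = relay_counts(before)["running"]
    if b == 0:
        raise ValueError("baseline consensus lists no Running relays")
    return (relay_counts(after)["running"] - b) / b


def supports_drop_claim(before, after, fraction):
    """True only if the two consensuses show a drop of at least `fraction` of Running relays."""
    return running_change(before, after) <= -fraction


if __name__ == "__main__":
    for label, text in (("11/4", CONSENSUS_NOV4), ("11/7", CONSENSUS_NOV7)):
        print(label, relay_counts(text))
    print("change in Running relays: %+.1f%%" % (100 * running_change(CONSENSUS_NOV4, CONSENSUS_NOV7)))
    print("one-third crash supported:", supports_drop_claim(CONSENSUS_NOV4, CONSENSUS_NOV7, 1 / 3))
```

Run against real consensus files (the archived documents the Tor Project publishes for each hour), the same functions give the actual relay counts for 11/4 and 11/7; on the constructed data the drop is one relay in six, which is nowhere near a third.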
While the “glitchy graph” theory explains a lot, one of the biggest recent “mysteries” is the disappearance of the Abraxas marketplace. This was most likely just an elaborate exit scam, with the site vanishing after the Bitcoin price rose, but it should not be disregarded entirely, because some of the surrounding evidence is unusual.
For days before Abraxas ceased to function, users reported very slow servers and difficulty logging into the marketplace. That is consistent with a targeted DDoS attack, and, more suspiciously, an image was posted on the /r/darknetmarkets subreddit by user /u/BoxersCompany. Its authenticity is obviously a major concern: for one thing, the operating system shown looks completely unsecured and vulnerable, as well as unprofessional. While this could simply be /u/BoxersCompany trolling the “community” for drama, it is still worth mentioning as a possible clue to something larger.
At this time last year, in early November, the DNM community witnessed Operation Onymous, an international law enforcement operation targeting many darknet markets and other hidden services on the Tor network. Over 400 sites were reported seized, including Silk Road 2, Cloud 9, and Hydra. It was a joint effort by the FBI, ICE/HSI, and European law enforcement acting through Europol and Eurojust.
It seems unlikely that law enforcement would simply stop pursuing large criminal platforms, and more unusual events keep springing up, such as Agora voluntarily shutting down only to be succeeded by Abraxas, which is now missing. Arrests are plausible and not a stretch to assume; however, exit scams are far more common than an event of that magnitude, so it is important to note that this is all purely speculation.
There is an array of puzzle pieces strewn across the dark net, and all we can do is try to put them together into a bigger picture and a wider perspective on the situation. Let’s just hope that law enforcement doesn’t come along and solve the puzzle for us, as anything is possible at this point.
Remember, stay safe and informed. Now more than ever, the community needs to come together and advocate safe practices while remaining vigilant.
Updated: 2015-11-14