
Tor Project To Fix Bug Used For DDoS Attacks On Onion Sites For Years (zdnet.com)

An anonymous reader writes: "The Tor Project is preparing a fix for a bug that has been abused for the past years to launch DDoS attacks against dark web (.onion) websites," reports ZDNet. "Barring any unforeseen problems, the fix is scheduled for the upcoming Tor protocol 0.4.2 release." The bug has been known to Tor developers for years, and has been used to launch Slow Loris-like attacks on the web servers that run the Tor service supporting an .onion site. It works by opening many connections to the server and maxing out the CPU. Since Tor connections are CPU intensive because of the cryptography involved to support the privacy and anonymity of the network, even a few hundred connections are enough to bring down dark web portals. A tool to exploit the bug and to automate DDoS attacks has been around for four years, and has been used by hackers to extort dark web marketplaces all spring. At least two markets selling illegal products have shut down after refusing to pay attackers. To get the bug fixed, members of a dark web forum banded together and donated to the Tor Project to sponsor the bug's patch.
  • by Anonymous Coward

    IMHO, DARK WEB created by TOR is nothing but safe haven for all kinds of harmful content & criminal activity!!!
    IMHO, all legitimate uses cited by TOR advocates are nothing but worthless disguise!!!
    & even if all were real benefits, still, all harm caused by TOR would far surpass all those benefits!!!

    IMHO, TOR should/must be banned globally for common good of general public of whole world/humanity!!!

    • Re:BAN TOR!!! (Score:4, Insightful)

      by lucifer_666 ( 662754 ) on Saturday July 06, 2019 @09:12AM (#58881854)

      I feel you're being a little sarcastic, but I'd like to address your point as if you weren't.

      While you're probably not wrong, speculation as to the motives of crypto and privacy software developers is pointless. The reality is that TOR is just a tool, and as has been demonstrated countless times over the past fifty years, if a software tool becomes unusable, others will be developed to take its place.

      The reason we have drug trafficking on the web is the same reason we have drug trafficking off the web: there is a demand for an illegal product, there is a supply and there is money to be made. You could say drugs are trafficked by trucks, so we should ban trucks. Drug barons talk about their plans on mobile phones so we should ban mobile phones. In these cases, the workaround is more obvious - trucks can be replaced by cars or horses and carts, mobile phones can be replaced by landlines.

      Point is, banning the tool is a band aid, temporary solution at best. New workarounds will be found, new methods developed. Where there is a will, and a dollar to be made, there is a way.

      Software can be ephemeral. I can create code to encrypt something very easily, almost as easily as I can delete that code. You could ban encryption; but what is encryption? Is a zip file encryption? Is an executable file? They are both forms of codes, replacement of one character or idea with another. Just because your computer knows how to unpack a zip file or run an executable, doesn't mean it's any less encrypted. So what is it exactly you plan on banning? Is a simple XOR code that substitutes one letter for another enough? Or does it need to be secure, something that currently can't be broken? What if it could be broken mathematically, but we don't have enough computing resources to do so? What if it protects your password as it's sent over the Internet to your mail server? Or protects the information that appears in your online banking app from review by others?

      It seems pretty clear now that while TOR may hinder law enforcement to an extent, by no means are dark web sites infallible or permanently resistant. They can be and are brought down the same ways many cartels, mobs and criminal gangs were taken down in the past: informants, evidence, detective work, investigation. There is no law that says law enforcement's job should be easy, and that we need to do everything we can to make it so. Maybe we should make a law that all bags carried in public should be made of transparent material? No? I didn't think so.

      Our ability to communicate with each other in a private, forthright manner, is an essential right. From the simple act of a discussion between two people in a park up to the technology we have now, we've always had it. Our free society has come about because of such private communications, and the possibility of the oppressed becoming free depends on it. You could surrender this right. You could surrender it and live a happy life. But one day the people doing the watching and listening may decide something you don't agree with, or isn't in your interest, and right at that moment, you'll wish you had it.

  • by Anonymous Coward

    Morons that decided to ignore a reported issue probably because they thought they were "above that". Open-source assholes.

  • by Anonymous Coward

    To get the bug fixed, members of a dark web forum banded together and donated to the Tor Project to sponsor the bug's patch.

    How very libertarian.

  • Why on earth would they target the best newspaper in the world?

    http://www.theonion.com/
