Silk Road forums

Sure it will. Otherwise it would close a circuit as soon as a page is done being loaded. It keeps an established but inactive circuit open for about ten minutes before discarding it.

Those are the baseline ones I was talking about, the 3 hop circuits that it always keeps open and rotates every times minutes.

You can prolong the life of the circuit by trying to open streams through it, even if the streams fail to connect it resets the remaining time to keep the circuit open. I was able to indefinitely keep the circuit to the market open despite never being able to establish an open stream through it, but after manually closing the circuit I wasn't able to establish another one, likely because the introduction nodes are being pwnt.

Right, you're sending data through it. How often did you do that?

If the actual service goes down, like the web server, then a TCP connection won't be formed and the circuit will (or should) be killed.

The old security through obscurity.

The attacker knows what kind of attack he's running, thus he already knows how it can be mitigated, if that's possible at all. Openly discussing it reveals nothing new to the attacker.*

What appears to be the case is that DPR doesn't know how to mitigate it, which is why he mentioned several options in his latest post. That's why we need to be throwing out suggestions.



*Not to mention that if we throw out enough ideas, he won't know which ones were implemented.

Ok, while you all work on killing the attacker, anyone else have technical advice?

It's time for the community to step up and help the site they love.

/r/silkroad is the bottom of the barrel of SR users. I suspect a large percentage of them have never used the browser bundle. They access SR through clearnet proxies like onion.to and onion.sh, which of course means they post on /r/silkroad with their real IP addresses. The more sophisticated people might use a VPN, which offers little protection if LE really wants to find them. There appears to be very little overlap between the /r/silkroad and forum communities. Occasionally I see people over there reference the forum, but for the most part they seem to not have a clue about the conversations going on over here, or much of anything for that matter.

All that being said, why are you trying to get it shut down? Who gives a fuck what they do. The information is out there on how to be safe, if they choose not to read or follow it, that's their problem.

Does anyone want to brainstorm ways to mitigate the DOS attack? Of course, without knowing the nature of the attack, we can't offer specific help, but if we compile enough ideas, DPR should know which ones work, or test them until he finds a solution.

I can start with two suggestions.

1. Increase the number of intro points.

You'll have to download the Tor source code and edit /src/or/rendservice.c

Which can be viewed here:

https://gitweb.torproject.org/tor.git/blob/ab3d5c049032651a9c9164262f9a8f81de9709d4:/src/or/rendservice.c

Look at this section:

  72 /** Try to maintain this many intro points per service by default. */
  73 #define NUM_INTRO_POINTS_DEFAULT 3
  74 /** Maintain no more than this many intro points per hidden service. */
  75 #define NUM_INTRO_POINTS_MAX 10
  76
  77 /** If we can't build our intro circuits, don't retry for this long. */
  78 #define INTRO_CIRC_RETRY_PERIOD (60*5)
  79 /** Don't try to build more than this many circuits before giving up
  80  * for a while.*/
  81 #define MAX_INTRO_CIRCS_PER_PERIOD 10
  82 /** How many times will a hidden service operator attempt to connect to
  83  * a requested rendezvous point before giving up? */
  84 #define MAX_REND_FAILURES 30
  85 /** How many seconds should we spend trying to connect to a requested
  86  * rendezvous point before giving up? */
  87 #define MAX_REND_TIMEOUT 30
  88
  89 /** How many seconds should we wait for new HS descriptors to reach
  90  * our clients before we close an expiring intro point? */
  91 #define INTRO_POINT_EXPIRATION_GRACE_PERIOD (5*60)


Increase NUM_INTRO_POINTS_DEFAULT to something like 8, and NUM_INTRO_POINTS_MAX to 20. You may also experiment with changing the other values.

Then take a look at this section:

https://gitweb.torproject.org/tor.git/blob/ab3d5c049032651a9c9164262f9a8f81de9709d4:/src/or/rendservice.c#l1001

That's the formula for changing the number of intro points. You might try increasing the fudge factor from 1.5 to 2, or otherwise adjusting the formula to be more "sensitive" to intro point usage, and increase by a larger factor when they are getting hammered.

Build instructions are in the INSTALL file and here: https://www.torproject.org/docs/tor-doc-unix



2. Increase the number of entry guards.

This is potentially dangerous. It increases the likelihood of certain kinds of attacks and should only be used temporarily to mitigate an attack, if at all. You probably already know how to do this, but add NumEntryGuards to your torrc and set the value to something like 8 or 10.


Does anyone with experience defending web or database servers from attacks want to offer advice?

Shit like this is why we need Bitcoin and Zerocoin. Banks are supposed to hold your money. Their business is to make money by loaning your money to other people (fractional reserve banking). Unfortunately, banking laws have turned them into police organizations. Every purchase is watched and stored forever. Inconsistent with your last decade of banking? Jesus. They know about that sandwich you bought in 1993.