Tor Project to fix bug used for DDoS attacks on Onion sites for years

silversurfer

The Tor Project is preparing a fix for a bug that has been abused for years to launch distributed denial of service (DDoS) attacks against dark web (.onion) websites.

Barring any unforeseen problems, the fix is scheduled for the upcoming Tor protocol 0.4.2 release, according to a bug report seen by ZDNet.

How the DoS bug works
In information security (infosec) terms, the bug is a "denial of service" (DoS) issue that crashes the Onion service running on a web server hosting a .onion website.

More specifically, in a simplified explanation of what happens during this bug, an attacker can initiate thousands of connections to a targeted website hosted on the dark web, but leave the connections hanging.

For each connection, the remote Onion service must negotiate a complex circuit through the Tor network that secures the connection between the remote user and its server. This process is CPU intensive, and with enough connections, the server processor is maxed out at 100% and can't accept new connections.

This is an old bug that has been known to Tor developers for years but has not been fixed, both because of a lack of human power and because there's no simple and straightforward way to fix it: the bug exploits the same process which needs to happen to establish a legitimate user's connection.

There is no viable way to identify if any incoming connection requests are from an attacker or a legitimate user until the connection is established, at which point, it is already too late.
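
The resource exhaustion described in the post, as an added capacity model that is not part of the original post or of Tor's code: every request costs the same CPU before the service can tell clients apart, so a FIFO queue serves real users only in proportion to their share of traffic. The per-circuit cost, request rates and queue limit are constructed assumptions, not measurements of Tor.

```python
from collections import deque

CPU_MS_PER_SECOND = 1000  # one core; assumption for this model


def simulate(legit_per_s, hanging_per_s, setup_cpu_ms, seconds=60, queue_limit=1000):
    """Return (fraction of legitimate requests served, mean CPU utilisation)."""
    queue = deque()  # True = legitimate client, False = connection left hanging
    legit_in = legit_served = busy_ms = 0
    total = legit_per_s + hanging_per_s
    for _ in range(seconds):
        for i in range(total):
            # Spread legitimate arrivals evenly through the second.
            is_legit = (i * legit_per_s) % total < legit_per_s
            legit_in += is_legit
            if len(queue) < queue_limit:  # tail drop once the backlog is full
                queue.append(is_legit)
        budget = CPU_MS_PER_SECOND
        # The label is invisible to the service: every queued request gets the
        # full circuit-setup cost, in arrival order.
        while queue and budget >= setup_cpu_ms:
            budget -= setup_cpu_ms
            legit_served += queue.popleft()
        busy_ms += CPU_MS_PER_SECOND - budget
    served = legit_served / legit_in if legit_in else 1.0
    return served, busy_ms / (seconds * CPU_MS_PER_SECOND)


if __name__ == "__main__":
    # Constructed load levels: 50 real requests/s, 5 ms of CPU per circuit setup.
    for hanging in (0, 100, 500, 2000):
        served, cpu = simulate(legit_per_s=50, hanging_per_s=hanging, setup_cpu_ms=5)
        print(f"hanging/s={hanging:5d}  legit served={served:6.1%}  cpu={cpu:6.1%}")
```

Below the CPU ceiling every legitimate request is served; once the combined rate exceeds it, utilisation pins at 100% and the served fraction falls toward the legitimate share of incoming traffic.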