~vern Onion DDoS

~vern team

Mon, 24 Oct 2022

Hello ~vern members,

We have recently been DDoSed over the Tor network, meaning our onion services were down for a short period of time.

I first noticed strange behavior starting around 9:30 AM UTC, where ~vern onions would time out. I have seen this behavior before, in DuckDuckGoOnion. I didn’t know what it was, so I tried restarting the Tor service, which worked at first. Then it happened again, and when I restarted Tor, the onion sites would simply not connect at all.

I began to wonder if maybe our ISP had blocked tor, or if it was another network issue. I tried using torsocks to cURL vern.cc, which worked on my local machine, but not the tildeserver.

As my suspicions of the ISP grew, I decided to rule out a DoS attack by checking the data usage graphs. The one for October 24th showed a great spike in network usage at 9:30 AM, the time i began noticing the issues.

A graph showing data usage for 2022-10-24

This graph proved that it wasn’t the ISP, and our Tor service was, in fact, being DDoSed over the Tor network. It had to be over the Tor network, because no other services were going down.

I disabled Tor and waited until around 4:00 PM, when I re-enabled Tor and the onion services started working again.

Hopefully, this does not happen again in the future.