Recently, the Tor Project released Tor version 0.4.8, which officially introduces a Proof-of-Work (PoW) defense for onion services, designed to prioritize verified network traffic in order to stop denial-of-service (DoS) attacks.
Tor's PoW defense is a dynamic response mechanism that stays dormant under normal conditions. When an onion service comes under DoS stress, it prompts incoming client connections to perform a series of progressively more expensive computations, and the service then prioritizes those connections by the amount of work each client demonstrates.
The goal is to push the cost of a DoS attack to unsustainable levels while prioritizing legitimate traffic and suppressing attack traffic: a proof-of-work requirement discourages attackers by making large-scale attacks expensive and impractical. The Tor Project therefore encourages onion service operators to upgrade to version 0.4.8.
If an attacker floods the onion service with connection requests, the PoW defense raises the amount of computation required to reach the .onion site. This initial amount of work is manageable for the vast majority of devices, taking from 5 ms to 30 ms. As attack traffic increases, so does the required work, up to about 1 minute. The entire process is invisible to the user.
Why do I need to update?
Onion services protect user privacy by hiding IP addresses, a design choice that inherently makes them vulnerable to DoS attacks, because traditional IP-based rate limiting offers little protection when the service cannot see client addresses. As an alternative, the Tor Project designed a proof-of-work mechanism based on client-side puzzles that stops DoS attacks without compromising user privacy.
How does it work?
Proof-of-work works like a ticket system: it is off by default but responds to network stress by creating a priority queue. Before reaching the onion service, a client must solve a small puzzle to prove that it has done some "work". The harder the puzzle, the more work the client has done, which is strong evidence that it is a real user rather than a bot trying to flood the onion service. Ultimately, the proof-of-work mechanism holds off the attacker while giving real users a chance to reach their destination.
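As an added, simplified illustration (not Tor's own code: Tor's real implementation uses the Equi-X puzzle with its own message encoding), the following Python models the ticket system described above. The client searches for a nonce whose hash, scaled by the effort it commits, fits under a fixed bound; the service verifies with a single hash, rejects replays, serves the highest-effort connections first, and raises the advertised effort as its queue grows. The seed and effort values are constructed for the example.

```python
import hashlib
import heapq
import struct

MAX32 = 2**32 - 1

def puzzle_hash(seed: bytes, nonce: int, effort: int) -> int:
    """Cheap hash of (seed, nonce, effort); the first 4 bytes are the checked value."""
    data = seed + struct.pack(">QI", nonce, effort)
    return int.from_bytes(hashlib.blake2b(data, digest_size=32).digest()[:4], "big")

def solve(seed: bytes, effort: int, max_iter: int = 10_000_000) -> int:
    """Client side: find a nonce so that hash * effort still fits in 32 bits.
    Each candidate passes with probability about 1/effort, so expected work grows with effort."""
    for nonce in range(max_iter):
        if puzzle_hash(seed, nonce, effort) * effort <= MAX32:
            return nonce
    raise RuntimeError("no solution within max_iter")

def verify(seed: bytes, nonce: int, effort: int) -> bool:
    """Service side: one hash checks the claimed effort, however large it is."""
    return 0 < effort <= MAX32 and puzzle_hash(seed, nonce, effort) * effort <= MAX32

def suggested_effort(queued: int, base: int = 16) -> int:
    """Dynamic adjustment: advertise a higher effort as the queue backs up (constructed policy)."""
    return base * (1 + queued // 100)

class OnionServiceQueue:
    """Priority queue that serves the highest-effort verified connections first."""
    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.heap: list = []
        self.seen: set = set()   # replay protection for (nonce, effort) pairs
        self.order = 0           # FIFO tie-break among equal efforts

    def submit(self, nonce: int, effort: int) -> bool:
        if (nonce, effort) in self.seen or not verify(self.seed, nonce, effort):
            return False
        self.seen.add((nonce, effort))
        heapq.heappush(self.heap, (-effort, self.order, nonce))
        self.order += 1
        return True

    def next_client(self) -> tuple:
        """Pop the connection that committed the most work, as (effort, nonce)."""
        neg_effort, _, nonce = heapq.heappop(self.heap)
        return -neg_effort, nonce
```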
What does this mean for attackers and users?
If an attacker tries to flood the onion service with a large number of requests, the PoW defense kicks in and increases the amount of computation required to access the .onion site. This ticket system is designed to disadvantage attackers who open connections to the onion service in large numbers: sustaining such an attack would require significant computational effort, with diminishing returns as the attacker adds computing power.
For everyday users, who typically submit only a few requests at a time, the added computation needed to solve the puzzle is affordable on most devices, with initial solve times ranging from 5 to 30 milliseconds per solution on faster versus slightly slower computers. If attack traffic increases, the workload increases, up to approximately 1 minute of work. While this process is invisible to the user, and waiting for a proof-of-work solution is comparable to waiting on a slow network connection, it has the distinct advantage of keeping the Tor network accessible to users who prove they are not an automated flood, even when the network is under stress.
Over the past year, the Tor Project has invested a great deal of work in mitigating attacks on the Tor network and strengthening the defenses of onion services. Tor's PoW defense not only makes onion services one of the few communication protocols with built-in DoS protection, but also promises to reduce the impact of targeted attacks on network speed once major sites adopt it. The dynamic nature of the system helps balance load during sudden traffic surges, ensuring more stable and reliable access to onion services.