Darknet Hidden Services Facing Large Scale DDoS Attacks

On the 13th of October, five of the largest darknet markets found themselves subject to a large-scale distributed denial of service (DDoS) attack. Markets affected included the most popular markets since the Alphabay and Hansa seizure: Dream, Trade Route, Point/T•chka, Wall Street Market, and RsClub.  The day the attack began it seemed as though the offensive was only launched against the main hidden service URLs, for markets with the mirror sites were still operational. However, within days, the mirror sites were also under attack as well.

What exactly is a DDoS?

DDoS stands for Distributed Denial of Service. The technique is a well known and beloved tool in the hacker’s arsenal. The denial of service attack involves overwhelming a URL with traffic from multiple sources, rendering the site inaccessible. They generally involve a large army or network of “botnets” used to generate huge floods of traffic to overwhelm the victim server. DDoS binaries are available as “digital goods” for purchase on darknet marketplaces such as the ones under attack. A week-long DDoS attack, capable of taking a small organization offline can cost as little as 100 to 200 USD.

One popular DDoS tool for use across Tor is SlowLoris. SlowLoris achieves denial of service by starting many concurrent HTTP connections and sending a byte of data every 15 seconds. Certainly, timing is often adjusted in relation to target server’s timeout, but it’s very effective. Because the attacker’s computer sends only a handful of bytes per 15 seconds per connection, some servers can go down while the attacker uses his internet as if nothing’s going on. A Python implementation of SlowLoris is pyloris.py (shown below), which is popular with python darknet enthusiasts. It is slightly different from the original code, in that it throttles the entire request, allowing the attacker to specify the bandwidth for the connection as well as how large the request is. Unfortunately, the brevity of the code does not leave room for SSL/TLS handling, so only HTTP is supported for the time being and more than adequate for Tor hidden services. 

Figure       SEQ Figure \* ARABIC
   1:       pyloris.py available options

Figure 1: pyloris.py available options

In essence, SlowLoris behaves very similarly to a classic TCP SYN flood attack where an attacker’s client sends numerous SYN messages to the target server. The server creates an entry in its connection table for each SYN received and responds to each with a SYN-ACK message. The attacker then either doesn’t send the ACK message, or many times, has spoofed its client IP address in the SYN packets so that the target server’s SYN-ACK responses are never received. As the attacker continues to send SYN messages, the target server’s connection tables become full and the server can no longer respond to any more connection requests. With all of its resources consumed, the target server is unable to connect with legitimate clients, creating a denial of service.

What are markets doing now?

It appears as though the markets are bracing themselves as the latest attack continues for nearly a week straight. Some markets have directed customers to alternative URLs or “mirror” sites - ones the attackers apparently have not affected. For example, an admin from Dream Market posted that mirror sites were indeed available and operating with business as usual. The mirror site was verified to point to the main onion hidden service address under attack.

Figure       SEQ Figure \* ARABIC
   2:       RsClub Acquires 5 new hidden service URLs to Counter DDoS

Figure 2: RsClub Acquires 5 new hidden service URLs to Counter DDoS

Aero Market on the other hand, posted proudly on reddit less than a week ago, that they had successfully managed to remediate the situation and offered their assistance to the other markets under attack. Of course, this did not stop a reddit troll from viewing this as an opportunity to threaten the poster of more aggressive attacks in the future and as one would expect, the site is subsequently unavailable.

Figure        SEQ Figure \* ARABIC     3:       Aero Market Admin Post on Reddit

Figure 3: Aero Market Admin Post on Reddit

History of Market DDoS Attacks

Darknet markets are well versed in dealing with DDoS attacks. In June 2015 major darknet markets faced a similar, large-scale DDoS impacting TheRealDeal and Agora Marketplaces, the market hubs at the time. The DDoS against Agora and TheRealDeal occurred for almost two weeks and was believed to have been attributed to a competing market who was ransoming the sites for up to 10 bitcoin. In that scenario, Mr. Nice Guy, the market owner behind the ransom, was also under attack and had bargained with the blackmailer, ddosforsale. Mr. Nice Guy offered to pay $200 each day if seven select markets were brought offline. If and when customers then flooded to his market he would have the option of pulling an "exit scam” and could pay the attacker.  An exit scam occurs when a hidden service administrator, without any warning, spontaneously shuts down the website or marketplace and, in almost every scenario, takes any monies that are left in the digital wallet and transfers them to their own personal cryptocurrency account.

not just markets

While the DDoS appears to initially target darknet marketplaces, other sites across the darknet are experiencing similar circumstances. Darknet social media site, Galaxy2 has been down since last weekend.

Coincidently, TradeRoute, also involved in the DDoS, has apparently pulled an exit scam during the attack in light of being blackmailed for a major security leak in the marketplace site.

According to reddit threads, the hacker, Phishkingz, also known for phishing big vendor accounts and scamming buyers on Dream Market and AlphaBay in 2016, contacted TradeRoute admins through another account, where allegedly he had gained access to TradeRoute’s admin panel and found several vulnerabilities, he referred to as “bugs.” He offered to help repair the site in exchange for bitcoin payment for the estimate of 2,000 USD per week to which the admins supplied. He closed his offer with a threat to release the entire software code for the site if the administrators did not pay him more, and ended up releasing portions of the code anyway out of sheer maliciousness.

 Fortunately for the darknet community, the infamous phisher was finally doxed by extortionist, InsanityDRM, because he reused the same passwords in clearnet sites and darknet hidden services, according to The Daily Beast.

Figure       SEQ Figure \* ARABIC
   4:       Reddit post by InsanityDRM threatening the PhishKingZ

Figure 4: Reddit post by InsanityDRM threatening the PhishKingZ

Darknet regulars recall that Silk Road 1.0 and 2.0, AlphaBay, and most recently RAMP, all suffered DDoS attacks shortly before they were compromised and taken over by Law Enforcement (LE). Considering the real possibility of an implementation of DDoS prior to facilitate LE intercession, this begs the question of this latest darknet DDoS intention. What is the motivation behind taking down so many hidden services across Tor? Who is behind such an attack? Is it a handful of “script kiddies” practicing their hacking and doxing skills?

Given the sophistication of malicious scripts that are readily available on the darknet and github, this could be possible. Further, it could indeed be a conscientious attempt by law enforcement to shut down the darknet’s drug trade completely as US Senator Jeff Sessions has vowed to do[1]. Earlier this week, an IRC chatter by the moniker, “cyberphil,” was claiming he was behind the DDoS and looking for more targets. His rants in the digital chatroom continued claiming he was doing it in retribution for the 5-year anniversary of his friend, Jeremy Hammond. But given the fact that Hammond was a famous Hacktivist, passionate about freedom of speech, it does make logical sense to target dozens of Tor sites, valued for the anonymity services they provide.

While the markets are down and success of the mirror sites ebb and flow, we know that the darknet community will continue to find ways to function despite this hiccup in business as usual. Vendor sites will continue to serve customers and new marketplaces will appear on the scene while others will revert to purchasing drugs from their local dealer. Although October 2017 marks the end of TradeRoute, another hidden service will rise up and take its place in the top 3. We can only theorize who or why this latest DDoS has struck Tor or how long it will continue.