Tor outage: How a major attack felled the onion network

Tor Onion with arrow through the middle

On 10 January 2021, the Tor Network experienced what appears to be a DDoS attack on its core infrastructure, causing users to be unable to use the Tor Browser, with most Version 3 onion sites becoming unavailable for several hours.

How does the Tor Network work?

The Tor Network is an open-source network that anybody can join from their computer using free software. Your data is routed between at least three nodes to its destination and is encrypted in a way that each node cannot get a full picture of your activity. The entry node might only see your local IP address, the exit node can only see the final destination of your data, and the node in between aims to segregate these two.

Anybody can participate in the Tor Network, and the network relies on a vast trove of volunteers to keep it going, including public libraries. The Tor Network is only safe if enough people are using it and contributing to it, and if a single actor cannot flood the network with their own nodes in an attempt to piece together the information from its users.

While the project is entirely open source and anyone can join as a user, hidden service, or relay, the network is not decentralized, meaning the network relies on a couple of services provided by the Tor Project to function. This does not mean that the Tor Project is able to see our data, but it means there are points of failure in the network that could lead to the unavailability of the entire network.

[Get tips and tools to protect your privacy. Sign up for the ExpressVPN Blog Newsletter.]

Why did the Tor Network fail?

And so it was in January 2021, when the project’s validator nodes were knocked offline by a DDoS attack. As a result, they could not come to a consensus about the state of the network, hidden services became unreachable, and for some, the Tor browser gave an error message at startup.

Screenshot of the Tor Browser displaying "Something Went Wrong"

There are nine privileged Tor directory servers, plus one “consensus” server. You can find them listed on this page, and your Tor Browser or client will ping them at startups. These servers are distributed around the world and run as independently as possible, to make it difficult for anyone to take them over.

Every hour these directory servers vote on the state of the network, keeping each other informed about which node fulfills which function, which nodes behave poorly, or even which nodes have been deemed malicious and need to be kicked off the network.

The individuals running these directory nodes are constantly surveilling their own anti-surveillance network in search of bad actors and performance issues. A prominent case arose in mid-2020 when a group was found to have run almost a quarter of all exit nodes.

The votes, one of which you can find here, are transmitted unencrypted, but signed using a PGP key. When too many of these voting nodes are offline, or as in the January 2020 case, unable to respond due to a novel DDoS attack, a Tor client is unable to retrieve this consensus, and either has to fallback to an older state of the network and risk routing errors and malicious actors, or not engage at all.

What is the purpose of attacking Tor?

It is yet unclear which group is responsible for the attack, though it seems unlikely that error or a bug is to blame. Pulling off such a feat could be a simple show of strength for a hacking group, aimed at building a reputation and highlighting weaknesses in otherwise cherished software.

It could however also be a targeted attack aimed at some groups or individuals inside of the Tor Network, for instance to trick them into switching from hidden onion sites to connections to the clearnet.

Only a day later, for instance, the operators of the world’s largest darknet market were arrested by German police.

Can Tor defend against such an attack?

Defending against DDoS attacks is tedious, yet possible. To increase the capacity and bandwidth of the consensus nodes could be an option, as could multiple mirrors of the data and “private” backchannels, for example through a VPN or otherwise privileged connection.

The successful attack on the Tor Network has dampened many sites’ plans to move their networks inside Tor only, in fear of availability issues. The weakness might also inspire others to come up with more decentralized future versions of the anonymity network that relies less, or not at all, on consensus models. After all, that might be just what the attackers were after.

Read more: Why more apps should integrate Tor

Lexie is the blog's resident tech expert and gets excited about empowerment through technology, space travel, and pancakes with blueberries.