The operator of an underground marketplace hosted within the Tor network has reported a flaw in Tor that he claims is being used for an ongoing denial of service attack on the site.

The problem, which is similar to one reported by another hidden site operator in December on the Tor mailing list, allows attackers to conduct a denial of service attack against hidden sites by creating a large number of simultaneous connections, or "circuits," via Tor, overwhelming the hidden service's ability to respond.

The problem is still under review, but it appears to be related to abuse of the "introduce" message in the Tor Hidden Services protocol, which is used to negotiate the connection between the client and the hidden server. By sending multiple "introduce" requests to the same hidden service, an attacker could make the targeted server create multiple circuits (paths over the Tor network used for the session), eating the server's available CPU and network resources and making it inaccessible to users.

An individual associated with Middle Earth, one of the hidden sites targeted by the denial of service attacks, posted to reddit's "darknet markets" subreddit earlier this week to apologize for the long downtime associated with the attack. Using the reddit account name MEMGandalf, he claimed "Middle Earth and Agora are the focus of the most serious attack TOR has ever seen." He additionally reported that Middle Earth's operator had reported the flaw to Tor. (The bug report was opened under the name "alberto.") The attack raised the server's processor load to 100 percent utilization.

While the problem has been reproduced by at least one Tor developer, short-term fixes proposed to prevent the attacks have, thus far, not panned out. A number of long-term fixes have been proposed that require substantial changes to Tor's Hidden Services Protocol implementation, including the use of dedicated bridges to connect larger hidden sites to Tor (part of Tor's Proposal 188, first put forward in 2012 by Tor co-founder and developer Roger Dingledine in June 2012).

Browser bugs

There was also a number of Tor client-related security patches pushed out this week——largely triggered by a critical "safety hazard" alert from Mozilla for Firefox, Firefox Extended Support Release, and the Thunderbird mail client. Both the Tor Browser Bundle and Tails live-bootable operating system were updated to fix problems in the Mozilla browser engine used across all the projects. Because of problems in how the browser engine handled memory safety, "we presume that with enough effort at least some of these (flaws) could be exploited to run arbitrary code," the Mozilla team noted in the alert.

The Tor Browser Bundle and the Tor browser in Tails both use Firefox ESR as their code base. In theory, the flaws could be exploited to run script within a browser session that could be used to launch an attack against the browser by loading code to memory outside the browser's context. Now that the flaw has been made public, Tor and the Tails project are urging users to update their software as soon as possible.

The latest Tails release also fixes more problems in OpenSSL, the open-source crypto kit that was the source of last year's Heartbleed bug. A set of problems in OpenSSL that could have caused memory corruption and software crashes found in the Debian distribution of Linux were patched in mid-March; Tails is based on Debian, and these fixes were rolled into the latest bootable distribution.