Security Experts:

Connect with us

Hi, what are you looking for?


Privacy & Compliance

Attacking Tor: What it Takes to Disrupt the Popular Onion Routing Network

Launching denial-of-service (DoS) attacks against Tor’s most commonly used default bridges and flooding them would cost attackers around $17,000 per month, researchers have discovered. 

Launching denial-of-service (DoS) attacks against Tor’s most commonly used default bridges and flooding them would cost attackers around $17,000 per month, researchers have discovered. 

Tor has long become a target for disruption and censorship, as attackers aim to prevent users from reaching information, to identify Tor users’ communication content, or deanonymize users.

According to security researchers Rob Jansen from the U.S. Naval Research Laboratory, and Tavish Vaidya and Micah Sherr from Georgetown University, however, DoS attacks on Tor can be used to significantly degrade network performance and are actually not that expensive to perform. 

While launching DoS attacks against the entire Tor network would cost millions of dollars each month, assaults that intelligently utilize bandwidth to impact network performance and reliability are rather feasible, the researchers explain in a paper (PDF) presented at the 2019 USENIX Security Symposium. 

Although Tor relays do not publish their link capacities, the researchers estimate the total link capacity across the Tor network to range from 429 to 575 Gbit/s (Gigabits per second) over the year. 

For their study, the researchers used the average of 512.73 Gbit/s and estimated that an attacker would need one DoS stresser service to target each Tor relay, which would incur costs of around $10,000 per hour, or $7.2 million per month. 

An attack on Tor’s most commonly used default bridges and flooding those that are operational, on the other hand, would only cost around $17,000 per month. Such an attack, the researchers say, could reduce client throughput by 44% and more than double bridge maintenance costs. 

Attacks targeting all scanners in the Tor Flow bandwidth measurement system, on the other hand, would cost $2,800 per month and reduce the median client download rate by 80%. 

Lastly, the researchers estimate that an adversary could use Tor to congest itself and that targeting all Tor relays in such an attack would cost $1,600 per month, resulting in the median client download time increasing by 47%. 

As of version 8.0.3, Tor has 38 hard-coded default bridges, but the researchers focused on the 25 default bridges that use the obfs4 obfuscation protocol. They also requested 135 unlisted obfs4 bridges from the TorProject’s bridge authority, 95 of which were functional. 

The researchers estimate that the costs associated with employing stresser services to attack the full set of 38 default bridges could be of around $31,000 per month, which is “well within the budget of a nation-state adversary.” 

With 90% of bridge traffic traversing default bridges, any switch to unlisted bridges could significantly impact network performance, the researchers say. With a quarter of previously default bridge users switching to unlisted bridges, performance would drop by more than half, the researchers suggest. 

The study also compared the presented attack scenarios with launching a Sybil DoS attack, where the adversary could run Sybil relays and then arbitrarily degrade traffic performance or deny service by dropping circuits, or de-anonymize users by observing both the entry and exit points in a vulnerable circuit, and concludes that attacks on Tor bridges are more flexible and less expensive. 

“We find that Tor’s bridge infrastructure is heavily dependent on a small set of fixed default bridges, the operational of which can be disrupted at a cost of $17K/month. Additionally, Tor’s mechanism for measuring load is too centralized and brittle, […] attackers can saturate Tor’s capacity by constructing long paths in the network, and exploit protocol vulnerabilities to decrease the costs of such attacks,” the researchers conclude. 

Related: Internet Society Publishes Privacy Code of Conduct

Related: Cloudflare Launches Security Service for Tor Users

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Application Security

Less than a week after patching critical security defects affecting multiple enterprise-facing products, VMware is warning that one of the flaws is being exploited...


Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.