Coordinated DDoS Attack Targeting TOR Exit Nodes

Summary

On June 20, 2025, AS214503 experienced a coordinated distributed denial-of-service (DDoS) attack primarily targeting TOR exit nodes. The attack originated from AWS EC2 instances with secondary attack vectors from Hetzner infrastructure. The incident began at 17:00 UTC and was fully resolved at 00:45 UTC, lasting 7 hours and 45 minutes.

The DDoS attack traffic from AWS peaked at 15.24 Gbit/s (95th percentile) and caused elevated packet loss up to 20% during peak attack periods. A misconfigured BGP Multi-Exit Discriminator (MED) amplified the impact by preventing optimal traffic distribution across available upstream providers. Multiple TOR operators reported simultaneous attacks on their exit infrastructure, suggesting a coordinated effort to overload TOR exit capacity.

Impact

• Primary Target: TOR exit nodes operated by AS214503
• Attack Vectors:
  • Primary: AWS EC2 instances (15.24 Gbit/s peak, several factors above baseline)
  • Secondary: Hetzner infrastructure (2x baseline traffic)
• DDoS Volume: 15.24 Gbit/s (95th percentile, AWS traffic only)
• Packet Loss: Up to 20% during peak attack periods
• Customer Impact: Degraded service performance and intermittent connectivity issues for TOR users
• Geographic Scope: Global impact across all transit services

Timeline (All times UTC)

17:00 - Hetzner traffic volume doubles baseline levels, NOC alerts triggered
18:30 - AWS EC2 traffic escalates to several factors above baseline, targeting TOR exit nodes
20:17 - Multiple TOR operators report coordinated attacks on their exit infrastructure
21:30 - AWS attack traffic reaches peak volume of 15.24 Gbit/s (95th percentile)
22:00 - BGP MED misconfiguration identified and corrected
23:00 - Packet loss normalized to baseline levels following BGP optimization
00:45 - Attack traffic ceases, all network metrics return to normal operation
08:00 - Post-incident analysis completed

Root Cause

Primary Cause: Coordinated DDoS attack targeting TOR exit nodes, originating from compromised or malicious infrastructure across multiple cloud providers. AWS EC2 instances generated the primary attack vector with traffic several factors above baseline, while Hetzner infrastructure contributed secondary attack traffic at 2x baseline levels.

Attack Pattern: Multiple TOR operators reported simultaneous attacks on their exit nodes during the same timeframe, suggesting a coordinated effort to overload TOR exit capacity. The attack pattern indicates an attempt to force TOR traffic to exit through specific nodes by making other exit nodes unavailable, representing a significant threat to TOR network anonymity.

Amplifying Factor: Misconfigured BGP Multi-Exit Discriminator (MED) values prevented optimal traffic engineering during the attack. The incorrect MED configuration (uniform value of 100 across all paths) forced traffic through congested paths instead of distributing load across available upstream providers, significantly increasing packet loss beyond what the attack volume alone would have caused.

Resolution

Immediate Actions:

• Activated DDoS mitigation systems and traffic filtering at 18:30 UTC
• Corrected BGP MED configuration at 22:00 UTC to enable proper traffic distribution
• Implemented temporary rate limiting on affected interfaces
• Attempted coordination with AWS abuse team (no response received during incident)

Technical Changes:

• BGP MED values adjusted from incorrectly uniform 100 to proper tiered values (50/100/150)
• Enhanced DDoS detection thresholds for AWS-sourced traffic
• Improved traffic engineering policies for asymmetric attack scenarios

Prevention Measures

• BGP Configuration Review: Comprehensive audit of all MED configurations completed
• Monitoring Enhancement: Added specific alerting for MED-related traffic engineering issues
• DDoS Response Update: Updated runbooks to include BGP traffic engineering verification during DDoS incidents
• TOR Network Coordination: Established communication channels with other TOR operators for coordinated defense
• Multi-Vector Detection: Enhanced monitoring to detect coordinated attacks across multiple cloud providers
• Cloud Provider Escalation: Established direct escalation paths with AWS and Hetzner abuse teams for future incidents
• Capacity Planning: Evaluated additional DDoS mitigation capacity requirements

Lessons Learned

1. BGP traffic engineering configuration must be regularly validated, especially MED values
2. DDoS mitigation effectiveness can be significantly impacted by routing configuration
3. Multi-vendor DDoS protection requires coordination with upstream traffic engineering
4. Cloud provider abuse reporting channels may be unavailable during incidents, requiring alternative mitigation strategies
5. Coordinated attacks against TOR infrastructure represent a significant threat to network anonymity
6. TOR exit node operators should coordinate defense strategies against systematic overload attacks
7. Multi-vector attacks (AWS + Hetzner) require comprehensive monitoring across all major cloud providers

TOR Network Security Implications

This incident appears to be part of a broader coordinated attack targeting multiple TOR exit operators simultaneously. The attack pattern suggests an attempt to selectively overload TOR exit nodes, potentially forcing traffic through specific exit points controlled by the attacker. This represents a significant threat to the TOR network’s decentralized design and user anonymity.

Incident resolved. All systems operating normally with improved BGP configuration and enhanced DDoS protection.