Tor Proof of Work: Hidden Service DDoS Defense

Tor hidden services are vulnerable to a specific attack: flooding the service's introduction points with bogus introduction requests. Each request requires the hidden service to process and respond, consuming CPU and bandwidth. A sustained flood can exhaust the hidden service's processing capacity, making it unable to serve legitimate users - a denial of service. Unlike clearnet DDoS, the attack exploits the Tor protocol's need for the hidden service to respond to all introduction attempts. Previous mitigations required application-layer rate limiting (limited by the fact that all connections appear from the same internal Tor address), custom circuit management, and manually increasing introduction point count (to distribute the attack load). These were partial solutions at best.

Tor PoW adds a computational puzzle to the introduction request protocol. When the hidden service detects high load (configurable threshold), it begins requiring clients to solve a PoW puzzle before the introduction request is processed. The puzzle (based on the Equi-X algorithm, a memory-hard hash function) requires computational work proportional to a difficulty parameter. Legitimate users running Tor Browser solve the puzzle automatically - Tor handles PoW transparently without user interaction. The computational cost for a single user is minimal (milliseconds on modern hardware). For an attacker flooding with many simultaneous requests, the aggregate computational cost becomes prohibitive: to maintain the same attack volume, the attacker needs proportionally more computation.

Enable PoW in torrc: HiddenServicePoWDefensesEnabled 1 (enable PoW defense for this hidden service). HiddenServicePoWQueueRate 250 (maximum PoW requests queued per second when not under attack). HiddenServicePoWQueueBurst 2500 (burst capacity for the request queue). When under detected attack, Tor automatically raises the PoW difficulty to match the attack intensity. The difficulty adapts dynamically - lower difficulty when traffic is normal (minimal user impact), higher difficulty under attack. Minimum supported Tor version: 0.4.8.x or higher. Verify your Tor version: tor --version. Most distributions have Tor 0.4.8+ in their repositories as of 2025-2026.

Tor Browser 13.0+ (released late 2023) includes PoW client support. Clients using older Tor Browser versions cannot solve PoW puzzles and cannot connect to PoW-protected hidden services when PoW is required. As of 2026, the vast majority of active Tor Browser users have updated to versions that support PoW. For torsocks users (command-line Tor clients): torsocks + Tor 0.4.8+ supports PoW automatically. Older Tor clients without PoW support cannot connect to PoW-protected services when PoW is required. For services where backward compatibility with very old clients matters, PoW defense can be configured to apply only when attack is detected (dynamic threshold) rather than always-on.

Monitor PoW behavior through Tor logs at notice level: log messages report when PoW difficulty increases in response to detected flooding. Effective attack mitigation shows: attack volume increasing (log shows high introduction request rate), PoW difficulty increasing correspondingly, legitimate user connection rate remaining stable (or slightly declining as difficulty increases). Tuning considerations: HiddenServicePoWQueueRate should be set based on your service's legitimate peak introduction request rate. If legitimate users frequently trigger PoW even without an attack, QueueRate is set too low. If the service remains unreachable under attack before PoW kicks in, QueueRate is set too high and PoW responds too slowly. Monitor metrics and adjust based on observed behavior during both normal operation and any attack events.