Rate Limiting for Tor Hidden Services

Tor hidden services face unique DoS and abuse challenges: all client IPs appear as 127.0.0.1 (delivered via localhost by Tor), making traditional IP-based rate limiting ineffective. Effective protection requires a combination of Tor's built-in PoW defense, application-level rate limiting, and nginx-level throttling that works within Tor's networking model.

The Unique Challenge of Rate Limiting Tor Clients

Standard rate limiting operates on client IP addresses: if an IP sends too many requests, limit or block it. With Tor hidden services, all connections arrive from the Tor process on 127.0.0.1 (or via a Unix socket), so from nginx's perspective every client connection comes from 127.0.0.1 regardless of the actual client. IP-based rate limiting would therefore rate-limit ALL clients simultaneously, since they all share 127.0.0.1. This is why Tor's Proof of Work (PoW) defense exists: it operates at the Tor protocol layer, before the HTTP layer, and can differentiate clients by their cryptographic session.

At the nginx/application layer, rate limiting must be based on non-IP identifiers. Options:

- session-based rate limiting (rate limit per authenticated session or cookie)
- API key-based rate limiting
- rate limiting per Tor client introduction point (advanced, requires stem library integration)
- coarse time-window limiting on overall traffic volume

Enabling Tor PoW Defense for Hidden Services

Tor's Proof of Work (PoW) defense requires connecting clients to compute a hashcash-style puzzle before the hidden service processes their connection. This is implemented in Tor 0.4.8+ and defends against DoS floods. Enable it in torrc:

    HiddenServicePoWDefensesEnabled 1

Optional parameters: HiddenServicePoWQueueRate (connections per second with PoW verification allowed) and HiddenServicePoWQueueBurst (burst allowance). The PoW difficulty adjusts dynamically based on introduction circuit queue depth. When the service is not under load, PoW difficulty is minimal (0-1ms computation). Under heavy load, difficulty increases to 10-100ms computation, significantly reducing the rate of DoS connections. Legitimate users experience slightly slower connection setup under load but eventually connect. Bot floods face exponentially higher computational costs to maintain the same connection rate.

Nginx Rate Limiting for .onion Services

nginx's limit_req module implements rate limiting. For .onion services, where all traffic appears to come from 127.0.0.1, keying the limit on the X-Real-IP header (only useful if Tor set it, which it typically does not) or on $binary_remote_addr (which is 127.0.0.1 for all clients) runs into the same problem. Alternative: use the $cookie_session_id variable for per-session rate limiting. Define a zone in the http context (30 requests per minute per session cookie):

    limit_req_zone $cookie_session_id zone=session_limit:10m rate=30r/m;

Apply it to location blocks:

    limit_req zone=session_limit burst=5 nodelay;

Requests that carry no session_id cookie produce an empty key, and limit_req does not count requests with an empty key, so unauthenticated endpoints need a separate control. For those, use overall connection limiting per server, which caps total concurrent connections to the server at 1000 regardless of source:

    limit_conn_zone $server_name zone=server:10m;
    limit_conn server 1000;

This prevents resource exhaustion but does not discriminate between legitimate and abusive clients.

Application-Level Rate Limiting Strategies

Application frameworks provide rate limiting based on application identifiers:

(1) API key rate limiting: enforce per-API-key rate limits (e.g., 100 requests per minute per key). Implemented in middleware.
(2) Session rate limiting: after authentication, apply per-session limits tracked in Redis.
(3) CAPTCHA for anonymous access: for unauthenticated endpoints that serve high value (search, registration), require a CAPTCHA challenge for repeated access without authentication. Self-hosted CAPTCHA (altcha.org, mCaptcha) avoids clearnet dependency.
(4) Proof-of-work CAPTCHA in application: JavaScript-based PoW challenge that the browser must solve before certain actions (anti-spam registration). Works even without IP information.
(5) Content addressing: if the service allows uploading content, hash-based deduplication prevents the same content from being uploaded repeatedly (identical spam uploads produce identical hashes).
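An added example, not code from the original page: a token-bucket limiter keyed by API key or authenticated session id, with one shared bucket for requests that carry no identifier so that dropping the cookie does not bypass the limit. The in-memory dict stands in for Redis, and the class name, limits and `clock` parameter are assumptions chosen for illustration.

```python
import time


class OnionRateLimiter:
    """Token-bucket limiter keyed by API key or authenticated session id.

    The peer address is deliberately ignored: behind Tor it is always 127.0.0.1.
    """

    ANON = "__anonymous__"  # single shared bucket for requests with no identifier

    def __init__(self, per_key=(100, 20), anonymous=(600, 50), clock=time.monotonic):
        # Each limit is (requests per minute, burst size); the values are illustrative.
        self.per_key, self.anonymous, self.clock = per_key, anonymous, clock
        self.buckets = {}  # identifier -> (tokens, time of last request)

    def allow(self, identifier=None):
        """Return True if the request may proceed, False if it should get a 429."""
        key = identifier or self.ANON
        per_min, burst = self.anonymous if key == self.ANON else self.per_key
        now = self.clock()
        tokens, last = self.buckets.get(key, (float(burst), now))
        # Refill in proportion to elapsed time, capped at the burst size.
        tokens = min(float(burst), tokens + (now - last) * per_min / 60.0)
        allowed = tokens >= 1.0
        self.buckets[key] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def evict_idle(self, max_idle=600.0):
        """Drop buckets idle for max_idle seconds so key churn cannot exhaust memory."""
        now = self.clock()
        stale = [k for k, (_, last) in self.buckets.items() if now - last > max_idle]
        for k in stale:
            del self.buckets[k]
        return len(stale)


if __name__ == "__main__":
    limiter = OnionRateLimiter(per_key=(60, 3))
    # Constructed traffic: one API key sending five requests back to back.
    print([limiter.allow("key-A") for _ in range(5)])
```

Pass only identifiers the application has already validated (a known API key or a server-issued session), since a bucket per arbitrary client-supplied value would let a client mint fresh allowances.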

Monitoring and Alerting for DoS Attacks on .onion Services

Detecting DoS attacks on .onion services from logs: monitor the nginx access log request rate per time window. A sudden spike in request rate (even with every request coming from 127.0.0.1) indicates an attack. Log analysis: the following command counts requests per timestamp and lists the 20 busiest, showing request rate by time:

    awk '{print $4}' access.log | sort | uniq -c | sort -rn | head -20

Prometheus + alert rule: if the request rate exceeds 10x the normal baseline for more than 30 seconds, fire an alert. Systemd journal monitoring: track Tor daemon log messages about introduction circuit queue depth (an indication of PoW defense activation). Configure an alert via Telegram bot (Tor-proxied) when any of the following occurs:

- Tor PoW defense activates (log message)
- nginx returns 503 Service Unavailable at an elevated rate (from the nginx error log)
- server CPU/RAM exceeds 80% (from a node_exporter Prometheus alert)
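An added example, not part of the original page: the sustained-spike rule described above (more than 10x baseline for more than 30 seconds) applied to per-second counts parsed from nginx combined-format log lines. The sample log is constructed, and the function names and the 2 requests/second baseline are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

STAMP = re.compile(r"\[([^\]]+)\]")  # e.g. [01/Jan/2024:00:01:00 +0000]

def per_second_counts(lines):
    """Count requests per epoch second from combined-format access log lines."""
    counts = Counter()
    for line in lines:
        m = STAMP.search(line)
        if not m:
            continue
        try:
            when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # skip malformed timestamps instead of aborting the scan
        counts[int(when.timestamp())] += 1
    return counts

def sustained_spikes(counts, baseline_rps, factor=10, min_seconds=30):
    """Return (start, end) epoch pairs where rate > factor * baseline for > min_seconds."""
    if not counts:
        return []
    spikes, run_start = [], None
    # Seconds with no log lines count as zero; max + 1 flushes a run at the end.
    for sec in range(min(counts), max(counts) + 2):
        hot = counts.get(sec, 0) > factor * baseline_rps
        if hot and run_start is None:
            run_start = sec
        elif not hot and run_start is not None:
            if sec - run_start > min_seconds:
                spikes.append((run_start, sec - 1))
            run_start = None
    return spikes

def sample_log():
    """Constructed log: 2 r/s baseline, a 5 s burst at t=10, a 40 s flood at t=60."""
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    lines = []
    for sec in range(120):
        rate = 50 if (10 <= sec < 15 or 60 <= sec < 100) else 2
        stamp = (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines += [f'127.0.0.1 - - [{stamp}] "GET / HTTP/1.1" 200 512 "-" "-"'] * rate
    return lines

if __name__ == "__main__":
    for start, end in sustained_spikes(per_second_counts(sample_log()), baseline_rps=2):
        print(f"ALERT: flood for {end - start + 1}s starting at epoch {start}")
```

The 5-second burst in the sample is ignored and only the 40-second flood is reported, which is the behaviour the 30-second hold time is meant to give.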
