
Configuring Tor Proof of Work Defense for Hidden Services

Tor 0.4.8 added a Proof of Work (PoW) client puzzle to help onion (hidden) services survive DDoS attacks that flood them with introduction requests (INTRODUCE2 cells), each of which costs the service a rendezvous circuit it never gets to use. With PoW enabled, a client solves a puzzle before the service acts on its introduction request, which raises the per-request cost for an attacker while legitimate users on ordinary hardware still get through. This guide covers PoW configuration, monitoring and tuning for service operators.


How Tor PoW Works

Tor's PoW defense uses Equi-X, an asymmetric client puzzle derived from Equihash and the HashX hash-program generator. It is cheap for the service to verify, costly for the client to solve, and built to resist GPU and ASIC acceleration, so an attacker who wants to keep flooding has to spend CPU time in proportion to the number of requests sent; solve time on the client grows with the requested effort. The service publishes the puzzle parameters (a seed, a suggested effort and an expiry) in the encrypted part of its descriptor. A client that supports PoW solves the puzzle before sending its introduction request and attaches the solution; the service verifies it, rejects invalid solutions, and places valid requests in a priority queue ordered by effort, dispatching rendezvous work from that queue at a bounded rate. Requests that carry no solution at all are not refused: they are queued at effort zero and served last. The suggested effort adapts to load. While the service keeps up with its queue the effort is zero and no puzzle is required; when the queue backs up, the service raises the suggested effort in the next descriptor, so every client has to do more work per request and the flood is throttled far harder than a user making one connection.

Enabling PoW in Tor Configuration

PoW is configured in the service's torrc, inside the block for that HiddenServiceDir:

HiddenServicePoWDefensesEnabled 1

This publishes puzzle parameters in the descriptor and turns on the effort-ordered queue with adaptive suggested effort. It needs a Tor build that includes the PoW module (Tor Project packages do; source builds need --enable-gpl); without it Tor rejects the option at startup. Two parameters tune the queue: HiddenServicePoWQueueRate (default 250) is the sustained number of rendezvous requests dispatched from the queue per second, and HiddenServicePoWQueueBurst (default 2500) is the largest burst dispatched from it. Set both to what the host can actually serve, since the suggested effort rises only when the queue cannot be drained within these limits; values far above real capacity let the host be overwhelmed before the puzzle ever engages. Check the file with tor --verify-config -f /etc/tor/torrc, then restart Tor or send it SIGHUP. The notice log mentions PoW when the service starts and when the suggested effort changes, so grep -i pow /var/log/tor/notices.log confirms the defense is active.
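The following audit script is an added example, not code from the Tor project or from this page's original author. It writes a constructed torrc with two services, one protected and one not, and walks every HiddenServiceDir block to report the effective PoW settings, falling back to the documented defaults (250 and 2500) when the queue options are absent. The sample directory paths and socket names are assumptions.

```shell
#!/bin/sh
# Audit a torrc for onion-service PoW settings (added example).
# Usage: sh pow_audit.sh /etc/tor/torrc   (exit 1 if any service lacks PoW)

# Constructed sample torrc: "shop" has PoW tuned, "legacy" never enabled it.
# Paths and sockets are made up for the example.
write_sample_torrc() {
  cat > "$1" <<'EOF'
SocksPort 0
MetricsPort 127.0.0.1:9035
MetricsPortPolicy accept 127.0.0.1

HiddenServiceDir /var/lib/tor/shop
HiddenServicePort 80 unix:/run/shop.sock
HiddenServicePoWDefensesEnabled 1
HiddenServicePoWQueueRate 100
HiddenServicePoWQueueBurst 1000

# Older service block, never migrated
HiddenServiceDir /var/lib/tor/legacy
HiddenServicePort 80 127.0.0.1:8080
EOF
}

# audit_pow <torrc>: one line per service, "<dir> pow=<0|1> rate=<n> burst=<n>".
# Options apply to the most recent HiddenServiceDir, exactly as tor reads them.
# Returns 1 when at least one service has PoW disabled.
audit_pow() {
  awk '
    function flush() {
      if (dir != "") {
        printf "%s pow=%d rate=%d burst=%d\n", dir, pow, rate, burst
        if (!pow) bad = 1
      }
    }
    /^[ \t]*#/ { next }                                   # skip comments
    $1 == "HiddenServiceDir" { flush(); dir = $2; pow = 0; rate = 250; burst = 2500 }
    $1 == "HiddenServicePoWDefensesEnabled" { pow = $2 }
    $1 == "HiddenServicePoWQueueRate"       { rate = $2 }
    $1 == "HiddenServicePoWQueueBurst"      { burst = $2 }
    END { flush(); exit bad }
  ' "$1"
}

# verify_torrc <torrc>: let tor itself parse the file when it is installed.
verify_torrc() {
  command -v tor >/dev/null 2>&1 && tor --verify-config -f "$1" --hush
}

if [ -n "${1:-}" ]; then
  audit_pow "$1"
fi
```

Run it against the real torrc before a restart; a service reported with pow=0 is one whose descriptor advertises no puzzle at all, and a rate well above what the host can rendezvous per second is a sign the defaults were left in place.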

Monitoring PoW Activity

The control port has no query for PoW statistics; the supported interface is Tor's MetricsPort, which exports Prometheus-format gauges and counters per onion service. Enable it with MetricsPort 127.0.0.1:9035 and MetricsPortPolicy accept 127.0.0.1, keep it bound to localhost because the metrics reveal which onion addresses the host serves, and scrape http://127.0.0.1:9035/metrics. The PoW-related series report the current suggested effort and the depth of the rendezvous priority queue, labelled by onion address. Under normal operation the suggested effort should stay at zero. A nonzero value means the service is not draining its queue within HiddenServicePoWQueueRate and is pushing work onto clients; a value that stays high for hours after an attack has ended usually means the rate and burst are set above what the host can actually deliver, so lower them to real capacity rather than leaving the puzzle permanently engaged. The notice log reports effort changes as well, so grep -i pow there during an incident.
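The following reader for MetricsPort output is an added example, not code from the Tor project or from this page's original author. It embeds a constructed /metrics sample for two services, one idle and one shedding load, and classifies each from its suggested effort and queue depth. The series names tor_hs_pow_suggested_effort and tor_hs_rdv_pow_pqueue_count and the onion label are what the 0.4.8 exporter emits as far as this example's author knows; confirm them against your own /metrics page before alerting on them, and treat the onion addresses and the port 9035 as assumptions.

```shell
#!/bin/sh
# Classify onion-service PoW state from Tor MetricsPort output (added example).

# Constructed onion addresses; real ones are 56 base32 characters.
SHOP="shopexamplexamplexamplexamplexamplexamplexamplexample2d"
FORUM="forumexamplexamplexamplexamplexamplexamplexamplexampl2d"

# Constructed sample of a MetricsPort scrape. Series names follow the 0.4.8
# exporter as understood by this example's author; verify against a live scrape.
SAMPLE_METRICS="# HELP tor_hs_pow_suggested_effort Suggested effort for PoW
# TYPE tor_hs_pow_suggested_effort gauge
tor_hs_pow_suggested_effort{onion=\"$SHOP\"} 0
tor_hs_pow_suggested_effort{onion=\"$FORUM\"} 4200
# HELP tor_hs_rdv_pow_pqueue_count Number of rendezvous requests in the PoW priority queue
# TYPE tor_hs_rdv_pow_pqueue_count gauge
tor_hs_rdv_pow_pqueue_count{onion=\"$SHOP\"} 0
tor_hs_rdv_pow_pqueue_count{onion=\"$FORUM\"} 1870"

# fetch_metrics [url]: live scrape (assumed MetricsPort 127.0.0.1:9035).
fetch_metrics() {
  curl -fsS "${1:-http://127.0.0.1:9035/metrics}"
}

# metric_value <metrics-text> <series> <onion>: print the gauge value for that
# onion label; exit 1 if the series is absent (PoW disabled or wrong address).
metric_value() {
  printf '%s\n' "$1" | awk -v s="$2" -v o="$3" '
    index($0, s "{") == 1 && index($0, "onion=\"" o "\"") { print $NF; found = 1 }
    END { exit !found }'
}

# pow_state <metrics-text> <onion>: prints idle|shedding|unknown with the
# numbers behind it. Exit 0 idle, 1 shedding (alert), 2 no PoW series found.
pow_state() {
  effort=$(metric_value "$1" tor_hs_pow_suggested_effort "$2") || { echo "unknown"; return 2; }
  queue=$(metric_value "$1" tor_hs_rdv_pow_pqueue_count "$2") || queue=0
  case "$effort" in
    0|0.0) echo "idle effort=$effort queue=$queue"; return 0 ;;
    *)     echo "shedding effort=$effort queue=$queue"; return 1 ;;
  esac
}

# Usage against a live daemon:
#   metrics=$(fetch_metrics) && pow_state "$metrics" "$SHOP"
```

Wire pow_state into whatever runs your checks: exit status 1 is the alert condition, and an effort that stays nonzero after the queue depth returns to zero is the signal to revisit HiddenServicePoWQueueRate rather than to wait for the attack to stop.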

Tor Browser Client Compatibility

Tor Browser 13.0 and later ship with Tor 0.4.8 and solve PoW puzzles automatically; other clients need a tor of 0.4.8 or newer with the PoW module. Older clients do not understand the puzzle parameters and send their introduction requests without a solution. Those requests are not rejected, but they enter the queue at effort zero: while the service is idle they connect normally, and during an attack they are served last and usually time out with no useful error. Enabling the defense with its default parameters is already the "dormant until needed" mode, because the suggested effort stays at zero until the queue backs up; there is no separate monitor-only setting, and raising HiddenServicePoWQueueBurst does not change when the puzzle engages in a useful way. If old clients must keep working during an attack, the only lever that helps them is serving capacity (HiddenServicePoWQueueRate and the host behind it), not the puzzle. Post a notice on the service asking users to upgrade to a current Tor Browser if they see connection failures.

Combining PoW with Other DDoS Mitigations

PoW addresses one vector: flooding the service with introduction requests so that it exhausts itself building rendezvous circuits, which is the most common DDoS pattern against onion services. Layer other defenses for the rest. HiddenServiceEnableIntroDoSDefense 1, with HiddenServiceEnableIntroDoSRatePerSec and HiddenServiceEnableIntroDoSBurstPerSec, asks the introduction points themselves to rate-limit INTRODUCE2 cells before they ever reach the service. Application-level limits in HAProxy or Nginx cap what reaches the application once a rendezvous circuit is up; note that every onion connection arrives from the local tor daemon, so a limit keyed on source IP sees one address and does nothing unless you set HiddenServiceExportCircuitID haproxy and key the limit on the per-circuit pseudo-address it supplies instead. For the same reason iptables hashlimit rules on source IP do not help; OS-level limits on total connections and file descriptors still stop the host from falling over. OnionBalance spreads load across several backend instances, each with its own introduction points, so an attacker has to saturate all of them at once. For the highest-value services, client authorization (keys in HiddenServiceDir/authorized_clients) encrypts the introduction points in the descriptor so that only holders of an authorized key can locate them, which ends public floods at the price of public reachability.
