Dark web spaces play host to a long list of hidden websites and a diverse community of online users. While some of these netizens are only looking to buy or sell wares on the darknet, others are out to destroy existing markets and forums for economic gain.
The constant state of vigilance on the dark web is attributed to a culture of competition that, in some instances, boils over to motivate a section of users to go on the full offensive. This aspect, coupled with the unregulated nature of the dark web ecosystem, has created vast possibilities for opportunistic cybercriminals.
One such opportunity for threat actor action against dark web markets and forums is through distributed denial-of-service (DDoS) attacks whose aim is to frustrate victim networks into submitting to extortionist advances.
Just recently, the Dread forum suffered a DDoS attack, which adds to the troubled history of dark web markets and forums being targeted in DDoS attacks by threat actors.
Information concerning the latest DDoS attack was shared in an announcement by a Dread forum admin, /u/Paris, who confirmed the attacks and revealed that the forum had suffered network stability issues as a result.
Dread admin /u/Paris went on to encourage the site’s users to look out for possible signs of threat actor activities targeting users, including the occurrence of phishing campaigns designed to exploit the forum’s situation.
The admin made it clear that the Dread forum has only one onion address, and that anyone peddling an alternative address may be aiming to trick users in order to harvest their data. In addition, the announcer pointed out that the Dread forum would be running tests on Tor’s alternative, the I2P network.
Dread Keeps Getting Hit by DDoS Attacks
The recent DDoS problem was finally solved as the Dread forum admin regained control of the site.
Still, /u/Paris raised the alarm and kept the forum on high alert, since no one really knows whether the Dread attacker will return. This fear stems from past experiences in which DDoS attackers brought the forum to its knees. Had it not been for the swift action of the site’s operators, the DDoS attackers could easily have obliterated the platform.
One October 2019 event involved mass cybercriminal exploitation of a Tor vulnerability to launch DDoS attacks against the Dread forum and other major dark web sites. Dread was also effectively forced on and off intermittently last February in a major DDoS attack that was felt across the entire Tor network.
Then, a Dread admin made an announcement on Reddit detailing the scale and severity of the attack. As described on the clearnet forum, an unknown threat actor was persistently overloading the site, causing a prolonged, DDoS-driven downtime crisis for the platform.
The event drove the forum operators to work tirelessly to configure new servers in an effort to spread out the load, even though the co-admin noted that the technique is of limited value as a sure-fire way to mitigate the DDoS – the volume of the attack was too massive.
Importantly, the poster seemed on edge about the possible outcomes of Dread’s response. On one hand, scaling up the forum’s capacity would possibly put the attacker off and result in a return to normalcy. This outcome hinged on new anti-DDoS measures that would block the attacker and free up the network.
Otherwise, a scenario in which the attacker bolstered their attack machinery would spell doom for the Dread forum, as it would fail entirely to cope with the DDoS event.
As such, the February event highlighted a rather worrying reality: Dread is still vulnerable to DDoS attacks. This is especially true in light of the Reddit post, in which the co-admin asserted that a cyberattack of this nature is unlikely to benefit its orchestrators in any substantial way.
In the past, the Dread forum was able to get in touch with a DDoS attacker and come to a truce. DDoS events of the recent kind are definitely more devastating because a site is forced to “wait out” the attack while fearing that it could be a malicious action by a competing dark web forum or even law enforcement.
Dread’s DDoS Filter
In May 2020, Dread announced a DDoS protection mechanism called “EndGame” that would be made available for free to the forum’s community. The anti-DDoS mechanism was the product of shared efforts involving White House Market, Big Blue Market and the now-defunct Empire Market.
Generally, EndGame denotes a collection of tools tailored for front-end DDoS prevention, intended to benefit all classes of dark web services and interested third parties. The project seemed to be the culmination of several months of planning and testing; its co-creator noted the “thousands of lines of code” involved, drawing on 8 open source projects, 6 open source NGINX modules, and 6 open source libraries.
At the time, various cybersecurity commentators noted that the EndGame project was not open source: the tool’s contents had not been released to the public. A Dread moderator joined the discussion to report that EndGame’s creators had opted to delay its public release as a feedback collection mechanism – they first gathered insights from early users before creating a GitHub project for the tool.
Apart from the fact that EndGame is free for all interested persons to use, some of its advertised features and merits include:
- An easily configured front-end system for protecting the core application servers of a hidden service while prioritizing safety and privacy.
- The tool is compiled and operated locally, without the need to involve a middle party.
- A collation of multiple technologies that have been designed to operate together harmoniously.
- Scalability, for instances where an operator needs to deploy it on blank Debian 10 systems.
- A well-packed NGINX Lua script designed to filter packets and serve a captcha directly from the NGINX layer.
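To make the last two features concrete, here is an illustrative OpenResty (NGINX + Lua) front-end of the kind described above. It is an added example written for this page, not EndGame's code or the Dread forum's configuration; the paths, port numbers, cookie name `eg_token`, environment variable `EG_SECRET` and token format are all assumptions. The key constraint it illustrates is that on a hidden service every visitor arrives from the local Tor daemon, so the filter cannot key on client IP and must instead key on a token it issued itself after a solved challenge.

```nginx
# Added example: hidden-service front filter with a Lua token check and per-token rate limit.
# Assumes OpenResty (lua-nginx-module). All paths, ports and names below are placeholders.
env EG_SECRET;                      # pass the signing secret from the environment to Lua
events { worker_connections 1024; }

http {
    # Rate-limit per solved-challenge token, not per IP: every request comes from the Tor daemon
    # on 127.0.0.1, so $binary_remote_addr would put all visitors in one bucket.
    # Requests without the cookie have an empty key and are handled by the Lua gate instead.
    limit_req_zone $cookie_eg_token zone=per_token:10m rate=5r/s;

    server {
        listen 127.0.0.1:8080;      # Tor's HiddenServicePort points here (assumption)

        # Static challenge page; a real filter renders and verifies a captcha here and then
        # sets the eg_token cookie. Placeholder path.
        location = /challenge {
            root /var/www/filter-placeholder;
            try_files /challenge.html =404;
        }

        location / {
            access_by_lua_block {
                -- Token format (assumption): "<expiry-unix-time>.<base64(hmac_sha1(secret, expiry))>"
                local secret = os.getenv("EG_SECRET") or "replace-me"   -- placeholder secret
                local tok = ngx.var.cookie_eg_token
                if not tok then
                    return ngx.redirect("/challenge", ngx.HTTP_MOVED_TEMPORARILY)
                end
                local exp, mac = tok:match("^(%d+)%.([%w%+/=]+)$")
                if not exp or tonumber(exp) < ngx.time() then
                    -- malformed or expired: send back to the challenge, never to the backend
                    return ngx.redirect("/challenge", ngx.HTTP_MOVED_TEMPORARILY)
                end
                local want = ngx.encode_base64(ngx.hmac_sha1(secret, exp))
                if want ~= mac then
                    -- forged token: reject at the NGINX layer without touching the application
                    return ngx.exit(ngx.HTTP_FORBIDDEN)
                end
            }
            # Requests holding a token are throttled per token; the limit is enforced in the
            # preaccess phase, before the Lua check above runs.
            limit_req zone=per_token burst=10 nodelay;
            proxy_pass http://127.0.0.1:9000;   # core application server (assumption)
        }
    }
}
```

The point a practitioner should take from this is the ordering: a cheap signature check and a per-token limiter sit in front of the application, so unauthenticated floods are answered by NGINX alone.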
DDoS Attacks Are Here to Stay
As reported by Security Magazine, EndGame’s launch was meant to open the dark web ecosystem to a wealth of opportunities. It is expected that if the tool becomes popular with many people, this would translate into an increase in the number of dark web marketplaces and forums implementing the anti-DDoS filter.
Nonetheless, even in light of the thousands of lines of code and months of work on the filter, the threat of DDoS is still here to stay – the latest event provides solid proof that the attacks will keep coming.
This conclusion is based on the fact that threat actors will still be hard at work looking for system vulnerabilities that help them gain access to exposed dark web sites. The threat may decrease if anti-DDoS mechanisms are created to put a time and money barrier in front of cybercriminals; a threat actor will most likely give a website a pass if its protection features impose significant direct costs on them.