What is a Torshammer (Tor’s Hammer) Attack? (2024)

A Torshammer attack is a Layer 7 Distributed Denial of Service (DDoS) attack that targets web and application servers. Torshammer executes the attack by sending HTTP POST requests at a slow rate, typically at intervals of between 0.5 and 3 seconds, within the same HTTP session.

Anonymized DDoS attacks can also be carried out through the Tor network using a native SOCKS proxy integrated into Tor clients. This enables attackers to launch the attack from random source IP addresses, making the attacker nearly impossible to track.


How does a Tor’s Hammer DDoS attack work?

In this type of attack, the attacker floods the target application and web servers with incomplete HTTP POST requests at a slow rate. The incomplete and slow HTTP POST requests cause the web and application server connection threads to wait for request completion. The connection requests are never completed, and this causes the exhaustion of the web and application server connection handling resources. The web and application servers thus enter a denial-of-service state for processing any new connections from legitimate traffic.

How is a Tor’s Hammer attack mitigated?

Due to the unique nature of its mechanism, the best approach to mitigate a Torshammer attack is a combination of network and application layer security.

Network filtering identifies and blocks attackers and IP addresses known to be associated with Tor’s Hammer. Application layer security focuses on patching vulnerabilities in web applications, rate limiting known malicious addresses, and using CAPTCHA and bot mitigation. It also relies on DDoS protection services, load balancers, and web application and API protection.

Organizations can take these steps to mitigate Tor’s Hammer attacks:

  • Implement rate limiting: Rate limiting restricts incoming requests from any given IP address in order to prevent DDoS attacks such as HTTP floods. Note that when traffic is anonymized, source IP addresses could be spoofed, which may lead to incorrect rate limits.
  • Increase web and application server connection limits: This can help reduce vulnerability to Tor’s Hammer DDoS attacks by increasing the number of concurrent HTTP connections that may be processed. Additionally, timeouts may be implemented to free up web and application server connection resources.
  • Use services such as cloud-based DDoS protection or botnet tracking: These solutions can help to identify suspicious activity quickly and respond appropriately.
  • Use load balancers and web application firewalls (WAFs): WAFs help protect against HTTP Flood attacks using HTTP GET and POST by using various mechanisms such as CAPTCHA and crypto challenges, and applying bot mitigation techniques. Load balancers and reverse proxies can buffer connections and implement multiple connection management techniques to prevent HTTP GET and POST requests from affecting applications and web server resources.
  • Always maintain security best practices: Keep software updated and patch vulnerabilities regularly. This helps to minimize risk and protect against all types of threats, including those posed by malicious actors who use techniques like Tor’s Hammer DDoS attacks.
  • Use Radware DDoS protection (DefensePro, Cloud DDoS Protection Service), WAAP and Cloud WAAP, and Alteon (with integrated WAAP) solutions: Mitigate Tor’s Hammer DDoS attacks by using approaches that block attacks without impacting legitimate traffic and use machine-learning and behavioral-based algorithms to understand what constitutes a legitimate user behavior profile. Then, automatically block malicious attacks while managing user connections effectively without impacting legitimate HTTP requests. This increases protection accuracy while minimizing false positives and disruption to legitimate users.
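
The timeout idea from the connection-limits step above, sketched as an added example (not code from the original page or from any product it names): a request-body read deadline that starts at a base allowance and grows only in proportion to the bytes actually received. The class name, the three limit values and the replayed arrival traces are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class BodyDeadline:
    """Read deadline for one POST body; extra time must be earned with data."""
    start: float                 # time the request headers completed (seconds)
    content_length: int          # declared Content-Length
    base_timeout: float = 10.0   # assumed initial allowance in seconds
    min_rate: float = 500.0      # assumed bytes/second needed to earn more time
    max_timeout: float = 60.0    # assumed hard cap on total body time
    received: int = 0

    def deadline(self) -> float:
        earned = self.received / self.min_rate
        return self.start + min(self.base_timeout + earned, self.max_timeout)

    def on_data(self, nbytes: int) -> bool:
        """Record a chunk; return True once the whole body has arrived."""
        self.received += nbytes
        return self.received >= self.content_length


def replay(events, content_length, **limits):
    """Replay (timestamp, nbytes) arrivals and return (verdict, time).

    A chunk arriving after the current deadline means the server's timer
    already fired, so the worker was released at the deadline itself.
    """
    conn = BodyDeadline(start=0.0, content_length=content_length, **limits)
    for now, nbytes in events:
        if now > conn.deadline():
            return "drop", conn.deadline()
        if conn.on_data(nbytes):
            return "complete", now
    return "drop", conn.deadline()   # client went silent before finishing


# Constructed traces (not captured traffic).
NORMAL = [(0.1, 2500), (0.2, 2500), (0.3, 2500), (0.4, 2500)]  # 10 kB form post
UPLOAD = [(float(i), 50_000) for i in range(1, 21)]            # 1 MB at 50 kB/s
SLOW = [(2.0 * i, 1) for i in range(1, 50)]                    # 1 byte every 2 s

if __name__ == "__main__":
    print("normal:", replay(NORMAL, 10_000))
    print("upload:", replay(UPLOAD, 1_000_000))
    print("slow:  ", replay(SLOW, 10_000))
```

With these limits the trickling connection is released after about 10 seconds, while the 20-second upload finishes because its throughput keeps extending the deadline.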


Author: Prof. Nancy Dach
