Official Tor Hidden Service for the Kiwi Farms

    • t.me/kiwifarms is our Telegram for downtime and announcements.
    • The .is domain is disabled due to issues with the CDN and having multiple domains.

Fek

What could possibly go wrong?
True & Honest Fan
kiwifarms.net
Joined
May 7, 2019
Much appreciated.
 

Lucario

kiwifarms.net
Joined
Jul 18, 2021
That's what I said. The onion-location header is proper, the 302 redirect isn't.
Only the Cloudflare (kiwifarms.net) domain has the forced 302 redirect, but not the others I tested (.top and .ru), those have the Onion-Location header:
Screenshot from 2021-07-24 21-07-29.png

Screenshot from 2021-07-24 21-16-02.png

I think Null has the forced 302 redirect on the .net site since Cloudflare forces you to go through captcha most of the time when you try to access the site, preventing you from having the option to go the .onion right when you go into the site; And not redirecting a Tor user immedietly if they have "Prioritize .onion sites..." to "Always."
 

Tachibana

kiwifarms.net
Joined
Jul 7, 2020
The onion site doesn't work for me on Brave. I just get:

Details: 0xF0 — The requested onion service descriptor can't be found on the hashring and therefore the service is not reachable by the client.
 
  • Agree
Reactions: Fek

Tachibana

kiwifarms.net
Joined
Jul 7, 2020
I'm still having issues with the onion site. Although I understand the issues Null is going through with the non-stop ddos attacks. I'm just throwing this up there in case anyone is wondering.
 

Radical Cadre

kiwifarms.net
Joined
Mar 12, 2020
The Tor hidden service is being used to conduct a DDoS attack (2000r/s, bypasses traditional filtering due to lack of an IP address) and will be disabled until I can look into mitigating it.
@Null

So, wait how the fuck does that work? It sounds like an interesting strategy to use but I don't know enough to understand why.
 

somecryptoneet

kiwifarms.net
Joined
Mar 23, 2020

TheSkoomer

Ahahahahahhahahahahahahahahahahahahahahhahahahahah
kiwifarms.net
Joined
Feb 4, 2020
Here's a github project for it: https://github.com/r3nt0n/torDDoS

Thing with TOR is that you can send a ton of requests from the same server and the hidden service cannot practically differentiate them. Makes an attack very easy.

Tor blog post about mitigating DDoS: https://blog.torproject.org/stop-the-onion-denial
I would recommend that @Null create an I2P hidden service at this point.
Unlike Tor, I2P has extensive bandwidth controls, and you can even limit the number of GET requests and POST requests per minute on a per-user basis.
I2P is also fully decentralized, not depending on index servers like Tor does; on I2P, every user is their own index server.
geti2p.net

InB4:
>lol it's written in Java hurrrrr durrr...
Yeah, I know, I know... There's a C++ implementation, but the C++ implementation of I2P does not have all the fancy bandwidth controls yet (that I know of.)
 

AnOminous

I hated Woody Woodpecker and Scooby-Doo.
Retired Staff
True & Honest Fan
kiwifarms.net
Joined
Dec 28, 2014
Here's a github project for it: https://github.com/r3nt0n/torDDoS

Thing with TOR is that you can send a ton of requests from the same server and the hidden service cannot practically differentiate them. Makes an attack very easy.

Tor blog post about mitigating DDoS: https://blog.torproject.org/stop-the-onion-denial
It's also asymmetrical, i.e., the cost of actually sending disruptive packets is less than the damage to the site to process them. Imagine being so pathetic that your entire life is desperately attacking a lolcow site to get it down for a few hours a couple times a month.
 

hundredpercent

kiwifarms.net
Joined
Jun 9, 2020
Here's a github project for it: https://github.com/r3nt0n/torDDoS

Thing with TOR is that you can send a ton of requests from the same server and the hidden service cannot practically differentiate them. Makes an attack very easy.

Tor blog post about mitigating DDoS: https://blog.torproject.org/stop-the-onion-denial
There is some more stuff you can do to mitigate. There's a script that basically replicates CloudFlare's CAPTCHA, can be modified to use JavaScript instead. That makes DDoS attacks much harder. You still need to protect yourself against Level 3 attacks (people attacking the CAPTCHA itself, which is just a static page), but Level 7 attacks basically go away.

This is what darknet markets use to protect against $100k+ extortion attacks, so it's reasonably solid.