From zdnet.com
The Tor Project is preparing a fix for a bug that has been abused for the past years to launch distributed denial of service (DDoS) attacks against dark web (.onion) websites.Barring any unforeseen problems, the fix is scheduled for the upcoming Tor protocol 0.4.2 release, according to a bug report seen by ZDNet.
HOW THE DOS BUG WORKS
In information security (infosec) terms, the bug is a “denial of service” (DoS) issue that crashes the Onion service running on a web server hosting a .onion website.
More specifically, in a simplified explanation of what happens during this bug, an attacker can initiate thousands of connections to a targeted website hosted on the dark web, but leave the connections hanging.
For each connection, the remote Onion service must negotiate a complex circuit through the Tor network that secures the connection between the remote user and its server. This process is CPU intensive, and with enough connections, the server processor is maxed out at 100% and can’t accept new connections.