Lalithya Divi
Application Protocol Engineer

Can You Mitigate a Torshammer DDoS?

July 27, 2016 by Lalithya Divi


The online hacktivist collective known as Anonymous recently relaunched operation OpIcarus and directed a series of distributed denial-of-service attacks (DDoS) at the Bank of Greece amongst others, forcing the servers to remain offline for days. Since then, massive DDoS attacks have been launched on various financial institutions worldwide. In investigating the attacks, I discovered that the tool of choice was one of the popular tools called Torshammer—a python script that uses the TOR network to launch Slow POST DDoS Attacks. The attack can be visualized as shown below:



The anonymity feature of the Tor protocol is completely exploited by the attacker to launch these attacks. The attacker logs into the TOR network by creating an anonymous identity. They then use the script “” to launch the attack. is a modification of the well-known Slow Post attack that can be configured to connect to the Tor network. Once we have this script and Tor installed, all that is needed is to set the proxy settings correctly and launch the Slow Post attack. The default thread count is set at 256, but increasing it to 1024 will take down most standalone servers from a single attacker.

Let’s analyze the problem from the victim’s point of view. The attack will look like incomplete HTTP GET and POST requests originating from TOR exit node IP addresses.


The Server i2_default can be viewed as the victim receiving traffic from the TOR exit nodes.


We have designed a test scenario that can be used to emulate the same type of attack. The Breaking Point network neighborhood for such a scenario would be as shown below. Notice how we leverage the use of a virtual router to support multiple discontinuous IP addresses “behind” it. This technique allows us to not only emulate the application layer of the attack, but also provide the correct IP reputation.


This is a simple scenario to emulate the traffic coming from the TOR exit nodes. The exit node list can be obtained from and then it could be parsed into the static hosts with base IP addresses set to the exit node list to simulate the attack. You can also leverage a test like this to evaluate IP reputation engines that should flag the source IP addresses.

This is just another example of the research we are doing at Ixia to make sure you get the latest in attacks, content, and emulation.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.