A malicious attacker need not target the pool or hidden service;
since Tor is a relatively low-bandwidth network, it takes very few resources to grind all active onion routers to a halt.
All active router info is publicly available at the directory server.
Every router merely knows the last and next hop; the origin of the attack cannot be traced, and it only shows up as large amounts of traffic and appears as a normal router.
DoS against the entire Tor network is also cheaper than against a well-hosted single site with high bandwidth.
Even a 20 Gbps attack would render the network unusably slow. It is a brute-force method, but it will achieve the goal and make a pool unreachable.
It only needs to last as long as people switch to other pools, and if they come back, target the network again.
I think you are underestimating the Tor network.
As I mentioned in my previous post, Tor has some DDoS protections built-in, as described here. These will make many forms of DDoS over Tor impossible or very hard to do. Tor only allows TCP connections through the network.
Currently, according to this source, the Tor network is about 8.5 Gb/s. Obviously, this is less than 20 Gbps, but the Tor bandwidth is distributed across more than 2500 servers with multiple ISPs across the world. This arrangement would be cost prohibitive for slush to acquire on his own. Instead of messing with 1-2 ISPs, an attacker has to mess with 100s of them, including Amazon (yes, I saw some EC2 instances in the list) and universities, which tend to have some of the best connections. This will decrease the chance that the attack will work.
If the attacker is using a botnet, there is a higher chance that, for example, compromised machines with SBC Global IPs will be attacking Tor nodes that also have SBC Global IPs. This ISP now has an incentive to investigate and disconnect the compromised machines. Additionally, each ISP has its own DDoS defense strategy. Some may fail, but some will work.
The public directory does not include Tor bridges, which further adds security to the Tor network.
Mt. Gox's strategy with a few alterations would be perfect from a financial standpoint (maximum profit, lowest expenses, and highest uptime).
Pay ~30% of Prolexic's charged rates to the biggest attacker, with an agreement of keeping other attackers away.
If 'offender' breaks the deal by demanding a bigger cut or by not being hostile towards other attackers, you siphon the extra to Prolexic and give nothing to the 'offender'.
'Offender' is forced to choose between earning $0 per month or convincing you to accept back the earlier rate, maybe lower.
I didn't know that Mt. Gox had that strategy, but you also have to consider motive. It appears that a major attacker would want to take down a mining pool so that the difficulty goes down and the attacker makes (or at least expects to make) more money. The attacker may even be aiming for 51% network power. So it may be more profitable for the attacker to continue attacking rather than take a relatively small amount of money from slush. But this is less likely to apply for Mt. Gox since attacks on exchanges would drive down the value of Bitcoin.
I also don't understand how one attacker can keep away other attackers given that attackers usually don't reveal themselves to each other. Also, the attacker isn't "forced to choose between earning $0 per month or convincing you to accept back the earlier rate, maybe lower" because they can choose to take the money they earned through extortion and invest it in attacking you. That's usually how extortion works. Once the gravy train starts flowing, it's hard to stop it.