Johannes Kepler University Linz reports significant DDoS attack targeted at @torproject HSDirs hosted on-site; seeks reports of similar attacks from other Tor operators, for analysis

* The attack was more advanced than simply saturating the upstream with bandwidth/packets, but had proper handshakes with the Tor relays, trying to cause resource exhaustion on the application level (we have seen this pattern multiple times in the last 6+ months, but this one was much more massive in terms of incoming packets).
* The attack was very targeted, affecting only 2 IPs out of 25, consistently over some time. This indicates that either the position in the HSDir or specific connections or hidden services that were relayed over those nodes were the target – but note that these are only guesses, we don’t have hard data on the motivation of this targeting.
* The only motivations that come to mind are either de-anonymization attacks or take-downs of particular hidden services. These do not seem to be relevant for usual ransom DDoS botnet attackers, but more for political reasons.

https://infosec.exchange/@rene_mobile/111946225077294620
