I2P Network Under Heavy Pressure Again

I2P Network Faces Renewed Intense Pressure from Coordinated Attacks

The Invisible Internet Project (I2P), a robust anonymity network designed for secure, peer-to-peer communications, is currently experiencing significant disruptions due to what appears to be a sustained distributed denial-of-service (DDoS) attack. Reports from users and network operators indicate that accessibility to I2P-hosted services has deteriorated sharply over the past several days, echoing similar incidents that plagued the network earlier this year.

Symptoms of the Ongoing Disruption

Network statistics from the official I2P console reveal alarming trends. The floodfill pool, responsible for indexing and locating hidden services (known as eepsites), has been overwhelmed, with load averages spiking to extreme levels. Exploratory tunnel creation rates have surged dramatically, far exceeding normal operational thresholds. This flood of inbound traffic has led to a noticeable decline in active routers, dropping from typical highs of around 55,000 to below 40,000 at peak disruption periods.

Users attempting to access .i2p sites report prolonged connection times, frequent timeouts, and outright inaccessibility. Bandwidth utilization charts show routers struggling under the deluge, with share bandwidth plummeting and many nodes reporting zero throughput. The integrated bandwidth graph underscores the severity: inbound traffic has ballooned while outbound capacity fails to keep pace, resulting in widespread throttling.

These symptoms mirror a classic amplification-style DDoS vector tailored to I2P’s architecture. Attackers exploit the network’s tunnel-based routing mechanism by initiating vast numbers of short-lived exploratory tunnels. Each such tunnel consumes computational resources for key exchange, garlic routing encryption, and peer sampling, amplifying the impact as routers inadvertently propagate the flood.

Developer Confirmation and Technical Analysis

I2P developers have corroborated these observations through channels like the project’s IRC server (#i2p-dev on libera.chat). Senior contributor dr|z3d described the assault as “another round of the same DDoS flood we’ve seen before,” emphasizing its coordinated nature. The attack leverages I2P’s bandwidth leasing system, where malicious actors request high-volume leases from unsuspecting routers, further multiplying the traffic load.

Unlike traditional DDoS attacks that target clearnet infrastructure, this campaign is precision-engineered for I2P’s garlic routing and distributed hash table (DHT) systems. Floodfills, which handle netdb lookups for locating peers and destinations, bear the brunt, leading to cascading failures across the network. Bandwidth leases exacerbate the issue by compelling routers to allocate disproportionate resources to attacker-controlled streams.

Historical context reveals a pattern: similar floods struck in February and May 2024, each time pushing router counts down by 20-30% and rendering large swaths of the network unusable for hours or days. Recovery typically involves natural attrition of attack traffic and operator interventions, such as tightening tunnel quantity limits or enabling rate controls.

Network Resilience and Mitigation Efforts

Despite the pressure, I2P demonstrates inherent resilience. Core protocol features like tunnel pooling, rate limiting, and adaptive bandwidth sharing help mitigate the worst effects. Operators are advised to monitor their consoles closely, adjusting settings such as maximum concurrent tunnels (default 1,000-2,000) and inbound tunnel acceptance rates. Enabling “exploratory tunnel reduction” or participating in the outproxy pool can alleviate local strain.
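The console monitoring advised above can be automated. The following is an added example, not code from the I2P project: it flags flood-like intervals from periodic samples using the two symptoms the article describes, a surge in tunnel build requests and a drop in known routers. The sample data is constructed, and the field names and the `rate_z` threshold are assumptions.

```python
from collections import deque
from statistics import median

# Constructed samples, not real I2P measurements. Each tuple is one polling
# interval: (known_routers, tunnel_build_requests_per_min). Both field names
# are hypothetical labels for values an operator reads off the console.
SAMPLES = [
    (55000, 120), (54800, 131), (55100, 118), (54900, 125),
    (55050, 122), (54700, 127), (54950, 119), (55020, 124),   # quiet baseline
    (52000, 480), (47000, 910), (41000, 1500), (39500, 1720), # flood onset
    (43000, 600), (45000, 210),                               # partial recovery
]

def robust_z(value, history):
    """Distance from the median in units of scaled MAD (outlier-resistant)."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # flat history: avoid /0
    return (value - med) / (1.4826 * mad)

def detect_flood(samples, warmup=8, rate_z=6.0, router_drop=0.20):
    """Return [(index, [reasons])] for intervals that look like a tunnel flood.

    router_drop=0.20 is the low end of the 20-30% router loss the article
    cites; rate_z is an assumed threshold. Flagged intervals are kept out of
    the baseline so a sustained flood cannot become the new normal.
    """
    routers, rates = deque(maxlen=warmup), deque(maxlen=warmup)
    alerts = []
    for i, (known, rate) in enumerate(samples):
        reasons = []
        if len(rates) == warmup:  # only judge once a full baseline exists
            if robust_z(rate, rates) > rate_z:
                reasons.append("tunnel_rate")
            base = median(routers)
            if (base - known) / base >= router_drop:
                reasons.append("router_drop")
        if reasons:
            alerts.append((i, reasons))
        else:
            routers.append(known)
            rates.append(rate)
    return alerts

if __name__ == "__main__":
    for idx, why in detect_flood(SAMPLES):
        print(f"interval {idx}: {' + '.join(why)}")
```

A tunnel-rate alert on its own is an early warning; both signals together match the peak-disruption pattern described in this article.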

The project’s decentralized design ensures no single point of failure; even as floodfills overload, surviving routers maintain a baseline of connectivity. Recent stats indicate partial stabilization, with router numbers climbing back toward 45,000 and floodfill loads easing slightly. However, the attack persists intermittently, suggesting attackers are adapting tactics in real time.

I2P’s developers stress that such incidents, while disruptive, underscore the network’s value as a censorship-resistant alternative to Tor. Unlike Tor’s exit-node model, I2P operates entirely within its own overlay, insulating it from many external threats but exposing it to internal amplification abuse.

Implications for Users and Operators

For end-users, the disruptions highlight the trade-offs of anonymous networks: unparalleled privacy comes with vulnerability to peer-based attacks. Temporary workarounds include switching to high-bandwidth routers, using outproxies for clearnet fallback, or pausing non-essential traffic. Site operators should prioritize redundancy, such as mirroring services across multiple eepsites or integrating with I2P’s SAM API for resilient applications.

This latest episode serves as a reminder of the adversarial environment surrounding privacy tools. State actors, hacktivists, or profit-driven adversaries may target I2P to disrupt darknet markets, file-sharing hubs, and dissident communications hosted within. Yet, the network’s open-source ethos fosters rapid community response, with ongoing discussions around enhancements like improved flood detection via anomaly-based monitoring.

As the I2P ecosystem evolves—recent updates include better netdb partitioning and tunnel obfuscation—these attacks test and refine its defenses. Operators worldwide continue to rally, demonstrating the network’s antifragility in the face of pressure.
