In a nutshell, the flow control algorithm was designed with trustworthy peers in mind and buffering on a node was controlled by signals sent by its peers. This allowed a misbehaving peer to spam buffer commands, exhausting available memory on the target node. An attacker who carefully chose their targets could force a TOR user to use a specific route, thereby de-anonymizing them.
Really just seems like TOR's version of slowloris. I'm rather disappointed they didn't call it slowtoris.
> ... found that we could disable each of the fastest guard and the fastest exit relay in a range of 1-18 minutes.
> We also found that the entire group of the top 20 exit relays, representing roughly 35% of Tor bandwidth capacity at the time of the analysis, could be disabled in a range of 29 minutes to 3 hours and 50 minutes.
Really just seems like TOR's version of slowloris. I'm rather disappointed they didn't call it slowtoris.