back to article Tor users are actively discriminated against by website operators

Computer scientists have documented how a large and growing number of websites discriminate against people who browse them using Tor. Tor is an anonymity service that is maintained with assistance from the US State Department and designed in part to allows victims of censorship in countries like China and Iran to surf the web …

  1. djack

    Understandable..

    It is understandable that website operators will want to protect themselves from attack. When 100% (or near enough) of traffic from ToR is malicious then it seems reasonable to assume that you treat that traffic as though it is hostile.

    It is a shame and operators are aware that it inconveniences the (potentially tiny) group of legitimate users who use ToR, but until there is universal support for the evil bit then you have to use imperfect methods to identify potentially damaging traffic.

    Similarly, many sites choose to blacklist traffic from certain countries, as none of their users live there and all such traffic is hostile and unwanted.

    1. Pascal Monett Silver badge

      Indeed. If you come in on the same bus as the hooligans, you can't play surprise at being looked at with suspicion from the store owners.

    2. Anonymous Coward
      Anonymous Coward

      Re: Understandable..

      Yep, that's the reasoning where I work. No legitimate traffic comes via TOR, it's all malicious, (to be fair, our customer's websites are not the sort of thing one would usually use TOR to access).

      For the same reason we block the entire Chinese IP range, our customers are in the UK, so we only get attacks from there, no legit traffic.

      I don't agree personally, but that's the official policy here.

      1. Ole Juul

        Re: Understandable..

        Yep, that's the reasoning where I work. No legitimate traffic comes via TOR, it's all malicious, (to be fair, our customer's websites are not the sort of thing one would usually use TOR to access).

        What kind of websites do you operate that would cause somebody who prefers to browse anonymously to change browser for your sake? I'm guessing what you're missing is that many people use Tor to protect themselves from the sites they visit.

        1. Pascal Monett Silver badge

          There are obviously some Tor champions out there who consider that 99% of Tor users are perfectly legit and restricting Tor IPs is a direct attack on Freedom and thus to be downvoted without fail and stomped on with great virtue.

          Yes, Tor is used to protect anonymity. Yes, there are perfectly innocent people who use it legitimately. They are apparently 10% of Tor traffic. Those are not the people website owners are trying to protect themselves from.

          If I can pin 90% of malicious traffic to one IP, I'm sorry but I'm blocking that IP.

        2. Anonymous Coward
          Anonymous Coward

          Re: Understandable..

          "What kind of websites do you operate that would cause somebody who prefers to browse anonymously to change browser for your sake?"

          Staying annon, so I'm going to be vague, but one of them is home furnishings. I can't think of a reason most people would find it necessary to use TOR to buy a nice cushion. Plus their user demographics don't really overlap with hardcore privacy campaigners, in fact I'm surprised most of them can operate a computer in the first place.

          The upside to us is drastically reducing the logs full of brute force ssh attempts and so forth that we have to check (and obviously we don't have ssh accessible from the internet in the first place, but people still keep trying).

          1. Ole Juul

            Re: Understandable..

            Staying annon, so I'm going to be vague, but one of them is home furnishings. I can't think of a reason most people would find it necessary to use TOR to buy a nice cushion. Plus their user demographics don't really overlap with hardcore privacy campaigners, in fact I'm surprised most of them can operate a computer in the first place.

            I get what you're saying about overlap, though I would think that other "privacy campaigners" like myself would also go shopping for cushions and the like. I can't be the only one.

            I'm sure your sites are fine, but many in that category are full of trackers and other privacy antagonizers. It is a good idea to use Tor Browser when going to all kinds of places. Besides, why shift from one browser to another all the time when it's easier to just use Tor Brower for everything. It's not a matter of even needing a reason to use Tor to go to your sites, but just as much that there is no reason to change browser to go there.

    3. Aitor 1

      Re: Understandable..

      I used to block:

      Russia

      China

      Japan

      Korea

      Tor

      And the hacking attacks diminisshed by more than 50%, no legitimate user was affected.

      Had it been possible, I would had blocked the US and UK, and then almost all malicious attacks would have stopped.

      1. Ole Juul

        Re: Understandable..

        I don't find it so easy to understand, especially since these web site owners seem to be keeping mum about exactly what kinds of attacks they're dealing with. As the administrator of numerous web sites I am well aware of the volume of malicious traffic that servers face, but I have a feeling that this is about something else.

      2. Crazy Operations Guy

        would had blocked the US and UK, and then almost all malicious attacks would have stopped.

        How about blocking the entire internet, then you won't see a single attack.

        Rather than blocking countries, you'd get better value out of spending your time ensure that your web-facing services are properly written.

        Those countries that you listed make up nearly 75% of internet users. Interestingly enough, if you actually look at the ratio of normal users vs. malicious users, those countries are much cleaner than the Western nations...

        1. djack

          Re: would had blocked the US and UK, and then almost all malicious attacks would have stopped.

          "How about blocking the entire internet, then you won't see a single attack."

          That's precisely what I do. For services where no legitimate traffic originates from the Internet, that whole outside world is blocked. Pretty much anyone running a boundary firewall has been doing that for years. ... which leads me back to my original point, locations from which you are not getting any legitimate traffic can and should be blocked.

      3. Greg D

        Re: Understandable..

        And the point of running the website would then be what? Since no one can access it :P

        Unless you're running some kind of invite only service, with whitelists, that seems a little overkill.

    4. Anonymous Coward
      Anonymous Coward

      Re: Understandable..

      I use Tor quite a bit.

      Until recently, I had no problems. Then came the hidden service ddos attacks, starting March last year.

      Another storm came about November last year.

      Since then I got faced by access denied, CAPTCHAs and the rest

      I have to wonder though, that if the powers that be wanted to restrict the utility of a service that gave anonymity when they didn't want it, the best thing that they could do would make it seem to be malicious, and make the information providers restrict the utility of this service.

    5. Flywheel

      Re: Understandable..

      "When 100% (or near enough) of traffic from ToR is malicious"

      Proof? Links? Sources?

  2. Alister

    It is a shame that this is the case, but unfortunately, because the TOR network provides a level of anonymity, it is used quite frequently for malicious purposes. It is not a deliberate policy of active discrimination on the part of websites and CDNs - it is a purely defensive move.

    As someone who manages a large number of public facing servers, if I see traffic repeatedly trying to access my servers maliciously from a given IP - dictionary attacks on mail servers, etc - I'm likely to block that traffic by IP.

    I don't have the time to bother whether it might be a TOR exit node, and even if I did, if the traffic is such that it's impairing the performance of my servers, then it's going to be blocked regardless.

    I also don't have time to repeatedly review these IPs, so once it's blocked, it will probably stay that way.

    I don't go looking up Tor exit node IPs and blocking them deliberately, I just block malicious traffic, and I'm sure the same is true for CDNs and other Internet suppliers.

    1. FreeTard

      You don't have to permanently block IP's you know. It is fairly trivial to detect sucpicious traffic (as you currently do) but rather than permenently blocking them, you could automate it to disable the block once a timer has exceeded. Fail2ban (among other solutions) come to mind.

      1. Alister

        @FreeTard

        So at the moment I have to work with what I've got, which means Cisco ASA firewalls on the network edge. These don't have posh IDS / IDP solutions, and using fail2ban etc at a server level means that the traffic is still impacting on the server's performance. So I block at the firewall, manually.

  3. frank ly

    Zenmate plugin has similar problem

    I use the Zenmate browser plugin, to access a couple of particular sites on a regular weekly basis. If I forget to turn it off then I'm often blocked from some common popular websites that use CDNs. I suspect this is a similar thing.

  4. Anonymous Coward
    Anonymous Coward

    Useless

    Years ago I thought it might be wise to block IPs in the Tor exit node blacklists. That's useless against all the attacks coming directly from pwned Wordpress sites nowadays, however.

    1. Anonymous Coward
      Anonymous Coward

      Re: Useless

      That's useless against all the attacks coming directly from pwned Wordpress sites nowadays, however.

      That is, however, quite a useful strategy to prevent said WP sites from being pwned in the first place. I have a couple of websites which are low volume, and I can see exactly who bounces off the security measures.

      Most of the attempts come from China, Russia/Ukraine, OVH in France (whose network I will probably block in full), AWS and Azure (also worthy of a full block because there are no *users* there) and the odd bored US citizen, and Tor nodes. I honestly have not seen any *legitimate* web access come from Tor, so as soon as one shows up in the alert logs it gets blacklisted.

      If there was a list of Tor nodes I'd block the lot of them by default.

    2. WatAWorld

      Re: Useless

      You might not mean it, but the phrasing gives the impression you'll only consider actions that solve all your problems.

      Life is not so easy. Removing FlashPlayer doesn't fix java vulnerabilities and vice versa. You didn't need me to tell you that. Often separate problems require separate solutions.

      That single solutions don't fix everything doesn't make them useless.

      In reply to, "Years ago I thought it might be wise to block IPs in the Tor exit node blacklists. That's useless against all the attacks coming directly from pwned Wordpress sites nowadays, however."

      1. Anonymous Coward
        Anonymous Coward

        Re: Useless

        You might not mean it, but the phrasing gives the impression you'll only consider actions that solve all your problems.

        Nope, it's a week-by-week updated strategy.

        The Tor decision was taken after going through a full year's worth of data from multiple sites. If not one site visit came from a Tor node, but a substantial amount of breach attempts I would be a fool not to take the easy way out. Some sites also have geo-blocks in place for traffic from China, for instance. There is no way they will have any business with China, so why expose the site to risk from there?

        It's either that or maintain long blacklists - geo-based blocking is more efficient.

  5. WatAWorld

    In Canada on very cold days many of those who work or play outdoors wear ski masks.

    I live in Canada and on very cold days many of those who work or play outdoors wear ski masks.

    However we have the common sense not to walk into a bank wearing a ski mask.

    Of course a person can forget, and that is unfortunate. But Canada is not other countries and mostly you simply take the ski mask off and you can do business.

  6. Wiltshire

    My Day Job website with several 100,000s of users doesn't block TOR traffic - but it does red-flag any such users as suspects, with good reason. All of the latest attempts at creating users with identity-fraud have come from a TOR source.

    Then we resort to software tactics to make the connection and session look bad. Better to make the suspect users think it's just a crap website than letting them realise they've been rumbled.

    1. Anonymous Coward
      Anonymous Coward

      Then we resort to software tactics to make the connection and session look bad. Better to make the suspect users think it's just a crap website than letting them realise they've been rumbled.

      Got any hints to what you're using? It would be cool to have such measures as WP and Joomla plugins. I have often been toying with the idea to tarpit such connections, but I can't do that on the ISP hosted sites as you need to alter the IP stack to control ACK signals (I think, it's been a while since I looked at defences based on deception and offender resource depletion :) ).

      I might just rent a VM and cook up a few sites for the hell of it, worth getting my hands dirty for :).

      1. Wiltshire

        Got any hints to what you're using?

        Yes. :-)

        Perhaps it depends a lot on the site architecture, but in our case, all content is personalised for each user through a server-side Base Class. That handles all the lookup of user profiles and content before rendering the page. So we're not talking about anything in the client-side code, like Javascript. We wrote a small add-in to our Base Class, so that for any user flagged as a "Tor Suspect", we added delay loops (to deliberately slow the response to a crawl) and a bastardised CSS class (to make the page layout look terrible)

        We were actually inspired to do this by one of the best parts of that classic hacking real-life story "The Cuckoo's Egg" by Clifford Stoll. IIRC, he used something like a bunch of keys to randomly short-out pins on the incoming RS232 dial-up modem connection the hacker was using, making the connection seem bad.

        https://en.wikipedia.org/wiki/The_Cuckoo's_Egg

        1. Anonymous Coward
          Anonymous Coward

          > we added delay loops (to deliberately slow the response to a crawl)

          Last I checked, Tor does that for you... as in 1-minute page loads, if you're running a bloated modern site like the rest of us. Screwing with the CSS, though, that's a total a dick move that won't even affect skiddie tools. Not cache-friendly either...

    2. Flywheel
      Facepalm

      " red-flag any such users as suspects, with good reason"

      And what would that good reason be? There seem to be a lot of people where who keep talking about the evil that Tor users do to their web site, but no-one has come up with any concrete examples yet. Give me some and I'll happily discuss.

      1. Wiltshire

        Err, I did come up with a concrete example, in the very next line.

        "All of the latest attempts at creating users with identity-fraud have come from a TOR source."

  7. Adam 52 Silver badge

    "researchers scanned the entire IPv4"

    Well, I think we've discovered one reason why Tor exit nodes look suspicious if people are doing whole internet port scans from them.

    On a related note Akamai, Fastly and Cloudfront don't seem to block Tor, so I wonder what they do differently.

    Lovehoney do though, so I buy sex toys from Amazon and eBay.

    1. DropBear

      Re: "researchers scanned the entire IPv4"

      Hold on, let me get this straight - so you insist keeping your anonymity on a website that you subsequently entrust with your credit card details and your shipping address...? I'm a bit confused, I think I need to lie down a bit...

      1. asdf

        Re: "researchers scanned the entire IPv4"

        >Hold on, let me get this straight - so you insist keeping your anonymity on a website that you subsequently entrust with your credit card details ...

        Well does keep your ISP and everyone but the website at least from knowing you buy sex toys on the first Thursday of the month or whatever.

    2. Natasha Live

      Re: "researchers scanned the entire IPv4"

      I thought this was a bit suss as well. I wonder if they scanned the entire IPv4 address set from their normal IP as well, or did they fear being flagged for it.

  8. Anonymous Coward
    Anonymous Coward

    I am Human Blockchain

    Surely some form of crypto hash could be embedded in the web browser that signifies that their behaviour is human. Then whenever a page is served up hash can be verified (against a blockchain) and treated as human. The has can be exchanged for a new hash frequently by the browser (protecting identity), but allowing proof of human. Any bad behaviour, can be marked to the hash, good behaviour as well, giving the rotating hash a score for "human-like". Then groups like cloud flare and others can mine the hash, allowing exchange of hash (along with others), and update of score to human score to hash. Providing them with a simple way of determining human-like behaviour, and anonymity. Only issue is processing time for the "I am human check", but I am sure this can be solved.

    1. Frozit

      Re: I am Human Blockchain

      Any such "I am human" algorithm can be spoofed by software. The attackers have the advantage. You make a defence, and they keep poking around at the edges until they find a weak spot.

  9. Tikimon
    Thumb Down

    "Most traffic is malicious" argument does not hold up

    I haven't checked the current numbers, but at one time about 85% of all e-mail was SPAM or malware-bait. By the rationale of "malicious traffic", it would have been fine to block e-mail entirely. Just think of all the hacking activity that would have been stopped in its tracks.

    Blocking IP addresses is roughly equivalent to using them to identify file-sharing pie-rats. They're not unique identifiers.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Most traffic is malicious" argument does not hold up

      I would have agreed with you if I hadn't done the analysis.

      I don't get visitors from Tor nodes, period. All I get from Tor nodes is attempts to breach the websites I keep an eye on, and most of that is scripted garbage that immediately bounces into 404 because I don't keep CMS admin on default URLs. The next thing I get is attempts to gather intelligence about site ownership by polling author IDs 1..3, and that doesn't work because I changed the default structure - again a 404 hit.

      Thus, based on what *I* get on *my* websites (note the conditionals) I deem it perfectly acceptable to ban Tor nodes from *my* websites. Your mileage may differ, but why should I run a breach risk?

    2. Alister

      Re: "Most traffic is malicious" argument does not hold up

      I haven't checked the current numbers, but at one time about 85% of all e-mail was SPAM or malware-bait. By the rationale of "malicious traffic", it would have been fine to block e-mail entirely.

      That's a nonsensical strawman.

      What actually happens, if you administer mail servers, is you routinely block large parts of the IPv4 address space, to cut down the spam and malware. This is necessary, and normal practice for hundreds of mail server administrators.

      Blocking IP addresses is roughly equivalent to using them to identify file-sharing pie-rats. They're not unique identifiers.

      If you are receiving malicious traffic from a specific IP then it absolutely is a unique identifier, it's the IP the traffic is coming from. I neither know nor care whether that IP is assigned to a specific person, I just want to stop that traffic hitting my servers.

      1. Charles 9

        Re: "Most traffic is malicious" argument does not hold up

        "If you are receiving malicious traffic from a specific IP then it absolutely is a unique identifier, it's the IP the traffic is coming from. I neither know nor care whether that IP is assigned to a specific person, I just want to stop that traffic hitting my servers."

        Not necessarily. It could be a co-opted IP that's ALSO being used for legitimate traffic. Or worse, spoofed. Blocking such an IP would be like throwing out the baby with the bathwater. Expect defections.

        1. Alister

          Re: "Most traffic is malicious" argument does not hold up

          Not necessarily. It could be a co-opted IP that's ALSO being used for legitimate traffic. Or worse, spoofed. Blocking such an IP would be like throwing out the baby with the bathwater. Expect defections.

          In the short term, I still don't care. if I'm getting high volume malicious traffic from an IP address - for instance as I have said, a dictionary attack on an email server, where hundreds of connections are being attempted every second, then a deny rule in the firewall stops that traffic dead, and prevents the server being overwhelmed.

          It doesn't matter if it's an IP that belongs to someone's infected computer, a Tor exit node, or is spoofed, the deny rule stops the traffic hitting the server, and that's my primary objective.

  10. Jungleland

    In Australia ISPs are already collecting and storing peoples' internet records so I use the TOR browsers as much as possible. The only sites I visit regularly that give me grief are the Linux Mint forums and El Reg

    The Mint forums are not a big issue as I have been thinking about using a new distro anyway but El Reg is a major PITA. I no longer visit as often as I used to. As a result I have the site locked down and there is no way the Register is going to get any advertising or other crap in my browser so they end up losing out ore than I do.

    What is the Register going to do when the Snoopers Charter comes in and more of their usual readers are using TOR/VPNs?

    1. Adam JC

      FYI, AdblockPlus and Ghostery take care of any and all adverts on TheRegister... no need for ToR..

      1. Eltonga
        Thumb Up

        Heh... I have AdblockPlus installed since it first came out to light and never noticed El Reg has annoying advertising :)

  11. Crazy Operations Guy

    Defeating the purpose

    "With abuse-based blocking, we need solutions to enable precise filtering beyond IP address blocking of Tor exit nodes, so that benign Tor users don’t have to suffer from the abusive actions of other Tor users sharing the same exit node." ®

    So the solution is to implement would be some sort of token to identify users to differentiate them as 'trustworthy'; which would be kind of defeating the purpose of Tor as an anonymizing service...

  12. AustinTX

    HELLO I AM TOR ENDPOINT LOL

    If TOR endpoints don't want to be discriminated preemptively, they ought to not register a domain name that has the string tor (or snowden, etc.) embedded in it, and they should opt-out of being listed on the web page that shows endpoint status.

    1. Anonymous Coward
      Anonymous Coward

      Re: HELLO I AM TOR ENDPOINT LOL

      >they ought to not register a domain name that has the string tor

      Doesn't matter if their target network is using decent IDS - Tor traffic is easy to detect from Cert IDs.

      1. AustinTX

        Re: HELLO I AM TOR ENDPOINT LOL

        Well, that's if the discriminator is inspecting packets. Inspecting host names is trivial. I've paid attention to this when I've encountered "you can't tor us" messages. Refresh the 'identity' a number of times and you'll find that the one they accept doesn't have 'tor' in it as I said.

  13. Anonymous Coward
    Anonymous Coward

    The idea that large-scale attacks, outside of the Tor network, are coming from Tor is not credible to me. I don't host much myself, 4 or 5 business websites and a couple of FTP sites. They are all constantly under attack but a brief look at the logs and quick whois shows it is botnets and other compromised computers outside of Tor that are doing the work. The only attacks I see coming from Tor are manual attacks by bored teenagers and protecting against those only requires minor effort during website construction (and the occasional patch). Tor is not fast enough to be the best option for doing real damage.

    Post Snowden droves of 'normal' people are using the Tor Browser for 'normal' browsing. Of course a lot of websites have a profit motive to block those users.

    1. Anonymous Coward
      Anonymous Coward

      >The idea that large-scale attacks, outside of the Tor network, are coming from Tor is not credible to me.

      Really? Easily a third of hostile traffic here and botnets which aren't using Tor for C&C are a rarity these days. From a commercial PoV - legitimate Tor clicks don't create ad revenue, Tor visitors don't buy stuff.

      Wikipedia, BBC, Universities, Gov and other public interest sites should arguably bite the bullet, but most commercial websites that don't already will block Tor sooner or later.

  14. emmanuel goldstein

    Don't forget...

    TOR is also used by people who are unfortunate enough to live in countries governed by repressive and generally unpleasant regimes (the U.K. for instance) that want to restrict access. By blocking TOR traffic, website operators are facilitating this and I think they should think twice before doing so.

    1. Charles 9

      Re: Don't forget...

      "TOR is also used by people who are unfortunate enough to live in countries governed by repressive and generally unpleasant regimes (the U.K. for instance) that want to restrict access."

      But since the state owns the backbones, they can always nip it in the bud by, for example, simply banning any and all encryption that doesn't use their keys (and then sanitizing text and mangling images and videos to head off steganography). The state itself could be filling TOR with garbage to make it useless to dissidents, and there's no practical way to prevent this since the states hold sovereign power.

  15. Cucumber C Face

    Plausible deniability?

    I run a website (medical educational) on which we reluctantly decided to block the entire list of Tor exit nodes. Tor publishes a list of their current exit nodes http://torstatus.blutmagie.de/ . Our site sees almost exclusively vulnerability scans, sql injection attempts, scraping, referer spam etc from >many< but not all Tor exit nodes.

    The dismal status of many of these exit node IP addresses can be confirmed here http://www.projecthoneypot.org/search_ip.php

    We suspect this abusive traffic is mostly not routed through the Tor network itself at all. (The bandwidth is pretty poor). Instead I guess they install and host a Tor exit node on the server, throttle it down to a trickle, and then let their bots rip [and if their ISP or LEA intervenes] they can blame all traffic emanating from their box on naughty anonymous cowards.

  16. Anonymous Coward
    Anonymous Coward

    I block TOR access, with VERY good reason.

    I run around a dozen websites, including their servers.

    Having monitored and analysed the logs for over a year, I decided to block all TOR access, and with VERY good reason.

    Out of all the traffic coming via TOR, guess how much was legitimate visitor traffic?

    0%.

    Not a single valid TOR visitor.

    ALL of the TOR traffic was malicious. Every single hit.

    So I blocked all TOR access and guess what?

    Over 90% of all malicious hits have disappeared overnight. And not one single solitary legitimate visitor was lost in the process.

    Now, tell me again why I should not block TOR?

    1. Anonymous Coward
      Anonymous Coward

      Re: I block TOR access, with VERY good reason.

      Loving the thumb down!

      So tell me, with which part do you disagree?

      Given each point I made is factually accurate, I'm curious...

    2. The Rope

      Re: I block TOR access, with VERY good reason.

      I think it was your mum.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like