To some, the Tor network is a haven for threat actors and a platform for launching web-based attacks. Tor is an anonymity network designed for those who want to browse without being identified. It was conceived as a way for political dissidents and marginalized members of society, living under oppressive regimes, to use the Internet without fear of government surveillance and reprisal.
Today CloudFlare is under fire for blacklisting Tor exit node IP addresses. Blocking them prevents site access by Tor users, who tend to be from developing and third world nations. CloudFlare is drawing accusations of discrimination because of this wholesale action.
Here is a diagram showing how clients reach web servers over Tor:
CloudFlare has an aggressive Tor IP blacklisting agenda, going so far as to publish data claiming that 94% of Tor traffic is malicious (mostly automated attacks). The company’s blog reads:
“Like all IP addresses that connect to our network, we check the requests that they make and assign a threat score to the IP. Unfortunately, since such a high percentage of requests that are coming from the Tor network are malicious, the IPs of the Tor exit nodes often have a very high threat score.”
The problem is that CloudFlare’s data isn’t representative of Tor traffic. Rather, it’s based on the percentage of observed exit nodes that spread malicious traffic. It’s guilt by association.
The Tor Project blog refutes CloudFlare’s claims. “The underlying issue is CloudFlare's design assumption that an IP address represents a single user. Yet there may be millions of users behind a handful of IP addresses.”
Are all Tor users bad?
CloudFlare argues that Tor is overrun with spammers and various threat actors. Tor has also been vilified for enabling various underground, or dark web, activities. It has hosted the infamous Silk Road, as well as sites that distribute pirated content, credit card swapping (carding) forums, and other forms of illicit activity.
The Tor Project points out that its network is also used by human rights defenders, diplomats, government officials, and people from all walks of life who want to browse the Internet free of surveillance, thus protecting their privacy.
In the post-Snowden world, even Americans have turned to anonymous browsing options like Tor. A Pew Research Center study reveals that roughly 9% have adopted sophisticated measures, such as using Tor, to shield their interaction with the Internet.
What does the data say?
In blocking all Tor traffic, CloudFlare is painting with too broad a brush, according to our data. Collected from our customer base, it's a sample of almost 10,000 IPs and over 40 million page requests over a two-week period.
We found that Tor node requests are malicious 48% of the time. (Admittedly, this is a higher rate of malicious requests than we saw from other proxy networks, which came in at 38%.) So by keeping out Tor users, CloudFlare is blocking legitimate users about half the time.
The problem with IP blocking
All organizations use IP blocking in some form. IP blacklists are a staple in the security world, appearing in firewalls, intrusion prevention systems, web application firewalls, fraud prevention, bot mitigation, and more. It’s where many organizations start their security efforts.
The problem is that attackers aren’t dependent on single IPs to carry out attacks. Our 2016 Bad Bot Landscape Report shows that 70% of automated attacks in 2015 used multiple IPs, and 20% of automated attacks used over 100 IPs.
Marty Boos, StubHub’s Director of Technology Operations, explains in his video testimonial, “It takes a matter of seconds, once we block someone on an IP basis, for them to move somewhere else. We found people going from 10k hits for one IP to 2 hits from 10k IPs per hour.”
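The two problems above, an IP address standing in for many users and a per-IP score punishing all of them at once, can be made concrete with a small simulation. The following Python is an added example written for this post, not code from CloudFlare, the Tor Project, or Distil; it assumes a deliberately simple threat score (the fraction of a source's requests that were malicious, with a 50% block threshold) as a stand-in for CloudFlare's undisclosed scoring, and all addresses, session names and request counts are constructed sample data from the RFC 5737 documentation ranges, not observed traffic. It scores the same constructed log once by source IP and once by client session, and reports how many legitimate requests each blocklist throws away.

```python
from collections import defaultdict

# Constructed sample data (not real traffic): one shared exit-style address
# carrying ten independent client sessions, plus two single-user addresses.
SHARED_EXIT = "198.51.100.7"   # stands in for a Tor exit node (documentation range)
DIRECT_GOOD = "203.0.113.5"    # one ordinary user on their own address
DIRECT_BAD = "203.0.113.9"     # one bot on its own address


def build_sample_log():
    """Return constructed log lines in the form '<ip> <session> <ok|bad>'."""
    lines = []
    # Four abusive sessions behind the shared address, ten bad requests each.
    for s in range(1, 5):
        lines += [f"{SHARED_EXIT} exit-s{s} bad"] * 10
    # Six legitimate sessions behind the same address, five requests each.
    for s in range(5, 11):
        lines += [f"{SHARED_EXIT} exit-s{s} ok"] * 5
    lines += [f"{DIRECT_GOOD} home-1 ok"] * 5
    lines += [f"{DIRECT_BAD} bot-1 bad"] * 8
    return lines


def parse_log(lines):
    """Parse log lines into (ip, session, is_malicious) tuples."""
    records = []
    for line in lines:
        ip, session, label = line.split()
        records.append((ip, session, label == "bad"))
    return records


def threat_scores(records, key=0):
    """Fraction of malicious requests per key: 0 = source IP, 1 = session.

    This is an assumed, simplified stand-in for a real reputation score.
    """
    total = defaultdict(int)
    bad = defaultdict(int)
    for rec in records:
        total[rec[key]] += 1
        if rec[2]:
            bad[rec[key]] += 1
    return {k: bad[k] / total[k] for k in total}


def blocklist(scores, threshold=0.5):
    """Everything at or above the threshold gets blocked outright."""
    return {k for k, score in scores.items() if score >= threshold}


def evaluate(records, blocked, key=0):
    """Return (legit_blocked, legit_total, bad_blocked, bad_total)."""
    legit_blocked = legit_total = bad_blocked = bad_total = 0
    for rec in records:
        is_blocked = rec[key] in blocked
        if rec[2]:
            bad_total += 1
            bad_blocked += is_blocked
        else:
            legit_total += 1
            legit_blocked += is_blocked
    return legit_blocked, legit_total, bad_blocked, bad_total


def compare_strategies(records, threshold=0.5):
    """Score and block by IP, then by session, on the same records."""
    results = {}
    for name, key in (("by_ip", 0), ("by_session", 1)):
        blocked = blocklist(threat_scores(records, key), threshold)
        results[name] = evaluate(records, blocked, key)
    return results


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    for name, (lb, lt, bb, bt) in compare_strategies(recs).items():
        print(f"{name:10s} blocked {bb}/{bt} malicious and {lb}/{lt} legitimate requests")
```

In the constructed log the shared address carries 40 malicious and 30 legitimate requests, so its IP score is about 0.57 and the whole address is blocked; that catches every bad request but also discards 30 of the 35 legitimate ones, which is exactly the "millions of users behind a handful of IP addresses" problem. Keying the same score on a per-client signal instead of the IP blocks the four abusive sessions and the standalone bot with no collateral damage. The session column is a placeholder for whatever per-client evidence a bot-mitigation or WAF layer actually has (cookies, fingerprints, behaviour), which is also what survives an attacker spreading requests across thousands of addresses: each address scores low on its own, while the behaviour behind them does not.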