The unintended consequences of the sacred proxy
Over the past six months we have closely monitored chronic automated attacks that arrive through proxy services.
Two proxy services dominated our findings:
- Tor Exits – represent almost 97% of all chronic proxied attacks
  - Tor is an overlay network that routes traffic through several relays to hide the origin not only of clients such as web browsers but also of websites (onion services) that want their true location hidden. The initial purpose of Tor exits was to let journalists and whistleblowers pass information anonymously in hostile environments. Today it is more commonly associated with the "dark web" and is used for countless illegal activities. Terrorist groups like ISIS and Al Qaeda use Tor as a communication network to foster attacks and other agendas around the world.
  - We found that less than 0.5% of the traffic from known Tor project exit IPs consisted of clean requests against our clients' sites. Put another way, more than 99.5% of all Tor traffic (where Tor was not already dropped by configuration) committed some blockable offense.
  - The network keeps growing because virtually any computing device, even a smartphone, can join it. Most operators join under the impression that they are doing good, unaware that they are breaking the terms of service of most providers.
- VPN Services – represent about 1.3% of all chronic proxied attacks
  - A VPN or "tunneling" service proxies your outbound internet traffic through another network to hide your origin. These services do have legitimate uses, like bypassing country-level censorship.
  - In our clean-traffic audits, we were unable to detect any clean traffic from these services.
  - Most of these services accept pseudonymous cryptocurrencies like Bitcoin and sell daily access for a few euros a day. Since most botnet operators hold large Bitcoin stashes, it is easy for them to "churn 'n burn" through hundreds of such accounts daily.
In total, Tor exits and VPN services accounted for roughly a third of all chronic problems (attacks that continued for more than a month after being reported to the respective hosts) while providing virtually no legitimate traffic.
How we gathered data for our metrics
- We downloaded the published Tor relay data for each day of the trial period and compiled a daily list of that day's exit nodes.
- We then parsed the web logs into six categories: Tor clean, non-Tor clean, known VPN clean, Tor attack detected, non-Tor attack detected, and known VPN attack detected. A hit was flagged as Tor if its source IP appeared on the exit list for that day.
- Finally we totalled hits per category from the logs.
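The classification procedure above, written out as an added example (this is not the post's own tooling). It parses combined-format web-server log lines, flags a hit as Tor only when its source IP was on the exit list for the day the hit was logged, and tallies the six categories. All data in the block (daily exit lists, the VPN address list, the log lines) is constructed for the demo, and the attack heuristic (POSTs to the WordPress login and XML-RPC endpoints, the bot behaviour the post describes later) is an assumption.

```python
"""Added example (not the post's own tooling): classify web-server hits into
the six categories described above, flagging a hit as Tor only if its source
IP was on the exit list for the *day* the hit was logged.

All data below (exit lists, VPN list, log lines) is constructed for the demo.
The attack heuristic is an assumption: POSTs to WordPress login / XML-RPC
endpoints, the bot behaviour the post describes later.
"""
import re
from collections import Counter

# Constructed daily exit lists, keyed by the day as it appears in the log
# timestamp.  203.0.113.8 is an exit on the 30th but not on the 31st.
TOR_EXITS_BY_DAY = {
    "30/Oct/2015": {"203.0.113.7", "203.0.113.8", "198.51.100.20"},
    "31/Oct/2015": {"203.0.113.7", "198.51.100.20"},
}
# Constructed list of addresses belonging to a commercial VPN service.
KNOWN_VPN_IPS = {"192.0.2.44", "192.0.2.45"}

# Constructed Apache/nginx combined-format log lines.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Oct/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Oct/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
203.0.113.8 - - [30/Oct/2015:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [30/Oct/2015:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.7"
198.51.100.9 - - [30/Oct/2015:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Oct/2015:10:03:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
203.0.113.8 - - [31/Oct/2015:09:00:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not a valid log entry and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ATTACK_PATHS = {"/wp-login.php", "/xmlrpc.php"}  # assumption: brute-force targets


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_attack(hit):
    """Assumed heuristic: a POST to a WordPress login or XML-RPC endpoint."""
    path = hit["path"].split("?", 1)[0]
    return hit["method"] == "POST" and path in ATTACK_PATHS


def classify(hit, exits_by_day, vpn_ips):
    """Map one hit to one of the six categories used in the post."""
    day = hit["ts"].split(":", 1)[0]  # "30/Oct/2015:10:00:01 +0000" -> "30/Oct/2015"
    if hit["ip"] in exits_by_day.get(day, ()):
        source = "Tor"
    elif hit["ip"] in vpn_ips:
        source = "known VPN"
    else:
        source = "non-Tor"
    verdict = "attack detected" if is_attack(hit) else "clean"
    return f"{source} {verdict}"


def tally(log_text, exits_by_day, vpn_ips):
    """Count hits per category; unparsable lines are skipped, not guessed at."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is not None:
            counts[classify(hit, exits_by_day, vpn_ips)] += 1
    return counts


def clean_share(counts, source):
    """Fraction of a source's hits that were clean (the post's '0.5%' style figure)."""
    total = counts[f"{source} clean"] + counts[f"{source} attack detected"]
    return counts[f"{source} clean"] / total if total else 0.0


if __name__ == "__main__":
    counts = tally(SAMPLE_LOG, TOR_EXITS_BY_DAY, KNOWN_VPN_IPS)
    for category, n in sorted(counts.items()):
        print(f"{category:26s} {n}")
    print(f"Tor clean share: {clean_share(counts, 'Tor'):.1%}")
```

Keying the exit list by day matters: exits come and go, so an address that was an exit on the 30th is ordinary traffic on the 31st, and matching against a single merged list would inflate the Tor counts. On the constructed sample the Tor clean share comes out at one in three; on real logs you would swap in the day's downloaded list and a richer attack heuristic.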
Despite these persistent, ongoing issues, many networks feel they should be immune from the abuse they proxy. Imagine that outside your favorite bank a shadowy figure was secretly handing out free masks to people entering the bank, offering to remove all traces of who you are and how you got there. The bank gets robbed over and over, and all witnesses state that the robbers wore the same mask handed out at the door. The cops say "oh well, that's ok, it's a Tor exit", leave, and never file a report. In the real world this wouldn't stand, but online it does. Tor is allowed by major universities, like the University of Michigan, whose Tor exit routinely makes our overall top 100 unresolved abuse list, and by large providers like online.fr and OVH. Both seem to give free passes to Tor exits despite clear violations of their terms of service. A security professional at OVH stated recently that "Tor saves lives".
We are not quite sure how allowing large volumes of automated abuse "saves lives", but we can certainly see how it can ruin the day, or the lives, of millions of site owners on a daily basis.
We have been tracking several hostile bots running through Tor for over a year now!
WordPress login attack bots (attempting to get admin access to your sites):
Malware, Search Engine Spam, and Web Spam bot:
A new anonymizing Tor-based messenger using the popular Jabber (XMPP) protocol was released as a beta on October 29th, 2015. It gives anyone, anywhere in the world, an instant-messaging service with full anonymity and multiple layers of encryption. This will give terrorist groups a faster communication tool, usable with impunity from any internet-connected device, such as a Wi-Fi-connected cell phone.
The response from Tor exit maintainers is that it is the responsibility of website owners to block Tor, not the Tor Project's, since they just run a proxy. They offer a DNSRBL (a host lookup service over DNS), but in our experience it lacks many exit nodes, and using a DNSRBL for anything time-sensitive, like handling web requests, is extremely impractical: the server overhead on every request plus the lookup latency would make even the fastest websites extremely slow. They also offer a query service that lists the nodes that can relay to your IP, but like the first option it does not list all Tor exit nodes. Both options require site owners to edit the code of their website, an unrealistic expectation that is completely out of reach for the vast majority of site owners. In addition, large volumes of DNSRBL lookups can be a hardship for DNS resolvers, which were not designed for that workload.
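The per-request lookup cost described above is avoidable: the Tor Project also publishes the same exit data as a bulk list that can be downloaded on a schedule, held in memory, and matched in constant time, or rendered into a web-server deny map so the site's own code never changes. The block below is an added example (not the Tor Project's code and not the post's) of that approach. It assumes the bulk list is plain text with one IP address per line and optional "#" comment lines (the format served at https://check.torproject.org/torbulkexitlist); the fetch function is injected so the demo runs offline from a constructed list. Completeness of the local copy is still bounded by what the Tor Project publishes, which is the post's complaint about the DNSRBL as well.

```python
"""Added example (not the Tor Project's or the post's code): keep a local,
periodically refreshed copy of the Tor exit list and match request IPs
against it in memory, so no per-request DNS lookup is needed.

Assumptions: the bulk list is plain text, one IP address per line, with
optional '#' comment lines (the format served at BULK_EXIT_LIST_URL); the
fetch is injected so the demo below runs offline from a constructed list.
"""
import ipaddress
import time
import urllib.request

BULK_EXIT_LIST_URL = "https://check.torproject.org/torbulkexitlist"


def fetch_bulk_exit_list(url=BULK_EXIT_LIST_URL, timeout=10):
    """Download the bulk exit list (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_exit_list(text):
    """Return the set of valid IP addresses in the list; skip comments and junk.

    Validating each line matters: one malformed line copied into a web-server
    deny map would make the server refuse to reload its configuration.
    """
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue
    return exits


class ExitListCache:
    """In-memory exit set refreshed at most once per `ttl_seconds`.

    If a refresh fails, the last good list keeps being served and the next
    attempt is scheduled after `retry_seconds` rather than a full TTL.
    """

    def __init__(self, fetch=fetch_bulk_exit_list, ttl_seconds=1800,
                 retry_seconds=300, clock=time.monotonic):
        self.fetch = fetch          # callable returning the list text
        self.ttl = ttl_seconds
        self.retry = retry_seconds
        self.clock = clock
        self._exits = frozenset()
        self._next_refresh = None   # None: never fetched yet

    def _refresh_if_due(self):
        now = self.clock()
        if self._next_refresh is not None and now < self._next_refresh:
            return
        try:
            self._exits = frozenset(parse_exit_list(self.fetch()))
        except OSError:             # urllib errors are OSError subclasses
            if self._next_refresh is None:
                raise               # nothing cached yet: let the caller decide
            self._next_refresh = now + self.retry
            return
        self._next_refresh = now + self.ttl

    def is_exit(self, ip):
        self._refresh_if_due()
        return ip in self._exits

    def exits(self):
        self._refresh_if_due()
        return self._exits


def nginx_geo_map(exits, variable="$tor_exit"):
    """Render the exit set as an nginx `geo` block: `variable` is 1 for exit
    IPs and 0 otherwise, so a server block can `if ($tor_exit) { return 403; }`."""
    def sort_key(ip):
        addr = ipaddress.ip_address(ip)
        return (addr.version, addr)   # v4 and v6 addresses are not mutually comparable
    lines = [f"geo {variable} {{", "    default 0;"]
    lines += [f"    {ip} 1;" for ip in sorted(exits, key=sort_key)]
    lines.append("}")
    return "\n".join(lines) + "\n"


# Constructed list standing in for a real download.
SAMPLE_BULK_LIST = """\
# constructed exit list
203.0.113.7
203.0.113.8
not-an-ip
2001:db8::1
"""

if __name__ == "__main__":
    cache = ExitListCache(fetch=lambda: SAMPLE_BULK_LIST)
    print("203.0.113.7 is exit:", cache.is_exit("203.0.113.7"))
    print(nginx_geo_map(cache.exits()), end="")
```

Run from cron, the generated `geo` block can be written to a file, included from `nginx.conf`, and followed by `nginx -t && nginx -s reload`; the request path then costs a hash lookup, not a DNS round trip. The failure handling is deliberate: when the list server is unreachable the cache keeps the stale list rather than silently failing open to an empty one.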
A step in the right direction would be to let site owners post the IPs they do not wish to have proxied, a sort of "do not proxy" list. This could be run as a DNSRBL-style service queried by Tor entry points to decide whether the intended target may be proxied.
Another alternative might be a response header, generated by the web server on regular non-encrypted requests, signalling that the server does not wish to receive Tor traffic. Such configuration changes are easy for server administrators to make and require neither code changes to websites nor maintaining a list, which some Tor operators regard as censorship.
The Tor Project developers seem more than capable of implementing either solution without much effort. Both leave the resolution of the problem to the Tor code base alone rather than to the hundreds of millions of sites that do not wish to be attacked.
According to Wikipedia, 80% (about 2 million dollars) of Tor's funding comes directly from the US government in the form of yearly grants. Yes, as Americans we pay to be attacked with impunity.
Also worth noting: our abuse mail server and home site were DDoS-attacked days after we publicly set our "no free passes" policy in response to e-mails requesting free passes for abuse from Tor exits. The impact was minimal and all abuse e-mail was sent successfully. Still, it makes one wonder who Tor serves these days: the crooks of the "dark web", or the freedom fighters the network was originally intended for?