CloudFlare says 94% of Tor requests are malicious
CloudFlare says 94% of the requests coming from the Tor Network are automated malicious communications, but this doesn’t tell the entire story. For a week in March, CloudFlare analyzed the traffic reaching its customers’ sites from the Tor Network.
The results of the study show the two-way street of online anonymity. In this case the company found that almost 94% of the requests to CloudFlare customers’ websites coming from the Tor Network were automated and malicious, with comment spam, vulnerability scanning, advertising click-fraud, content scraping, and brute-force login attempts topping the list of attacks from the network.
These types of attacks produce a lot of requests, so an attacker can use automation to create a large footprint, Matthew Prince, co-founder and CEO of CloudFlare, told eWEEK.
“It doesn’t mean that 94% of users are bad, or that 94% of Tor traffic is bad. It is a very small universe of bad actors that is causing this large problem for our customers.”
The Tor Project criticized CloudFlare’s approach to web security. Tor users have complained that sites that use CloudFlare often throw up CAPTCHAs that can block people from reaching those sites. Mike Perry, a Tor performance developer, stated in a blog post responding to CloudFlare’s data:
“We suspect this figure is based on a flawed methodology by which CloudFlare labels all traffic from an IP address that has ever sent spam as malicious. Tor IP addresses are conduits for millions of people who are then blocked from reaching websites under CloudFlare’s system.”
Prince denied Perry’s assertion, but offered only general points about how the company measures bots online, saying that the company uses a variety of techniques to determine whether a request is automated, including creating content that is visible only to bots and turning off CloudFlare protections on certain internet servers to use as controls.
CloudFlare’s study is unlikely to settle the debate over the pros and cons of using the Tor Network. Because hiding in a crowd of users works only if there is a crowd of users, the US government, through grants from the National Science Foundation, continues to support the Tor Project. Right now there are about 2 million daily Tor users.
The benefits of the Tor network rarely catch media attention. Coverage is dominated by news reports of the seedier side of the network, the Dark Net. These include the takedown of online markets for drugs and other illegal goods like Silk Road Marketplace, the multitudes of child porn rings using Tor, and the use of the network for malware communications.
The focus on the misuse of Tor has led people to want to shut down the Dark Net, and by extension the Tor Network itself. Eric Jardine, a researcher for the Center of International Governance Innovation, told eWEEK, “More than 70% of people across the globe want to shut down the Dark Net.” CIGI found this out from its annual 2016 CIGI-Ipsos Global Survey on Internet Security and Trust.
“A lot of people really don’t know what the Tor Network is as a technology and what its various functions are,” he said. “And they see a news story, such as a child abuse ring or an illegal marketplace, and they have a knee-jerk reaction, saying, ‘We don’t need this, shut it down.’”
Jardine argued that the network has a marketing problem. A simple name change (one online user proposed the ‘Freedom Network’) might go a long way toward changing people’s opinions. Considering that CIGI also found that only 38% of people trust that their activities on the internet are not being monitored, a continued focus on privacy should help as well.
Looking at the data is not going to answer the question of whether Tor is a haven for bad actors or for people trying to fight oppression overseas. While CloudFlare’s study arguably shows that a small number of automated systems can abuse the network to create a large number of attacks on websites, other studies have found different results.
In its own look into Tor traffic, Akamai found that only 0.3% of the requests coming from a Tor exit node attacked websites. Akamai focused on a narrow definition of attacks: requests that attempted to exploit a web application, such as SQL injection, cross-site scripting, and command injection. These attacks tend to be much more focused and use less bandwidth than the attacks viewed by CloudFlare. Akamai also found that requests from Tor exit nodes were as likely as non-Tor traffic to conduct a legitimate commercial transaction. This suggests that Tor users may be just as valuable to business sites as non-Tor visitors are.
“They are not just there to surf the internet, but to shop the sites,” Larry Cashdollar, a senior security response engineer for Akamai, told eWEEK.
A separate study by Distil Networks found that 48% of the traffic from Tor and other proxies violated its rules for legitimate traffic. A small number of users can easily create a large volume of malicious traffic, Distil CEO Rami Essaid told eWEEK.
“You can have a handful of bad actors that can pollute the Tor IPs, since the fundamental premise of Tor is to not assign a static IP to any individual,” he said.
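The figures quoted above differ mainly in what is counted: requests or users, any automated abuse or only exploit attempts, and each request's own behaviour or the reputation of the exit IP it came from. The following Python example is added here and is not code or data from CloudFlare, Akamai, Distil or the Tor Project; its log, addresses, client labels and category names are constructed, with volumes chosen to echo the 94% and 0.3% figures.

```python
from collections import namedtuple

Request = namedtuple("Request", "exit_ip client kind")

# Constructed sample, not data from any study. `client` is ground truth that
# a real site cannot observe behind a shared Tor exit address.
EXIT_A, EXIT_B = "198.51.100.1", "198.51.100.2"  # documentation addresses
BROAD = {"comment_spam", "scrape", "sqli"}       # any automated abuse
NARROW = {"sqli"}                                # web-application exploits only


def build_sample():
    """40 human clients making 3 requests each, plus 3 bots on one exit."""
    log = []
    for i in range(40):
        exit_ip = EXIT_A if i % 2 == 0 else EXIT_B
        log += [Request(exit_ip, f"human-{i}", "browse")] * 3
    log += [Request(EXIT_A, "bot-1", "comment_spam")] * 1000
    log += [Request(EXIT_A, "bot-2", "scrape")] * 874
    log += [Request(EXIT_A, "bot-3", "sqli")] * 6
    return log


def request_share(log, kinds):
    """Fraction of requests whose own behaviour falls in `kinds`."""
    return sum(r.kind in kinds for r in log) / len(log)


def client_share(log, kinds):
    """Fraction of distinct clients that ever sent a request in `kinds`."""
    bad = {r.client for r in log if r.kind in kinds}
    return len(bad) / len({r.client for r in log})


def ip_reputation(log, kinds):
    """Label every request from an exit IP that ever sent abuse.

    Returns (share of all requests flagged, share of benign requests flagged).
    """
    tainted = {r.exit_ip for r in log if r.kind in kinds}
    benign = [r for r in log if r.kind not in kinds]
    flagged_all = sum(r.exit_ip in tainted for r in log) / len(log)
    flagged_benign = sum(r.exit_ip in tainted for r in benign) / len(benign)
    return flagged_all, flagged_benign


if __name__ == "__main__":
    log = build_sample()
    print(f"broad, per request : {request_share(log, BROAD):.1%}")
    print(f"narrow, per request: {request_share(log, NARROW):.1%}")
    print(f"abusive clients    : {client_share(log, BROAD):.1%}")
    print("IP reputation (all, benign): %.1f%%, %.1f%%"
          % tuple(100 * x for x in ip_reputation(log, BROAD)))
```

In this sample three of 43 clients produce 94% of requests, and tainting exit addresses by reputation sweeps up half of the benign requests along with them.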
Prince recognizes that the company’s study looks at the segment of Tor traffic that applies most to its customers. He stressed that CloudFlare’s classification of requests from Tor likely represents only a minority of traffic going through the anonymizing network. In addition to all traffic headed to websites that are not CloudFlare customers, about 60% of traffic from Tor is peer-to-peer sharing, which is never seen by CloudFlare. Malware that uses Tor for command and control traffic would also not be visible to CloudFlare.
“So inherently, we see only a sliver of Tor traffic that goes to HTTP and HTTPS sites,” Prince said.