IBM Tells Administrators To Block Tor On Security Grounds
Mickeycaskill writes: IBM says Tor is increasingly being used to scan organizations for flaws and launch DDoS, ransomware and other attacks. Tor, which provides anonymity by obscuring the real point of origin of Internet communications, was in part created by the US government, which helps fund its ongoing development, due to the fact that some of its operations rely on the network. However, the network is also widely used for criminal purposes. A report by the IBM says administrators should block access to Tor, noting a "steady increase" in attacks originating from Tor exit nodes, with attackers increasingly using Tor to disguise botnet traffic. "Spikes in Tor traffic can be directly tied to the activities of malicious botnets that either reside within the Tor network or use the Tor network as transport for their traffic," said IBM. "Allowing access between corporate networks and stealth networks can open the corporation to the risk of theft or compromise, and to legal liability in some cases and jurisdictions."
Internet is also used for all kind of attacks. So I guess it should be banned too!
Not clear from TFS whether they're talking inbound or outbound. Inbound blocking makes sense for anything not open to the general public. Outbound blocking? Good luck with that, IBM.
TOR has been blocked in China for many years, but it still works. There's been a blocking/steganography arms race happening between the Great Wall and TOR for years. I don't know anything about the technical details, but it seems a safe guess that TOR "bridge" connections successfully bypass all the easy or obvious ways of blocking TOR. Of course, a whitelist of allowed outbound sites will always work.
Socialism: a lie told by totalitarians and believed by fools.
Yes, I know some people just use Tor because they don't want the government watching them, but I block Tor on general principle. Most of the traffic coming out of Tor is malicious. The only exception would be if I was running a site with information I wanted to provide to oppressed countries.
I presume the enterprising TOR user could set up a couple of machines A and B somewhere on the internetz to act as a personal TOR entry and exit point. VPN to A. A TORs to B. B talks to the internetz.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Blocking Tor doesn't do a damn thing for real security. It won't stop the "attacks". There are plenty of other avenues for malicious parties to use. The idea that getting rid of Tor somehow will stop the attack is just plain silly. It might sound good to the CEO, protect your job, etc. It won't actually improve security. If you want to improve security, start with ridding your company of the proprietary software whose holes *can't* and won't be fixed. Fund *bug hunting*, reduce the bloat in your applications, etc. Those are the things that will help security. If you're concerned with DDoS attacks, which are genuine concerns (even if not really a security issue), then go sign up for CloudFlare or a similar service. You don't even need to enable it by default; just set it up so that when a DDoS is directed at your company you can *bring it up*.
If security on these public and private-sector networks weren't so flaky, botnets wouldn't be such a problem. Remember, all it took to compromise SONY was one malicious email attachment. Makes you wonder how Internet security got so bad considering folks like the NSA help these organizations secure their 'computers'.
If it can be blocked, or even if it's visible at all, it is dangerous for the user. If you can't blend in, you're gonna stick out..
“He’s not deformed, he’s just drunk!”
You know, there's a completely different potential meaning between "IBM Tells Administrators to Block..." vs "IBM Tells Companies to Block..." I initially thought IBM was discussing an internal policy, but they're advocating that OTHER companies simply block access to TOR nodes, in case it's not clear.
Still, blocking these nodes seems like a fairly weak approach to security, doesn't it? It's not like you can't disguise your movement by utilizing a botnet server. It's sort of like saying "we could improve our security by banning all incoming traffic from China and Russia". Well, sure, if you're willing to just block lots of legitimate users in the meantime. It would be far better to try to implement better technologies and policies that actually improve computer security, rather than feel-good measures like this.
For starters: eliminate dependence on old, out-of-date, vulnerable web based technologies. There are many corporate customers who still must use specific VULNERABLE versions of the Java plug-in, for instance. Oh, wait though... that would cost money! Nevermind, just block the TOR nodes, ok?
Irony: Agile development has too much inertia to be abandoned now.
Is it possible to add a proxy after a Tor exit node, bypassing the current "Ban Tor exit nodes" and thus blending with traffic? So, in theory, blocking Tor exit nodes only blocks those who only use Tor, isn't it? (Ex: not hardcore hackers, but only Tor kiddies.)
I can't call that English
From the summary: "A report by _the_ IBM..."
As opposed to just an IBM?
Goodbye Slashdot. You've changed.
We say we want anonymity on the internet (and we do).
Yet we don't want people wearing ski-masks entering banks or gas stations.
The thing that sucks about anonymity is a small percent of people will utterly destroy it. Tragedy of the commons, I guess.
This won't work. There is a component within the pluggable transports component called meek which basically creates a bridge for users of shared services. The core of what the pluggable transport plug-in does is disguise the traffic to look like other types of traffic. By combining this with other services an adversary can't tell the difference between Tor traffic and non-Tor traffic and combined with something called meek any blocking of a meek-bridge would have significant collateral damage anyway. There are bridges for Amazon, Azure, Google, and others. Blocking of these would cause serious economic damage. China has presumably accidentally caused such damage already. They blocked HSBC and those in China couldn't access it for days as a result. HSBC is a major major international bank.
"IBM said its data shows a “steady increase” over the past few years in attacks originating from Tor exit nodes, with attackers increasingly using Tor to disguise botnet traffic."
What part of "exit node" does IBM not understand?
Once the traffic hits an exit node, it's no longer in Tor. It's also more or less impossible to "disguise botnet traffic" using Tor, since it's not like the botnet is running an entry or exit node.
At worst, a bot on one of your servers will hit a Tor entry node in order to disguise that the traffic is coming from *your* server, as opposed to somewhere else. Frankly, if you have a bot on one of your servers doing this (which makes really no sense, since there's really no economic value in protecting individual bots from discovery of their identity), the problem isn't Tor, it's that you've allowed your server to become a bot in the first place.
Why IBM is involved in this anti-Tor scare tactic is anyone's guess... but if you wonder about something like that, you should probably follow the money, since blocking the Tor protocol only buys you the ability to prevent entry or exit nodes on your network, and seriously, no one is going to trust an unvalidated entry/exit node enough that they'd be willing to peer with the thing in the first place.
It's sort of like saying "we could improve our security by banning all incoming traffic from China and Russia". Well, sure, if you're willing to just block lots of legitimate users in the meantime. It would be far better to try to implement better technologies and policies that actually improve computer security, rather than feel-good measures like this.
Yes, in a perfect world, companies would have perfect device security and it wouldn't matter from which direction an attack came.
But here in the real world, there is no such thing as perfect security, and every little bit helps. They aren't suggesting you block TOR and ignore your firewall and stop updating patches, just that among other security measures, this might help.
Anyway, what possible legitimate use could TOR have in a corporate environment outside of a media organization?
Once again proving that anything that can be abused, will be abused. The spammers, scammers, and scum of the Earth will use anything they can to steal whatever they can.
Just cruising through this digital world at 33 1/3 rpm...
China is getting pretty good at it though. What is working may be blocked in 6-8 hours. It is a cat and mouse game, but that cat is getting quick, and the mice population is dwindling.
In general, if there are a lot of different connections made by different browsers [1] coming from one IP, it is suspect, and a site needs to go like Google and have a CAPTCHA before someone can move past the intro screen. CloudFlare is a good front gate to have for almost any website because of this.
As for blocking exit nodes, it is a common sense thing to block them via the router, OS stack, and application. In fact, if a node winds up on TOR at all, it winds up getting blocked just in case. This, combined with common sense IP geoblocking, cuts down enormously on the amount of attacks a site has to deal with.
[1]: Try eff.org's Panopticlick. There is yet to be a functional Web browser that isn't uniquely identified.
Whatever is scary enough to convince us to give up privacy, that's the threat of the day. Nothing is your own except the few cubic centimetres inside your skull.
Isn't TOR a little slow and lacking bandwidth to make a good hacking front?
"If any question why we died, Tell them because our fathers lied."
Once the traffic hits an exit node, it's no longer in Tor. It's also more or less impossible to "disguise botnet traffic" using Tor, since it's not like the botnet is running an entry or exit node.
Did you even read the paper? Botnets are using Tor to scan and attack corporate networks. Blocking Tor exit nodes will block those scans and attacks.
Yes. I did. They implied, but didn't specifically state, blocking of exit nodes in a single sentence (the one I quoted, in fact). All of the other sentences suggested "block Tor", which implies the protocol (which -- did you even read what I wrote? -- is pretty stupid advice).
Do you really expect people to be able to implement TorDNSEL DNS lookups on reverse addresses for all incoming connections, or that if people start using this for blocking, that it will continue to be published? Or that if people start really banging on it with queries, it won't simply go down? Because continuing to publish as soon as even a single major ISP starts blocking on behalf of all their customers would be pretty critically stupid on the part of the Tor project, don't you think?
You are also aware that it is at best 30 minutes out of date at all times, right?
Also -- you are aware it's possible to run a private Tor network, since the software is Open Source, and deploy via Amazon or similar services, using stolen credit cards, so blocking the official Tor exit nodes is unlikely to be nothing more than a trigger to escalate the arms race, right?
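The two mechanics argued over above (loading the published exit list into a router/OS-level block, and the TorDNSEL reverse lookups with their staleness window) are easy to show concretely. The following is an added example, not code from the IBM report, the Tor Project or any commenter. It assumes the stanza format of the Tor Project's bulk exit list (`ExitNode` / `Published` / `LastStatus` / `ExitAddress` lines) and the reversed-octet `dnsel.torproject.org` naming scheme for TorDNSEL; the sample list itself is constructed from documentation address ranges, and the `ipset`/`iptables` lines are one way to apply the list on a Linux host. It fails open when the list is older than the staleness window rather than blocking on data that may have been reassigned, and it only addresses inbound traffic from exit nodes; outbound blocking would need the guard/relay list instead, which this does not cover.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample (documentation ranges 192.0.2.0/24 and 198.51.100.0/24)
# in the shape of https://check.torproject.org/exit-addresses. The fingerprints
# are made up; only the ExitAddress lines matter to the parser.
SAMPLE_EXIT_LIST = """\
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2015-08-25 10:00:00
LastStatus 2015-08-25 11:00:00
ExitAddress 192.0.2.10 2015-08-25 10:30:00
ExitAddress 192.0.2.11 2015-08-25 10:31:00
ExitNode 89ABCDEF0123456789ABCDEF0123456789ABCDEF
Published 2015-08-25 09:00:00
LastStatus 2015-08-25 11:00:00
ExitAddress 198.51.100.7 2015-08-25 10:45:00
"""


def parse_exit_addresses(text):
    """Return {ip: last-seen datetime in UTC} for every ExitAddress line.

    Addresses are normalised through ipaddress so junk lines raise instead
    of silently becoming rules; a repeated address keeps its newest timestamp.
    """
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ExitAddress":
            ip = str(ipaddress.ip_address(parts[1]))
            ts = datetime.strptime(parts[2] + " " + parts[3],
                                   "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            if ip not in seen or ts > seen[ip]:
                seen[ip] = ts
    return seen


def classify(ip, exits, fetched_at, now, max_age=timedelta(minutes=30)):
    """Classify a source address as 'exit', 'not-exit' or 'stale'.

    'stale' means the list copy is older than max_age (the window the comment
    above mentions) and should not be used to block: fail open, refresh first.
    """
    if now - fetched_at > max_age:
        return "stale"
    return "exit" if str(ipaddress.ip_address(ip)) in exits else "not-exit"


def dnsel_query_name(ip):
    """DNS name to ask TorDNSEL whether an IPv4 address is a Tor exit.

    Assumed scheme (not taken from the page): reversed octets under
    dnsel.torproject.org, answered with 127.0.0.2 for exits. A resolver
    would look up this name; the lookup itself is not performed here.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper only builds IPv4 TorDNSEL names")
    return ".".join(reversed(str(addr).split("."))) + ".dnsel.torproject.org"


def ipset_rules(exits, setname="tor-exits"):
    """Shell lines that load the exits into an ipset and drop inbound matches.

    -exist makes the script re-runnable after each refresh of the list.
    """
    lines = [f"ipset create {setname} hash:ip -exist"]
    lines += [f"ipset add {setname} {ip} -exist"
              for ip in sorted(exits, key=ipaddress.ip_address)]
    lines.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    return lines


if __name__ == "__main__":
    exits = parse_exit_addresses(SAMPLE_EXIT_LIST)
    fetched = datetime(2015, 8, 25, 11, 0, tzinfo=timezone.utc)
    for src in ("192.0.2.10", "203.0.113.1"):
        print(src, classify(src, exits, fetched, fetched + timedelta(minutes=5)),
              dnsel_query_name(src))
    print("\n".join(ipset_rules(exits)))
```

In practice the list would be re-fetched on a timer and the `ipset` reloaded from it; anything that consults a copy older than the refresh interval is blocking on addresses that may already belong to someone else, which is the objection raised above.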
I believe that most Tor users aren't criminals
What substantiates your belief?
"I don't know, therefore Aliens" Wafflebox1