IBM Tells Administrators To Block Tor On Security Grounds
Mickeycaskill writes: IBM says Tor is increasingly being used to scan organizations for flaws and launch DDoS, ransomware and other attacks. Tor, which provides anonymity by obscuring the real point of origin of Internet communications, was in part created by the US government, which helps fund its ongoing development, due to the fact that some of its operations rely on the network. However, the network is also widely used for criminal purposes. A report by the IBM says administrators should block access to Tor, noting a "steady increase" in attacks originating from Tor exit nodes, with attackers increasingly using Tor to disguise botnet traffic. "Spikes in Tor traffic can be directly tied to the activities of malicious botnets that either reside within the Tor network or use the Tor network as transport for their traffic," said IBM. "Allowing access between corporate networks and stealth networks can open the corporation to the risk of theft or compromise, and to legal liability in some cases and jurisdictions."
Not clear from TFS whether they're talking inbound or outbound. Inbound blocking makes sense for anything not open to the general public. Outbound blocking? Good luck with that, IBM.
TOR has been blocked in China for many years, but it still works. There's been a blocking/steganography arms race happening between the Great Wall and TOR for years. I don't know anything about the technical details, but it seems a safe guess that TOR "bridge" connections successfully bypass all the easy or obvious ways of blocking TOR. Of course, a whitelist of allowed outbound sites will always work.
Socialism: a lie told by totalitarians and believed by fools.
I presume the enterprising TOR user could set up a couple of machines A and B somewhere on the internetz to act as a personal TOR entry and exit point. VPN to A. A TORs to B. B talks to the internetz.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
If security on these public and private-sector networks weren't so flaky, botnets wouldn't be such a problem. Remember all it took to compromise SONY was one malicious email attachment. Makes you wonder how Internet security got so bad considering folks like the NSA help these organizations secure their 'computers'.
You're an idiot. Blocking Tor *won't* do a damn thing at actually solving the security problem. All it does is give you the illusion of security when you don't know what you're doing.
You know, there's a completely different potential meaning between "IBM Tells Administrators to Block..." vs "IBM Tells Companies to Block..." I initially thought IBM was discussing an internal policy, but they're advocating that OTHER companies simply block access to TOR nodes, in case it's not clear.
Still, blocking these nodes seems like a fairly weak approach to security, doesn't it? It's not like you can't disguise your movement by utilizing a botnet server. It's sort of like saying "we could improve our security by banning all incoming traffic from China and Russia". Well, sure, if you're willing to just block lots of legitimate users in the meantime. It would be far better to try to implement better technologies and policies that actually improve computer security, rather than feel-good measures like this.
For starters: eliminate dependence on old, out-of-date, vulnerable web based technologies. There are many corporate customers who still must use specific VULNERABLE versions of the Java plug-in, for instance. Oh, wait though... that would cost money! Never mind, just block the TOR nodes, ok?
Irony: Agile development has too much inertia to be abandoned now.
> Blocking Tor doesn't do a damn thing for real security. It won't stop the "attacks". There are plenty of other avenues for malicious parties to use.
While mostly true, you do have to consider that exit nodes that are on your internal network are probably bad juju.
Personally, I am all for using tor, but I wouldn't want to see random users putting up exit nodes inside my network. Exit nodes really should be set up with a bit more care to make sure they can't be used to access internal hosts, especially if internal networks have public IPs, which while less common these days, is not unheard of.
My previous 2 employers both used public IPs on their internal networks (and each had their own public class B). So, by default, a tor exit node would constitute a hole in the firewall unless specifically set up to restrict access to "local" IPs.
Not unmanageable at all if you want to manage it, but, not something you want to leave in the hands of Bob in accounting.
"I opened my eyes, and everything went dark again"
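The "hole in the firewall" described in the comment above comes down to the exit node's exit policy. Tor evaluates its ExitPolicy lines top to bottom, first match wins, and a permissive catch-all lets the relay reach any destination it can route to, including hosts on the organisation's own public range. Below is an added example (not from the original thread or from the Tor Project's code) that models that first-match evaluation in Python: it shows the permissive default reaching an internal host, then a hardened policy that rejects RFC 1918 space and the organisation's own public prefix before the catch-all, which is the "restrict access to local IPs" setup the commenter means. The company prefix 198.18.0.0/16 and the destination addresses are constructed stand-ins; the private-range list is the one this example uses, not a verbatim copy of Tor's internal table, and an unmatched destination is treated as rejected here, so a real policy should always end with an explicit catch-all.

```python
"""Model Tor's first-match ExitPolicy evaluation (added example, IPv4 only)."""
import ipaddress

# Constructed stand-in for "our own public class B" from the comment.
COMPANY_PUBLIC = "198.18.0.0/16"

# Permissive catch-all: what an unconfigured exit ends up with in practice.
DEFAULT_POLICY = ["accept *:*"]

# Private/reserved ranges this example rejects up front (assumption: a subset
# of what Tor's ExitPolicyRejectPrivate covers; it does NOT include other
# public prefixes the organisation owns, which is the point of the comment).
PRIVATE_NETS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
]


def parse_rule(rule):
    """Parse 'accept|reject ADDR[/MASK]:PORT' into (allow, network, (lo, hi)).

    ADDR may be '*' (network None); PORT may be '*', a single port or 'lo-hi'.
    """
    action, target = rule.split()
    if action not in ("accept", "reject"):
        raise ValueError(f"bad action in rule: {rule!r}")
    addr, _, port = target.rpartition(":")
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        ports = (1, 65535)
    elif "-" in port:
        lo, hi = port.split("-")
        ports = (int(lo), int(hi))
    else:
        ports = (int(port), int(port))
    return action == "accept", net, ports


def first_match(policy, dest_ip, dest_port):
    """Return the index of the first rule matching the destination, or None."""
    ip = ipaddress.ip_address(dest_ip)
    for idx, (_, net, (lo, hi)) in enumerate(map(parse_rule, policy)):
        if (net is None or ip in net) and lo <= dest_port <= hi:
            return idx
    return None


def exit_allowed(policy, dest_ip, dest_port):
    """First-match evaluation; unmatched destinations are rejected here."""
    idx = first_match(policy, dest_ip, dest_port)
    return False if idx is None else parse_rule(policy[idx])[0]


def hardened_policy(company_nets):
    """Reject private space and our own public prefixes before the catch-all."""
    rules = [f"reject {n}:*" for n in PRIVATE_NETS]
    rules += [f"reject {n}:*" for n in company_nets]
    rules.append("accept *:*")
    return rules


def audit_internal_reach(policy, internal_hosts, port=22):
    """Return the internal hosts the given policy would let exit traffic reach."""
    return [h for h in internal_hosts if exit_allowed(policy, h, port)]


if __name__ == "__main__":
    internal = ["198.18.5.7", "10.1.2.3"]          # constructed internal hosts
    print("default reaches:", audit_internal_reach(DEFAULT_POLICY, internal))
    print("hardened reaches:", audit_internal_reach(hardened_policy([COMPANY_PUBLIC]), internal))
```

The audit function is the check an administrator would want: feed it the relay's actual ExitPolicy lines and the address ranges that count as "internal" on that network, and anything it returns is a host the exit node can be used to reach from the outside.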
From the summary: "A report by _the_ IBM..."
As opposed to just an IBM?
Goodbye Slashdot. You've changed.
Once again proving that anything that can be abused, will be abused. The spammers, scammers, and scum of the Earth will use anything they can to steal whatever they can.
Just cruising through this digital world at 33 1/3 rpm...
China is getting pretty good at it though. What is working may be blocked in 6-8 hours. It is a cat and mouse game, but that cat is getting quick, and the mice population is dwindling.
In general, if there are a lot of different connections made by different browsers [1] coming from one IP, it is suspect, and a site needs to go like Google and have a CAPTCHA before someone can move past the intro screen. CloudFlare is a good front gate to have for almost any website because of this.
As for blocking exit nodes, it is a common sense thing to block them via the router, OS stack, and application. In fact, if a node winds up on TOR at all, it winds up getting blocked just in case. This, combined with common sense IP geoblocking, cuts down enormously on the amount of attacks a site has to deal with.
[1]: Try eff.org's Panopticlick. There is yet to be a functional Web browser that isn't uniquely identified.
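As an added illustration of the "block exit nodes at the application" advice above (this is example code, not from the thread or from any of the projects mentioned), the Python below loads an exit-node list in the one-address-per-line shape of the Tor Project's bulk exit list (https://check.torproject.org/torbulkexitlist), matches it against web-server access logs in the common "combined" format, reports hit counts per exit address, and emits the equivalent nginx `deny` lines. The exit list and the log lines are constructed with RFC 5737 documentation addresses, not real relays or real traffic.

```python
"""Find requests from known Tor exits in an access log (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed exit list (same shape as the bulk exit list: one IP per line).
EXIT_LIST_TEXT = """\
# constructed sample, not a real list
203.0.113.17
203.0.113.200
198.51.100.9
"""

# Constructed "combined" log lines; 192.0.2.44 is an ordinary visitor.
ACCESS_LOG = """\
203.0.113.17 - - [25/Aug/2015:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [25/Aug/2015:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.17 - - [25/Aug/2015:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 401 128 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Aug/2015:10:01:09 +0000] "GET /.git/config HTTP/1.1" 404 0 "-" "python-requests/2.7"
192.0.2.44 - - [25/Aug/2015:10:01:12 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def load_exit_list(text):
    """Parse the list into a set of ip_address objects, skipping comments."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        exits.add(ipaddress.ip_address(line))
    return exits


def parse_log(text):
    """Yield one dict per parseable log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield {
                "ip": ipaddress.ip_address(m["ip"]),
                "ts": m["ts"],
                "req": m["req"],
                "status": int(m["status"]),
            }


def flag_tor_requests(log_text, exit_text):
    """Return the log entries whose client IP is on the exit list."""
    exits = load_exit_list(exit_text)
    return [entry for entry in parse_log(log_text) if entry["ip"] in exits]


def tor_hit_counts(log_text, exit_text):
    """Requests per exit address, for a quick 'who is hammering us' view."""
    return Counter(str(e["ip"]) for e in flag_tor_requests(log_text, exit_text))


def nginx_deny_snippet(exits):
    """Render the exit set as nginx access-module 'deny' directives."""
    return [f"deny {ip};" for ip in sorted(exits)]


if __name__ == "__main__":
    for entry in flag_tor_requests(ACCESS_LOG, EXIT_LIST_TEXT):
        print(entry["ip"], entry["ts"], entry["req"], entry["status"])
    print(tor_hit_counts(ACCESS_LOG, EXIT_LIST_TEXT))
    print("\n".join(nginx_deny_snippet(load_exit_list(EXIT_LIST_TEXT))))
```

Two caveats a practitioner would add: exit lists go stale within hours, so the snippet has to be regenerated on a schedule rather than pasted once, and the exits it catches are only the traffic that bothered to use Tor; the `/wp-login.php` and `/.git/config` probes in the constructed log are the kind of thing that arrives from ordinary hosting IPs just as readily, which is the point the earlier comments make about fixing the underlying software.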
I didn't say blocking Tor made you secure, I simply said traffic coming out of Tor is malicious and should be blocked. If you think blocking Tor makes no difference you are wrong. A lot of attacks are coming out of Tor and you can eliminate them with little effort.
On a personal network... I don't care, your choice. But on a business network, this is a no brainer. It's clearly from IBM's "No shit Sherlock" department. Some intern needed to write a security recommendation. Few enterprises have a business need for Tor, so why not block it? What good reason is there to have it unblocked?
As for where it stops ummm... when it actually hinders your business? If your business doesn't have ANY need to load webpages (ie: the book network at a stock exchange), then yes, you block standard webpages. Of course if your business relies on Tor (clearly not a publicly traded company), then you wouldn't block it either. Additionally, you may not block it on your dev, guest, or honeypot network.