Naked Security

Tor users being actively blocked on some websites

On other sites, they're being fed a degraded service or forced to deal with "awful" CAPTCHAs.

Anonymous users are being treated like second-class citizens, being blocked altogether by many sites, and being fed a degraded service or being forced to jump through hurdles like CAPTCHA on others, according to a recently published research paper.

This isn’t about hacktivists associated with Anonymous.

Rather, it’s about the lower-case version of anonymous, as in those who use Tor to help preserve anonymity.

According to the paper, titled Do You See What I See? Differential Treatment of Anonymous Users, 3.67% of the top 1,000 Alexa sites are blocking people using computers running known Tor exit-node IP addresses.

Anonymity networks – the “king” of which is Tor, to borrow the National Security Agency’s (NSA’s) description – already face a hostile environment that includes deanonymization attacks and government blocks.

This is a different type of threat. It involves giving Tor users crummy service or just blocking them outright.

The researchers, from the Universities of Cambridge and California-Berkeley, University College London, and International Computer Science Institute-Berkeley, said that the problem is amplified if it’s done by particular services:

The problem becomes amplified when ‘bottleneck’ web services (e.g., CloudFlare, Akamai) whose components are used by many other websites block or discriminate against Tor users, or when third-party blacklists used by a large number of websites include Tor infrastructure (in particular, exit node) IP addresses.

BestBuy.com is one example. It’s hosted on Akamai.

Like some other Akamai sites, BestBuy.com blocks over 60% of Tor exit nodes.

The researchers drew on several data sources: comparisons of internet-wide port scans from Tor exit nodes vs. from control hosts; scans of the home pages of top-1,000 Alexa websites through every Tor exit; and analysis of nearly a year of historic HTTP crawls from Tor network and control hosts.

They came up with methodologies to handle a few things: for example, how do you distinguish intentional degradation from incidental failures, such as packet loss or network outages?

For that matter, how do you deal with churn as services blink on and off?

And what about blocks that are aimed at abusive IP addresses – those involved in fraud or other crime – but which sweep up innocent users who just happen to be sharing the same exit node as the bad actors?

The researchers cited CloudFlare, a large content delivery network, as one of the most conspicuous examples of a phenomenon in which automated blocking systems are used.

Such systems don’t target Tor users, per se. They merely react to the consolidated traffic of the many users coming from an exit node.

CloudFlare assigns a reputational score to each client IP address in terms of how much malicious traffic it sends. If the score’s low enough, some clients are banned outright.

CloudFlare explains it this way on a support page:

CloudFlare does not actively block visitors who use the Tor network.

Due to the behaviour of some individuals using the Tor network (spammers, distributors of malware, attackers, etc.), the IP addresses of Tor exit nodes generally earn a bad reputation.

CloudFlare challenges some low-reputational-score visitors to solve a CAPTCHA.

The CAPTCHAs are “awful,” Tor advocates complained in a sometimes heated discussion with CloudFlare that was sparked by the paper:

[CloudFlare doesn’t] appear open to working together in open dialog, they actively make it nearly impossible to browse to certain websites, they collude with larger surveillance companies (like Google), their CAPTCHAs are awful, they block members of our community on social media rather than engaging with them and frankly, they run untrusted code in millions of browsers on the web for questionable security gains.

Akamai-run sites, on the other hand, don’t make Tor users run the awful-CAPTCHA gauntlet. Rather, they often block Tor users outright with a 403 error that can’t be bypassed.

Other sites, such as Yelp and Craigslist, have their own block page.

Some websites, e.g., macys.com, return a redirect error that often leads to an infinite redirect loop.
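
As an added illustration (not code from the paper or from this article), here is one way to separate the block types described above from incidental failures: repeat each fetch through an exit and compare the result with a control host. The labels, the 0.8 agreement threshold and the sample observations are assumptions constructed for the example.

```python
from collections import Counter

def classify(status, body="", redirects=0, max_redirects=10):
    """Label one fetch; status is None when the connection failed or timed out."""
    if status is None:
        return "failure"
    if redirects >= max_redirects:
        return "redirect_loop"          # e.g. the infinite redirect case
    text = body.lower()
    if "captcha" in text:
        return "captcha"                # challenge page instead of content
    if status == 403 or "access denied" in text:
        return "block"                  # outright 403 or a custom block page
    return "ok" if 200 <= status < 300 else "failure"

def differential(tor_fetches, control_fetches, min_agree=0.8):
    """Compare repeated fetches of one site via one exit with control fetches."""
    ctrl = Counter(classify(*f) for f in control_fetches)
    if ctrl["ok"] / len(control_fetches) < min_agree:
        return "inconclusive"           # broken for everyone: not Tor-specific
    label, n = Counter(classify(*f) for f in tor_fetches).most_common(1)[0]
    if n / len(tor_fetches) < min_agree:
        return "inconclusive"           # unstable: packet loss, outage or churn
    if label == "ok":
        return "none"
    return "unreachable" if label == "failure" else label

def treated_fraction(per_exit_labels):
    """Share of exits with a conclusive result that saw differential treatment."""
    conclusive = [l for l in per_exit_labels if l != "inconclusive"]
    if not conclusive:
        return 0.0
    return sum(l != "none" for l in conclusive) / len(conclusive)

# Constructed sample observations: (status, body, redirect count) per fetch.
CONTROL = [(200, "<html>home</html>", 0)] * 5
EXITS = {
    "exit-a": [(403, "Access Denied", 0)] * 5,
    "exit-b": [(200, "Please complete the CAPTCHA", 0)] * 4 + [(None, "", 0)],
    "exit-c": [(200, "<html>home</html>", 0)] * 3 + [(None, "", 0)] * 2,
    "exit-d": [(302, "", 10)] * 5,
    "exit-e": [(200, "<html>home</html>", 0)] * 5,
}
LABELS = {name: differential(f, CONTROL) for name, f in EXITS.items()}

if __name__ == "__main__":
    print(LABELS, treated_fraction(LABELS.values()))
```
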

On average, around 69 of the sites the researchers looked at block over 10-50% of Tor exit nodes. The majority of these websites are hosted on CloudFlare, they said.

To figure out if those sites are blocking Tor visitors because they’re associating them with abuse, vs. the sites blanket-blocking Tor, the team looked at the age and exit probability of exit nodes, going under the assumption that old or high-probability exit nodes have more opportunity to attract abuse.

The results weren’t consistent. Some sites, including CloudFlare sites, didn’t block exit nodes younger than 30 days. Akamai did, though.

There’s not much that can be done with sites that preemptively block all Tor exit traffic, beyond detecting the blockage and publicizing it, the researchers said.

As far as abuse-based blocking goes, harmless Tor users could be helped by more precise filtering, they said.

It’s important to figure out ways to keep innocent users from being lumped in with spammers, malware distributors and cyber attackers, they said, given that users in some countries rely on Tor to get content that hasn’t been scrubbed by the government:

While many websites block Tor to reduce abuse, doing so inadvertently impacts users from censored countries who do not have other ways to access censored internet content.

Anonymous communication on the internet is a critical resource for people whose access to the internet is restricted by governments.

However, the utility of anonymity networks is threatened by services on the internet that block or degrade requests from anonymous users.


22 Comments

You didn’t mention much of a solution other than “figure out ways” to avoid this. If I see traffic trying to get into my network that has bad intent (such as showing signs of attempted intrusion) I will block that IP permanently. Unfortunately tor is used by people who have bad intent and those people ruin it for my actual users that happen to be on tor.
I’m a big fan of tor and use it daily but I don’t know a solution to this problem when I’m defending my network.

False false false propaganda. TOR is pretty unusable for any kind of cyberattack. Its onion routing infrastructure is just too slow and overly crowded to serve that purpose. I am willing to bet my house that intel agencies flood the network to give corporations an excuse to block the Tor traffic. The bottom line is making the service unusable, thus people just renouncing their incredibly important right to privacy.

They can do what they want with their website, if they want to block TOR users then tough.

Same as cops wanting to ID you when you’ve done nothing wrong and the law says they are doing something wrong by forcing you to be ID’d yet everyone accepts it because they have the power and are ‘defending’ something? Throwing the baby out with the bathwater is what happens to freedom when you trade freedom for the illusion of security.

I can’t help but wonder why the tor infrastructure doesn’t monitor itself and block criminals when detected. I want to use Tor as I want simple anonymity. But apparently giant brother won’t allow that.

“harmless Tor users could be helped by more precise filtering”…

Would not this defeat the purpose of Tor?

Craigslist won’t even let me use a VPN. The workaround is to turn off the VPN before logging in to CL, then turning it on after logging in.

Unfortunately, Tor is used by a lot of bad actors that taint the whole user base. Think of it this way…

If you purchase a home in a high-crime neighborhood, you should expect to be inconvenienced by sirens and police cars (even if you aren’t committing the crimes).

And you say this based on what kind of bogus nonsense info you have? False. Tor loose source route is unusable for cyberattacks due to its bandwidth. People just make up excuses to block the Tor traffic so that anonymity won’t become widespread.

I’ll be honest here. I blanket block TOR on all of my servers, specifically through the firewall itself. In which case, everything will just appear offline or “down” to them.

We know you do “jesse”. We know every claim of cyberattack from Tor is BS. Thank you for making the internet a police state.

Part of the problem is also related to web site monopolies. Craigslist was great in the early years, as was ebay. The sites grow and attract more users (for good reason). Eventually they knock out the competition and become a monopoly. Then they start restricting things and adding rules. And then they suck. And we are stuck with them. Print classifieds are dead. Craigslist can do anything it wants. Until some innovative new site comes along…

A huge unwanted traffic comes from Tor unfortunately. I can’t see any reasonable solution so far to funnel the traffic and let a good go and bad to be rejected …. in this case unfortunately captcha is the only way, annoying but …. well, we can’t shut the business down. So better get some clients even if it will cost us a few seconds extra, than let idiots break our site. Recently I was experiencing tons of attacks from China, Russia and few other places directly but also a lot through Tor ….

It’s still an issue. Managed to get unblocked by one blacklist provider once to access a medical website (local) within 24 hours, and the site started working again. Unfortunately I had to stop my relay (not exit node… so nothing malicious is going to be transmitted directly from me to the Internet at large… only anonymizing) because it happened again with a different website last week.

I wish these blacklists were more selective. While I oppose them blanketly banning exit nodes (captcha works), what business do they have with relays that don’t exit? It doesn’t affect them at all, apart from the admins of these services being on powertrips about anonymity and holding their users hostage.

The alternative is to start running it and switching IPs after they get blacklisted so as to create pressure by these ISPs to unblock their subscribers blacklisted IP from the previous holder… but as a single person doing this, I don’t have the capacity to make a dent.

On Thor Browser:
Access Denied
You don’t have permission to access “http://www.sophos.com/” on this server.

Indeed. AFAIK, our IT team investigated a case of recurring abuse of our server that was disguised via Tor. At the same time it checked how many requests via Tor appeared to be genuine users with genuine issues who were genuinely trying to get help anonymously. The imbalance was so enormous – Tor was, sadly, almost entirely associated with abuse against our servers – that we decided to block it for the greater good of the very many genuine people who were genuinely looking for help.

If you really needed our help and wanted to get in touch with us anonymously, there are ways you could do it, so we are not taking a “reject online anonymity altogether” stance, just being practical when it comes to our website.

HtH.

If you use a browser that may have any propensity to enable bad actors, you automatically forfeit your right to unfettered access. You are second class travelers. Deal with it.
