Cloudflare vs Tor: Is IP Blocking Causing More Harm than Good?

April 28, 2016 Peter Zavlaris

To some, the Tor network is a haven for threat actors and a platform for launching web-based attacks. Tor is an anonymity network: a client's traffic is routed through a chain of volunteer-run relays so that no single relay knows both who the client is and which site it is visiting. It was conceived as a way for political dissidents and marginalized members of society living under oppressive regimes to use the Internet without fear of government surveillance and reprisal.

Today CloudFlare is under fire for blacklisting the IP addresses of Tor exit nodes. Because every Tor user's traffic leaves the network through an exit node, blocking those addresses cuts Tor users, many of them in developing nations, off from every site that sits behind CloudFlare. The wholesale nature of the action is drawing accusations of discrimination.

Here is a diagram showing how clients reach web servers over Tor. The client's traffic enters at a guard relay, passes through a middle relay, and leaves at an exit relay; the exit relay's IP address is the only source address the web server ever sees.

[Figure: Tor Network Diagram - Web Client to Web server connection]

CloudFlare has taken an aggressive line on blacklisting Tor IPs, going so far as to publish data that it says shows 94% of requests arriving from the Tor network are malicious (mostly automated attacks). The company's blog reads:

“Like all IP addresses that connect to our network, we check the requests that they make and assign a threat score to the IP. Unfortunately, since such a high percentage of requests that are coming from the Tor network are malicious, the IPs of the Tor exit nodes often have a very high threat score.”

The problem is that a threat score attached to an exit node's IP says nothing about the individual Tor user behind any given request. The 94% figure describes requests observed from exit IPs; once enough attackers have routed through an exit its score rises, and every later user of that exit, malicious or not, is treated as suspect. It's guilt by association.

The Tor Project blog disputes CloudFlare's claims: “The underlying issue is CloudFlare's design assumption that an IP address represents a single user. Yet there may be millions of users behind a handful of IP addresses.”
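As an added example (not CloudFlare's, the Tor Project's, or Distil's code), the following Python models the point above: a threat score keyed on the client IP aggregates every session behind a shared egress, so an exit node inherits the score of its worst users. The exit list, the session ids, the request log, and the "malicious"/"ok" labels are all constructed for illustration.

```python
"""Per-IP threat scoring on a shared egress such as a Tor exit.

Added example; not Cloudflare's, the Tor Project's or Distil's code.
`label` stands in for whatever a WAF or bot classifier already decided
about each individual request.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed exit list (documentation-range addresses). A real check would
# load the published list from https://check.torproject.org/exit-addresses
# and refresh it regularly, since exits come and go.
TOR_EXITS = {"203.0.113.10", "198.51.100.7"}

# Constructed log: (client_ip, session_id, path, label). The session id is
# the per-user key the site itself can observe (a cookie or session token);
# several sessions share the same exit IP.
REQUESTS = [
    ("203.0.113.10", "s1", "/login", "malicious"),            # credential stuffing
    ("203.0.113.10", "s1", "/login", "malicious"),
    ("203.0.113.10", "s1", "/wp-login.php", "malicious"),
    ("203.0.113.10", "s2", "/", "ok"),                        # three ordinary readers
    ("203.0.113.10", "s3", "/article/42", "ok"),
    ("203.0.113.10", "s4", "/about", "ok"),
    ("192.0.2.55", "s5", "/", "ok"),                          # non-Tor client
    ("192.0.2.55", "s5", "/pricing", "ok"),
    ("198.51.100.7", "s6", "/search?q=' OR 1=1--", "malicious"),  # SQLi probe
    ("198.51.100.7", "s7", "/", "ok"),
]


def is_tor_exit(ip):
    """True if `ip` is in the (constructed) exit list."""
    return str(ip_address(ip)) in TOR_EXITS


def _scores(requests, key):
    """Fraction of malicious requests per key, 0.0..1.0."""
    total, bad = defaultdict(int), defaultdict(int)
    for req in requests:
        k = key(req)
        total[k] += 1
        if req[3] == "malicious":
            bad[k] += 1
    return {k: bad[k] / total[k] for k in total}


def ip_threat_scores(requests):
    """Cloudflare-style score keyed on the client IP: every session behind
    an exit contributes to one number."""
    return _scores(requests, key=lambda r: r[0])


def session_threat_scores(requests):
    """Same score keyed on the session: benign sessions behind the same
    exit score 0.0 even while the exit's IP score is high."""
    return _scores(requests, key=lambda r: r[1])


def block_by_ip(requests, threshold):
    """Block IPs scoring >= threshold and report the collateral damage:
    (blocked IPs, attacker sessions stopped, benign sessions denied)."""
    scores = ip_threat_scores(requests)
    blocked = {ip for ip, s in scores.items() if s >= threshold}
    attackers = {(ip, sess) for ip, sess, _p, label in requests
                 if ip in blocked and label == "malicious"}
    benign = {(ip, sess) for ip, sess, _p, label in requests
              if ip in blocked and label == "ok"}
    return blocked, len(attackers), len(benign)


if __name__ == "__main__":
    for ip, score in sorted(ip_threat_scores(REQUESTS).items()):
        print(f"{ip:15} tor_exit={is_tor_exit(ip)!s:5} ip_score={score:.2f}")
    blocked, stopped, denied = block_by_ip(REQUESTS, threshold=0.5)
    print(f"blocked {sorted(blocked)}: stopped {stopped} attacker sessions, "
          f"denied {denied} benign sessions")
    print("per-session:", session_threat_scores(REQUESTS))
```

Run it and both constructed exits score 0.5 and are blocked at a 0.5 threshold, stopping two attacker sessions and denying four benign ones; keyed on the session instead, the benign sessions score 0.0. The same collateral applies to any shared egress, such as a corporate proxy or a carrier-grade NAT, not only Tor.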

Are all Tor users bad?

CloudFlare argues that Tor is overrun with spammers and other threat actors. Tor has also been vilified for enabling underground, or dark web, activity: the infamous Silk Road ran as a Tor hidden service, as have sites distributing pirated content, carding forums trading stolen credit card data, and other illicit operations.

The Tor Project points out that its network is also used by human rights defenders, diplomats, government officials, and people from all walks of life who want to browse the Internet free of surveillance.

In the post-Snowden world, even Americans have turned to anonymous browsing options like Tor. A Pew Research Center study reveals that roughly 9% have adopted sophisticated measures, such as using Tor, to shield their activity on the Internet.

What does the data say?

In blocking all Tor traffic, CloudFlare is painting with too broad a brush, according to our data. Collected from our customer base, the sample covers almost 10,000 IPs and over 40 million page requests over a two-week period.

We found that requests from Tor exit nodes were malicious 48% of the time. (True, that is a higher rate than we saw from other proxy networks, where 38% of requests were malicious.) So by keeping out Tor users, CloudFlare is blocking legitimate traffic about half the time. One caveat applies to both figures: they count requests, not users. A single automated session can generate thousands of requests while a human generates a handful, so the share of people caught by an exit-node block is likely higher than the share of legitimate requests suggests.

[Figure: Malicious Tor Node Traffic: Cloudflare vs Distil Networks Findings]

The problem with IP blocking

Nearly every organization uses IP blocking in some form. IP blacklists are a staple of the security world, appearing in firewalls, intrusion prevention systems, web application firewalls, fraud prevention, bot mitigation, and more. They are where many organizations start their security efforts.

The problem is that attackers aren't dependent on a single IP to carry out an attack. Our 2016 Bad Bot Landscape Report shows that 70% of automated attacks in 2015 used multiple IPs, and 20% used over 100 IPs. A per-IP block only raises the attacker's cost by the price of more addresses, and botnets, cloud instances, and proxy networks supply those cheaply.

Marty Boos, StubHub’s Director of Technology Operations, explains in his video testimonial, “It takes a matter of seconds, once we block someone on an IP basis, for them to move somewhere else. We found people going from 10k hits for one IP to 2 hits from 10k IPs per hour.”
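To make the quote concrete, here is an added Python example (not StubHub's, CloudFlare's, or Distil's code) that replays both patterns, 10k hits from one IP and then 2 hits from each of 10k IPs, against a fixed one-hour-window limiter keyed on the client IP and then on a request fingerprint. All traffic is synthetic, and the fingerprint (User-Agent plus path) is a deliberately crude stand-in for the richer behavioural signals real bot mitigation relies on.

```python
"""Per-IP rate limiting versus a distributed bot.

Added example; not StubHub's, Cloudflare's or Distil's code. All traffic
below is constructed, and the fingerprint key is intentionally simple.
"""
from collections import Counter

BOT_UA = "Mozilla/5.0 (compatible; ticketgrab/1.3)"   # constructed bot agent
BOT_PATH = "/api/inventory?event=42"                   # constructed target
LIMIT = 1_000   # hits per key per hour before that key is blocked


def single_ip_burst(hits=10_000):
    """Before the IP block: one scraper, one address, 10k hits in the hour."""
    return [("203.0.113.1", BOT_UA, BOT_PATH)] * hits


def distributed_burst(ips=10_000, hits_per_ip=2):
    """After the IP block: the same scraper spread over 10k addresses with
    2 hits each. Addresses are generated from 10.0.0.0/8 for illustration."""
    events = []
    for i in range(ips):
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        events.extend([(ip, BOT_UA, BOT_PATH)] * hits_per_ip)
    return events


def legit_traffic(users=500):
    """Ordinary browsers: a handful of hits each, with enough variety in
    address, User-Agent and path that no key approaches LIMIT. Real traffic
    is not always this separable; that is the simple fingerprint's weak spot."""
    events = []
    for i in range(users):
        ip = f"192.0.2.{i % 256}"                # a few users share a NAT address
        ua = f"Mozilla/5.0 (X11; Linux) Firefox/{40 + i % 12}.0"
        for path in ("/", f"/event/{i % 50}", "/checkout"):
            events.append((ip, ua, path))
    return events


def by_ip(event):
    return event[0]


def by_fingerprint(event):
    """Behavioural key: agent string plus path with the query stripped.
    The attacker changes its IP cheaply but keeps the same tooling."""
    _ip, ua, path = event
    return (ua, path.split("?", 1)[0])


def over_limit(events, key, limit=LIMIT):
    """Keys whose hit count in the window exceeds `limit`."""
    counts = Counter(key(e) for e in events)
    return {k for k, c in counts.items() if c > limit}


def evaluate(events):
    """Apply both keys to the same hour of traffic and report what each
    would have blocked, plus legitimate hits caught as collateral."""
    ip_blocks = over_limit(events, by_ip)
    fp_blocks = over_limit(events, by_fingerprint)
    bot = [e for e in events if e[1] == BOT_UA]
    legit = [e for e in events if e[1] != BOT_UA]
    return {
        "bot_hits": len(bot),
        "ip_blocks": len(ip_blocks),
        "stopped_by_ip": sum(by_ip(e) in ip_blocks for e in bot),
        "fp_blocks": len(fp_blocks),
        "stopped_by_fp": sum(by_fingerprint(e) in fp_blocks for e in bot),
        "legit_blocked": sum(by_ip(e) in ip_blocks or by_fingerprint(e) in fp_blocks
                             for e in legit),
    }


if __name__ == "__main__":
    for name, bot in (("single IP", single_ip_burst()),
                      ("distributed", distributed_burst())):
        print(name, evaluate(bot + legit_traffic()))
```

Against the single-IP burst both keys block the scraper; against the distributed burst the per-IP limiter sees two hits per address and blocks nothing, while the fingerprint still aggregates all 20,000 hits into one key. The flip side is that a fingerprint this simple would also fire on a genuinely popular page hit by many users running the same browser build, which is why production systems combine several signals rather than swapping one key for another.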

Further reading

Is IP blacklisting entirely obsolete? At Distil Networks, we don’t believe so. Access control lists (ACLs) such as blacklists remain an important part of a sound security strategy.

Writing about the dynamic nature of IP ACLs, Rami Essaid, Distil’s CEO, lists the challenges of maintaining such lists and offers suggestions for addressing them.
