Tor – the good, the bad, and the ugly

Tor offers anonymous browsing capabilities to people across the world. Users located in countries with strict censorship laws can use it to access restricted sites like Facebook, Google, foreign news websites or forums privately.

Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than seven thousand relays to conceal a user’s location and traffic from anyone surveilling the network with traffic analysis.

Tor encrypts data, including the destination IP address, multiple times and sends it through a virtual circuit of randomly selected relays. Each relay decrypts a single layer of encryption to reveal only the next relay of the circuit in order to pass the remaining encrypted data onwards. The final relay decrypts the innermost layer of encryption and sends the original unencrypted data to its destination without any knowledge of the source IP address.

Tor also provides hidden services that allow users to publish websites and services without revealing their location or the identity of their owners. These sites are often called the dark web or deep web.

To keep it simple, using Tor makes it more difficult (but not impossible) for Internet activity to be traced back to the user.

The dark side of the web

Individuals can use Tor to prevent websites from tracking them or to access websites blocked by their local Internet providers. Journalists, dissidents, and non-governmental organizations all use Tor for sensitive communications or for bypassing laws in countries where the internet is tightly regulated by the government. These are what Tor was built for, and are only a fraction of the legitimate use cases for Tor.

Despite these noble goals Tor also has a dark side. Obviously, the convenient (and relative) anonymity attract people with some less honorable intentions.

Recent studies have revealed that a large amount of the content hosted on Tor’s hidden services is linked to suspicious or illegal activities such as black market drugs, illegal firearms and extreme pornography. Tor is also used increasingly often to perform cyber-attacks.

Hidden threats

Tor is somewhat slow by design. Bouncing your traffic between three nodes before sending it out to the wider internet (6 nodes when you include the response ) adds a significant amount of latency to the round trip time. This implies that high rate Dos / DDoS attacks over Tor are not efficient if even possible.

However, for low bandwidth and slow distributed attacks (for example Slowloris, SlowLoris and PyLoris) the Tor network is indeed a very useful medium. It conveniently provides two important things to the attackers: a large number of exit relays and anonymity.

Even worse, IBM reported an increasing number of cyber attacks coming from the dark web, mostly through the Tor network. This report exposes new techniques where cyber-thieves use Tor hidden services for their ransomware campaigns.

Hackers have automated the whole process of taking over legitimate websites to victimize unwitting visitors with ransomware using botnets like SoakSoak and exploit kits like Neutrino. Such botnets are constantly scanning websites over Tor for vulnerabilities they can exploit with host redirection scripts.

In many cases, it only takes a few days before a new website is scanned by hackers for vulnerabilities.

Theory meets reality

Sqreen intends to monitor and protect your web application and users from potential threats wherever they come from. We did not see the urge of pushing active features related to Tor users, at first.

We started to look at the data a bit further when a customer came to us with this specific request.

As of today, the number of connection attempts to our customers apps coming from the Tor network make up about 6 percent of the total number of connection attempts. Surprisingly, 99.7 percent of the time the credentials supplied from Tor Users are incorrect (For comparison our overall authentication failure rate is less than 23 percent).

This first insight was enough to pique curiosity and to encouraged us to dig further in order to figure out what was going on.

Percentage of failed Tor connections
Failed connection attempts – Almost all attempts from Tor fail.

This subset of data on app usage comes from over a hundred of apps – mostly Rails or Python – that are protected and monitored by Sqreen on a daily basis. The stats are pretty consistent across all apps.

The number of successful connections through Tor network was only significant for one notable customer. Our study has shown that in this case, the company behind the web application was using the Tor distributed network for running parallel benchmarks and automated release tests to assert its scalability. This is almost the only legitimate Tor use case we could find.

When we looked at specific attacks on our customers’ apps, we identified that authentication attacks (brute force attack on a specific user account, or accounts enumeration) are performed 6.5 times more frequently by IPs registered as Tor exit nodes on average. These scans also last 29.5 percent longer on average.

users with tor and without tor
A user coming from Tor is between 6 and 8 times more likely to perform an attack.

Path scanning and SQL/NoSQL injections are also popular methods for discovering web application vulnerabilities. These kinds of attacks are up to 8 times more frequent over the Tor network. This trend indicates that Tor usage is closely linked to suspicious activity on our customers’ applications.

In the end, connections through Tor – even if underrepresented – are responsible for nearly 30 percents of all attacks encountered by our customers including password brute force attacks, account enumerations, and fraudsters.

Tackling the issue

The Tor Network’s goal is to provide anonymity and circumvention for the users in need of them. Deploying any kind of attack is abusing this service.

Fortunately, the Tor project provides a regularly updated list of exit nodes that can access your IP here, so you can monitor what is going on and eventually set up countermeasures quite easily.

You might be tempted to block users from accessing your website over Tor. Then you should first take a look at the Tor project’s official position. It may seem quite radical but if Tor is a real issue for you banning IPs is the simplest way to get rid of the threat. To achieve this, you will need to use online services like TorDNSEL or the list of exit nodes provided above.

If you use the exit nodes list be sure to frequently download a fresh copy of the list and don’t forget to clean your blacklists since the list of IPs changes continuously. Moreover, be aware that as there may be hundreds or even thousands of nodes so adding them to iptables can hurt your server’s network performance. Tools like ipset may be helpful in this case

Conclusion

As we have seen, banning Tor users from your application could be a crucial point in securing your business, but setting up a homemade solution can be somewhat complicated and painful.

I would love to hear your thoughts and experiences with the Tor network. How is Tor traffic impacting the security of your application? Is your app getting a lot of legitimate or illegitimate traffic from Tor?

At Sqreen we listen to the needs of our customers, as we aim to constantly improve our product. Sqreen recently added a feature to display connections coming from the Tor network. It will tell you which of your users are using Tor and whether or not they are performing malicious activities. Only 30 seconds are needed to get started with Sqreen, so try it out today!

About the author

Christophe is the lead data scientist at Sqreen. He has a PhD in Computer Science and is passionate about cryptography and deep learning­. He has worked for several successful startups as a back-end engineer and data scientist. When he is not thinking distributively, he dreams of electric sheep.

Further reading