North American Network Operators Group


Re: Tor and network security/administration

  • From: Kevin Day
  • Date: Sat Jun 17 09:49:54 2006

On Jun 17, 2006, at 8:29 AM, Jeremy Chadwick wrote:

Apologies if this has been brought up before.

Being as I'm not a network administrator myself (although I do filter
some stuff using pf and ipfw on my servers), I'm curious what NAs
think of the following technology:

http://tor.eff.org/overview.html.en

The problem I see is that this technology will be used (literally,
not ideally) solely for harassment (especially via IRC).  I do not
see any other practical use for this technology other than that.
The whole "right to privacy/anonymity" argument is legitimate, but I
do not see people using Tor for legitimate purposes.

We've had considerable problems with Tor.

Idiots who like to use stolen credit cards to buy things online find Tor a nice haven of deniability and covering their tracks. Before we got a little more proactive with it, about 20% of our credit card fraud was coming through IPs that we could confirm were Tor hosts.

I spent a few hours with a sheriff in Alabama trying to explain how Tor worked, why people used it, and why, even though he had an IP address of who used a 75-year-old woman's credit card number to spend a few hundred dollars on one of our client's sites, it wasn't really their IP.

Our IRC servers and discussion sites also have had to ban all Tor IPs that we've seen because of troublemakers using them to evade bans. Specifically because of the totally unregulated/uncontrolled nature of Tor, they're finding themselves banned from a great many things, which is probably hurting the people it was designed for. Because of one jerk who hopped from one Tor host to the next to get around IP bans on our site, all those IPs are banned now, preventing any legit use of Tor on any of our sites.

I don't find the anonymity a bad thing, but I would be a whole lot happier if the default configuration for people running Tor servers included an option to add HTTP headers saying that it's going through Tor, so we could decide if we wanted to conduct financial transactions with them or not.
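
An added example, not part of the original post: one way a site can make the per-transaction decision described in the last paragraph from the server side, by checking the connecting IP against a locally mirrored list of Tor exit addresses and holding only payments for review instead of banning outright. The list contents (constructed, documentation-range addresses), the `decide` policy and its action names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample, laid out like a Tor exit-address list
# (ExitNode / Published / LastStatus / ExitAddress records).
# Assumption: the operator keeps a local copy of such a list.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2006-06-16 22:10:03
LastStatus 2006-06-17 08:00:00
ExitAddress 192.0.2.10 2006-06-17 08:05:11
ExitNode 0000000000000000000000000000000000000002
Published 2006-06-16 23:41:57
LastStatus 2006-06-17 08:00:00
ExitAddress 198.51.100.7 2006-06-17 08:07:42
ExitAddress not-an-ip 2006-06-17 08:07:42
"""

def load_exit_addresses(text):
    """Return the set of exit IPs, skipping malformed entries."""
    exits = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "ExitAddress":
            continue
        try:
            exits.add(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue  # one bad record must not abort the whole load
    return exits

def decide(client_ip, action, exits):
    """Hypothetical policy: Tor users may browse; payments go to manual review."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "reject"  # unparsable source address
    # Normalize IPv4-mapped IPv6 (::ffff:a.b.c.d) as seen on dual-stack listeners.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip not in exits:
        return "allow"
    return "review" if action == "payment" else "allow"

EXITS = load_exit_addresses(SAMPLE_EXIT_LIST)
```

Exit lists change constantly, so a real deployment has to refresh its copy on a schedule and treat a stale list as a reason to fall back to review, not to allow.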