IBM Tells Administrators To Block Tor On Security Grounds

Mickeycaskill writes: IBM says Tor is increasingly being used to scan organizations for flaws and launch DDoS, ransomware and other attacks. Tor, which provides anonymity by obscuring the real point of origin of Internet communications, was in part created by the US government, which helps fund its ongoing development, due to the fact that some of its operations rely on the network. However, the network is also widely used for criminal purposes. A report by the IBM says administrators should block access to Tor , noting a "steady increase" an attacks originating from Tor exit nodes, with attackers increasingly using Tor to disguise botnet traffic. "Spikes in Tor traffic can be directly tied to the activities of malicious botnets that either reside within the Tor network or use the Tor network as transport for their traffic," said IBM. "Allowing access between corporate networks and stealth networks can open the corporation to the risk of theft or compromise, and to legal liability in some cases and jurisdictions."

Re: See..

[Anonymous Coward]

Internet is also used for all kind of attacks. So I guess it should be banned too!

Re:

[lgw]

Not clear from TFS whether they're talking inbound or outbound. Inbound blocking makes sense for anything not open to the general public. Oubound blocking? Good luck with that, IBM.

TOR has been blocked in China for many years, but it still works. There's been a blocking/stenography arms race happening between the Great Wall and TOR for years. I don't know anything about the technical details, but it seems a safe guess that TOR "bridge" connections successfully bypass all the easy or obvious ways of blo

Re:

[Anonymous Coward]

This won't work. There is a component within the pluggable transports component called meek which basically creates a bridge for users of shared services. The core of what the pluggable transport plug-in does is disguise the traffic to look like other types of traffic. By combining this with other services an adversary can't tell the difference between Tor traffic and non-Tor traffic and combined with something called meek any blocking of a meek-bridge would have significant collateral damage anyway. There

Re:

[Anonymous Coward]

China is getting pretty good at it though. What is working may be blocked in 6-8 hours. It is a cat and mouse game, but that cat is getting quick, and the mice population is dwindling.

In general, if there are a lot of different connections made by different browsers [1] coming from one IP, it is suspect, and a site needs to go like Google and have a CAPTCHA before someone can move past the intro screen. CloudFlare is a good front gate to have for almost any website because of this.

As for blocking exit no

Duh

[Calsar]

Yes, I know some people just use Tor because they don't want the government watching them, but I block Tor on general principal. Most of the traffic coming out of Tor is malicious. The only exception would be if I was running a site with information I wanted to provide to oppressed countries.

Re:

[Anonymous Coward]

Your an idiot. Blocking Tor *won't* do a damm thing at actually solving the security problem. All it does is give you the illusion of security when you don't know what your doing.

Re:

[Anonymous Coward]

I don't see why you're downvoted. This is true. Blocking tor isn't a solution. You should be patching your systems and not have crappy apps.

If you have a smart load balancer that decides to threshold block tor nodes, that's fine. But explicitly blocking all tor nodes is just lazy and doesn't fix the problem.

Re:Duh

[Calsar]

I didn't say blocking Tor made you secure, I simply said traffic coming out of Tor is malicious and should be blocked. If you think blocking Tor makes no difference you are wrong. A lot of attacks are coming out of Tor and you can eliminate them with little effort.

Re:

[Anonymous Coward]

I sympathize with your position, I really do, but where does that argument end? A lot of email is malicious too--should we just start blocking that? Webpages are often malicious as well. Come to think of it, maybe we should just keep all of our networks local.

Tor has lots of good purposes also. Blocking it completely seems like an indiscriminate solution.

Re:

[orlanz]

On a personal network... I don't care, your choice. But on a business network, this is a no brainer. Its clearly from IBM's "No shit Sherlock" department. Some intern needed to write a security recommendation. Few enterprises have a business need for Tor, so why not block it? What good reason is there to have it unblocked?

As for where it stops ummm... when it actually hinders your business? If you business doesn't have ANY need to load webpages (ie: the book network at a stock exchange), then yes, you

Re:

[by (1706743)]

Your an idiot.

...don't know what your doing.

Good effort, but next time go for the triple combo!

Anonymity is a paradox

[Anonymous Coward]

We say we want anonymity on the internet (and we do).

Yet we don't want people wearing ski-masks entering banks or gas stations.

The thing that sucks about anonymity is a small percent of people will utter destroy it. Tragedy of the commons, I guess.

Re:

[X.25]

Yes, I know some people just use Tor because they don't want the government watching them, but I block Tor on general principal. Most of the traffic coming out of Tor is malicious. The only exception would be if I was running a site with information I wanted to provide to oppressed countries.

You have access to all outgoing Tor traffic?

Nice.

Another layer

[TechyImmigrant]

I presume the enterprising TOR user could set up a couple of machines A and B somwhere on the internetz to act as a personal TOR entry and exit point. VPN to A. A TORs to B. B talks to the internetz.

 

Re: Another layer

[Anonymous Coward]

That would defeat the purpose and isn't how Tor works.

Re:

[TechyImmigrant]

Yes. It's just an indirection to prevent attacks or filters at the entry and exit points.

Re:

[Nutria]

I believe that most Tor users aren't criminals

What substantiates your belief?

Re:

[TechyImmigrant]

You could read the paper and see if the data speaks for itself.

Re:

[TechyImmigrant]

Then machine "B" gets nailed by every LEO from Interpol down to the local dogcatcher.

The best way is to have an account with a VPN service, and use TOR in front. The VPN's IP space will be viewed as dodgy, but not outright banned like all TOR nodes tend to be.

I wasn't proposing that as a way to conduct illegal activities. I was proposing that as a way of getting around your employers TOR block. Practically you only need machine A for most situations.

Re:

[Swave An deBwoner]

Why not try an all meat diet? Smarter people than you do: http://www.jbc.org/content/87/... [jbc.org]

Interestingly that article you link to was published in February 1930, right near the start of the "Great Depression" and states that "These studies were supported in part by a research grant from the Institute of American Meat Packers". They were probably scared stiff that nobody would be left with enough pennies in their pocket to buy meat.

You want smart people? "It is my view that the vegetarian manner of li

This isn't security it's security theatre

[Anonymous Coward]

Blocking Tor doesn't do a damm thing for real security. It won't stop the "attacks". There are plenty of other avenues for malicious parties to use. The idea that getting rid of Tor somehow will stop the attack is just plain silly. It might sound good to the CEO, protect your job, etc. It won't actually improve security. If you want to improve security start with ridding your company of the proprietary software whose holes *can't* and won't be fixed. Fund *bug hunting*, reduce the bloat in your applications

Re:This isn't security it's security theatre

[TheCarp]

> Blocking Tor doesn't do a damm thing for real security. It won't stop the "attacks". There are plenty of other avenues for malicious parties to use.

While mostly true, you do have to consider that exit nodes that are on your internal network are probably bad juju.

Personally, I am all for using tor, but I wouldn't want to see random users putting up exit nodes inside my network. Exit nodes really should be setup with a bit more care to make sure they can't be used to access internal hosts, especially if internal networks have public IPs, which while less common these days, is not unheard of.

My previous 2 employers both used public IPs on their internal networks (and each had their own class public B). So, by default, a tor exit node would constitute a hole in the firewall unless specifically setup to restrict access to "local" IPs.

Not unmanagaeble at all if you want to manage it, but, not something you want to leave in the hands of Bob in accounting.

Blame TOR malicious botnets ..

[nickweller]

If security on these public and private-sector networks weren't so flaky, botnets wouldn't be such a problem. Remember all it took to compromise SONY was one malicious email attachment. Make you wonder how Internet security got so bad considering folks like the NSA helps these organizations securing their 'computers'.

Re:

[Nutria]

considering folks like the NSA helps these organizations securing their 'computers'.

All of the technical acumen in the world can't defend against a PHB running XP who clicks on everything.

Tor is useless

[fustakrakich]

If it can be blocked, or even if it's visible at all, it is dangerous for the user. If you can't blend in, you're gonna stick out..

Changed Headline - Now 50% Less Clear!

[Dutch Gun]

You know, there's a completely different potential meaning between "IBM Tells Administrators to Block..." vs "IBM Tells Companies to Block..." I initially though IBM was discussing an internal policy, but they're advocating that OTHER companies simply block access to TOR nodes, in case it's not clear.

Still, blocking these nodes seems like a fairly weak approach to security, doesn't it? It's not like you can't disguise your movement by utilizing a botnet server. It's sort of like saying "we could improve our security by banning all incoming traffic from China and Russia". Well, sure, if you're willing to just block lots of legitimate users in the meantime. It would be far better to try to implement better technologies and policies that actually improve computer security, rather than feel-good measures like this.

For starters: eliminate dependence on old, out-of-data, vulnerable web based technologies. There are many corporate customers who still must use specific VULNERABLE versions of the Java plug-in, for instance. Oh, wait though... that would cost money! Nevermind, just block the TOR nodes, ok?

Incremental improvements are a good thing

[sirwired]

It's sort of like saying "we could improve our security by banning all incoming traffic from China and Russia". Well, sure, if you're willing to just block lots of legitimate users in the meantime. It would be far better to try to implement better technologies and policies that actually improve computer security, rather than feel-good measures like this.

Yes, in a perfect world, companies would have perfect device security and it wouldn't matter from which direction an attack came.

But here in the real world, there is no such thing as perfect security, and every little bit helps. They aren't suggesting you block TOR and ignore your firewall and stop updating patches, just that among other security measures, this might help.

Anyway, what possible legitimate use could TOR have in a corporate environment outside of a media organization?

Re:

[Spy Handler]

Yes, in a perfect world, companies would have perfect device security and it wouldn't matter from which direction an attack came.

But here in the real world, there is no such thing as perfect security, and every little bit helps. They aren't suggesting you block TOR and ignore your firewall and stop updating patches, just that among other security measures, this might help.

Anyway, what possible legitimate use could TOR have in a corporate environment outside of a media organization?

Exactly right. Every little bit helps.

If your company has no Chinese customers or suppliers or employees and does no business in China whatsoever, why not block China from your network? It's simple to do and costs nothing. Nobody is suggesting that you drop all your other security practices and rely just on blocking Chinese IPs.

Re:

[Dutch Gun]

I suppose it depends entirely on whether you run a consumer-facing website or not. I was initially thinking about this from the perspective of companies that run such sites, in which case it doesn't make a lot of sense. However, if you're in an entirely corporate-oriented company who typically doesn't deal directly with the general public, it probably makes some sense to do so. No client of yours is going to be running a TOR browser. IBM is among those types of companies, so I guess this advice makes se

Tor noob question

[GerardAtJob]

Is it possible to add a proxy after a Tor node exit, bypassing the current "Ban Tor exit nodes" thus blending with traffic? So, in theory, blocking Tor exit nodes only blocks those who only use Tor .. isn't it (Ex: Not hardcode hackers, but only Tor kiddies)?

Re:

[GerardAtJob]

I guess I was too technical, but it's possible.

http://unix.stackexchange.com/... [stackexchange.com]

"A report by the IBM..."

[jfbilodeau]

From the summary: "A report by _the_ IBM..."

As opposed to just an IBM?

Re:

[by (1706743)]

Yeah, The International Business Machine. It's run by President and Commander in Chief Executive Officer Donald Trump.

What part of "exit node" does IBM not understand?

[tlambert]

"IBM said its data shows a “steady increase” over the past few years in attacks originating from Tor exit nodes, with attackers increasingly using Tor to disguise botnet traffic."

What part of "exit node" does IBM not understand?

Once the traffic hits an exit node, it's no longer in Tor. It's also more or less impossible to "disguise botnet traffic" using Tor, since it's not like the botnet is running an entry or exit node.

At worst, a bot on one of your servers will hit a Tor entry node in order

Re:

[tlambert]

Once the traffic hits an exit node, it's no longer in Tor. It's also more or less impossible to "disguise botnet traffic" using Tor, since it's not like the botnet is running an entry or exit node.

Did you even read the paper? Botnets are using Tor to scan and attack corporate networks. Blocking Tor exit nodes will block those scans and attacks.

Yes. I did. They implied but didn't specifically state, in a single sentence (the one I quoted in fact) blocking of exit nodes. All of the other sentences suggested "block Tor", which implies the protocol (which -- did you even read what I wrote? -- is pretty stupid advice).

Do you really expect people to be able to implement TorDNSEL DNS lookups on reverse addresses for all incoming connections, or that if people start using this for blocking, that it will continue to be published? Or that if people sta

Once again proving....

[JustAnotherOldGuy]

Once again proving that anything that can be abused, will be abused. The spammers, scammers, and scum of the Earth will use anything they can to steal whatever they can.

Re:

[JustAnotherOldGuy]

And since ANY check ultimately requires code to execute the check, and a 0/1 response, and since I can trivially NOP out your code

Exactly...and this is why DRM will always ultimately fail.

It may take time to crack, but there's always a way around it, even if you have to tap into the analog output of whatever it is.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[JustAnotherOldGuy]

Now, now. That is no way to talk about your government.

Sure it is. ;)

Hackers? Let's not forget the terrorists!

[jareth780]

Whatever is scary enough to convince us to give up privacy, that's the threat of the day. Nothing is your own except the few cubic centimetres inside your skull.

Hmm

[koan]

Isn't TOR a little slow and lacking bandwidth to make a good hacking front?