Thursday, April 28, 2016

Tor, CloudFlare Spar Over Malicious Traffic | SecurityWeek.Com

Internet Firms Clash Over Malicious Traffic and Access

Tor Urges Sites to Switch CDNs After CloudFlare Says Most Traffic Is Malicious

Content delivery network (CDN) CloudFlare says it's working on making it easier for Tor users to access the websites it protects, but it's not an easy task. In the meantime, the Tor Project has advised website owners to either whitelist access over Tor or switch to a Tor-friendly service provider.

CloudFlare CEO Matthew Prince published a blog post on Wednesday detailing the "trouble with Tor." After many individuals who use the Tor network to protect their identity complained that they are having a hard time accessing important websites due to CAPTCHAs and other restrictions, Prince attempted to provide an explanation and outline the steps being taken by his company to address the issue.

According to Prince, 94 percent of requests that CloudFlare sees across the Tor network are "per se malicious," including vulnerability scanning, spam, ad click fraud, and content scraping. This results in very high threat scores being assigned to the IP addresses of Tor exit nodes, which in turn results in Tor users having to complete numerous CAPTCHAs before they can access websites.

CloudFlare has recently started allowing customers to specify how they want to handle traffic coming from Tor by treating Tor exit nodes as a "country" of their own. Website owners can whitelist all Tor traffic, use CAPTCHAs to verify if a user is human, block all traffic, or use a JavaScript challenge that checks the user's browser before redirecting them to the requested site.

In the long term, CloudFlare believes there are two viable methods that can be used to distinguish automated, malicious traffic from legitimate traffic coming from Tor. One solution would be for CloudFlare customers to create a .onion version of their website, which would only be accessible via Tor. Facebook launched such a website in November 2014 to make it easier for Tor users to access the social media platform.

Another solution proposed by some members of the CloudFlare team is to get the Tor Browser to make the distinction between human and automated traffic.

"The Tor browser could allow users to do a sort of proof-of-work problem and then send a cryptographically secure but anonymous token to services like CloudFlare in order to verify that the request is not coming from an automated system," Prince explained.

"CloudFlare is working to reduce the impact of CAPTCHAs on Tor users without in any way compromising their anonymity and without exposing our customers to additional risk. Over the coming weeks and months we will roll out changes designed to make the lives of legitimate Tor Browser users easier while keeping our customers safe," Prince said.

Tor Project publishes CloudFlare fact sheet

After CloudFlare published its blog post, the Tor Project released a fact sheet detailing CloudFlare's impact on Tor users. The organization behind the anonymity network says CloudFlare prevents users from reaching important websites, including the ones of Amnesty International, online activist network Avaaz, Q&A community website Stack Exchange, Planned Parenthood, and various major news sites.

These websites are often inaccessible from both the desktop and mobile versions of the Tor Browser. The Project has pointed out that the Web is often accessed from Android phones in developing countries, and many users have complained that there is a growing number of websites they cannot access due to CloudFlare.

On one hand, the problematic CAPTCHAs might get users to access websites via unsafe browsers that can reveal their location, which can represent a serious risk for human rights activists and other groups for which anonymity is crucial. On the other hand, new users might believe they are not using Tor correctly, which could lead to them abandoning Tor altogether.

"CloudFlare's CAPTCHA system results in de facto censorship, since Tor users either cannot access a site or are deterred from using a site because of the obstacles presented by the CAPTCHAs. Tor users have complained that they can circumvent China's Great FireWall, but not CloudFlare," the Tor Project said.

The Tor Project says it's displeased with the fact that CloudFlare hasn't taken proper steps to address the problem, despite knowing about it since at least 2013. The anonymity network has advised companies that want to support Tor user access to their websites to either whitelist access over Tor, or switch to a content delivery provider that supports Tor.

While CloudFlare claims 94 percent of the Tor traffic it sees is malicious, the Tor Project has argued that the abuse is actually likely coming from a "tiny fraction of the millions of daily Tor users."

"When a connection to a website travels over Tor, it will exit the network via one of the thousand exit relays set up by volunteers all over the world. The largest exit nodes transport more than 70,000 connections at a given moment. If a small number of these connections contains what CloudFlare qualifies as 'malicious traffic' (spam, typically), CloudFlare will consider any subsequent connection as 'malicious'," the Tor Project said. "Because exit relays are picked (usually at random) by the Tor client, a single bad guy could have all relays qualified as transporting 'malicious traffic'."

Previous Columns by Eduard Kovacs:


Scanner: export custom devices list


Wednesday, April 27, 2016


17 Arrested, 400 Tor sites seized

DailyDDoSe: 17 Arrested, 400 Tor sites seized

THE HAGUE, NETHERLANDS (BNO NEWS) — Authorities in Europe and the United States have arrested 17 people and seized more than 400 sites in a coordinated action against markets offering weapons and drugs through anonymity network Tor, officials announced on Friday, just a day after a major drugs market was taken down.

The latest operation took place on Thursday when authorities in the United States and more than a dozen European countries executed 13 search warrants and arrested 17 people after an investigation into darknet marketplaces. On these marketplaces, which can only be accessed through Tor, people can purchase weapons, drugs and even contract killers.

Ulf Bergström, a spokesman for Eurojust, the European Union's judicial cooperation unit, said 414 hidden sites were seized during Thursday's operation, which was dubbed Operation Onymous. Also seized was hardware, digital media, drugs, gold, silver, 180,000 euros ($223,500) in cash, and Bitcoins worth approximately 1 million U.S. dollars.

"Users, vendors and those hosting these hidden services were – until now – believed to be relatively safe from prosecution. This action will shake that belief," Bergström said. He said several vendors and administrators were arrested during the operation, but there was no immediate word on whether any users of Tor sites had been identified.

Sites seized during the operation include "Pandora," "Blue Sky," "Hydra," and "Cloud Nine," all of which offered an extensive range of illegal goods and services for sale, including drugs, stolen credit card data, counterfeit currency, and fake identity documents. Also seized was "Executive Outcomes," which specialized in firearm trafficking, and "Super Notes Counter," which offered to sell counterfeit euros and U.S. dollars in exchange for Bitcoin.

Countries involved in 'Operation Onymous' include Bulgaria, the Czech Republic, Finland, France, Germany, Hungary, Ireland, Latvia, Lithuania, Luxembourg, the Netherlands, Romania, Spain, Sweden, Switzerland, the United Kingdom, and the United States.

Thursday's operation came just a day after 26-year-old Blake Benthall, who is known as 'Defcon' online, was arrested in San Francisco for allegedly running the hidden site 'Silk Road 2.0,' which was launched in November 2013 after its predecessor was shut down by law enforcement. Benthall's site is alleged to have enabled more than 100,000 people to buy and sell illegal drugs.

"Underground websites such as Silk Road and Silk Road 2 are like the Wild West of the Internet, where criminals can anonymously buy and sell all things illegal," said Peter Edge, of Homeland Security Investigations (HSI) at the U.S. Immigration and Customs Enforcement (ICE). "We will continue to use all of our resources and work closely with our U.S. and international law enforcement partners to shut down these hidden black market sites, and hold criminals accountable who use anonymous Internet software to peddle their illegal activities."

Tor, which is an acronym for the Onion Router, is a network designed to hide users' real IP addresses by routing all traffic through the many servers of the Tor network, making it practically impossible to physically locate the computers hosting or accessing the sites. Although Tor is also used for legitimate purposes, criminals take advantage of Tor for a range of illicit purposes, including drugs, weapons, money laundering, and child pornography.


Sunday, April 10, 2016

Blacklist Details

Information on this blacklist is slightly sparse. According to independent research, it has been run by the 510 Software Group since February 2001. This DNS blacklist is a combination of 13 sub-lists, all operating under the same zone, each returning a different IP address return code for classification. It is generally thought to have a high false positive rate, making it a viable candidate for score-based systems but not a good match for direct, outright blocking. One reason for the high rate of false positives is the maintainers' position that "bulk mailers that don't require closed loop confirmation opt-in from all their customers" be listed by default. This means there is a high chance that many thousands of senders are listed even though they have never sent a single piece of spam; they are listed because they have chosen not to mandate a double opt-in process for their mailing lists and marketing mailers.

The policies of any DNS-based blacklist are entirely up to its maintainer. This blacklist should be used with caution on a commercial or public email server where delivery of legitimate email is of high importance. For a personal server, where you control only your own mail, it may be a more appropriate match.

Listing criteria

Specific listing criteria are defined by the nature of each sub-list the blacklist operates. While some are obvious, others could be considered ambiguous. Regardless of whether you choose to act on one or many of the possible IP address return codes, it is advisable to run each in a logging-only or test mode before using it in production.

Zones

The blacklist is a single zone that can be queried in the standard reversed-IP lookup format. The IP address returned is of the form 127.0.0.x, where x identifies which sub-list the sender is in. The possible return codes are as follows:

unused - This return code is currently not in use.

spam - Sources of spam that have sent email to the blacklist operator. Also listed here are IPs that have been determined to be spammers in discussions on the usenet discussion group. Oftentimes, being listed in "spam" can simply be the result of inheriting someone else's IP space that was at one time deemed dirty by the blacklist.

dialup - Previously a list of dialup-based IP addresses. As with almost all other dialup lists, or DULs as they are sometimes called, this list has been discontinued, the stated reason being too much administrative work for too little actual spam prevention.

bulk - The blacklist describes a bulk mailer as anyone who does not require closed-loop confirmed opt-in from all users. A closed-loop confirmed opt-in is also known throughout the bulk mail industry as a double opt-in. In the past, a user would ask to receive emails and, taking no further action, would be enrolled in the mailing list. To pass a closed-loop, or double, opt-in, you must not only ask for a subscription but must specifically confirm it a second time.

The closed loop system provides assurance that the person asking to be subscribed to a mailing list did so on their own behalf. It also affords the maintainer of the system the ability to keep detailed records such as the date, time, and IP of when the requester first attempted membership.

multistage - A multistage open relay or proxy is a system of multiple machines all working together to send spam. Usually it involves one front-line SMTP server that is under the control of a spammer group. That SMTP server then passes all its outbound mail through an open relay or open proxy that has been left unsecured. In this case, it is the output SMTP server, that is, the exploited server's IP address, that will be listed.

singlestage - A single stage open relay or proxy is simply an unsecured host on a network. Any arbitrary spammer can connect directly to it and use it as a means to anonymously send large volumes of email through another network. "singlestage" lists IP addresses of open relays seen spamming.

spam-support - "spam-support" lists any network that supports a spammer in any form. The blacklist appears to be extremely aggressive in this category. Any IP that is known to be part of an operation that supports spam will be listed. From basic connectivity, DNS, email, and sales to general service and support, providers that cater to spammers will be listed here. IP addresses generally do not leave the "spam-support" listing; aside from an organization-wide policy change, changing service providers is generally the only effective way out of this listing.

webform - "webform" lists web servers running vulnerable versions of or other abusable web-to-mail gateways. This can also include smarthosts that play a role in delivering mail for the exploited web forms.

misc - The "misc" category lists IP ranges in groups of /24 CIDR-style ranges. A listing is caused by one or more violations of the following:

  • Missing reverse DNS
  • Falsified reverse DNS
  • Domains with no attached web server
  • Domains with boilerplate content served from their web server
  • Suspect servers that are part of multistage open relays that could not be entirely confirmed for listing in "multistage"

klez - Most spammers forge the return address of the emails they send and set a custom "reply-to" address. If one of these forged messages hits a server that has anti-virus software installed, there is a chance the anti-virus software will deliver an alert to the forged address or, worse, the reply-to address. While this is not technically spam, but rather a misconfiguration or a broken anti-virus tool, "klez" lists servers that exhibit this behavior.

tcpa - The TCPA, or Telephone Consumer Reporting Act, was passed by the US Congress in 1991. The TCPA established the "Do Not Call List", as well as many of the newer rules and regulations for telephone marketers. The "tcpa" list contains the IP addresses of any organization that has been in violation of any of the TCPA provisions.

free - The "free" list contains the IP addresses of all large and well-known free email providers, including common services such as gmail, hotmail, yahoo, aol, and many others.

cr - A challenge-response system is a method some end users choose to combat spam. If someone sends you an email and it is the first time that person has ever emailed you, they are sent a challenge via email. If the sender chooses to, they solve the challenge, usually by clicking on a link, at which point the original email is delivered. Most people have learned that senders are not willing to put up with a challenge-response system and no longer deploy them. Those that still do will have their IP address listed in the "cr" category.
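As an added example (not from this page or the blacklist's own documentation), here is how a mail server might query the zone in reversed-IP form, map the 127.0.0.x answers to sub-lists, and apply them as a score rather than an outright block, with the logging-only mode recommended under "Listing criteria". The zone name, the code-to-sub-list numbers and the weights are constructed placeholders, not the blacklist's real values.

```python
import ipaddress

# Constructed placeholder mapping from the last octet of a 127.0.0.x answer to
# the sub-list it denotes. The real code numbers are not given on this page, so
# an operator must replace these with the values from the blacklist's own docs.
EXAMPLE_CODES = {2: "spam", 4: "bulk", 5: "multistage", 6: "singlestage", 7: "spam-support"}

# Assumed weights for a score-based policy: the page says "bulk" carries a high
# false-positive rate, so it contributes little; open relays contribute a lot.
WEIGHTS = {"spam": 3.0, "bulk": 0.5, "multistage": 4.0, "singlestage": 4.0, "spam-support": 1.0}

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

def query_name(ip, zone):
    """Reversed-octet DNSBL name: 1.2.3.4 in zone z becomes 4.3.2.1.z."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(answers, codes=EXAMPLE_CODES):
    """Map A records to sub-list names. A sender on several sub-lists yields
    several answers; anything outside 127.0.0.0/8 is ignored, so a wildcarded
    or expired zone never reads as a listing."""
    categories = []
    for rr in answers:
        addr = ipaddress.IPv4Address(rr)
        if addr in LOOPBACK:
            code = int(addr) & 0xFF
            categories.append(codes.get(code, "unknown-%d" % code))
    return categories

def decide(ip, zone, resolve, threshold=4.0, log_only=True):
    """resolve(name) returns the A records for name, or [] on NXDOMAIN.
    log_only=True is the logging-only mode the text recommends before production."""
    categories = classify(resolve(query_name(ip, zone)))
    total = sum(WEIGHTS.get(c, 1.0) for c in categories)
    verdict = "reject" if total >= threshold else "accept"
    return {"categories": categories, "score": total,
            "verdict": verdict, "action": "log" if log_only else verdict}

# Constructed sample zone data standing in for live DNS, so the demo runs offline.
SAMPLE_ZONE = "bl.example.invalid"
SAMPLE_ANSWERS = {
    "4.3.2.1." + SAMPLE_ZONE: ["127.0.0.4"],                # bulk mailer only
    "8.0.0.10." + SAMPLE_ZONE: ["127.0.0.6", "127.0.0.2"],  # open relay seen spamming
}

def sample_resolve(name):
    return SAMPLE_ANSWERS.get(name, [])
```

In production, `resolve` would be a real DNS lookup of the reversed name against the blacklist zone; the sample resolver only serves the two constructed entries above.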

Removal Process

The blacklist's website does not provide any information on the removal process for a listed IP address.
