There’s been a lot of heated discussion in the Tor community about cloud security services blocking access to Tor users. In an effort to block Tor, some heavy-handed decisions have adversely affected a lot of legitimate users.

We believe there is a way to protect sites and allow users to browse in the manner they choose.

What is Tor?

If you are unfamiliar with Tor, the EFF describes it as “a powerful tool that helps you stay anonymous online. It can protect your privacy as you browse the Internet and circumvent government censorship of the webpages you visit.”

Who uses Tor?

Anyone can use Tor. People who are concerned with privacy and censorship actively use it for their daily web browsing. However, because of its ability to keep users and their web browsing history anonymous, Tor is also used for malicious activity by hackers and cybercriminals.

While Tor’s intent is to offer an alternative anonymity service to the general public, its website acknowledges the potential for abuse of its platform by criminals who are looking to hide their tracks. In a moment, we’ll tell you how we’re able to identify legitimate users and block criminals.

Determining the intent of all users, including Tor users

Providing security at scale is a complicated task. The constant struggle between false positives and false negatives can cause a lot of injuries in the virtual playing field.

The fear that some services have of not being able to address bad actors properly can sometimes lead to excessive security measures that cause more harm than good.

That’s similar to what can happen when you use a very blunt tool for a very delicate task, like relying heavily on IP reputation to whitelist or blacklist visitors, or just serving CAPTCHAs to everyone without taking into consideration the business needs.

Imperva Incapsula, on the other hand, uses a multidimensional, surgical approach: it profiles visitors and requests to determine the least intrusive action needed to block bad traffic. The result is a solution that needs minimal configuration and has no UX impact.

How Incapsula handles Tor

Our approach to creating rules for blocking distributed denial of service (DDoS) attacks is multilayered. It relies strongly on client classification, uses a behavioral approach to determine “risky” behavior, and uses IP reputation in a supporting role, as an indicator of impending threats.

This approach gives us fine-grained control over whom we challenge.

Our progressive challenge approach helps us avoid interrupting UX by using subtle challenges to transparently vet visitors. We only use CAPTCHA when we determine there’s a small chance of it being served to a legitimate human visitor. We believe that CAPTCHA is a blunt tool for mitigating bad traffic.

For example, when a Tor user enters a website, in the majority of cases we won’t take any special action and will only profile their behavior from a security perspective, like any other visitor. We will never use anything that violates anyone’s privacy or that de-anonymizes them.

Even if a site that leverages Tor is under DDoS attack, our client classification engine and context-aware approach will allow us to differentiate between good and bad Tor users. In this way, we avoid the “group punishment” approach.

What’s your opinion on Tor? Do you think the privacy rights of individuals outweigh the potential for criminals to use Tor anonymously to launch attacks? We believe there is a way to both respect user privacy and weed out the criminals.

