Traffic Studies Reveal Complex Picture of Tor's Role on 'Dark Web'
The focus on Tor's bad side has resulted in people wanting to shut down the Dark Net and, by extension, the Tor network, Eric Jardine, research fellow for the Centre for International Governance Innovation (CIGI), told eWEEK. More than 70 percent of people across the globe want to shutter the Dark Net, CIGI found in its annual 2016 CIGI-Ipsos Global Survey on Internet Security and Trust, which polled more than 24,000 Internet users. "A lot of people really don't know what the Tor network is as a technology and what its various functions are," he said. "And they see a news story—such as a child-abuse ring or an illegal marketplace—and they have a knee-jerk reaction, saying, 'We don't need this. Shut it down.'" Jardine argues that the Tor Network has a marketing problem. A simple name change—one online user proposed the "Freedom Network"—might go a long way toward changing opinions, he said. Considering that CIGI also found that only 38 percent of people trust that their activities on the Internet are not monitored, a continued focus on privacy should help as well. Looking at the data is unlikely to answer the question of whether Tor is a haven for bad actors or for people trying to fight oppression overseas. While CloudFlare's study arguably shows that a small number of automated systems can abuse the network to create a large number of attacks on Web sites, other studies have found different results.Akamai also, however, found that requests from Tor exit nodes had an equal likelihood as non-Tor traffic to conduct a legitimate commercial transaction, suggesting that Tor users may be just as valuable to business sites as non-Tor visitors are. "They are not just there to surf the Internet, but to shop the sites," Larry Cashdollar, an aptly named senior security response engineer for Akamai, told eWEEK. In a separate study, bot-blocker Distil Networks—whose data may be more comparable to CloudFlare's—found that 48 percent of traffic from Tor and other proxies violated its rules for legitimate traffic. A small number of users can easily create a large volume of malicious traffic, Rami Essaid, CEO of Distil, told eWEEK. "You can have a handful of bad actors that can pollute the Tor IPs, since the fundamental premise of Tor is to not assign a static IP [to] an individual," he said. CloudFlare's Prince recognizes that the company's study looks at a segment of Tor traffic that applies most to its customers. He stressed that the company's classification of requests from Tor likely represents only a minority of traffic going through the anonymizing network. In addition to all the traffic headed to Websites that does not consist of CloudFlare customers, about 60 percent of traffic on the Tor Network is peer-to-peer file-sharing, which is never seen by CloudFlare, he said. Furthermore, malware that uses Tor for command-and-control traffic would also not be visible to CloudFlare. "So inherently, we see only the sliver of Tor traffic that goes to HTTP and HTTPS sites," Prince said.
In its own look at Tor traffic, Akamai found that only 0.3 percent of requests coming from a Tor exit node attacked Web sites. Yet, Akamai focused on a narrow definition of attacks—requests that attempted to exploit a Web application, such as SQL injection, cross-site scripting and command injection. Such attacks tend to be much more focused and produce less bandwidth than the attacks viewed by CloudFlare.