by nickpsecurity 3712 days ago
Or just block the sources of abuse while everyone else enjoys and can act on the content. Or just block comments from anonymous nets so they can at least read. Comment sections that are Wild West hurt branding too much for it to be an option.

It seems like we know how to solve this. Put a CAPTCHA on account creation, then allow users to flag posts and auto-ban fresh accounts with high flag rates.

I'm honestly kind of surprised that there isn't more spam from attackers who compromise something close enough to a backbone provider that they can spoof arbitrary IP addresses and still see the return traffic.
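An added example (not part of the thread) of the flag-based auto-ban suggested in the comment above. The thresholds, the `Account` type and the rule that only established accounts' flags count are assumptions made here, chosen so that a burst of flags from sockpuppets cannot ban a legitimate newcomer.

```python
from dataclasses import dataclass, field

# All thresholds are assumed values for illustration; tune them on real data.
FRESH_DAYS = 14      # accounts younger than this count as "fresh"
MIN_POSTS = 3        # do not judge a flag rate on fewer posts than this
MIN_FLAGGERS = 2     # distinct established flaggers needed to count a post
BAN_RATE = 0.5       # share of flagged posts that triggers the auto-ban

@dataclass
class Account:
    name: str
    age_days: int
    posts: dict = field(default_factory=dict)  # post id -> set of flagger names

def is_fresh(acct):
    return acct.age_days < FRESH_DAYS

def flagged_posts(acct, accounts):
    """Count posts flagged by enough distinct, established, other accounts."""
    total = 0
    for flaggers in acct.posts.values():
        trusted = {f for f in flaggers if f != acct.name
                   and f in accounts and not is_fresh(accounts[f])}
        total += len(trusted) >= MIN_FLAGGERS
    return total

def should_auto_ban(acct, accounts):
    if not is_fresh(acct) or len(acct.posts) < MIN_POSTS:
        return False  # established or low-volume accounts go to human review
    return flagged_posts(acct, accounts) / len(acct.posts) >= BAN_RATE

def sample_accounts():
    """Constructed sample data: two regulars, two sockpuppets, four subjects."""
    vets, socks = {"alice", "bob"}, {"sock1", "sock2"}
    rows = [
        Account("alice", 400), Account("bob", 200),
        Account("sock1", 1), Account("sock2", 1),
        Account("spam1", 1, {1: vets, 2: vets, 3: vets, 4: set()}),
        Account("newbie", 2, {1: vets, 2: set(), 3: {"alice"}}),
        Account("victim", 3, {1: socks, 2: socks, 3: socks}),
        Account("olduser", 900, {1: vets, 2: vets, 3: vets}),
    ]
    return {a.name: a for a in rows}

if __name__ == "__main__":
    accts = sample_accounts()
    for a in accts.values():
        print(a.name, should_auto_ban(a, accts))
```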

Those are possibilities. As is Disqus-style moderation. Nonetheless, it's a lot of extra work with nothing to show for it and possibly dangerous to site experience. That's the problem Tor poses.
The problem isn't unique to Tor. It's anything that allows a spammer to use the same IP address as innocent people, including things that aren't exactly legal, like compromised PCs and routers. Which means blocking Tor blocks the people who follow the law but not the people who break the law.

And the problem is going to get worse as a result of IPv4 address exhaustion because some ISPs are going to have to start using carrier grade NAT (and some already are). The answer to that is IPv6 as ever, but that has the opposite problem. IPv6 addresses are too cheap to meter and using a thing for proof of stake requires the thing to be scarce.

So the thing to show for it is that you can field test your solution prior to the day of Spam Armageddon when a spammer realizes they have a botnet with access to a million billion IPv6 addresses.

"The problem isn't unique to Tor. It's anything that allows a spammer to use the same IP address as innocent people, including things that aren't exactly legal, like compromised PCs and routers."

That's sort of true. It's technically true that any I.P. address might be the source of malice. Yet, Tor's I.P. addresses will steadily be the source of a ton of malice with no resolution of that problem. Quite different than what happens when someone's ISP tells them there's malware on their machine. There's also economics involved where people have to pay for those machines and are therefore more likely to use them for other, profitable activities. Probably why we see less spam from those accounts.

What remains are WiFi hotspots, libraries, etc. Apparently, they're not drowning services in hatemail and spam because they're still allowed. They could but few are complaining about them.

"And the problem is going to get worse as a result of IPv4 address exhaustion because some ISPs are going to have to start using carrier grade NAT (and some already are)."

Good call. I saw this coming. There were already talks by Ross Anderson IIRC about how critical it was for forensics to get the port number and time-stamp since CG-NAT would make I.P.'s useless. Already is in some areas.

"So the thing to show for it is that you can field test your solution prior to the day of Spam Armageddon when a spammer realizes they have a botnet with access to a million billion IPv6 addresses."

Haha. Interesting way of looking at it. I'm more worried about the routing tables, though, if IPv6 got a massive surge of traffic. Never looked to see if they fixed early concerns about how well Tier 1-3 HW would handle it vs IPv4.

> It's technically true that any I.P. address might be the source of malice. Yet, Tor's I.P. addresses will steadily be the source of a ton of malice with no resolution of that problem.

Which makes blocking Tor seem attractive until you still need some defense against the attacks from arbitrary other IP addresses, and once you have those defenses you can use them against malicious Tor traffic and no longer need to block its legitimate users.

> Good call. I saw this coming. There were already talks by Ross Anderson IIRC about how critical it was for forensics to get the port number and time-stamp since CG-NAT would make I.P.'s useless. Already is in some areas.

And even then it's assuming the carrier has port-level logs to compare against. If you have ten million customers who on average make one connection every ten seconds and a connection log entry is 50 bytes then you're writing 50MB/sec of log entries, i.e. >4TB/day. If they keep them at all it's not going to be for very long.

It seems like it would be a lot easier to move identities to some kind of proof of work based pseudonyms than to keep trying to force IP addresses to serve a role they were never designed for and the casting into of which causes no small amount of collateral damage.

> I'm more worried about the routing tables, though, if IPv6 got massive surge of traffic. Never looked to see if they fixed early concerns about how well Tier 1-3 HW would handle it vs IPv4.

Part of it is that IPv6 addresses are allocated in larger blocks, which means less address space fragmentation because nobody runs out and has to come back for another non-contiguous block, which means more addresses per routing table entry. And the rest of it is that memory is cheaper than it used to be.
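An added example (not part of the thread) of one possible shape for the proof-of-work pseudonyms mentioned in the comment above: a hashcash-style stamp over a site name and a public key, so that each new identity costs CPU time instead of an IP address. The `Registry` class, the 12-bit difficulty and the placeholder key are assumptions; signing posts with the key is left out.

```python
import hashlib

DIFFICULTY_BITS = 12  # assumed and deliberately low so the demo mints quickly

def leading_zero_bits(digest):
    """Number of zero bits before the first set bit of a byte string."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def stamp(site, pubkey, nonce):
    # Binding the site name in means work done for one site is useless on another.
    return hashlib.sha256(b"%s\x00%s\x00%d" % (site.encode(), pubkey, nonce)).digest()

def mint(site, pubkey, bits=DIFFICULTY_BITS):
    """Client side: search for the first nonce that meets the difficulty."""
    nonce = 0
    while leading_zero_bits(stamp(site, pubkey, nonce)) < bits:
        nonce += 1
    return nonce

def verify(site, pubkey, nonce, bits=DIFFICULTY_BITS):
    """Server side: one hash, however long the client spent minting."""
    return leading_zero_bits(stamp(site, pubkey, nonce)) >= bits

class Registry:
    """Pseudonyms a site has accepted, plus the ones it has banned."""
    def __init__(self, site):
        self.site, self.members, self.banned = site, set(), set()

    def register(self, pubkey, nonce):
        name = hashlib.sha256(pubkey).hexdigest()[:16]
        if name in self.banned or not verify(self.site, pubkey, nonce):
            return None
        self.members.add(name)
        return name

    def ban(self, name):
        # A banned user must generate a new key and pay the minting cost again.
        self.members.discard(name)
        self.banned.add(name)

if __name__ == "__main__":
    key = b"constructed-demo-public-key"  # constructed placeholder, not a real key
    reg = Registry("news.example")
    n = mint(reg.site, key)
    print("nonce", n, "pseudonym", reg.register(key, n))
```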

"and once you have those defenses you can use them against malicious Tor traffic and no longer need to block its legitimate users."

What's your recommendation for a low-cost, low-effort method that solves the Tor and every other I.P. user problem? It has to provide a reduction just as good as blocking Tor with similar effort by admin.

Ah yes, we can't sacrifice the all-important branding!
If you're a business, you can't. There's a decision to make:

1. Focus on benefiting anonymous people who either don't contribute shit back to the business or barely do. Freeloaders.

2. Focus on benefiting the founders, customers, and employees (in that order). If you lose some freeloaders, then so be it. If it's their design decision, then so be it times 10. They can always set up an unrestricted forum for people like them to discuss the article and deal with security headaches they bring in.

Wait, No 2 seems to work as most readers and the company are benefiting except for the few that choose not to.