[AnthonyMouse]

It seems like we know how to solve this. Put a CAPTCHA on account creation, then allow users to flag posts and auto-ban fresh accounts with high flag rates.

I'm honestly kind of surprised that there isn't more spam from attackers who compromise something close enough to a backbone provider that they can spoof arbitrary IP addresses and still see the return traffic.

[nickpsecurity]

Those are possibilities. As is Disqus-style moderation. Nonetheless, it's a lot of extra work with nothing to show for it and possibly dangerous to site experience. That's the problem Tor poses.

[AnthonyMouse]

The problem isn't unique to Tor. It's anything that allows a spammer to use the same IP address as innocent people, including things that aren't exactly legal, like compromised PCs and routers. Which means blocking Tor blocks the people who follow the law but not the people who break the law.

And the problem is going to get worse as a result of IPv4 address exhaustion because some ISPs are going to have to start using carrier grade NAT (and some already are). The answer to that is IPv6 as ever, but that has the opposite problem. IPv6 addresses are too cheap to meter and using a thing for proof of stake requires the thing to be scarce.

So the thing to show for it is that you can field test your solution prior to the day of Spam Armageddon when a spammer realizes they have a botnet with access to a million billion IPv6 addresses.

[nickpsecurity]

"The problem isn't unique to Tor. It's anything that allows a spammer to use the same IP address as innocent people, including things that aren't exactly legal, like compromised PCs and routers. "

That's sort of true. It's technically true that any I.P. address might be the source of malice. Yet, Tor's I.P. addresses will steadily be the source of a ton of malice with no resolution of that problem. Quite different than what happens when someone's ISP tells them there's malware on their machine. There's also economics involved where people have to pay for those machines and are therefore more likely to use them for other, profitable activities. Probably why we see less spam from those accounts.

What remains are WiFi hotspots, libraries, etc. Apparently, they're not drowning services in hatemail and spam because they're still allowed. They could but few are complaining about them.

"And the problem is going to get worse as a result of IPv4 address exhaustion because some ISPs are going to have to start using carrier grade NAT (and some already are). "

Good call. I saw this coming. There were already talks by Ross Anderson IIRC about how critical it was for forensics to get the port number and time-stamp since CG-NAT would make I.P.'s useless. Already is in some areas.

"So the thing to show for it is that you can field test your solution prior to the day of Spam Armageddon when a spammer realizes they have a botnet with access to a million billion IPv6 addresses."

Haha. Interesting way of looking at it. I'm more worried about the routing tables, though, if IPv6 got massive surge of traffic. Never looked to see if they fixed early concerns about how well Tier 1-3 HW would handle it vs IPv4.

[AnthonyMouse]

> It's technically true that any I.P. address might be the source of malice. Yet, Tor's I.P. addresses will steadily be the source of a ton of malice with no resolution of that problem.

Which makes blocking Tor seem attractive until you still need some defense against the attacks from arbitrary other IP addresses, and once you have those defenses you can use them against malicious Tor traffic and no longer need to block its legitimate users.

> Good call. I saw this coming. There were already talks by Ross Anderson IIRC about how critical it was for forensics to get the port number and time-stamp since CG-NAT would make I.P.'s useless. Already is in some areas.

And even then it's assuming the carrier has port-level logs to compare against. If you have ten million customers who on average make one connection every ten seconds and a connection log entry is 50 bytes then you're writing 50MB/sec of log entries, i.e. >4TB/day. If they keep them at all it's not going to be for very long.

It seems like it would be a lot easier to move identities to some kind of proof of work based pseudonyms than to keep trying to force IP addresses to serve a role they were never designed for and the casting into of which causes no small amount of collateral damage.

> I'm more worried about the routing tables, though, if IPv6 got massive surge of traffic. Never looked to see if they fixed early concerns about how well Tier 1-3 HW would handle it vs IPv4.

Part of it is that IPv6 addresses are allocated in larger blocks, which means less address space fragmentation because nobody runs out and has to come back for another non-contiguous block, which means more addresses per routing table entry. And the rest of it is that memory is cheaper than it used to be.

[nickpsecurity]

"and once you have those defenses you can use them against malicious Tor traffic and no longer need to block its legitimate users."

What's your recommendation for a low-cost, low-effort method that solves the Tor and every other I.P. user problem? It has to provide a reduction just as good as blocking Tor with similar effort by admin.

[AnthonyMouse]

> What's your recommendation for a low-cost, low-effort method that solves the Tor and every other I.P. user problem?

The first step is realizing that you have a behavior problem, not an IP address problem. There is no silver bullet against an adaptive adversary, but this is the sort of thing that proof of stake or proof of work is well suited for. If the user wants to do more than read your website then they need to post some collateral. In the small time case this is just putting a CAPTCHA on account creation. If you're a bank or something then nobody gets in the door unless they have an account with you which has been verified against their government ID etc.

Then anybody who misbehaves forfeits their collateral, i.e. you close their account. Which for normal people never happens, but for malicious parties is designed to happen before the profit from their malice exceeds the value of the collateral. Spammers aren't going to be willing to solve CAPTCHAs all day just to post one message at a time which will be deleted in twenty minutes.

And then the administrative cost disappears because the spammers realize it isn't worth doing and you don't have to spend time deleting spam once they stop posting it.

> It has to provide a reduction just as good as blocking Tor with similar effort by admin.

To which a large point is that blocking Tor isn't particularly effective. People make a lot of noise about the fact that a Tor IP address is some large factor more likely than average to have malicious traffic, but it also represents a larger number of people than most IP addresses. If you look instead at the percentage of all malicious traffic that comes from Tor, it's a minority.

And even allowing Tor traffic and then trying to measure what percentage of all malicious traffic is from Tor is over-representing the effectiveness of blocking Tor by counting malicious traffic that comes from Tor if you allow it but would still come from somewhere else if you didn't.

Net result being that blocking Tor might get you something like a single digit reduction in malicious traffic. Now you need to do something about the other 90%. CAPTCHAs and pseudonym reputation systems and so on. But those things work about as well against traffic from Tor as traffic from anywhere else, which cuts a nice chunk out of the remaining single digit percentage improvement you had been getting by blocking Tor.

Net result is you end up blocking a lot of innocent people to get something like a 2% overall reduction in malicious traffic. And the better you get at solving the problem in other ways, the smaller the benefit of blacklisting IP addresses becomes.