tor-webwml.git

en/faq-abuse.wml   1) ## translation metadata

en/faq-abuse.wml   2) # Revision: $Revision$

en/faq-abuse.wml   3) # Translation-Priority: 3-low

abuse.html         4) 

en/faq-abuse.wml   5) #include "head.wmi" TITLE="Abuse FAQ"

faq-abuse.html     6) 

abuse.html         7) <div class="main-column">
abuse.html         8) 

faq-abuse.html     9) <!-- PUT CONTENT AFTER THIS TAG -->
faq-abuse.html    10) 

en/faq-abuse.wml  11) <h2>Abuse FAQ</h2>

faq-abuse.html    12) <hr />
faq-abuse.html    13) 

faq-abuse.html    14) <a id="WhatAboutCriminals"></a>
faq-abuse.html    15) <h3><a class="anchor" href="#WhatAboutCriminals">Doesn't Tor enable criminals to do bad things?</a></h3>

abuse.html        16) 

faq-abuse.html    17) <p>Criminals can already do bad things. Since they're willing to
faq-abuse.html    18) break laws, they already have lots of options available that provide
faq-abuse.html    19) <em>better</em> privacy than Tor provides. They can steal cell phones,
faq-abuse.html    20) use them, and throw them in a ditch; they can crack into computers
faq-abuse.html    21) in Korea or Brazil and use them to launch abusive activities; they

faq-abuse.html    22) can use spyware, viruses, and other techniques to take control of
faq-abuse.html    23) literally millions of Windows machines around the world. </p>

abuse.html        24) 

faq-abuse.html    25) <p>Tor aims to provide protection for ordinary people who want to follow

en/faq-abuse.wml  26) the law. Only criminals have privacy right now, and we need to fix that. </p>

faq-abuse.html    27) 

faq-abuse.html    28) <p>Some advocates of anonymity explain that it's just a tradeoff &mdash;

en/faq-abuse.wml  29) accepting the bad uses for the good ones — but there's more to it
en/faq-abuse.wml  30) than that.

faq-abuse.html    31) Criminals and other bad people have the motivation to learn how to

faq-abuse.html    32) get good anonymity, and many have the motivation to pay well to achieve
faq-abuse.html    33) it. Being able to steal and reuse the identities of innocent victims
faq-abuse.html    34) (identify theft) makes it even easier. Normal people, on the other hand,

en/faq-abuse.wml  35) don't have the time or money to spend figuring out how to get

faq-abuse.html    36) privacy online. This is the worst of all possible worlds. </p>
faq-abuse.html    37) 
faq-abuse.html    38) <p>So yes, criminals could in theory use Tor, but they already have
faq-abuse.html    39) better options, and it seems unlikely that taking Tor away from the
faq-abuse.html    40) world will stop them from doing their bad things. At the same time, Tor
faq-abuse.html    41) and other privacy measures can <em>fight</em> identity theft, physical
faq-abuse.html    42) crimes like stalking, and so on. </p>
faq-abuse.html    43) 

en/faq-abuse.wml  44) <!--
en/faq-abuse.wml  45) <a id="Pervasive"></a>
en/faq-abuse.wml  46) <h3><a class="anchor" href="#Pervasive">If the whole world starts using
en/faq-abuse.wml  47) Tor, won't civilization collapse?</a></h3>
en/faq-abuse.wml  48) -->
en/faq-abuse.wml  49) 

faq-abuse.html    50) <a id="DDoS"></a>
faq-abuse.html    51) <h3><a class="anchor" href="#DDoS">What about distributed denial of service attacks?</a></h3>

abuse.html        52) 

faq-abuse.html    53) <p>Distributed denial of service (DDoS) attacks typically rely on having a group

faq-abuse.html    54) of thousands of computers all sending floods of traffic to a victim. Since
faq-abuse.html    55) the goal is to overpower the bandwidth of the victim, they typically send
faq-abuse.html    56) UDP packets since those don't require handshakes or coordination. </p>
faq-abuse.html    57) 

faq-abuse.html    58) <p>But because Tor only transports correctly formed TCP streams, not

faq-abuse.html    59) all IP packets, you cannot send UDP packets over Tor. (You can't do
faq-abuse.html    60) specialized forms of this attack like SYN flooding either.) So ordinary
faq-abuse.html    61) DDoS attacks are not possible over Tor. Tor also doesn't allow bandwidth
faq-abuse.html    62) amplification attacks against external sites: you need to send in a byte

faq-abuse.html    63) for every byte that the Tor network will send to your destination. So

faq-abuse.html    64) in general, attackers who control enough bandwidth to launch an effective
faq-abuse.html    65) DDoS attack can do it just fine without Tor. </p>
faq-abuse.html    66) 

faq-abuse.html    67) <a id="WhatAboutSpammers"></a>
faq-abuse.html    68) <h3><a class="anchor" href="#WhatAboutSpammers">What about spammers?</a></h3>

abuse.html        69) 

faq-abuse.html    70) <p>First of all, the default Tor exit policy rejects all outgoing

faq-abuse.html    71) port 25 (SMTP) traffic. So sending spam mail through Tor isn't going to

en/faq-abuse.wml  72) work by default. It's possible that some relay operators will enable

faq-abuse.html    73) port 25 on their particular exit node, in which case that computer will
faq-abuse.html    74) allow outgoing mails; but that individual could just set up an open mail

faq-abuse.html    75) relay too, independent of Tor. In short, Tor isn't useful for spamming,

en/faq-abuse.wml  76) because nearly all Tor relays refuse to deliver the mail. </p>

faq-abuse.html    77) 

faq-abuse.html    78) <p>Of course, it's not all about delivering the mail. Spammers can use

faq-abuse.html    79) Tor to connect to open HTTP proxies (and from there to SMTP servers); to
faq-abuse.html    80) connect to badly written mail-sending CGI scripts; and to control their
faq-abuse.html    81) botnets — that is, to covertly communicate with armies of
faq-abuse.html    82) compromised computers that deliver the spam.

faq-abuse.html    83) </p>
faq-abuse.html    84) 

faq-abuse.html    85) <p>
faq-abuse.html    86) This is a shame, but notice that spammers are already doing great
faq-abuse.html    87) without Tor. Also, remember that many of their more subtle communication
faq-abuse.html    88) mechanisms (like spoofed UDP packets) can't be used over Tor, because
faq-abuse.html    89) it only transports correctly-formed TCP connections.
faq-abuse.html    90) </p>

abuse.html        91) 

faq-abuse.html    92) <a id="ExitPolicies"></a>
faq-abuse.html    93) <h3><a class="anchor" href="#ExitPolicies">How do Tor exit policies work?</a></h3>

abuse.html        94) 

en/faq-abuse.wml  95) <p>Each Tor relay has an exit policy that specifies what sort of
en/faq-abuse.wml  96) outbound connections are allowed or refused from that relay. The exit

faq-abuse.html    97) policies are propagated to the client via the directory, so clients
faq-abuse.html    98) will automatically avoid picking exit nodes that would refuse to exit
faq-abuse.html    99) to their intended destination. </p>
faq-abuse.html   100) 

en/faq-abuse.wml 101) <p>This way each relay can decide the services, hosts, and networks

faq-abuse.html   102) he wants to allow connections to, based on abuse potential and his own
faq-abuse.html   103) situation. </p>

abuse.html       104) 

faq-abuse.html   105) <a id="HowMuchAbuse"></a>
faq-abuse.html   106) <h3><a class="anchor" href="#HowMuchAbuse">Does Tor get much abuse?</a></h3>

abuse.html       107) 

faq-abuse.html   108) <p>Not much, in the grand scheme of things. We've been running the network
faq-abuse.html   109) since October 2003, and it's only generated a handful of complaints. Of
faq-abuse.html   110) course, like all privacy-oriented networks on the net, we attract our
faq-abuse.html   111) share of jerks. Tor's exit policies help separate the role of "willing
faq-abuse.html   112) to donate resources to the network" from the role of "willing to deal

faq-abuse.html   113) with exit abuse complaints," so we hope our network is more sustainable

faq-abuse.html   114) than past attempts at anonymity networks. </p>

abuse.html       115) 

en/faq-abuse.wml 116) <p>Since Tor has
en/faq-abuse.wml 117) <a href="<page overview>">many good uses as

faq-abuse.html   118) well</a>, we feel that we're doing pretty well at striking a balance
faq-abuse.html   119) currently. </p>
faq-abuse.html   120) 

faq-abuse.html   121) <a id="TypicalAbuses"></a>

en/faq-abuse.wml 122) <h3><a class="anchor" href="#TypicalAbuses">So what should I expect if I run an exit relay?</a></h3>

abuse.html       123) 

en/faq-abuse.wml 124) <p>If you run a Tor relay that allows exit connections (such as the

faq-abuse.html   125) default exit policy), it's probably safe to say that you will eventually

faq-abuse.html   126) hear from somebody. Abuse

faq-abuse.html   127) complaints may come in a variety of forms. For example: </p>

abuse.html       128) <ul>

faq-abuse.html   129) <li>Somebody connects to Hotmail, and sends a ransom note to a

faq-abuse.html   130) company. The

en/faq-abuse.wml 131) FBI sends you a polite email, you explain that you run a Tor relay,

faq-abuse.html   132) and they say "oh well" and leave you alone. [Port 80]</li>
faq-abuse.html   133) <li>Somebody tries to get you shut down by using Tor to connect to Google
faq-abuse.html   134) groups and post spam to Usenet, and then sends an angry mail to

faq-abuse.html   135) your ISP about how you're destroying the world. [Port 80]</li>

faq-abuse.html   136) <li>Somebody connects to an IRC network and makes a nuisance of

faq-abuse.html   137) himself. Your ISP gets polite mail about how your computer has been

faq-abuse.html   138) compromised; and/or your computer gets DDoSed. [Port 6667]</li>

faq-abuse.html   139) <li>Somebody uses Tor to download a Vin Diesel movie, and

en/faq-abuse.wml 140) your ISP gets a DMCA takedown notice. See EFF's

en/faq-abuse.wml 141) <a href="<page eff/tor-dmca-response>">Tor DMCA Response

en/faq-abuse.wml 142) Template</a>, which explains why your ISP can probably ignore

faq-abuse.html   143) the notice without any liability. [Arbitrary ports]</li>

abuse.html       144) </ul>

faq-abuse.html   145) 

en/faq-abuse.wml 146) <p>You might also find that your Tor relay's IP is blocked from accessing

faq-abuse.html   147) some Internet sites/services. This might happen regardless of your exit
faq-abuse.html   148) policy, because some groups don't seem to know or care that Tor has
faq-abuse.html   149) exit policies. (If you have a spare IP not used for other activities,

en/faq-abuse.wml 150) you might consider running your Tor relay on it.) For example, </p>

faq-abuse.html   151) 

abuse.html       152) <ul>

faq-abuse.html   153) <li>Because of a few cases of anonymous jerks messing with its web

en/faq-abuse.wml 154) pages, Wikipedia is currently blocking many Tor relay IPs from writing

faq-abuse.html   155) (reading still works). We're talking to Wikipedia about how they might
faq-abuse.html   156) control abuse while still providing access to anonymous contributors,
faq-abuse.html   157) who often have hot news or inside info on a topic but don't want to risk
faq-abuse.html   158) revealing their identities when publishing it (or don't want to reveal
faq-abuse.html   159) to local observers that they're accessing Wikipedia). Slashdot is also
faq-abuse.html   160) in the same boat.</li>

en/faq-abuse.wml 161) 

en/faq-abuse.wml 162) <li>SORBS is putting some Tor relay IPs on their email

faq-abuse.html   163) blacklist as well. They do this because they passively detect whether your

en/faq-abuse.wml 164) relay connects to certain IRC networks, and they conclude from this that
en/faq-abuse.wml 165) your relay is capable of spamming. We tried to work with

en/faq-abuse.wml 166) them to teach them that not all software works this way,
en/faq-abuse.wml 167) but we have given up. We recommend you avoid them, and <a
en/faq-abuse.wml 168) href="http://paulgraham.com/spamhausblacklist.html">teach your friends
en/faq-abuse.wml 169) (if they use them) to avoid abusive blacklists too</a>.</li>
en/faq-abuse.wml 170) 

abuse.html       171) </ul>
abuse.html       172) 

faq-abuse.html   173) <a id="IrcBans"></a>
faq-abuse.html   174) <h3><a class="anchor" href="#IrcBans">Tor is banned from the IRC network I want to use.</a></h3>

abuse.html       175) 

faq-abuse.html   176) <p>Sometimes jerks make use of Tor to troll IRC channels. This abuse
faq-abuse.html   177) results in IP-specific temporary bans ("klines" in IRC lingo), as the
faq-abuse.html   178) network operators try to keep the troll off of their network. </p>
faq-abuse.html   179) 
faq-abuse.html   180) <p>This response underscores a fundamental flaw in IRC's security model:
faq-abuse.html   181) they assume that IP addresses equate to humans, and by banning the

faq-abuse.html   182) IP address they can ban the human. In reality this is not the case —

faq-abuse.html   183) many such trolls routinely make use of the literally millions of open
faq-abuse.html   184) proxies and compromised computers around the Internet. The IRC networks
faq-abuse.html   185) are fighting a losing battle of trying to block all these nodes,
faq-abuse.html   186) and an entire cottage industry of blacklists and counter-trolls has
faq-abuse.html   187) sprung up based on this flawed security model (not unlike the antivirus
faq-abuse.html   188) industry). The Tor network is just a drop in the bucket here. </p>
faq-abuse.html   189) 
faq-abuse.html   190) <p>On the other hand, from the viewpoint of IRC server operators, security
faq-abuse.html   191) is not an all-or-nothing thing.  By responding quickly to trolls or
faq-abuse.html   192) any other social attack, it may be possible to make the attack scenario
faq-abuse.html   193) less attractive to the attacker.  And most individual IP addresses do
faq-abuse.html   194) equate to individual humans, on any given IRC network at any given time.
faq-abuse.html   195) The exceptions include NAT gateways which may be allocated access as
faq-abuse.html   196) special cases. While it's a losing battle to try to stop the use of open
faq-abuse.html   197) proxies, it's not generally a losing battle to keep klining a single
faq-abuse.html   198) ill-behaved IRC user until that user gets bored and goes away. </p>
faq-abuse.html   199) 
faq-abuse.html   200) <p>But the real answer is to implement application-level auth systems,
faq-abuse.html   201) to let in well-behaving users and keep out badly-behaving users. This
faq-abuse.html   202) needs to be based on some property of the human (such as a password he
faq-abuse.html   203) knows), not some property of the way his packets are transported. </p>
faq-abuse.html   204) 
faq-abuse.html   205) <p>Of course, not all IRC networks are trying to ban Tor nodes. After
faq-abuse.html   206) all, quite a few people use Tor to IRC in privacy in order to carry
faq-abuse.html   207) on legitimate communications without tying them to their real-world
faq-abuse.html   208) identity. Each IRC network needs to decide for itself if blocking a few
faq-abuse.html   209) more of the millions of IPs that bad people can use is worth losing the
faq-abuse.html   210) contributions from the well-behaved Tor users. </p>
faq-abuse.html   211) 
faq-abuse.html   212) <p>If you're being blocked, have a discussion with the network operators
faq-abuse.html   213) and explain the issues to them. They may not be aware of the existence of
faq-abuse.html   214) Tor at all, or they may not be aware that the hostnames they're klining
faq-abuse.html   215) are Tor exit nodes.  If you explain the problem, and they conclude that
faq-abuse.html   216) Tor ought to be blocked, you may want to consider moving to a network that
faq-abuse.html   217) is more open to free speech.  Maybe inviting them to #tor on irc.oftc.net

faq-abuse.html   218) will help show them that we are not all evil people. </p>

faq-abuse.html   219) 

faq-abuse.html   220) <p>Finally, if you become aware of an IRC network that seems to be

faq-abuse.html   221) blocking Tor, or a single Tor exit node, please put that information on <a

en/faq-abuse.wml 222) href="https://wiki.torproject.org/wiki/TheOnionRouter/BlockingIrc">The Tor

faq-abuse.html   223) IRC block tracker</a>

faq-abuse.html   224) so that others can share.  At least one IRC network consults that page

faq-abuse.html   225) to unblock exit nodes that have been blocked inadvertently. </p>

abuse.html       226) 

faq-abuse.html   227) <a id="SMTPBans"></a>
faq-abuse.html   228) <h3><a class="anchor" href="#SMTPBans">Your nodes are banned from the mail server I want to use.</a></h3>

abuse.html       229) 

faq-abuse.html   230) <p>Even though <a href="#WhatAboutSpammers">Tor isn't useful for
faq-abuse.html   231) spamming</a>, some over-zealous blacklisters seem to think that all

faq-abuse.html   232) open networks like Tor are evil — they attempt to strong-arm network

faq-abuse.html   233) administrators on policy, service, and routing issues, and then extract

faq-abuse.html   234) ransoms from victims. </p>
faq-abuse.html   235) 
faq-abuse.html   236) <p>If your server administrators decide to make use of these

faq-abuse.html   237) blacklists to refuse incoming mail, you should have a conversation with

faq-abuse.html   238) them and explain about Tor and Tor's exit policies. </p>

abuse.html       239) 

faq-abuse.html   240) <a id="Bans"></a>
faq-abuse.html   241) <h3><a class="anchor" href="#Bans">I want to ban the Tor network from my service.</a></h3>

abuse.html       242) 

en/faq-abuse.wml 243) <p>We're sorry to hear that. There are some situations where it makes
en/faq-abuse.wml 244) sense to block anonymous users for an Internet service. But in many
en/faq-abuse.wml 245) cases, there are easier solutions that can solve your problem while
en/faq-abuse.wml 246) still allowing users to access your website securely.</p>
en/faq-abuse.wml 247) 

faq-abuse.html   248) <p>First, ask yourself if there's a way to do application-level decisions
faq-abuse.html   249) to separate the legitimate users from the jerks. For example, you might
faq-abuse.html   250) have certain areas of the site, or certain privileges like posting,

en/faq-abuse.wml 251) available only to people who are registered. It's easy to build an
en/faq-abuse.wml 252) up-to-date list of Tor IP addresses that allow connections to your
en/faq-abuse.wml 253) service, so you could set up this distinction only for Tor users. This
en/faq-abuse.wml 254) way you can have multi-tiered access and not have to ban every aspect
en/faq-abuse.wml 255) of your service. </p>
en/faq-abuse.wml 256) 
en/faq-abuse.wml 257) <p>For example, the <a
en/faq-abuse.wml 258) href="http://freenode.net/policy.shtml#tor">Freenode IRC network</a>
en/faq-abuse.wml 259) had a problem with a coordinated group of abusers joining channels and
en/faq-abuse.wml 260) subtly taking over the conversation; but when they labelled all users
en/faq-abuse.wml 261) coming from Tor nodes as "anonymous users," removing the ability of the
en/faq-abuse.wml 262) abusers to blend in, the abusers moved back to using their open proxies
en/faq-abuse.wml 263) and bot networks. </p>
en/faq-abuse.wml 264) 

en/faq-abuse.wml 265) <p>Second, consider that hundreds of thousands of
en/faq-abuse.wml 266) people use Tor every day simply for

en/faq-abuse.wml 267) good data hygiene — for example, to protect against data-gathering
en/faq-abuse.wml 268) advertising companies while going about their normal activities. Others
en/faq-abuse.wml 269) use Tor because it's their only way to get past restrictive local
en/faq-abuse.wml 270) firewalls. Some Tor users may be legitimately connecting

faq-abuse.html   271) to your service right now to carry on normal activities. You need to
faq-abuse.html   272) decide whether banning the Tor network is worth losing the contributions

en/faq-abuse.wml 273) of these users, as well as potential future legitimate users. (Often
en/faq-abuse.wml 274) people don't have a good measure of how many polite Tor users are
en/faq-abuse.wml 275) connecting to their service — you never notice them until there's
en/faq-abuse.wml 276) an impolite one.)</p>

faq-abuse.html   277) 

faq-abuse.html   278) <p>At this point, you should also ask yourself what you do about other
faq-abuse.html   279) services that aggregate many users behind a few IP addresses. Tor is
faq-abuse.html   280) not so different from AOL in this respect.</p>
faq-abuse.html   281) 

en/faq-abuse.wml 282) <p>Lastly, please remember that Tor relays have <a
en/faq-abuse.wml 283) href="#ExitPolicies">individual exit policies</a>. Many Tor relays do

en/faq-abuse.wml 284) not allow exiting connections at all. Many of those that do allow some
en/faq-abuse.wml 285) exit connections might already disallow connections to

faq-abuse.html   286) your service. When you go about banning nodes, you should parse the
faq-abuse.html   287) exit policies and only block the ones that allow these connections;
faq-abuse.html   288) and you should keep in mind that exit policies can change (as well as

en/faq-abuse.wml 289) the overall list of nodes in the network).</p>

faq-abuse.html   290) 

faq-abuse.html   291) <p>If you really want to do this, we provide a

en/faq-abuse.wml 292) <a href="https://check.torproject.org/cgi-bin/TorBulkExitList.py">Tor
en/faq-abuse.wml 293) exit relay list</a> or a
en/faq-abuse.wml 294) <a href="<page tordnsel/index>">DNS-based list you can query</a>.

faq-abuse.html   295) </p>

faq-abuse.html   296) 

en/faq-abuse.wml 297) <p>
en/faq-abuse.wml 298) (Some system administrators block ranges of IP addresses because of
en/faq-abuse.wml 299) official policy or some abuse pattern, but some have also asked about
en/faq-abuse.wml 300) whitelisting Tor exit relays because they want to permit access to their

en/faq-abuse.wml 301) systems only using Tor. These scripts are usable for whitelisting as well.)

en/faq-abuse.wml 302) </p>
en/faq-abuse.wml 303) 

faq-abuse.html   304) <a id="TracingUsers"></a>
faq-abuse.html   305) <h3><a class="anchor" href="#TracingUsers">I have a compelling reason to trace a Tor user. Can you help?</a></h3>
faq-abuse.html   306) 
faq-abuse.html   307) <p>
faq-abuse.html   308) There is nothing the Tor developers can do to trace Tor users. The same
faq-abuse.html   309) protections that keep bad people from breaking Tor's anonymity also
faq-abuse.html   310) prevent us from figuring out what's going on.
faq-abuse.html   311) </p>
faq-abuse.html   312) 
faq-abuse.html   313) <p>
faq-abuse.html   314) Some fans have suggested that we redesign Tor to include a <a

en/faq-abuse.wml 315) href="<page faq>#Backdoor">backdoor</a>.

faq-abuse.html   316) There are two problems with this idea. First, it technically weakens the
faq-abuse.html   317) system too far. Having a central way to link users to their activities
faq-abuse.html   318) is a gaping hole for all sorts of attackers; and the policy mechanisms
faq-abuse.html   319) needed to ensure correct handling of this responsibility are enormous
faq-abuse.html   320) and unsolved. Second, the bad people <a href="#WhatAboutCriminals">aren't
faq-abuse.html   321) going to get caught by this anyway</a>, since they will use other means
faq-abuse.html   322) to ensure their anonymity (identity theft, compromising computers and
faq-abuse.html   323) using them as bounce points, etc).
faq-abuse.html   324) </p>
faq-abuse.html   325) 
faq-abuse.html   326) <p>
faq-abuse.html   327) But remember that this doesn't mean that Tor is invulnerable. Traditional
faq-abuse.html   328) police techniques can still be very effective against Tor, such as
faq-abuse.html   329) interviewing suspects, surveillance and keyboard taps, writing style
faq-abuse.html   330) analysis, sting operations, and other physical investigations.
faq-abuse.html   331) </p>
faq-abuse.html   332) 

faq-abuse.html   333) <a id="LegalQuestions"></a>
faq-abuse.html   334) <h3><a class="anchor" href="#LegalQuestions">I have legal questions about Tor abuse.</a></h3>

abuse.html       335) 

faq-abuse.html   336) <p>We're only the developers. We can answer technical questions, but
faq-abuse.html   337) we're not the ones to talk to about legal questions or concerns. </p>
faq-abuse.html   338) 

en/faq-abuse.wml 339) <p>Please take a look at the

en/faq-abuse.wml 340) <a href="<page eff/tor-legal-faq>">Tor Legal FAQ</a>,

faq-abuse.html   341) and contact EFF directly if you have any further legal questions. </p>

abuse.html       342) 

faq-abuse.html   343)   </div><!-- #main -->