clean up faq-abuse page; add anchors.
Roger Dingledine

Roger Dingledine committed on 2005-06-07 19:34:41
Showing 1 changed file with 213 additions and 62 deletions.

@@ -43,109 +43,260 @@
43 43
 <h2>Abuse FAQ for Tor Server Operators</h2>
44 44
 <hr />
45 45
 
46
-
47
-<p> </p>
48
-
46
+<a name="WhatAboutCriminals"></a>
49 47
 <h3>Doesn't Tor enable criminals to do bad things?</h3>
50 48
 
51
-<p>Criminals can already do bad things. Since they're willing to break
52
-laws, they already have lots of options available that provide <em>better</em> privacy than Tor provides. They can steal cell phones, use them, and throw them in a ditch; they can crack into computers in Korea or Brazil and use them to launch abusive activities; they can spread viruses that take control of literally millions of Windows machines around the world. </p>
53
-<p>Tor aims to provide protection for ordinary people who want to follow the law. Only criminals have privacy right now; we need to fix that. </p>
54
-<p> </p>
49
+<p>Criminals can already do bad things. Since they're willing to
50
+break laws, they already have lots of options available that provide
51
+<em>better</em> privacy than Tor provides. They can steal cell phones,
52
+use them, and throw them in a ditch; they can crack into computers
53
+in Korea or Brazil and use them to launch abusive activities; they
54
+can spread viruses that take control of literally millions of Windows
55
+machines around the world. </p>
55 56
 
57
+<p>Tor aims to provide protection for ordinary people who want to follow
58
+the law. Only criminals have privacy right now; we need to fix that. </p>
59
+
60
+<a name="Tradeoff"></a>
56 61
 <h3>Isn't it just a tradeoff: accepting the bad uses for the good ones?</h3>
57 62
 
58 63
 <p>No, we don't think that's how it works in the case of Tor. </p>
59
-<p>There are lots of ways to get anonymity on the net, some legal and some illegal. As we explained above, many of the illegal approaches can provide stronger anonymity than Tor can provide, because they can control literally millions of computers via spyware, viruses, and other techniques. </p>
60
-<p>Criminals and other bad people have the motivation to learn how to get good anonymity, and many have the motivation to pay well to achieve it. Being able to steal and reuse the identities of innocent victims (identify theft) makes it even easier. Normal people, on the other hand, don't typically have the time or money to spend figuring out how to get privacy online. This is the worst of all possible worlds. </p>
61
-<p>So yes, criminals could in theory use Tor, but they already have better options, and it seems unlikely that taking Tor away from the world will stop them from doing their bad things. At the same time, Tor and other privacy measures can <em>fight</em> identity theft, physical crimes like stalking, and so on. </p>
62
-<p> </p>
63 64
 
65
+<p>There are lots of ways to get anonymity on the net, some legal and
66
+some illegal. As we explained above, many of the illegal approaches
67
+can provide stronger anonymity than Tor can provide, because they can
68
+control literally millions of computers via spyware, viruses, and other
69
+techniques. </p>
70
+
71
+<p>Criminals and other bad people have the motivation to learn how to
72
+get good anonymity, and many have the motivation to pay well to achieve
73
+it. Being able to steal and reuse the identities of innocent victims
74
+(identify theft) makes it even easier. Normal people, on the other hand,
75
+don't typically have the time or money to spend figuring out how to get
76
+privacy online. This is the worst of all possible worlds. </p>
77
+
78
+<p>So yes, criminals could in theory use Tor, but they already have
79
+better options, and it seems unlikely that taking Tor away from the
80
+world will stop them from doing their bad things. At the same time, Tor
81
+and other privacy measures can <em>fight</em> identity theft, physical
82
+crimes like stalking, and so on. </p>
83
+
84
+<a name="DDoS"></a>
64 85
 <h3>What about distributed denial of service attacks?</h3>
65 86
 
66
-<p>Distributed denial of service attacks typically rely on having a group of thousands of computers all sending floods of traffic to a victim. Since the goal is to overpower the bandwidth of the victim, they typically send UDP packets since those don't require handshakes or coordination. </p>
67
-<p>But because Tor only transports correctly-formed TCP streams, not all IP packets, you cannot send UDP packets over Tor. (You can't do specialized forms of this attack like SYN flooding either.) So ordinary DDoS attacks are not possible over Tor. Tor also doesn't allow bandwidth amplification attacks against external sites: you need to send in a byte for every byte which the Tor network will send to your destination. So in general, attackers who control enough bandwidth to launch an effective DDoS attack can do it just fine without Tor. </p>
68
-<p>And if this argument doesn't convince you, go try Tor and see how much aggregate throughput you can eke out of it, then come back to us if you're still worried. </p>
69
-<p> </p>
70
-
87
+<p>Distributed denial of service attacks typically rely on having a group
88
+of thousands of computers all sending floods of traffic to a victim. Since
89
+the goal is to overpower the bandwidth of the victim, they typically send
90
+UDP packets since those don't require handshakes or coordination. </p>
91
+
92
+<p>But because Tor only transports correctly-formed TCP streams, not
93
+all IP packets, you cannot send UDP packets over Tor. (You can't do
94
+specialized forms of this attack like SYN flooding either.) So ordinary
95
+DDoS attacks are not possible over Tor. Tor also doesn't allow bandwidth
96
+amplification attacks against external sites: you need to send in a byte
97
+for every byte which the Tor network will send to your destination. So
98
+in general, attackers who control enough bandwidth to launch an effective
99
+DDoS attack can do it just fine without Tor. </p>
100
+
101
+<p>And if this argument doesn't convince you, go try Tor and see how
102
+much aggregate throughput you can eke out of it, then come back to us
103
+if you're still worried. </p>
104
+
105
+<a name="WhatAboutSpammers"></a>
71 106
 <h3>What about spammers?</h3>
72 107
 
73
-<p>The default Tor exit policy rejects all outgoing port 25 (SMTP) traffic. So sending spam mail through Tor isn't going to work. It's possible that some server operators will enable port 25 on their particular exit node, in which case only that computer will allow outgoing mails; but that individual could just set up an open mail relay too, independent of Tor. </p>
74
-<p>So far, no Tor server has enabled outgoing port 25 in his exit policy. </p>
108
+<p>The default Tor exit policy rejects all outgoing port 25 (SMTP)
109
+traffic. So sending spam mail through Tor isn't going to work. It's
110
+possible that some server operators will enable port 25 on their
111
+particular exit node, in which case only that computer will allow outgoing
112
+mails; but that individual could just set up an open mail relay too,
113
+independent of Tor. </p>
114
+
115
+<p>So far, no Tor server has enabled outgoing port 25 in his exit
116
+policy. </p>
117
+
75 118
 <p>In short, Tor isn't useful for spammers. </p>
76
-<p> </p>
77 119
 
120
+<a name="ExitPolicies"></a>
78 121
 <h3>How do Tor exit policies work?</h3>
79 122
 
80
-<p>Each Tor server has an exit policy that specifies what sort of outbound connections are allowed or refused from that server. The exit policies are propagated to the client via the directory, so clients will automatically avoid picking exit nodes that would refuse to exit to their intended destination. </p>
81
-<p>This way each server can decide the services he wants to allow connections to, based on abuse potential and his own situation. </p>
82
-<p> </p>
123
+<p>Each Tor server has an exit policy that specifies what sort of
124
+outbound connections are allowed or refused from that server. The exit
125
+policies are propagated to the client via the directory, so clients
126
+will automatically avoid picking exit nodes that would refuse to exit
127
+to their intended destination. </p>
128
+
129
+<p>This way each server can decide the services he wants to allow
130
+connections to, based on abuse potential and his own situation. </p>
83 131
 
132
+<a name="HowMuchAbuse"></a>
84 133
 <h3>Does Tor get much abuse?</h3>
85 134
 
86
-<p>Not much, in the grand scheme of things. We've been running the network since October 2003, and it's only generated a handful of complaints. Of course, like all privacy-oriented networks on the net, we attract our share of jerks. Tor's exit policies help separate the role of "willing to donate resources to the network" from the role of "willing to deal with exit abuse complaints", so we hope our network is more sustainable than past attempts at anonymity networks. </p>
87
-<p>Since Tor has <a href="http://tor.eff.org/cvs/tor/doc/tor-doc.html">many good uses as well</a>, we feel that we're doing pretty well at striking a balance currently. </p>
88
-<p> </p>
135
+<p>Not much, in the grand scheme of things. We've been running the network
136
+since October 2003, and it's only generated a handful of complaints. Of
137
+course, like all privacy-oriented networks on the net, we attract our
138
+share of jerks. Tor's exit policies help separate the role of "willing
139
+to donate resources to the network" from the role of "willing to deal
140
+with exit abuse complaints", so we hope our network is more sustainable
141
+than past attempts at anonymity networks. </p>
89 142
 
143
+<p>Since Tor has <a
144
+href="http://tor.eff.org/cvs/tor/doc/tor-doc.html">many good uses as
145
+well</a>, we feel that we're doing pretty well at striking a balance
146
+currently. </p>
147
+
148
+<a name="TypicalAbuses"></a>
90 149
 <h3>So what should I expect if I run a server?</h3>
91 150
 
92
-<p>If you run a Tor server that allows exit connections (such as the default exit policy), it's probably safe to say that you will eventually hear from somebody. Abuse complaints can come in a variety of forms. The main ones so far have taken the following form: </p>
151
+<p>If you run a Tor server that allows exit connections (such as the
152
+default exit policy), it's probably safe to say that you will eventually
153
+hear from somebody. Abuse complaints can come in a variety of forms. The
154
+main ones so far have taken the following form: </p>
93 155
 <ul>
94
-<li><p> Somebody connects to hotmail, and sends a criminal mail somewhere. The FBI sends you a polite email, you explain that you run a Tor server, and they say 'oh well' and leave you alone. [Port 80] </p>
95
-</li>
96
-<li><p> Somebody tries to get you shut down by using Tor to connect to google groups and posting spam to usenet, and then sending an angry mail to your ISP about how you're destroying the world. [Port 80] </p>
97
-</li>
98
-<li><p> Somebody connects to an irc network and makes a nuisance of himself. Your ISP gets polite mail about how your computer has been compromised; and/or your computer gets ddosed. [Port 6667] </p>
99
-</li>
100
-<li><p> Somebody uses Tor to download a Vin Diesel movie, and your ISP gets a DMCA takedown notice. According to our lawyers (and this convinced the Harvard general counsel), your ISP can totally ignore this notice with no liability problems. See <a href="http://tor.eff.org/eff/tor-dmca-response.html">Tor DMCA Response</a>. [Arbitrary ports] </p>
101
-</li>
156
+<li>Somebody connects to hotmail, and sends a criminal mail somewhere. The
157
+FBI sends you a polite email, you explain that you run a Tor server,
158
+and they say 'oh well' and leave you alone. [Port 80]</li>
159
+<li>Somebody tries to get you shut down by using Tor to connect to google
160
+groups and posting spam to usenet, and then sending an angry mail to
161
+your ISP about how you're destroying the world. [Port 80]</li>
162
+<li>Somebody connects to an irc network and makes a nuisance of
163
+himself. Your ISP gets polite mail about how your computer has been
164
+compromised; and/or your computer gets ddosed. [Port 6667]</li>
165
+<li>Somebody uses Tor to download a Vin Diesel movie, and
166
+your ISP gets a DMCA takedown notice. According to our lawyers
167
+(and this convinced the Harvard general counsel), your ISP can
168
+totally ignore this notice with no liability problems. See EFF's <a
169
+href="http://tor.eff.org/eff/tor-dmca-response.html">Tor DMCA
170
+Response Template</a>. [Arbitrary ports]</li>
102 171
 </ul>
103
-<p>You might also find that your Tor server's IP is blocked from accessing some Internet sites/services. This might happen regardless of your exit policy, because some groups don't seem to know or care that Tor has exit policies. (If you have a spare IP not used for other activities, you might consider running your Tor server on it.) For example, </p>
172
+
173
+<p>You might also find that your Tor server's IP is blocked from accessing
174
+some Internet sites/services. This might happen regardless of your exit
175
+policy, because some groups don't seem to know or care that Tor has
176
+exit policies. (If you have a spare IP not used for other activities,
177
+you might consider running your Tor server on it.) For example, </p>
178
+
104 179
 <ul>
105
-<li><p> Wikipedia is currently blocking many Tor server IPs from writing (reading still works), because they haven't figured out internally how to deal with the fact that they want to provide open access but they also have no ways to control abuse to their website. We're working with them to resolve this. </p>
106
-</li>
107
-<li><p> It seems that SORBS is putting some Tor server IPs on their email blacklist as well. They do this because they passively detect whether your server connects to certain IRC networks, and they conclude from this that your server is capable of spamming. We're working with them to teach them that not all software works this way. Until then, we recommend you avoid them, and teach your friends (if they use them) to avoid them too. </p>
108
-</li>
180
+<li>Wikipedia is currently blocking many Tor server IPs from writing
181
+(reading still works), because they haven't figured out internally how
182
+to deal with the fact that they want to provide open access but they
183
+also have no ways to control abuse to their website. We're working with
184
+them to resolve this.</li>
185
+<li>It seems that SORBS is putting some Tor server IPs on their email
186
+blacklist as well. They do this because they passively detect whether your
187
+server connects to certain IRC networks, and they conclude from this that
188
+your server is capable of spamming. We're working with them to teach them
189
+that not all software works this way. Until then, we recommend you avoid
190
+them, and teach your friends (if they use them) to avoid them too.</li>
109 191
 </ul>
110
-<p> </p>
111 192
 
193
+<a name="IrcBans"></a>
112 194
 <h3>Tor is banned from the IRC network I want to use.</h3>
113 195
 
114
-<p>Sometimes jerks make use of Tor to troll IRC channels. This abuse results in IP-specific temporary bans ("klines" in IRC lingo), as the network operators try to keep the troll off of their network. </p>
115
-<p>This response underscores a fundamental flaw in IRC's security model: they assume that IP addresses equate to humans, and by banning the IP address they can ban the human. In reality this is not the case -- many such trolls routinely make use of the literally millions of open proxies and compromised computers around the Internet. The IRC networks are fighting a losing battle of trying to block all these nodes, and an entire cottage industry of blacklists and counter-trolls has sprung up based on this flawed security model (not unlike the antivirus industry). The Tor network is just a drop in the bucket here. </p>
116
-<p>On the other hand, from the viewpoint of IRC server operators, security is not an all-or-nothing thing.  By responding quickly to trolls or any other social attack, it may be possible to make the attack scenario less attractive to the attacker.  And most individual IP addresses do equate to individual humans, on any given IRC network at any given time.  The exceptions include NAT gateways which may be allocated access as special cases. While it's a losing battle to try to stop the use of open proxies, it's not generally a losing battle to keep klining a single ill-behaved IRC user until that user gets bored and goes away. </p>
117
-<p>But the real answer is to implement application-level auth systems, to let in well-behaving users and keep out badly-behaving users. This needs to be based on some property of the human (such as a password he knows), not some property of the way his packets are transported. </p>
118
-<p>Of course, not all IRC networks are trying to ban Tor nodes. After all, quite a few people use Tor to IRC in privacy in order to carry on legitimate communications without tying them to their real-world identity. Each IRC network needs to decide for itself if blocking a few more of the millions of IPs that bad people can use is worth losing the contributions from the well-behaved Tor users. </p>
119
-<p>If you're being blocked, have a discussion with the network operators and explain the issues to them. They may not be aware of the existence of Tor at all, or they may not be aware that the hostnames they're klining are Tor exit nodes.  If you explain the problem, and they conclude that Tor ought to be blocked, you may want to consider moving to a network that is more open to free speech.  Maybe inviting them to #tor on irc.oftc.net helps them show that we are not all evil people. </p>
196
+<p>Sometimes jerks make use of Tor to troll IRC channels. This abuse
197
+results in IP-specific temporary bans ("klines" in IRC lingo), as the
198
+network operators try to keep the troll off of their network. </p>
199
+
200
+<p>This response underscores a fundamental flaw in IRC's security model:
201
+they assume that IP addresses equate to humans, and by banning the
202
+IP address they can ban the human. In reality this is not the case --
203
+many such trolls routinely make use of the literally millions of open
204
+proxies and compromised computers around the Internet. The IRC networks
205
+are fighting a losing battle of trying to block all these nodes,
206
+and an entire cottage industry of blacklists and counter-trolls has
207
+sprung up based on this flawed security model (not unlike the antivirus
208
+industry). The Tor network is just a drop in the bucket here. </p>
209
+
210
+<p>On the other hand, from the viewpoint of IRC server operators, security
211
+is not an all-or-nothing thing.  By responding quickly to trolls or
212
+any other social attack, it may be possible to make the attack scenario
213
+less attractive to the attacker.  And most individual IP addresses do
214
+equate to individual humans, on any given IRC network at any given time.
215
+The exceptions include NAT gateways which may be allocated access as
216
+special cases. While it's a losing battle to try to stop the use of open
217
+proxies, it's not generally a losing battle to keep klining a single
218
+ill-behaved IRC user until that user gets bored and goes away. </p>
219
+
220
+<p>But the real answer is to implement application-level auth systems,
221
+to let in well-behaving users and keep out badly-behaving users. This
222
+needs to be based on some property of the human (such as a password he
223
+knows), not some property of the way his packets are transported. </p>
224
+
225
+<p>Of course, not all IRC networks are trying to ban Tor nodes. After
226
+all, quite a few people use Tor to IRC in privacy in order to carry
227
+on legitimate communications without tying them to their real-world
228
+identity. Each IRC network needs to decide for itself if blocking a few
229
+more of the millions of IPs that bad people can use is worth losing the
230
+contributions from the well-behaved Tor users. </p>
231
+
232
+<p>If you're being blocked, have a discussion with the network operators
233
+and explain the issues to them. They may not be aware of the existence of
234
+Tor at all, or they may not be aware that the hostnames they're klining
235
+are Tor exit nodes.  If you explain the problem, and they conclude that
236
+Tor ought to be blocked, you may want to consider moving to a network that
237
+is more open to free speech.  Maybe inviting them to #tor on irc.oftc.net
238
+helps them show that we are not all evil people. </p>
239
+
120 240
 <p>Finally, if you become aware of an IRC network which seems to be
121
-blocking Tor, or a single Tor exit node, please put that information on
122
-<a href="http://wiki.noreply.org/wiki/TheOnionRouter/BlockingIrc">BlockingIrc</a> so that others can share.  At least one IRC network consults that page to unblock exit nodes which have been blocked inadvertently. </p>
123
-<p> </p>
241
+blocking Tor, or a single Tor exit node, please put that information on <a
242
+href="http://wiki.noreply.org/wiki/TheOnionRouter/BlockingIrc">BlockingIrc</a>
243
+so that others can share.  At least one IRC network consults that page
244
+to unblock exit nodes which have been blocked inadvertently. </p>
124 245
 
246
+<a name="SMTPBans"></a>
125 247
 <h3>Your nodes are banned from the mail server I want to use.</h3>
126 248
 
127
-<p>Even though <a href="http://wiki.noreply.org/wiki/TheOnionRouter/TorFAQ#WhatAboutSpammers">Tor isn't useful for spamming</a>, some over-zealous blacklisters seem to think that all open networks like Tor should be boycotted. They don't understand how Tor works (e.g. that it has exit policies), and don't seem to care to understand it. If your server administrators decide to make use of these blacklists to refuse incoming mail, you should have a conversation with them and explain how Tor works. </p>
128
-<p> </p>
249
+<p>Even though <a href="#WhatAboutSpammers">Tor isn't useful for
250
+spamming</a>, some over-zealous blacklisters seem to think that all
251
+open networks like Tor should be boycotted. They don't understand how
252
+Tor works (e.g. that it has exit policies), and don't seem to care to
253
+understand it. If your server administrators decide to make use of these
254
+blacklists to refuse incoming mail, you should have a conversation with
255
+them and explain how Tor works. </p>
129 256
 
257
+<a name="Bans"></a>
130 258
 <h3>I want to ban the Tor network from my service.</h3>
131 259
 
132
-<p>First, ask yourself if there's a way to do application-level decisions to separate the legitimate users from the jerks. For example, you might have certain areas of the site, or certain privileges like posting, available only to people who are registered. You could set up this distinction only for certain IP addresses such as Tor exit nodes. This way you can have multi-tiered access and not have to ban everything. </p>
133
-<p>Second, consider that thousands of people use Tor every day to protect against data-gathering corporations like Doubleclick while going about their normal  activities. Some Tor users may be legitimately connecting to your service right now to carry on normal activities. You need to decide whether banning the Tor network is worth losing the contributions of these users, as well as potential future such users. </p>
134
-<p>Lastly, please remember that Tor servers have individual exit policies. Many Tor servers do not allow exiting connections at all. Many of those that do, probably already disallow connections to your service. When you go about banning nodes, you should parse the exit policies and only block the ones that allow these connections; and you should keep in mind that exit policies can change (as well as the overall list of nodes in the network). </p>
135
-<p>If you really want to do this, there is a python script to parse the Tor directory <a href="http://tor.eff.org/cvs/tor/contrib/exitlist">here</a>. </p>
136
-<p> </p>
137
-
260
+<p>First, ask yourself if there's a way to do application-level decisions
261
+to separate the legitimate users from the jerks. For example, you might
262
+have certain areas of the site, or certain privileges like posting,
263
+available only to people who are registered. You could set up this
264
+distinction only for certain IP addresses such as Tor exit nodes. This
265
+way you can have multi-tiered access and not have to ban everything. </p>
266
+
267
+<p>Second, consider that thousands of people use Tor every day to protect
268
+against data-gathering corporations like Doubleclick while going about
269
+their normal  activities. Some Tor users may be legitimately connecting
270
+to your service right now to carry on normal activities. You need to
271
+decide whether banning the Tor network is worth losing the contributions
272
+of these users, as well as potential future such users. </p>
273
+
274
+<p>Lastly, please remember that Tor servers have individual exit
275
+policies. Many Tor servers do not allow exiting connections at
276
+all. Many of those that do, probably already disallow connections to
277
+your service. When you go about banning nodes, you should parse the
278
+exit policies and only block the ones that allow these connections;
279
+and you should keep in mind that exit policies can change (as well as
280
+the overall list of nodes in the network). </p>
281
+
282
+<p>If you really want to do this, there is a
283
+python script to parse the Tor directory <a
284
+href="http://tor.eff.org/cvs/tor/contrib/exitlist">here</a>. </p>
285
+
286
+<a name="LegalQuestions"></a>
138 287
 <h3>I have legal questions about Tor abuse.</h3>
139 288
 
140
-<p>We're only the developers. We can answer technical questions, but we're not the ones to talk to about legal questions or concerns. </p>
141
-<p>Please take a look at the <a href="http://tor.eff.org//eff/tor-legal-faq.html">Tor Legal FAQ</a>, and contact EFF directly if you have any further questions. </p>
142
-<p> </p>
289
+<p>We're only the developers. We can answer technical questions, but
290
+we're not the ones to talk to about legal questions or concerns. </p>
291
+
292
+<p>Please take a look at the <a
293
+href="http://tor.eff.org//eff/tor-legal-faq.html">Tor Legal FAQ</a>,
294
+and contact EFF directly if you have any further questions. </p>
143 295
 
144 296
   </div><!-- #main -->
145 297
   </div>
146 298
     <div class="bottom" id="bottom">
147
-	<i><a href="mailto:tor-webmaster@freehaven.net" class="smalllink">Webmaster</a></i> -
148
-	$Id$
299
+      <i><a href="mailto:tor-webmaster@freehaven.net" class="smalllink">Webmaster</a></i> - $Id$
149 300
     </div>
150 301
 </body>
151 302
 </html>
152 303
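Review bot: the rewrap carries over two pre-existing defects that this commit is the natural place to fix: "(identify theft)" in the Tradeoff paragraph should read "(identity theft)", and the Tor Legal FAQ link keeps a doubled slash in `href="http://tor.eff.org//eff/tor-legal-faq.html"`. The new internal link `<a href="#WhatAboutSpammers">` depends on the `<a name="WhatAboutSpammers"></a>` anchor added in the same hunk, so both must change together if the anchor is ever renamed; adding a matching `id` attribute on each anchor would also keep the fragment links valid under stricter XHTML. Lastly, "So far, no Tor server has enabled outgoing port 25 in his exit policy" is an undated point-in-time observation about the live network rather than a property of Tor; since readers will treat it as an assurance, either date it or rephrase it around the default exit policy, which is the part that stays true.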