I've done a bit of work in this space, wont elaborate ..... but here are some thoughts :

* many less-engaged or new pedophiles may indeed search such content in the clear, however ....
* the persistent abusers tend to form communities within TOR hidden services, making them difficult to find. Most are likely just consumers of the material, but many are producers (inc kidnappers)
* some underground communities require that prospective members contribute new abuse imagery/videos in order to prove they are not law enforcement. Tragically this encourages abusers to abuse a family member
* other communities have plenty of essays espousing the viewpoint that such behavior is quite natural, which does convince some to excuse their behavior. This content itself does have the ability to convert non-offenders to offenders, IMHO.
   - The following article discuss these communities and their underlying agendas. I'll warn you that you may need therapy after reading it ..... 
         * http://www.cracked.com/personal-experiences-1760-5-things-i-learned-infiltrating-deep-web-child-molesters.html
* Some of the content is indeed quite traumatic - it's as bad as they say it is, and many people working in this space have long-term psychological problems
* While many of these communities hide in TOR, making it difficult to find the perpetrators, many of the images there actually link to images hosted in public-facing image-hosting servers. This means that the abusers access it through 3 hops through the proxy network instead of 6, for hidden servers.

This means that indeed, the majority of people accessing that content on your network may be doing so from hotlinks posted to a hidden server somewhere. You may see them primarily being accessed via known TOR exit nodes.

My recommendations :
* First, reach out to NCMEC for guidance on filtering/logging
* Second, Ive done a teensy bit of work for these guys at Thorn (Ashton Kutchers nonprofit). They have an interesting program that attempts to recognize people searching for abuse imagery, and redirects them to material urging them to seek psychological help for their problem. : https://www.wearethorn.org/deterrence-prevent-child-sexual-abuse-imagery/




On Fri, Dec 7, 2018 at 11:32 AM Lotia, Pratik M <Pratik.Lotia@charter.com> wrote:
Very well explained, Max!


With Gratitude,
Pratik Lotia

“Information is not knowledge.”

On 12/7/18, 13:16, "NANOG on behalf of nanog@jack.fr.eu.org" <nanog-bounces@nanog.org on behalf of nanog@jack.fr.eu.org> wrote:

    Well said


    On 12/07/2018 07:48 PM, Max Tulyev wrote:
    > Hi All,
    >
    > we are fighting with censorship in our country. So I have something to say.
    >
    > First, censorship is not just "switch off this website and that
    > webpage". No magic button exist. It is more complex, if you think as for
    > while system.
    >
    > Initially, networks was build without systems (hardware and software)
    > can block something.
    >
    > Yes, you may nullroute some IP with some site, but as the collateral
    > damage you will block part of Cloudflare or Amazon, for example. So you
    > have to buy and install additional equipment and software to do it a bit
    > less painful. That's not so cheap, that should be planned, brought,
    > installed, checked and personal should be learned. After that, your
    > system will be capable to block some website for ~90% of your customers
    > will not proactively avoid blocking. And for *NONE* who will, as CP
    > addicts, terrorists, blackmarkets, gambling, porn and others do.
    >
    > Yep. Now you network is capable to censor something. You just maid the
    > first step to the hell. What's next? Some people send you some websites
    > to ban. This list with CP, Spamhaus DROP, some court orders, some
    > semi-legal copyright protectors orders, some "we just want to block it"
    > requests... And some list positions from time to time became outdated,
    > so you need to clean it from time to time. Do not even expect people
    > sent you the block request will send you unblock request, of course.
    > Then, we have >6000 ISPs in our country - it is not possible to interact
    > with all of them directly.
    >
    > So, you end up under a lot of papers, random interactions with random
    > people and outdated and desyncronized blocking list. It will not work.
    >
    > Next, government realizes there should be one centralized blocking list
    > and introduces it.
    >
    > Ok. Now we have censored Internet. THE SWITCH IS ON.
    >
    > In a very short time the number of organizations have permission to
    > insert something in the list dramatically increases. Corruption rises,
    > it becomes possible, and then becomes cheap to put your competitor's
    > website into the list for some time. And of course, primary target of
    > any censorship is the elections...
    >
    > What about CP and porn addicts, gamblers, killers, terrorists? Surprise,
    > they are even more fine than at the beginning! Why? Because they learned
    > VPN, TOR and have to use it! Investigators end up with TOR and VPN exit
    > IP addresses from another countries instead of their home IPs.
    >
    > Hey. It is a very very bad and very very danger game. Avoid it.
    > Goal of that game is to SWITCH ON that system BY ANY REASON. CP, war,
    > gambling - any reason that will work. After the system will be switched
    > on - in several months you will forget the initial reason. And will
    > awake in another world.
    >
    > 07.12.18 08:06, Lotia, Pratik M пише:
    >> Hello all, was curious to know the community’s opinion on whether an ISP
    >> should block domains hosting CPE (child pornography exploitation)
    >> content? Interpol has a ‘worst-of’ list which contains such domains and
    >> it wants ISPs to block it.
    >>
    >> On one side we want the ISP to not do any kind of censorship or
    >> inspection of customer traffic (customers are paying for pipes – not for
    >> filtered pipes), on the other side morals/ethics come into play. Keep in
    >> mind that if an ISP is blocking it would mean that it is also logging
    >> the information (source IP) and law agencies might be wanting access to it.
    >>
    >> 
    >>
    >> Wondering if any operator is actively doing it or has ever considered
    >> doing it?
    >>
    >> 
    >>
    >> Thanks.
    >>
    >> 
    >>
    >> 
    >>
    >> With Gratitude,
    >>
    >> * *
    >>
    >> *Pratik Lotia*     
    >>
    >> 
    >>
    >> “Information is not knowledge.”
    >>
    >> The contents of this e-mail message and
    >> any attachments are intended solely for the
    >> addressee(s) and may contain confidential
    >> and/or legally privileged information. If you
    >> are not the intended recipient of this message
    >> or if this message has been addressed to you
    >> in error, please immediately alert the sender
    >> by reply e-mail and then delete this message
    >> and any attachments. If you are not the
    >> intended recipient, you are notified that
    >> any use, dissemination, distribution, copying,
    >> or storage of this message or any attachment
    >> is strictly prohibited.



E-MAIL CONFIDENTIALITY NOTICE:
The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.