Analyze IP Addresses for Tor Exit Node Detection
The Tor network consists of volunteer-run servers that obfuscate the source and destination of network connections. This obfuscation provides an additional layer of security and anonymity for online activities. However, it can be abused for a variety of malicious activities, including credential stuffing and account takeovers. Identifying Tor usage is critical for threat detection, as it may indicate that a connection is likely fraudulent.
The use of the Tor network can be detected in logs from firewall, endpoint, and proxy systems using both indicator-based and behavioral approaches. Indicator-based solutions leverage SIEMs to detect patterns in application traffic and protocol usage associated with Tor client software. Behavior-based approaches search for Tor-related activity within firewall and proxy logs, endpoint configurations, and anomalous behaviors such as DNS tunneling.
How to Identify VPN and Proxy Traffic with IP Analysis
In order to monitor or block connections to Tor exit nodes, a list of publicly known Tor exit node IP addresses needs to be maintained. This can be accomplished either by downloading a list from the Tor Project as a file or by using a service that performs a DNS lookup to determine whether an IP address is on the Tor exit node list for a particular date.
A combination of the two approaches is recommended for the most effective detection of Tor activity on networks. The most restrictive mitigation practice involves blocking all traffic to and from the public Tor entry and exit node IP addresses (see table 1). For organizations that do not want to implement such restrictive mitigation, monitoring and logging all connections to and from known Tor nodes will allow for rapid identification and response to malicious activity.…
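The following is an added example, not code from the original page or from the Tor Project, that carries the two approaches above through end to end: it parses a downloaded exit list in the one-address-per-line format the Tor Project's bulk exit list uses, builds the reversed-octet query name a TorDNSEL-style lookup expects, and then runs constructed firewall log lines through both checks, flagging connections whose source or destination is a known exit. The exit addresses, log lines, and the stub resolver are constructed for the example; the DNS zone name `dnsel.torproject.org` and the `127.0.0.2` answer convention are assumptions about the lookup service, and a real deployment would swap the stub resolver for a DNS client and refresh the list on a schedule.

```python
import ipaddress
import re
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed sample in the one-address-per-line format of the Tor bulk exit
# list. These addresses come from documentation ranges and are not real exits.
SAMPLE_EXIT_LIST = """\
# Tor exit node list, constructed sample
198.51.100.7
203.0.113.42
not-an-ip
198.51.100.200
"""

# Constructed firewall log lines in a simple key=value layout.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw1 src=203.0.113.42 dst=10.0.0.5 dport=443 action=allow",
    "2024-05-01T10:00:02Z fw1 src=10.0.0.8 dst=192.0.2.9 dport=443 action=allow",
    "2024-05-01T10:00:03Z fw1 src=10.0.0.9 dst=198.51.100.7 dport=9001 action=allow",
    "2024-05-01T10:00:04Z fw1 src=192.0.2.77 dst=10.0.0.5 dport=22 action=deny",
]

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")


def parse_exit_list(text: str) -> Set[str]:
    """Parse a downloaded exit list: one address per line, '#' comments allowed.
    Malformed lines are skipped so one bad line does not break the whole load."""
    exits: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue
    return exits


def dnsel_query_name(ip: str, zone: str = "dnsel.torproject.org") -> str:
    """Build the reversed-octet query name for a TorDNSEL-style lookup.
    The zone name is an assumption for this example; IPv4 only."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("DNSEL lookup in this example supports IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_tor_exit_dns(ip: str, resolve: Callable[[str], List[str]]) -> bool:
    """Return True when the resolver answers 127.0.0.2 (assumed 'is an exit' answer).
    A lookup failure (NXDOMAIN) is treated as 'not an exit'."""
    try:
        answers = resolve(dnsel_query_name(ip))
    except LookupError:
        return False
    return "127.0.0.2" in answers


def fake_resolve(name: str) -> List[str]:
    """Constructed stand-in for a DNS client: only one name is 'an exit'."""
    if name == "77.2.0.192.dnsel.torproject.org":
        return ["127.0.0.2"]
    raise LookupError(name)


def flag_tor_connections(log_lines: Iterable[str], exits: Set[str],
                         resolve: Optional[Callable[[str], List[str]]] = None) -> List[Dict[str, str]]:
    """Flag log lines whose src or dst is a known Tor exit, via the list first
    and the DNS service second (list hits skip the network lookup)."""
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        for role in ("src", "dst"):
            ip = m.group(role)
            on_list = ip in exits
            via_dns = (not on_list) and resolve is not None and is_tor_exit_dns(ip, resolve)
            if on_list or via_dns:
                hits.append({"line": line, "ip": ip, "role": role,
                             "source": "list" if on_list else "dns"})
    return hits


if __name__ == "__main__":
    known_exits = parse_exit_list(SAMPLE_EXIT_LIST)
    for hit in flag_tor_connections(SAMPLE_LOGS, known_exits, fake_resolve):
        print(f"TOR {hit['role']}={hit['ip']} ({hit['source']}): {hit['line']}")
```

The list check is cheap and covers the bulk of traffic, so it runs first; the DNS check catches addresses that joined the exit set after the last download, which is why the text recommends combining the two. Keep the downloaded list timestamped and alert if it goes stale, since an old list silently stops matching new exits.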