Tor (The Onion Router) provides anonymity by routing traffic through a circuit of volunteer relays, with a separate layer of encryption for each hop. That is valuable for privacy-focused users, but it also creates security and compliance problems for businesses, schools and other organizations, so many administrators want to block Tor on their networks.
A common question from IT and security staff is whether DNS filtering can block Tor. DNS filtering is useful for many kinds of content and security enforcement, but it does little against Tor: the client connects to relays by IP address, using addresses shipped inside the client and in the network's hourly consensus, and name resolution for the sites a user visits happens at the exit relay, so the local resolver never sees a query. This article explains why and describes the measures that do work.
Effective Ways to Block Tor
No single measure is sufficient; combine several of the following network-based controls. In practice the two that carry the most weight are denying connections to every address in the Tor consensus (section 2) and removing the direct route out altogether by forcing egress through an inspecting proxy (section 4).
1. Blocking Tor Directory Authorities
Tor clients bootstrap by downloading the network consensus. The small, fixed set of directory authorities that sign it has published, stable addresses, but a fresh client does not need to reach them: it fetches the consensus from a list of fallback directory mirrors compiled into the client, and once bootstrapped it refreshes it through its guard relay. Blocking the authorities is therefore a cheap first step that denies nothing on its own; it only matters as part of blocking every relay address (next section).
- Solution: Use a firewall or router to block the directory authority IPs.
- Tor directory authorities list (published by the Tor Project; the addresses also appear in every consensus document).
- Example (iptables; on a gateway the FORWARD chain is the one that matters, since OUTPUT only covers connections from the firewall host itself):
iptables -A FORWARD -d <TOR_AUTHORITY_IP> -j REJECT
- Example (pf, the packet filter behind pfSense and OPNsense; the table must already be declared in the ruleset):
pfctl -t tor_blacklist -T add <TOR_AUTHORITY_IP>
2. Blocking Known Tor Relays and Exit Nodes
The Tor Project publishes its relay data. Two lists matter, and they do different jobs:
- The bulk exit list (https://check.torproject.org/torbulkexitlist) contains the addresses from which Tor traffic leaves the network. Blocking it on INPUT keeps Tor users out of your public services, but does nothing to stop your own users: their clients never talk to an exit directly.
- To stop internal clients you need every relay, above all the guards that clients connect to. The consensus (or the Onionoo API at https://onionoo.torproject.org/, which serves the same data as JSON) lists all of them; refresh it at least hourly, because relay addresses change.
- Solution:
- Download the current relay list and the exit list on a schedule.
- Load them into an address set (ipset, a pf table, or a firewall address group) and reference the set from one rule, rather than appending thousands of individual rules.
Example (iptables with ipset; the one-rule-per-address loop this replaces works, but the rule count grows with the list):
ipset create tor_exits hash:ip -exist
curl -s https://check.torproject.org/torbulkexitlist | while read ip; do
    ipset add tor_exits "$ip" -exist
done
iptables -I INPUT -m set --match-set tor_exits src -j DROP
Bridges are the gap in this approach: bridge relays are deliberately kept out of the public lists, so a user with a bridge line reaches the network through an address you have never seen. The sections below deal with that case.
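The list handling for sections 1 and 2 in one piece, as an added example (this is not code from the original article or from the Tor Project): it parses the Onionoo JSON format and the bulk exit list, drops malformed entries instead of aborting, splits IPv4 and IPv6 into separate ipset families, and emits the set-based rules. The two inputs below are constructed from documentation address ranges; in production you would fetch the real URLs named in the docstring on a timer.

```python
"""Turn Tor relay data into firewall address sets.

Added example; not code from the original article or from the Tor Project.
Real sources you would fetch on a schedule (with curl, outside this script):
  https://onionoo.torproject.org/details?running=true&type=relay  -> JSON, "or_addresses"
  https://check.torproject.org/torbulkexitlist                     -> one IPv4 per line
The two samples below are CONSTRUCTED from documentation address ranges
(RFC 5737 / RFC 3849); they are not real relays.
"""
import ipaddress
import json

# Constructed stand-in for an Onionoo "details" document (field names as Onionoo uses them).
SAMPLE_ONIONOO = json.dumps({
    "relays": [
        {"nickname": "guardA", "or_addresses": ["192.0.2.10:9001", "[2001:db8::10]:9001"]},
        {"nickname": "exitB", "or_addresses": ["198.51.100.7:443"], "exit_addresses": ["198.51.100.8"]},
        {"nickname": "brokenC", "or_addresses": ["not-an-address:9001"]},  # bad data must not abort the run
    ]
})

# Constructed stand-in for the bulk exit list, with a blank line and an invalid entry mixed in.
SAMPLE_EXITLIST = "198.51.100.8\n203.0.113.44\n\n300.1.1.1\n"


def _to_ip(text):
    """Return an ipaddress object, or None if the text is not a valid IPv4/IPv6 address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _strip_port(addr):
    """'192.0.2.10:9001' -> '192.0.2.10'; '[2001:db8::10]:9001' -> '2001:db8::10'."""
    if addr.startswith("["):
        return addr.partition("]")[0][1:]
    if addr.count(":") == 1:               # IPv4 with port
        return addr.rpartition(":")[0]
    return addr                            # no port, or a bare IPv6 address


def parse_onionoo(text):
    """All relay addresses (ORPort and exit addresses) as a set of ipaddress objects."""
    ips = set()
    for relay in json.loads(text).get("relays", []):
        for addr in relay.get("or_addresses", []):
            ip = _to_ip(_strip_port(addr))
            if ip is not None:
                ips.add(ip)
        for addr in relay.get("exit_addresses", []):   # already bare addresses
            ip = _to_ip(addr)
            if ip is not None:
                ips.add(ip)
    return ips


def parse_exit_list(text):
    """Bulk exit list: one address per line; skip blanks and anything that is not an address."""
    return {ip for ip in (_to_ip(line.strip()) for line in text.splitlines()) if ip is not None}


def ipset_restore(name, ips):
    """Render `ipset restore` input. IPv4 and IPv6 need separate sets (family inet / inet6)."""
    lines = [f"create {name} hash:ip family inet -exist",
             f"create {name}6 hash:ip family inet6 -exist"]
    lines += [f"add {name} {ip} -exist" for ip in sorted(i for i in ips if i.version == 4)]
    lines += [f"add {name}6 {ip} -exist" for ip in sorted(i for i in ips if i.version == 6)]
    return "\n".join(lines) + "\n"


def firewall_rules(relay_set="tor_relays", exit_set="tor_exits"):
    """One rule per set instead of one rule per address.
    FORWARD/dst: clients behind the gateway cannot reach any relay (guards included).
    INPUT/src:   Tor exits cannot reach services on the gateway host itself."""
    return [
        f"iptables -I FORWARD -m set --match-set {relay_set} dst -j REJECT",
        f"ip6tables -I FORWARD -m set --match-set {relay_set}6 dst -j REJECT",
        f"iptables -I INPUT -m set --match-set {exit_set} src -j DROP",
    ]


if __name__ == "__main__":
    # Usage: pipe the first two outputs into `ipset restore`, then apply the rules once.
    print(ipset_restore("tor_relays", parse_onionoo(SAMPLE_ONIONOO)), end="")
    print(ipset_restore("tor_exits", parse_exit_list(SAMPLE_EXITLIST)), end="")
    print("\n".join(firewall_rules()))
```

REJECT rather than DROP on the FORWARD rule is deliberate: a Tor client that gets an immediate refusal moves on to the next guard and fails to bootstrap quickly, which produces a clean burst of denied connections in the firewall log for the monitoring section to catch.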
3. Deep Packet Inspection (DPI)
Tor's link protocol is ordinary TLS, and the client deliberately shapes its ClientHello to look like Firefox, so there is no reliable byte pattern in the handshake. What DPI appliances actually key on is a short list of weak signals: the generated www.<random>.com name that Tor puts in the SNI and in its self-signed certificates (the certificate is no longer visible once the connection negotiates TLS 1.3), a TLS session to a name that no host on the network ever resolved, and, above all, a destination address that appears in the relay list.
- Solution:
- Enable the vendor's Tor application signature or TLS fingerprinting on firewalls such as Palo Alto, Fortinet or Cisco, and feed them the relay list as an external dynamic list or threat feed.
- Use Suricata or Snort with the Emerging Threats "ET TOR" rules, which are regenerated from the public relay list, and the iprep keyword for a feed you maintain yourself.
Example (Suricata rule matching Tor's generated SNI pattern; this is a heuristic, since any www.<name>.com host with only letters and digits 2-7 in its name also matches, so correlate it with DNS logs rather than blocking on it alone):
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY Possible Tor client TLS (random SNI pattern)"; flow:established,to_server; tls.sni; pcre:"/^www\.[a-z2-7]{4,25}\.com$/"; classtype:policy-violation; sid:2021001; rev:2;)
Do not match on the bytes "|16 03 01|" at the start of the payload, as an earlier version of this rule did: that is the record header of nearly every TLS ClientHello on the internet, so such a rule alerts on all TLS traffic and says nothing about Tor.
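To show what the SNI rule above is really looking at, here is an added example (not code from the article or the Tor Project) that parses a TLS ClientHello by hand, pulls out the record version, offered cipher suites and SNI, and applies the two weak signals together: generated-looking name and no prior DNS resolution. The ClientHellos and the resolved-name set are constructed for the example; the www.<base32>.com pattern is the form of the placeholder hostname the Tor client sets as SNI, and is treated as a heuristic, not proof.

```python
"""Parse a TLS ClientHello and apply the weak Tor signals described above.

Added example, not code from the article or the Tor Project. The random-SNI pattern
is the form of the placeholder hostname the Tor client puts in the SNI (www.<base32>.com),
a name it never resolved through DNS. The resolved-name set and the ClientHellos
below are CONSTRUCTED for the example.
"""
import re
import struct

# Tor's generated hostname: "www." + 4..25 base32 characters + ".com"  (heuristic, not proof)
TOR_FAKE_SNI = re.compile(r"^www\.[a-z2-7]{4,25}\.com$")


def build_client_hello(sni):
    """Constructed minimal ClientHello; sni=None omits the server_name extension."""
    body = b"\x03\x03" + bytes(range(32)) + b"\x00"           # client version, random, empty session id
    suites = b"\x13\x01\x13\x02\xc0\x2f"                       # TLS_AES_128_GCM_SHA256, _256_, ECDHE-RSA-AES128-GCM
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                        # one compression method: null
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name(0), length, name
        exts += struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return record/client versions, offered cipher suites and SNI (None if absent)."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = (data[1], data[2])
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = (body[0], body[1])
    pos = 2 + 32                                               # skip version and random
    pos += 1 + body[pos]                                       # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                       # compression methods
    sni = None
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0 and len(edata) >= 5:                 # server_name: list_len(2) type(1) len(2) name
                nlen = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + nlen].decode("ascii", "replace")
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": suites, "sni": sni}


def tor_like(info, resolved_names):
    """Flag when the SNI looks generated AND no host on the network resolved it.
    The DNS check is what keeps this usable: www.example.com matches the pattern too."""
    sni = info["sni"]
    return sni is not None and bool(TOR_FAKE_SNI.match(sni)) and sni not in resolved_names


if __name__ == "__main__":
    RESOLVED = {"www.example.com"}                            # constructed summary of a DNS log
    for name in ("www.example.com", "www.h4xq2kz7ab.com", None):
        info = parse_client_hello(build_client_hello(name))
        # every ClientHello starts with 16 03 01, which is why matching those bytes finds nothing
        print(name, info["record_version"], "tor-like" if tor_like(info, RESOLVED) else "ordinary")
```

Run it and all three hellos report record version (3, 1); only the unresolved generated-looking name is flagged. Obfuscated transports never pass through this path at all: obfs4 has no TLS handshake, and meek's SNI is the CDN's front domain.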
4. Enforcing Layer 7 (Application-Level) Filtering
Relays listen on whatever port their operators choose; 9001 (ORPort) and 9030 (DirPort) are the defaults, but a large share use 443, so blocking ports achieves nothing. What does work is an architecture in which clients have no direct route out at all: egress is possible only through an explicit, inspecting proxy.
- Solution:
- Deny direct outbound TCP from client subnets; allow it only from the proxy.
- Deploy proxy-based filtering (Squid, pfSense with a proxy package, FortiGate and similar) with TLS inspection. A Tor client can be told to use an HTTPS CONNECT proxy, but it then verifies the relay's identity inside its own link handshake, where the TLS certificate is bound to the relay's identity key; an intercepting proxy that re-signs the server certificate breaks that binding, so an unmodified Tor client cannot complete a connection through it. Transports that tunnel over HTTPS (meek) turn into inspectable HTTP at the proxy.
- Have the proxy refuse what it cannot identify: CONNECT tunnels carrying something other than TLS, and unknown binary protocols on 443.
5. Detecting Pluggable Transports
Tor's pluggable transports exist precisely to defeat the controls above. obfs4 encrypts everything including its handshake, so the flow has no protocol header and every byte looks uniformly random; meek tunnels Tor over HTTPS to a large CDN using domain fronting, so the SNI names the CDN's front domain while the encrypted Host header names the real endpoint; Snowflake relays through volunteer browsers over WebRTC, with a domain-fronted broker for rendezvous. None of these comes with a fixed address list to block.
- Solution:
- obfs4: flag flows whose opening bytes match no known protocol and look uniformly random (bit density near 4 bits per byte, few printable bytes). DPI products sell this as "unknown encrypted protocol" detection. Ordinary TLS is not caught, because its ClientHello is recognizable.
- meek: the transport only works where HTTPS to the CDN is allowed, so it is caught by the TLS inspection of section 4. On the wire it is indistinguishable from other long-lived connections to Azure, Amazon, Google or Cloudflare edges; per-client volume and duration are the only signals.
- Snowflake: block or inspect STUN/TURN and DTLS from workstations that have no business need for WebRTC.
Example (Snort rule for meek; the Host header sits inside TLS, so this can only fire on traffic an inspecting proxy has already decrypted, and a rule that searches the raw TCP payload for it, as an earlier version of this rule did, can never match):
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible meek pluggable transport (decrypted HTTP Host)"; flow:established,to_server; content:"meek.azureedge.net"; http_header; nocase; sid:2021002; rev:2;)
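The "unknown encrypted protocol" check for obfs4, and the correct version of the entropy advice in the monitoring section, as an added example (not code from the article or from any DPI product): it inspects only the opening bytes of a flow, exempts anything that starts with a recognizable handshake header or reads as text, and flags what is left if its bit density is what uniform random bytes produce. The thresholds are this example's own choices and all sample payloads are constructed; the obfs4 stand-in is a deterministic hash chain, not a capture.

```python
"""Classify the first bytes of a flow: known protocol, text, or fully encrypted (obfs4-like).

Added example, not code from the article or from any DPI product. The idea (a flow whose
opening bytes carry no protocol header and look uniformly random is almost certainly an
obfuscating transport) is what the "high entropy" advice points at; the thresholds are this
example's own choices. All sample payloads are CONSTRUCTED.
"""
import hashlib

# Protocol prefixes that exempt a flow: a real handshake header is the opposite of obfs4.
KNOWN_PREFIXES = [
    ("tls", (b"\x16\x03",)),                                # TLS record of type handshake
    ("dtls", (b"\x16\xfe\xfd", b"\x16\xfe\xff")),            # DTLS 1.2 / 1.0 (Snowflake's WebRTC path)
    ("http", (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")),
    ("ssh", (b"SSH-",)),
]


def bit_density(data):
    """Average number of set bits per byte; uniform random data sits at 4.0."""
    return sum(bin(b).count("1") for b in data) / len(data)


def printable_ratio(data):
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)


def longest_printable_run(data):
    best = run = 0
    for b in data:
        run = run + 1 if 0x20 <= b <= 0x7E else 0
        best = max(best, run)
    return best


def classify_flow_start(payload, window=256):
    """Look only at the opening bytes: later TLS application data is random too and must not be flagged."""
    head = payload[:window]
    for name, prefixes in KNOWN_PREFIXES:
        if head.startswith(prefixes):
            return name
    if len(head) < 32:
        return "too-short"
    if printable_ratio(head) > 0.5 or longest_printable_run(head) >= 20:
        return "text-like"                                   # some plaintext protocol without a prefix entry
    if 3.4 <= bit_density(head) <= 4.6:
        return "fully-encrypted"                             # no header, no text, balanced bits: obfs4 profile
    return "unknown-binary"                                  # structured binary (many zero bytes, etc.)


def constructed_random_stream(n, seed=b"obfs4-sample"):
    """Deterministic pseudo-random bytes standing in for an obfs4 handshake (constructed, not captured)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


SAMPLE_OBFS4_LIKE = constructed_random_stream(1024)
SAMPLE_TLS = b"\x16\x03\x01\x00\x40\x01\x00\x00\x3c\x03\x03" + bytes(60)
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_DTLS = b"\x16\xfe\xfd" + bytes(40)
SAMPLE_ZEROS = bytes(256)

if __name__ == "__main__":
    for label, sample in [("obfs4-like", SAMPLE_OBFS4_LIKE), ("tls", SAMPLE_TLS),
                          ("http", SAMPLE_HTTP), ("dtls", SAMPLE_DTLS), ("zeros", SAMPLE_ZEROS)]:
        print(f"{label:11s} -> {classify_flow_start(sample)}")
```

The prefix list is where operational tuning happens: every legitimate binary protocol on your network that is not already exempted (database drivers, VPN clients, game traffic) will land in "fully-encrypted" until you add its header, which is the same false-positive problem commercial DPI has with this class of detection.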
6. Blocking Tor Browser Downloads
Keeping the software off endpoints is cheaper than finding it on the wire, but do not count on it alone: Tor Browser is also delivered by GetTor over e-mail, from mirrors, and inside Tails, and the tor daemon ships in every major Linux distribution's package repositories.
- Solution:
- Use web filtering to block downloads from the official site and known mirrors; on managed endpoints, use application control to stop the tor binary from executing.
- Block access to https://www.torproject.org/ and its download host dist.torproject.org. This is the one place where DNS filtering does help, because a user fetching the installer does go through the local resolver.
Monitoring for Tor Usage
Even with strong blocks, some users will try to get around them, so alert on the attempts.
- Monitor Firewall Logs: one host producing a burst of denied connections to many different addresses in the relay set is the signature of a client walking its consensus in search of a reachable guard.
- SIEM Integration: Use Splunk, Graylog or the Elastic stack to join connection logs against the relay list and against DNS logs; a TLS session whose SNI no host ever resolved deserves a look.
- Check for High-Entropy Traffic: every encrypted protocol is high entropy once past its handshake, so raw entropy is not a Tor signal. What is unusual is a flow whose very first bytes are already random with no recognizable protocol header; that is how obfs4 looks.
Example (Splunk query: hosts that tried several addresses from a tor_relays lookup whose column is named dest_ip; the form dest_ip= [inputlookup ...] used in an earlier version of this query is not valid subsearch syntax):
index=firewall_logs [| inputlookup tor_relays | fields dest_ip] | stats count dc(dest_ip) AS relays_tried BY src_ip | where relays_tried > 5
DNS filtering is useful for content control but does little against Tor: the client carries relay addresses with it, bridges and pluggable transports exist to defeat address blocking, and name resolution for visited sites happens at the exit. Administrators should instead combine:
- Blocking every published relay (guards above all) and exit address from a regularly refreshed set, directory authorities included.
- Denying direct egress and forcing clients through an inspecting proxy, which Tor's link handshake cannot survive.
- DPI and IDS rules for the few Tor-specific signals that exist, correlated with DNS logs to keep false positives down.
- Flagging unidentifiable, random-from-the-first-byte flows (obfs4) and unneeded WebRTC (Snowflake).
- Blocking Tor Browser downloads and execution on managed endpoints.
Together these layers stop casual use and make determined use visible. A user with a private bridge and an obfuscated transport remains hard to block with certainty, which is why the monitoring section matters as much as the blocking ones.