How to Detect and Block TOR Browser traffic
Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships.
Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers, instant messaging clients, remote login, and other applications based on the TCP protocol.
You can download the TOR browser from the following link [1].
After discovering which destinations the TOR browser tries to connect to, we made a list of them and added it to the firewall address list TOR-SERVERS.
We also note that the TOR browser uses ports 22 and 443.
So now we can match users who are using the TOR browser with the following rules:
    ip firewall mangle
    add action=add-src-to-address-list address-list="New Tor-Users" \
        address-list-timeout=5m chain=prerouting comment="New Tor Version" \
        disabled=no dst-port=22 protocol=tcp
    add action=add-src-to-address-list address-list=Tor-Users \
        address-list-timeout=5m chain=prerouting comment="Tor Users" disabled=no \
        dst-address-list=TOR-SERVERS dst-port=443 protocol=tcp
Then we can block all traffic coming from TOR users with the following rules:
    ip firewall filter
    add action=drop chain=forward comment="Drop new TOR version" disabled=no \
        src-address-list="New Tor-Users"
    add action=drop chain=forward comment="Block TOR browser" disabled=no \
        src-address-list=Tor-Users
Also note that we have applied these rules on Mikrotik ROS 3.30 only, but we think they may work on newer versions.
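The TOR-SERVERS list that the second mangle rule matches on has to be rebuilt whenever the observed destinations change. The following Python script is an added example, not part of the original article. It turns a one-address-per-line file into `add` lines in the article's address-list syntax, dropping duplicates, malformed entries and internal ranges. The function names `parse_destinations` and `to_routeros` are chosen here, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

LIST_NAME = "TOR-SERVERS"  # list name referenced by the article's mangle rule

# Never list internal ranges: matching on them would catch ordinary LAN traffic.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample input (RFC 5737 documentation addresses, not real relays).
SAMPLE = """\
# destinations seen from the test client, one per line
192.0.2.10
192.0.2.10
198.51.100.0/24
198.51.100.7
203.0.113.300
10.0.0.5
not-an-ip
"""

def parse_destinations(text):
    """Return (networks, rejected) from one-address-per-line text."""
    nets, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        if net.version != 4 or any(net.overlaps(i) for i in INTERNAL):
            rejected.append(entry)
            continue
        nets.add(net)
    # collapse_addresses sorts, drops duplicates and entries covered by a wider one
    return list(ipaddress.collapse_addresses(nets)), rejected

def to_routeros(nets, list_name=LIST_NAME):
    """Render the networks as address-list lines (absolute menu path header)."""
    lines = ["/ip firewall address-list"]
    for net in nets:
        addr = str(net.network_address) if net.prefixlen == 32 else str(net)
        lines.append(f'add address={addr} comment="" disabled=no list={list_name}')
    return "\n".join(lines)

if __name__ == "__main__":
    networks, bad = parse_destinations(SAMPLE)
    print(to_routeros(networks) + "\n# rejected: " + ", ".join(bad))
```

Review the rejected entries before importing the output, since a typo in the input file otherwise silently shrinks the list.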