9

I've heard that many DoS attacks and general "black hat hacking" attempts occur over the Tor network. Is it possible for me to dynamically block source IPs by their presence in a botnet or similar list?

  • How effective would this be in thwarting DDoS or black hat/covert activities?

  • How would I implement such a solution? (I'm open to free or paid solutions here)

Edit

Assume that the users of this web site (or other network resource) should not be anonymous. This could either be by company policy, in the terms of service, etc.

This is an exercise in limiting risk for the service provider.

3
  • 1
    What you want to do is not possible. If it were then TOR would be useless because everyone would block it. If this is a website that is designed to be only accessed from the internal network for a company it is possible. The simple solution is to block every address except the internal ip addresses you assign.
    – Ramhound
    Commented Mar 19, 2012 at 13:08
  • @Ramhound, we can just block all the TOR exit nodes right?
    – Pacerier
    Commented Jul 17, 2012 at 20:35
  • "Assume that the users of this web site (or other network resource) should not be anonymous" => there is a huge difference between being onymous (e.g. financial services regulations) and using a privacy-protected connection. For example, Facebook requires you to use real name and may challenge you to show government ID, but they are still accessible at facebookcorewwwi.onion Commented Sep 29, 2020 at 14:05

4 Answers

10

My first thought is that if it's a DDoS attack, the source is most likely going to be infected zombie machines that the operator could care less whether they're traceable because they won't lead back to him. I'm sure a good number of black hat users use Tor to try and cover their tracks, but I'm also willing to bet there are more legitimate users on Tor than not. So essentially you could block all Tor traffic, but in the end you might end up blocking more good guys than bad guys.

4
  • I updated the question... assume part of the Terms of Service or Corporate policy is that TOR must not be used. Commented Mar 16, 2012 at 14:39
  • 1
    @Safado, why do legitimate users need to use Tor in the first place?
    – Pacerier
    Commented Jul 17, 2012 at 20:36
  • 2
    Do you honestly think that only bad guys use Tor?
    – Safado
    Commented Jul 17, 2012 at 22:48
  • 5
    @Pacerier, why do we need laws against random police officers searching random houses without any reason at all other than "You do not have anything to hide, do you?" Using Tor for legitimate purposes is good because it makes the usage of Tor less of a red flag. If Tor was only used for illegal tasks (such as reporting of human rights violation, circumventing censorship by the USA or their own countries), the risks would be even higher. Commented Aug 10, 2012 at 6:27
9

I would like to encourage you to take a look at the following links:

The Tor project has an entire FAQ page concerning abuse including a section called "I want to ban the Tor network from my service." where they elaborate on how to identify and block Tor exit nodes and what alternatives there might be to doing so.

Also there are currently 400k people using Tor, the USA being #1 with around 14% (60k). This might have a bad impact on your company's image. ("They are contra-privacy!" "They are in favour of warrantless wiretapping!", ...)
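The Tor FAQ section this answer points to describes matching requests against Tor's published exit-node list. The following is an added example, not code from the Tor project or from this answer: it parses a constructed list in the one-address-per-line shape of the bulk exit list and applies the question's "no anonymous users" policy to constructed log lines. All addresses are RFC 5737/3849 documentation ranges.

```python
import ipaddress

# Constructed sample in the one-address-per-line shape of a bulk exit list;
# these are documentation addresses, not real exit nodes.
SAMPLE_EXIT_LIST = """\
# constructed sample, one exit address per line, '#' starts a comment
198.51.100.7
198.51.100.23
203.0.113.5
2001:db8::10
garbage-line          # a malformed entry must not poison the whole list
"""

def parse_exit_list(text):
    """Return the set of addresses in a bulk exit list. Comments, blank and
    malformed lines are skipped so a damaged download degrades gracefully."""
    exits = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            exits.add(ipaddress.ip_address(entry))
        except ValueError:
            continue
    return exits

def is_tor_exit(ip, exits):
    """Exact-match membership test; unparseable input counts as not listed."""
    try:
        return ipaddress.ip_address(ip) in exits
    except ValueError:
        return False

def apply_policy(log_lines, exits):
    """Decide per constructed 'ip path' log line: a service whose terms forbid
    anonymous use refuses Tor exits with a stated reason; all else passes."""
    decisions = []
    for line in log_lines:
        ip, _, path = line.partition(" ")
        if is_tor_exit(ip, exits):
            decisions.append((ip, path, "refuse: tor-exit (terms of service)"))
        else:
            decisions.append((ip, path, "allow"))
    return decisions

# Constructed request log: one ordinary client, two Tor exits.
SAMPLE_LOG = ["192.0.2.10 /login", "198.51.100.23 /login", "2001:db8::10 /api"]
```

The exit list changes continuously, so in practice it must be re-fetched on a schedule; a stale copy both misses new exits and keeps refusing addresses that are no longer relays.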

0

A serious attack would swamp your ISP, so your local solutions would be irrelevant. Your ISP might cut you off and/or expect you to pay outrageous excess bandwidth fees.

Even one determined attacker can cause a lot of problems for a site that runs on ordinary hardware, so preparing defenses based on blocking particular IP addresses is still worthwhile.

You should also note that what you perceive as an attack is more likely just a misconfigured web crawler or other relatively innocent program misbehavior. That's good, because simple blocking is likely to be effective.

-2

I have been intermittently hit by what appeared to be a botnet. There was no logic to what it was doing in many cases, often hitting the same URLs 10,000s of times per day.

It came and went. But recently I was hit by a giant number of IPs, with up to 1,000 requests per second, i.e. enough to kill my server. It was not apparent if this was web scraping, DDOS or something else.

It followed the same footprint as the previous hits; that is, the bulk of the requests came from Vietnam, Thailand, Korea, Japan, Indonesia, Brazil, Serbia, Pakistan and the US.

However this time there were evidently IPs from more or less every country, all residential.

From reading I have heard reports of a similar problem for others. The solution is to block certain AS number ranges of IPs. This can be done in CloudFlare, like:

(ip.geoip.asnum in {17451 17974 17586 41786 3786 17506 4721 17511 2497 63859 2514 45899 8452 7552 4766 3462 7713 29614 39832 26599 4760 12389 9829 9299 18403 45015 198961 36947 24560 9318 36903 23969 55836 47331 45758 45595 6697 45609 25019 8048 8151 27775 9304 28573 17552 132199 5384 4788 263535 9121 133481 4713 37457 6830 17501 4804 17488 38266 28885 16735 17676 6147 3215 24086 53006 24309 17924 34984 3320 4609 9198 8708 24863 38264 29975 2516 45271 131269 16190 10620 29465 23700 131090 22047 3352 8402 24835 35819 262186 18881 16509 50710 30722 17917 9541 17639 58224 3269 6799 2905 36873 17858 268030 18809 266532 30986 39891 2119 45629 12479 13999 27699 24186 23860 10139 204578 6400 53180 133982 7738 263137 14618 13489 42298 45916 22085 16010 22927 11796 10481 15895 23889 5617 29256 39651 22884 3243 8400 11427 36925 31549 5410 2527 33771 2860 27747 1267 12880 15399 200064 132165 31042 9329 6849 52760 37168 14117 36992 13188 25229 131596 23693 37705 9506 7418 37105 16135 3301 24940 262617 9269 9498 14754 2609 17465 8376 43766 4775 139526 18207 8369 17072 6805 37075 21003 198668 5769 3209 45769 27947 15802 8386 23674 12353 24757 12430 28548 1136 12322 19429 12083 17809 9009 7303 8167 264158 35805 42961 17882 15704 42863 15557 47524 17665 23944 3816 37611 8473 33915 9824 264527 31334 1299 45543 35699 10318 36884 44244 45143 18209 8544 4780 25144 37693 38623 37492 29518 45011 18001 8881 16086 12252 4771 8346 25472 5416 3329 29119 5391 4761 6821 12978 55430 36351 18126 37347 131207 45903 24323 9050 45184 12578 26615 27831 9873 12735 6713 21299}) or (ip.geoip.asnum in {10297 7922 35862 701 577 5089 1221 20115 20001 209 22773 6128 7545 7018 6327 5650 2856 20057 13285 11796 10796 35228})

That is a list of most AS numbers that are hitting me.

If you are not using CloudFlare take those numbers and make rules for your server from here:

https://www.enjen.net/asn-blocklist/

I pass them over to JS browser testing in CloudFlare, which is blocking about 99% of the attack.

I suspect this is a service, like Proxy Rack, which is paying ISPs for use of their IPs. So by blocking/bot testing all traffic from those ISPs, you stop the attack and the vast majority of your traffic is unaffected.

4
  • Blocking an ASN is a blunt instrument to block large sections of IPs indiscriminately. This is not a solution to block Tor traffic or botnets.
    – schroeder
    Commented Sep 29, 2020 at 14:28
  • @schroeder I am passing them to a JS bot test, which is blocking most of the attack while having virtually no effect on other traffic. What else would you suggest if you're being attacked by millions of IPs from several hundred ISPs? They apparently have access to all the IPs from these ISPs. So I can't block them individually. I've spent the last month constantly switching in new block rules to various footprints which no longer exist; to the cost of about $10,000. There are a number of services that offer huge numbers of residential IPs to web scrapers etc. I can't see any other way... Commented Sep 29, 2020 at 19:07
  • to block them other than find the ISP ASNs. If I'd started with this I wouldn't have wasted so much time, lost ad revenue and had the server crashed with corrupt DBs. Commented Sep 29, 2020 at 19:08
  • That's a solution to your problem. That's not an answer to the question asked.
    – schroeder
    Commented Sep 29, 2020 at 19:29
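This answer's Cloudflare rule and the comment thread turn on one point: an ASN covers a whole provider, so the decision should rest on measured request rate and send offenders to a challenge rather than an outright block. The following is an added example (not the answerer's rule and not Cloudflare code) in Python that maps source addresses to ASNs by longest-prefix match and applies such a rate-based challenge policy. The prefix table, ASNs and log lines are constructed; a real deployment would take the table from a GeoIP/ASN database.

```python
import ipaddress
from collections import Counter

# Constructed prefix->ASN table standing in for an ASN database
# (private-use ASNs and RFC 5737/3849 documentation prefixes).
ASN_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), 64500),
    (ipaddress.ip_network("198.51.100.0/24"), 64501),
    (ipaddress.ip_network("198.51.100.128/25"), 64502),  # more specific than the /24
    (ipaddress.ip_network("203.0.113.0/24"), 64503),
]

def lookup_asn(ip):
    """Longest-prefix match; None when the address falls in no known prefix."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in ASN_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None

def asn_request_counts(log_lines):
    """Count requests per ASN from constructed 'epoch ip path' log lines."""
    counts = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            asn = lookup_asn(parts[1])
        except ValueError:
            continue  # unparseable address: skip the line, keep counting
        counts[asn if asn is not None else "unknown"] += 1
    return counts

def challenge_policy(counts, window_seconds, rate_threshold):
    """ASNs above the per-second threshold get a challenge (e.g. a JS test),
    never a block, so ordinary customers of a noisy ISP still get through."""
    return {asn: ("challenge" if n / window_seconds > rate_threshold else "allow")
            for asn, n in counts.items()}

SAMPLE_LOG = [  # constructed: a 10-second window, one request per line
    "1600000000 198.51.100.20 /", "1600000001 198.51.100.21 /",
    "1600000002 198.51.100.22 /", "1600000003 198.51.100.23 /",
    "1600000004 198.51.100.24 /",                                   # 5 from AS64501
    "1600000005 192.0.2.8 /about", "1600000006 192.0.2.9 /about",   # 2 from AS64500
    "1600000007 198.51.100.200 /",                                  # AS64502 (the /25)
    "1600000008 203.0.113.4 /", "1600000009 2001:db8::1 /",         # AS64503, unknown
]
```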
