0

I have just implemented a new web-filtering proxy system for my organisation, and I was wondering what the recommendations would be to test the use of Tor through this web-proxy.

We are doing SSL inspection, but I was wondering if I would see any material difference in the traffic that was going through, and even if I could tell if it was Tor or not ?

Thoughts?

forest
  • 64,616
  • 20
  • 206
  • 257
KingJohnno
  • 1,155
  • 2
  • 11
  • 19
  • It shouldn't be possible to tell if traffic is coming from Tor unless you have a list of exit nodes - and there aren't any such lists (that are reliable, anyway) available to the public. – KnightOfNi Mar 18 '15 at 23:22
  • @KnightOfNi [This](https://check.torproject.org/exit-addresses) isn't a reliable list of exit nodes? – cpast Mar 22 '15 at 21:59
  • @cpast I stand corrected! – KnightOfNi Mar 22 '15 at 22:33

2 Answers2

1

From Detecting TOR Communication in Network Traffic:

A successful method for detecting Tor traffic is to instead utilize statistical analysis of the communication protocol in order to tell different SSL implementations apart. One of the very few tools that has support for protocol identification via statistical analysis is CapLoader.

Clearly, this is a difficult task and probably not altogether reliable.

There is, however, a public list of Tor Exit Nodes. Which may help! Others have also noted that many exit nodes identify themselves with a Tor related name. More information is available in a previous answer "Detecting Tor proxy by reading request headers".

forest
  • 64,616
  • 20
  • 206
  • 257
Julian Knight
  • 7,092
  • 17
  • 23
0

Many application aware firewalls and proxies can detect Tor and alert or block on it on their own.

Also, you could implement Bro-IDS with Critical Stack Intel and use their updated tor exit node list to alert or report on.

https://intel.criticalstack.com/

tyh
  • 36
  • 2