SecureState Blog

Read SecureState's award winning blog.

How to prevent & detect attacks that utilize TOR

“TOR is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet,” according to TORProject.org. TOR is a type of Darknet or private network in which the network connections are only established between trusted pairs. Originally an extension of ARPANET, the government project which led to the current Internet, and developed by the United States Navy. TOR is the largest of these Darknets, publicly available, which are being used to access anonymous networks and permit individuals to access content in a discrete manor. All done in order to obscure the identity of the user and their associated Internet activity from any type of oversight. It is estimated that over a million users are currently utilizing TOR networks around the world. In the end, these types of Darknets create an unseen network bundled within the internet we all us every day.

Due to the original intent of Darknets, like TOR, to disguise data traffic within the Internet, it is extremely effective and just as equally harmful. Each node or dedicated system within the Darknet has a public IP address that relays encrypted communications from one node to another, between peers of the service, virtually anonymously. By design, these public IP addresses for the nodes are readily available through open source research, but these nodes, and the public information about them can change at any given moment. As a result, they are incredibly difficult to detect and block for any sustainable time by the typical blacklist methodologies. The use of TOR as the means to carryout cybercrimes and other malicious activities is not uncommon. An attacker will begin the attack by first getting access to TOR, which is quite easy with the software available today. Due to the sheer nature of these networks, criminals have adapted their tactics to use the anonymity and flexibility of the nodes to carry out all sorts of illegal activities, virtually unidentified. Attackers use TOR as a means to mask their activities by tunneling unseen through your network, as the traffic goes out and bounces from node to node, until reaching the end system. The receiving end is only able to see the exit node, it cannot tell where the call originated from nor the path taken. As a result, an organization cannot trace the attack back to an attacker. Many organizations can detect large attacks against their network resources, or even the exfiltration of large amounts of data, but the key is in the prevention of the initial connections outbound of the network. As mentioned earlier, the blacklisting of public IP space changes to frequently to be effective. What is see most commonly found in many organizations is the lack of preventative controls. Controls such as, the prevention of tunneling, whether through network segmentation and/or routing. Additionally, most organizations do not monitor their port traffic or systems which may be port hopping. Port hopping is similar to frequency hopping by incorporating the continuously changing of the port being used in order to bypass defenses or go under the radar of most monitoring currently being done. As you may have noted, these types of attacks are easily implemented so the focus needs to be on the prevention and early detection of the behavior demonstrated by these types of attacks.

While there are a variety of methods that can be used in the prevention and detection of attacks utilizing TOR, they can be time consuming and costly to initially set up. An equally effective, yet faster way to prevent these attacks is to begin with a list of all known TOR nodes and block them.  It is by no means a solution, but it will help in the initial phases of your defense. Normally this is a simple configuration setting within the firewall of your networks, but always be sure that alerts from the firewalls are set to trigger for any device attempting to connect to that list. The method to update this will depend on the firewall product you use, but most often requires manual review of the IPs and in turn add or remove IPs as needed. This will be a short time prevention by blocking any currently known nodes from establishing a connection with your networks. Additional, methods should include:

1. Deep-Packet Inspection

2. Filter Web traffic for malicious URLs or outbound attempts to IP addresses

3. Implement strict network segmentation

4. Split DNS zones to prevent DNS tunneling

5. Establish control of IMCP Zones to prevent ICMP tunneling