For those not familiar with TOR, it is an open source anonymity service that allows users to connect to a volunteer network and browse the internet without their identity being revealed.
TOR is a service for those who want to hide their identity or just don’t want their internet usage tracked by marketing companies or other sources. It can also be a liability in the corporate environment, because data can leak through it to a difficult-to-trace destination.
TOR currently uses a set list of servers. If you can get this information, you can block all TLS/SSL traffic to those servers and stop users from using TOR from inside your networks via firewall, IPS, or other methods, such as products that leverage NetFlow data like Arbor SP or Arbor Peakflow X.
The TOR community is working towards making the detection of TOR usage even more complicated. One of the methods would involve giving any system the ability to act as a bridge. This would allow you to set up your home system as a bridge to the TOR network, hiding the connection to the TOR servers. This of course would make it impossible to stop via IP addresses.
Another idea that was expressed is making TOR look more like other applications so traffic analysis tools cannot be used to detect its use.
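The list-based approach described above, and the bridge limitation that follows it, can be seen by matching flow records against a relay list. This is an added example, not code from the original post: the `ip:port` relay list format, the CSV flow layout, and all addresses are constructed for illustration and are not the export format of Arbor or any other product.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed relay list, one "ip:port" per line (assumed format).
RELAY_LIST = """\
# constructed sample using documentation address ranges
192.0.2.10:443
192.0.2.10:9001
198.51.100.7:9001
"""

# Constructed flow records: src,dst,dport,proto,bytes
FLOWS = """\
10.1.4.22,192.0.2.10,443,tcp,48211
10.1.4.22,198.51.100.7,9001,tcp,120934
10.1.9.5,203.0.113.80,443,tcp,9120
10.1.7.31,203.0.113.99,443,tcp,77120
172.16.0.9,192.0.2.10,80,tcp,512
"""
# 203.0.113.99 stands in for an unlisted bridge: it is absent from RELAY_LIST.

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]

def load_relays(text):
    """Parse the relay list into a set of (address, port) pairs."""
    relays = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, port = line.rpartition(":")
        relays.add((ipaddress.ip_address(host.strip("[]")), int(port)))
    return relays

def find_tor_clients(flow_text, relays):
    """Return per-internal-host totals for TCP flows to listed relays."""
    hits = defaultdict(lambda: {"flows": 0, "bytes": 0, "relays": set()})
    for src, dst, dport, proto, nbytes in csv.reader(io.StringIO(flow_text)):
        if proto != "tcp" or not any(ipaddress.ip_address(src) in n for n in INTERNAL):
            continue
        if (ipaddress.ip_address(dst), int(dport)) in relays:
            hits[src]["flows"] += 1
            hits[src]["bytes"] += int(nbytes)
            hits[src]["relays"].add(f"{dst}:{dport}")
    return dict(hits)
```

The flow from 10.1.7.31 to the unlisted bridge address is not reported, which is the gap the bridge design creates for any address-based control.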
©2010 by Priveon, Inc.