How to Use Falco for Tor IP Detection

Tor (originally The Onion Router) is an overlay network that routes a client's traffic through several encrypted hops so that the destination never learns the client's real IP address. It was built with privacy in mind, but attackers use it for the same reason: to hide their origin while scanning, exploiting, running command and control and exfiltrating data. Knowing when traffic to or from your systems involves the Tor network is therefore a useful signal for your organisation's detection stack. In this article we show how to detect inbound and outbound Tor connections on your hosts using Falco.

The Tor Project publishes the current set of exit nodes as a downloadable list (the bulk exit list) and as a DNS-based lookup service (TorDNSEL). Both have the same limitation: they describe the set of exit addresses at one moment in time. Relays join and leave the network continually, so a downloaded list goes stale quickly, and anything built on it has to be refreshed on a schedule. Organisations that need to identify Tor traffic generally want a detection that fires when a connection actually happens, fed by an address list that is kept current, rather than a one-off snapshot.

Network intrusion detection engines such as Snort and Suricata can detect Tor traffic with rules that match the source or destination address of packets against a list of known exit nodes. (They cannot do it by watching DNS for .onion names: .onion addresses are resolved inside the Tor network, not through your DNS resolvers.) This works, but the sensor has to sit on the network path, typically on a span port, firewall or router, and the address list embedded in the rules has to be refreshed regularly or detection silently decays as the exit set changes.

Falco takes a different vantage point. It is an open-source runtime security tool that runs on Linux hosts and Kubernetes nodes, captures system calls through a kernel module or eBPF probe, and evaluates them against YAML rules. Network activity shows up as connect and accept system calls, so a rule can flag an outbound connect() whose destination address (fd.sip) is on a list of Tor exit nodes and an inbound accept() whose client address (fd.cip) is on that list. No network tap is needed, and the alert carries the process, user and container that made or received the connection, which is exactly the context a network sensor lacks. Two caveats: Falco does not run on Windows or macOS endpoints and is not a plugin for firewalls, routers or web application firewalls (its alerts are forwarded to those systems and to your SIEM through Falco's outputs); and the exit-node list only identifies traffic arriving from Tor. A client on your network entering Tor connects to a guard relay, not an exit, so outbound detection needs the full relay list rather than the exit list. In both cases the list still has to be regenerated regularly and Falco reloaded.
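The following script is an added example written for this article; it is not part of the Falco project. It turns a Tor exit list into a Falco rules file containing a `tor_exit_nodes` list and two rules, one for outbound connect() calls to a listed address and one for inbound accept() calls from one, so that the list can be regenerated on a schedule. The list name, rule names and the embedded sample addresses are assumptions: the sample uses RFC 5737 documentation addresses, not real exit nodes. The filter fields (fd.sip, fd.cip, fd.typechar, evt.dir, evt.rawres, evt.res) are Falco's own.

```python
"""Build a Falco rules file from a Tor exit-node list (added example, not Falco code).

Accepts the one-address-per-line format of the bulk exit list as well as the
older 'ExitAddress <ip> <timestamp>' format. Re-run on a schedule and reload
Falco so the list stays current.
"""
import ipaddress
import re
import sys
from typing import Iterable, List

# Constructed sample in both formats. RFC 5737 documentation addresses,
# NOT real Tor exit nodes; the IPv6 and junk lines exercise the filtering.
SAMPLE_EXIT_LIST = """\
# comment line, ignored
198.51.100.7
203.0.113.42
ExitAddress 203.0.113.42 2024-01-01 00:00:00
ExitAddress 198.51.100.200 2024-01-01 00:00:00
2001:db8::1
not-an-address
"""

_EXIT_ADDRESS = re.compile(r"^ExitAddress\s+(\S+)")


def parse_exit_list(text: str) -> List[str]:
    """Return the unique IPv4 exit addresses in text, sorted numerically.

    Blank lines, comments and unparsable tokens are skipped. IPv6 entries are
    dropped as well, because the generated rules use fd.typechar = 4.
    """
    found = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _EXIT_ADDRESS.match(line)
        token = m.group(1) if m else line.split()[0]
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # 'not-an-address' and similar junk
        if addr.version == 4:
            found.add(addr)
    return [str(a) for a in sorted(found)]


def render_falco_rules(addresses: Iterable[str], list_name: str = "tor_exit_nodes") -> str:
    """Render a Falco rules YAML document (one list, two rules) as a string.

    fd.sip is the remote (server) address of an outbound connect(); fd.cip is
    the remote (client) address of an inbound accept(). fd.typechar = 4 limits
    matching to IPv4 sockets; the evt.rawres / evt.res test drops failed
    connection attempts so only established connections alert.
    """
    addrs = list(addresses)
    if addrs:
        items_block = "  items:\n" + "\n".join(f"    - {a}" for a in addrs)
    else:
        items_block = "  items: []"  # valid, but the rules can never match
    return f"""\
# Generated from a Tor exit list; regenerate on a schedule, then reload Falco.
- list: {list_name}
{items_block}

- rule: Outbound Connection to Tor Exit Node
  desc: A process opened a connection whose destination is a known Tor exit address
  condition: >
    evt.type = connect and evt.dir = < and fd.typechar = 4
    and (evt.rawres >= 0 or evt.res = EINPROGRESS)
    and fd.sip in ({list_name})
  output: >
    Outbound connection to Tor exit node (command=%proc.cmdline connection=%fd.name
    user=%user.name container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [network, tor]

- rule: Inbound Connection from Tor Exit Node
  desc: A listening process accepted a connection from a known Tor exit address
  condition: >
    evt.type in (accept, accept4) and evt.dir = < and fd.typechar = 4
    and evt.rawres >= 0
    and fd.cip in ({list_name})
  output: >
    Inbound connection from Tor exit node (command=%proc.cmdline connection=%fd.name
    user=%user.name container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [network, tor]
"""


def build_rules_from_text(text: str) -> str:
    """Parse an exit list and render the Falco rules for it in one step."""
    return render_falco_rules(parse_exit_list(text))


if __name__ == "__main__":
    # Usage: python tor_falco_rules.py downloaded-exit-list.txt > tor.yaml
    # Without an argument the constructed sample is used so it runs offline.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXIT_LIST
    print(build_rules_from_text(source))
```

Write the output to a file in Falco's rules directory (for example /etc/falco/rules.d/tor.yaml) and send Falco SIGHUP or restart it so the new list is loaded; the same cron job that downloads the fresh exit list should do both. To cover the outbound direction properly, feed the generator a full relay list instead of the exit list, as discussed above.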

An additional benefit of detecting Tor traffic with Falco is that alerting can precede, or replace, blocking. The alerts show which services receive connections from Tor exit nodes and which processes on your hosts reach out to the Tor network, so the security team can decide on evidence whether a blanket block is appropriate, whether a more targeted block (a single service, a single host) is enough, or whether monitoring alone is the right answer.

Piotr Duszynski, a security consultant, recently described a technique that exposes a user's real IP address even when they are using the Tor network. Beyond the privacy implications, it is a reminder of how sophisticated threat actors can be across reconnaissance, exploitation, command and control and data exfiltration. Network defenders should look closely at any substantial exchange with Tor exit nodes in NetFlow, packet captures (PCAP) and web server logs for indications of malicious behaviour, and correlate it with other signals such as DNS lookups for Tor-related domains, browser fingerprinting and malware findings on the user's system. Together these allow a team to determine quickly whether a Tor connection belongs to a threat actor and to respond accordingly.