topic Re: Blocking Tor with Toro in Advanced Threat Prevention Discussions

Blocking Tor with Toro

jfolkins — Mon, 26 Nov 2018 03:40:49 GMT

I recently had to work with local and federal law enforcement to resolve the following.

http://www.ktvz.com/news/mtn-view-hs-bomb-threat-traced-to-eugene-14-year-old/653184885

Because of this, I've created a small piece of software (MIT Licensed) that caches the ip addresses of Tor exit nodes, and creates configuration files for different services (PaloAlto, Apache, Nginx, Iptables) in order to block Tor.

~~https://www.toro.tech~~

https://toro.threathound.com

Toro was built with the Go programming language, so consuming the Tor exit node ip addresses, updating the local database, and serving the configuration files over http all happen within a single process served by a single binary.

I realize that a truly motivated attacker won't be stopped by this but I think it will help weed out certain types of offenders and potentially lead to less wasted resources for certain threat models.

Feel free to ask questions.

Re: Blocking Tor with Toro

remerson — Tue, 20 Feb 2018 19:18:16 GMT

Okay to point a External Dynamic List entry to your directory for Palo Alto?

Re: Blocking Tor with Toro

jfolkins — Tue, 20 Feb 2018 21:13:59 GMT

It is a performant application, so if your threat model allows, feel free to consume the list directly. If things get crazy, I'll rate limit it to once every thirty minutes. Though I do not antipicate this.

Re: Blocking Tor with Toro

mivaldi — Tue, 20 Feb 2018 23:54:46 GMT

Thank you.

It looks like the EDL for Palo Alto Networks currently available at:

https://www.toro.tech/paloalto/minutes/1440

It would also look like the 1440 value in the URL is a value for 'last-n-minutes'. What does this refer to? Would an user benefit in any way by modifying this default value?

Re: Blocking Tor with Toro

jfolkins — Mon, 26 Nov 2018 03:44:32 GMT

> It would also look like the 1440 value in the URL is a value for 'last-n-minutes'. What does this refer to?

In plain english.

"Give me all the exit node IP addresses that were part of the network in the last day (1440 minutes)."

> Would an user benefit in any way by modifying this default value?

If you only want the freshest data then append https://toro.threathound.com/paloalto/minutes/15 minutes.

If you are paranoid and do not want any known associated node in the last year, append https://toro.threathound.com/paloalto/minutes/15 minutes.

The default of 1440 is simply the last day and seemed reasonable.

Re: Blocking Tor with Toro

mivaldi — Wed, 21 Feb 2018 01:54:18 GMT

Thank you for sharing!

Re: Blocking Tor with Toro

jfolkins — Wed, 21 Feb 2018 22:32:26 GMT

You are welcome.

Re: Blocking Tor with Toro

jfolkins — Sat, 07 Jul 2018 02:29:14 GMT

By popular demand, a powershell .ps1 script is now an option.

Re: Blocking Tor with Toro

jfolkins — Mon, 26 Nov 2018 03:42:15 GMT

The domain was going to cost too much for a free project. Added it as a sub domain. Still the same service with the same aggregated IP addresses in the database 🙂

https://toro.threathound.com