Tor - The Onion Router

  • Published: Wednesday, July 29, 2020

Tor is software that allows a user to move through the Internet anonymously. It encrypts traffic and routes it through multiple layers of nodes and relays to avoid identification and censorship. The software is maintained by the Tor Project, a nonprofit organization, for the purpose of giving users private access to an uncensored Internet.

However, Tor has also become a useful tool for cyber criminals. Malicious actors can use Tor to conceal their activities and identity, making it harder to trace where the activity originated. Tracing a connection back to its source produces the IP address of one of the Tor exit nodes rather than the threat actor's IP.

This makes it difficult for organizations to mitigate and respond to attacks that use Tor. Maintaining and reviewing logs is important for spotting anomalies in network activity. More aggressive measures can be put in place as well: you could block all Tor traffic based on published lists of Tor entry and exit nodes. This is a very restrictive measure, as it could also inhibit legitimate traffic.

Monitoring can be very resource intensive. Familiarize yourself with the activity seen on the ports Tor uses: TCP and UDP ports 9001, 9030, 9040 and 9050, as well as TCP ports 443 and 8443. Be sure to examine any large data flows associated with these ports. Another indication of Tor activity is DNS queries for domains ending in torproject.org or .onion.
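As an added example (not code from the original post), the script below checks those indicators against log records: it parses constructed key=value flow and DNS records, flags the listed ports, placeholder Tor node addresses, large transfers, and torproject.org or .onion queries. The record format, the byte threshold and the node addresses are assumptions; ports 443 and 8443 are only raised together with a second signal, since they also carry ordinary web traffic.

```python
import ipaddress
# Ports the post calls out: 9001/9030/9040/9050 on TCP or UDP, 443/8443 on TCP only.
TOR_PORTS_ANY_PROTO = {9001, 9030, 9040, 9050}
TOR_PORTS_TCP_ONLY = {443, 8443}
LARGE_FLOW_BYTES = 5_000_000  # assumed threshold; tune to the network's own baseline
# Placeholder addresses standing in for a published Tor node list (not real relays).
KNOWN_TOR_NODES = {ipaddress.ip_address(a) for a in ("203.0.113.5", "198.51.100.77")}

def flag_flow(proto, dst_ip, dst_port, byte_count):
    """Reasons a flow record deserves review; an empty list means nothing notable."""
    reasons = []
    if ipaddress.ip_address(dst_ip) in KNOWN_TOR_NODES:
        reasons.append("known-tor-node")
    large = byte_count >= LARGE_FLOW_BYTES
    # 443/8443 also carry ordinary web traffic, so on those ports require a second
    # signal (known node or large transfer) before raising the flow.
    if dst_port in TOR_PORTS_ANY_PROTO or (
            proto == "TCP" and dst_port in TOR_PORTS_TCP_ONLY and (reasons or large)):
        reasons.append(f"tor-port:{proto}/{dst_port}")
    if reasons and large:
        reasons.append("large-flow")
    return reasons

def flag_dns(qname):
    """Label queries for torproject.org or .onion names; None otherwise."""
    q = qname.lower().rstrip(".")
    if q == "torproject.org" or q.endswith(".torproject.org"):
        return "torproject-domain"
    return "onion-domain" if q.endswith(".onion") else None

def review_log(lines):
    """Parse key=value records (constructed format) and return notable (line, reasons)."""
    findings = []
    for line in lines:
        rec = dict(kv.split("=", 1) for kv in line.split())
        if rec["type"] == "dns":
            reasons = [r for r in [flag_dns(rec["query"])] if r]
        else:
            reasons = flag_flow(rec["proto"].upper(), rec["dst"], int(rec["dport"]), int(rec["bytes"]))
        if reasons:
            findings.append((line, reasons))
    return findings
# Constructed sample records; the third line is ordinary HTTPS and should not be raised.
SAMPLE_LOG = [
    "type=flow proto=tcp src=10.0.0.5 dst=203.0.113.5 dport=443 bytes=12000000",
    "type=flow proto=udp src=10.0.0.9 dst=192.0.2.20 dport=9001 bytes=4096",
    "type=flow proto=tcp src=10.0.0.7 dst=192.0.2.40 dport=443 bytes=2048",
    "type=dns query=metrics.torproject.org",
    "type=dns query=example.onion.",
]
```

Running `review_log(SAMPLE_LOG)` returns four findings; the plain HTTPS flow on the third line is left alone.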

Understanding how Tor works can help you arrive at a safe configuration for your network.

Resources:
Defending Against Malicious Cyber Activity Originating from Tor
Tor Project