Pau Lo


VPN and Tor IP data

I’ve read a few conflicting and questionable articles online about this subject, so wanted some clarification and second opinions.
If you suspect a visitor to your website/app was using a VPN connection, or Tor Browser (or any new & more popular anonymity tools/techniques) to hide their location & details, and if your site/application collects IP addresses for site visits and actions, e.g. form submission, would there be any way from the IP address alone to suspect the use of VPN/Tor by the site visitor?
Secondly, if a user was using a VPN connection for anonymity objectives/to hide their true geo-location, does the IP address that would appear in the logs constantly update & change during a browsing session, or, if for example they were browsing a site over the course of a couple of hours, would the logs always show the same address, or different ones?
Tags: Networking, Web Browsers, VPN, Security, Web Servers

ASKER CERTIFIED SOLUTION
Bembi

Pau Lo

ASKER

That was what I was trying to understand, could you prove and filter from a sample of 100 users who have visited your site, based on the IP addresses, which are behind a VPN gateway, based on the IP detailed in your logs. That would be sufficient for what we need to prove, as it may be a red flag for progressing what they submit in a form. In layman's terms: how can you differentiate a VPN gateway IP in your access logs, as opposed to a user who is not accessing your site whilst using a VPN service? Or is it impossible to differentiate?
Bembi

As I said, a VPN gateway provider uses a defined address subnet, so you can identify the single VPN provider.
With Tor it is much more difficult, as you have to identify all Tor gateways, as they are selected by chance.
And as even Tor gateways will change, you can identify a few, but possibly not all.

SOLUTION
btan

SOLUTION
Dr. Klahn

Pau Lo

ASKER

as a subscription to one of the commercial blocking lists is required

can you suggest any of such lists please so I can look into them?
btan

Though the Blocklists of Suspected Malicious IPs can be helpful
Bembi

Just being curious... Why do you want to block this traffic?
Pau Lo

ASKER

We don't want to block it, it would just be useful for some submissions on a web form to determine if the user(s) were using any obvious anonymity techniques to disguise their location.
btan

Not sure if sustainable if done on an ad hoc basis; useful guidance - https://us-cert.cisa.gov/ncas/alerts/aa20-183a

The list of Tor exit node IP addresses is actively maintained by the Tor Project’s Exit List Service, which offers both real-time query and bulk download interfaces (see https://blog.torproject.org/changes-tor-exit-list-service). Organizations preferring bulk download may consider automated data ingest solutions, given the highly dynamic nature of the Tor exit list, which is updated hourly. Network defenders should closely inspect evidence of substantial transactions with Tor exit nodes—revealed in netflow, packet capture (PCAP), and web server logs—to infer the context of the activity and to discern any malicious behavior that could represent reconnaissance, exploitation, C2, or data exfiltration.

Using a behavior-based approach, network defenders can uncover suspicious Tor activity by searching for the operational patterns of Tor client software and protocols. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports commonly affiliated with Tor include 9001, 9030, 9040, 9050, 9051, and 9150. Highly structured Domain Name Service (DNS) queries for domain names ending with the suffix torproject.org is another behavior exhibited by hosts running Tor software. In addition, DNS queries for domains ending in .onion is a behavior exhibited by misconfigured Tor clients, which may be attempting to beacon to malicious Tor hidden services.

Different handling for considerations:

Most restrictive approach: Block all web traffic to and from public Tor entry and exit nodes. Organizations that wish to take a conservative or less resource-intensive approach to reduce the risk posed by threat actors’ use of Tor should implement tools that restrict all traffic—malicious and legitimate—to and from Tor entry and exit nodes. Of note, blocking known Tor nodes does not completely eliminate the threat of malicious actors using Tor for anonymity, as additional Tor network access points, or bridges, are not all listed publicly.  

Less restrictive approach: Tailor monitoring, analysis, and blocking of web traffic to and from public Tor entry and exit nodes. There are instances in which legitimate users may leverage Tor for internet browsing and other non-malicious purposes. For example, deployed military or other overseas voters may use Tor as part of the voting process to escape monitoring by foreign governments. Such users may use Tor when visiting elections-related websites, to check voter registration status, or to mark and then cast absentee ballots via email or web portal. Similarly, some users may use Tor to avoid tracking by advertisers when browsing the internet. Organizations that do not wish to block legitimate traffic to/from Tor entry/exit nodes should consider adopting practices that allow for network monitoring and traffic analysis for traffic from those nodes, and then consider appropriate blocking. This approach can be resource intensive but will allow greater flexibility and adaptation of defensive.

Blended approach: Block all Tor traffic to some resources, allow and monitor for others. Given the various licit and illicit uses of Tor, a blended approach may be an appropriate risk mitigation strategy for some organizations (i.e., intentionally allowing traffic to/from Tor only for specific websites and services where legitimate use may be expected and blocking all Tor traffic to/from non-excepted processes/services). This may require continuous re-evaluation as an entity considers its own risk tolerance associated with different applications. The level of effort to implement this approach is high.
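The two checks discussed in this thread (Bembi's point that a VPN provider's gateways fall in known subnets, and the CISA guidance on matching web-server log IPs against the Tor exit list) can be combined into one log-triage pass. The script below is an added example, not code from the thread or from CISA; the provider name, the CIDR ranges, the exit-node IPs and the log lines are all constructed placeholders standing in for a real VPN/proxy list and an hourly Tor Exit List download.

```python
import ipaddress
import re

# Constructed sample feeds. In practice VPN_PROVIDER_SUBNETS comes from a commercial
# VPN/proxy list and TOR_EXIT_IPS from the Tor Project's Exit List Service (updated hourly).
VPN_PROVIDER_SUBNETS = {                 # hypothetical provider -> CIDR ranges
    "ExampleVPN": ["203.0.113.0/24"],
}
TOR_EXIT_IPS = {"198.51.100.17", "198.51.100.42"}

# Constructed Apache/nginx combined-format access log lines.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /form/submit HTTP/1.1" 200 512
198.51.100.17 - - [10/Oct/2023:13:57:01 +0000] "POST /form/submit HTTP/1.1" 200 498
192.0.2.44 - - [10/Oct/2023:14:02:12 +0000] "GET /index.html HTTP/1.1" 200 1024
not-an-ip - - [10/Oct/2023:14:05:00 +0000] "GET /robots.txt HTTP/1.1" 404 0
203.0.113.77 - - [10/Oct/2023:14:10:09 +0000] "GET /about HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def classify_ip(ip_str):
    """Return 'tor', 'vpn:<provider>' or 'direct' for one client address.

    Raises ValueError for strings that are not IP addresses.
    """
    ip = ipaddress.ip_address(ip_str)
    if ip_str in TOR_EXIT_IPS:           # exact match against the exit list
        return "tor"
    for provider, cidrs in VPN_PROVIDER_SUBNETS.items():
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return f"vpn:{provider}"      # subnet match identifies the provider
    return "direct"

def flag_log(text):
    """Parse combined-format lines; return [(ip, request, label)] for VPN/Tor hits.

    Malformed lines and unparsable addresses are skipped, not treated as hits.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            label = classify_ip(m["ip"])
        except ValueError:
            continue
        if label != "direct":
            hits.append((m["ip"], m["req"], label))
    return hits
```

A "direct" result only means the address is not on the lists you loaded; as the CISA text notes, Tor bridges are not all published, so the absence of a match is not proof that no anonymity tool was used.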
