07-01-2013 06:37 AM - edited 03-11-2019 07:05 PM
Hello Group. I am looking into methods to block TOR network activity both inbound and outbound. Outbound is pretty straightforward by utilizing IPS and AV signatures. Inbound seems to be a little more involved. Preventing inbound traffic requires blocking all of the TOR exit nodes, which comprise a list of multiple thousands of IPs, including a small percentage that are dynamic. Does the ASA Botnet Filter encompass these IPs?
Thanks in advance for any input.
/JT
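An added example, not part of the original post: one way to keep an ASA object-group in step with a changing exit-node list is to diff two snapshots and emit only the changes. The list contents, the group name `TOR-EXIT-NODES` and the ACL name `OUTSIDE-IN` are assumptions made for illustration, and the sketch handles IPv4 only.

```python
import ipaddress

# Constructed sample lists (documentation address ranges), one address per line.
YESTERDAY = """\
# constructed sample, not real exit nodes
192.0.2.10
198.51.100.7
203.0.113.25
"""
TODAY = """\
192.0.2.10
203.0.113.25
203.0.113.99
203.0.113.99
not-an-ip
2001:db8::1
"""

GROUP = "TOR-EXIT-NODES"  # hypothetical object-group name
ACL = "OUTSIDE-IN"        # hypothetical ACL already bound to the outside interface


def parse_exit_list(text):
    """Return the set of valid IPv4 addresses in a one-per-line list."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            continue  # skip malformed entries rather than emit bad config
        if addr.version == 4:  # this sketch handles IPv4 only
            addrs.add(addr)
    return addrs


def asa_delta(old, new, group=GROUP, acl=ACL):
    """ASA commands that move the object-group from `old` to `new`."""
    cmds = [f"object-group network {group}"]
    cmds += [f" network-object host {a}" for a in sorted(new - old)]
    cmds += [f" no network-object host {a}" for a in sorted(old - new)]
    if not old:  # first run: reference the group at the top of the ACL
        cmds.append(f"access-list {acl} line 1 extended deny ip object-group {group} any")
    return cmds


if __name__ == "__main__":
    print("\n".join(asa_delta(parse_exit_list(YESTERDAY), parse_exit_list(TODAY))))
```

Because the ACL references the group by name, later runs only add and remove `network-object` entries and never touch the ACL itself.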
07-02-2013 04:24 PM
Hi,
One of the sources that the Botnet Traffic Filter uses is senderbase.org (it also uses many others), so you can evaluate one of the IP addresses that you know belongs to the TOR network and see what reputation it has (to see if the botnet feature will catch it). But remember that the main idea behind this feature is botnet detection, and I don't think we can qualify this site as a botnet site.
Thanks,
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach"
http://www.cisco.com/web/partners/tools/pdihd.html
10-19-2014 06:50 PM
My way to block Tor is this:
http://nbctcp.wordpress.com/2014/10/20/blocking-tor-browser-in-cisco-asa-5505/