On 01/16/2016 05:20 AM, Elrippo wrote:
Well, you are forgetting that all TOR relays are using an IP, and these IPs are stored in a public list. So you do not have to check your logs as a network admin, you just have to download the list every 24h and write a simple script (and make use of iptables on a Unix server) to deny the initial connection to a TOR entry node, simple as that. It is more an attitude of the network setup and corporate understanding towards TOR.
Exactly. Furthermore, Tor clients make connections to Tor directory authorities in order to fetch the consensus documents, in the event that the client doesn't have the necessary network information. The IP addresses of the dirauths are hard-coded into Tor clients. System administrators can simply look for connections to these dirauths to discover new Tor clients. Existing clients can fetch new consensus data from existing Tor relays.
There are several ways to detect if someone is using Tor, and most of those methods can be thwarted by using a bridge with a pluggable transport, like obfs4. Tor relays should have reverse DNS and a nice landing page, possibly even one they wrote themselves. It just makes the whole network more friendly for the rest of the Internet.
It's "Tor", not "TOR".
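The two detection approaches described in this exchange, matching outbound connections against the public relay list and against the directory-authority addresses, and then turning the matches into iptables rules, as an added example that is not part of the thread. Everything in it is constructed: the relay list, the directory-authority set, and the log lines use RFC 5737 documentation addresses rather than real Tor relays or dirauths, and the "timestamp src dst dport" log format is an assumption standing in for whatever a real gateway produces.

```python
"""Added example (not from the thread): flag outbound connections to known
Tor relay / directory-authority addresses and emit iptables rules.

Assumptions, all constructed for this example:
- RELAY_LIST mimics a downloaded relay list, one "ip:port" per line.
- DIRAUTH_IPS stands in for the addresses hard-coded into the Tor client.
  These are RFC 5737 documentation addresses, not real dirauths.
- LOG_LINES mimic a "timestamp src dst dport" connection log.
"""
import ipaddress
from dataclasses import dataclass

RELAY_LIST = """\
# constructed sample, not a real relay list
198.51.100.10:9001
198.51.100.10:9030
203.0.113.7:443
"""

# Placeholders for the hard-coded directory authorities (constructed).
DIRAUTH_IPS = {"192.0.2.1", "192.0.2.2"}

# Constructed log lines: one relay hit, one dirauth hit, one benign, one relay hit.
LOG_LINES = [
    "2016-01-16T05:20:01 10.0.0.5 198.51.100.10 9001",
    "2016-01-16T05:20:02 10.0.0.9 192.0.2.1 80",
    "2016-01-16T05:20:03 10.0.0.5 93.184.216.34 443",
    "2016-01-16T05:20:04 10.0.0.7 203.0.113.7 443",
]


def parse_relay_list(text):
    """Return the set of relay IPs from an 'ip:port' list, ignoring comments.

    A relay appears once per port it listens on, so the set collapses
    duplicates; we block by address, not by port.
    """
    relays = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, _port = line.rpartition(":")
        relays.add(str(ipaddress.ip_address(host)))
    return relays


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str  # "dirauth" (new client bootstrapping) or "relay"


def detect_tor_connections(log_lines, relay_ips, dirauth_ips):
    """Flag connections whose destination is a dirauth or a listed relay.

    Dirauth matches are reported first because they indicate a client that
    has no cached consensus yet; an established client will only talk to
    relays and will never show up as a dirauth hit.
    """
    hits = []
    for line in log_lines:
        ts, src, dst, dport = line.split()
        if dst in dirauth_ips:
            hits.append(Hit(ts, src, dst, int(dport), "dirauth"))
        elif dst in relay_ips:
            hits.append(Hit(ts, src, dst, int(dport), "relay"))
    return hits


def iptables_rules(relay_ips, dirauth_ips, chain="OUTPUT"):
    """Emit one REJECT rule per address for new outbound TCP connections.

    --syn matches only connection attempts, so existing flows are untouched.
    On a gateway the chain would be FORWARD rather than OUTPUT.
    """
    rules = []
    for ip in sorted(relay_ips | dirauth_ips, key=ipaddress.ip_address):
        rules.append(f"iptables -A {chain} -d {ip} -p tcp --syn -j REJECT")
    return rules


if __name__ == "__main__":
    relays = parse_relay_list(RELAY_LIST)
    for hit in detect_tor_connections(LOG_LINES, relays, DIRAUTH_IPS):
        print(f"{hit.ts} {hit.src} -> {hit.dst}:{hit.dport} ({hit.reason})")
    print("\n".join(iptables_rules(relays, DIRAUTH_IPS)))
```

Two caveats already raised in the thread apply directly to this script: a client that already holds a consensus never contacts the dirauths, so only the relay-list match catches it, and a client using a bridge with a pluggable transport such as obfs4 connects to an address that is in neither list, so neither match fires. The relay list also changes daily, so the rules have to be regenerated on each download rather than installed once.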