Block TOR exit nodes inbound to a rule?

We have a public facing server that is being hammered from TOR exit nodes. I'd like to block these IPs inbound to this rule. As a last resort, I can add the exit IP list to the Default Threat Protection blocked sites list, but I'd prefer to just limit it to this one rule. Talking to a colleague, he said that his firewall systems include TOR in his geo blocking rules, which would make it easy, but alas, it appears Watchguard does not have this ability.

Any suggestions, short of adding hundreds of IPs and networks to the blocked sites list?

Answers

  • James_Carson (WatchGuard Representative)

    Hi @CraigS

    You can quickly import items to blocked sites by using the import button (in Policy Manager).

    Go to Setup -> Default Threat Protection -> Blocked Sites, and click Import.

    The file needs to be formatted as one IP per line, as shown below. You can add a comment by appending a | character followed by the comment: |comment

    Like this:
    1.2.3.4
    64.74.30.0/24|comment

    I would suggest checking out application control first, as there is a definition for TOR under Tunneling and Proxy services. You may be able to simply drop that traffic using app control.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • I'm familiar with importing IPs to the blocked sites list, but I was hoping for a more surgical method than blocking TOR exit node IPs across the board.

    This is an inbound connection I'm attempting to limit the traffic on, application control wouldn't help in this case.

  • You could create an alias (under setup -> aliases) and use that in the from field instead of any external.

    For example:
    Rule - Name - From - To
    1 - Webserver From TOR nodes - TOR Node Alias - SNAT external -> 192.168.10.252
    2 - Webserver All Others - Any External - SNAT external -> 192.168.10.252

    For the Traffic Management action, you could rate limit per IP address (so multiple clients using the same TOR node would effectively divide up whatever you assigned/gave them).

  • Yes, that's it! I had forgotten about creating an alias list and using that as a deny rule. This is what I was looking for (although maintaining the TOR list will require diligence).

  • Did you implement this? I was concerned that the number of addresses that need to be checked against would result in latency, or that the size of the list would be problematic for the size of the firewall config.
    https://isc.sans.edu/api/threatlist/torexit/
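As an added example (not code from the original thread or from WatchGuard), here is a Python script that turns an exit-node address feed into the import format James describes above: one entry per line with an optional |comment suffix. It validates each line, drops duplicates, and collapses adjacent hosts and subnets into the fewest CIDR entries, which is one way to keep the list that the later posts worry about as small as possible; the same entries can then be pasted into the alias from the second answer. The feed text below is a constructed sample using documentation address ranges, not output from the ISC list linked above; the thread does not show that API's output format, so the script assumes the feed has already been fetched and reduced to plain one-address-or-CIDR-per-line text. Whether the Blocked Sites import accepts every prefix length the collapse step can produce (a /31, for instance) is also an assumption the page does not confirm.

```python
"""Turn an exit-node address feed into WatchGuard Blocked Sites import lines.

Added example, not WatchGuard code. Input: plain text, one IPv4/IPv6 address
or CIDR per line ('#' starts a comment). Output: one entry per line, with a
'|comment' suffix, matching the import format described in the thread.
"""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample feed (documentation ranges), NOT real exit-node data.
SAMPLE_FEED = """\
# constructed sample: duplicates, adjacent hosts, adjacent subnets, junk
203.0.113.5
203.0.113.5
203.0.113.6
203.0.113.7
198.51.100.0/25
198.51.100.128/25
not-an-ip
2001:db8::1
"""


def parse_feed(text: str) -> List[Network]:
    """Parse one address or CIDR per line; skip comments and lines that do not parse."""
    nets: List[Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False tolerates host bits set in a CIDR (e.g. 10.0.0.1/24)
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            # One bad line in a feed should not abort the whole import.
            continue
    return nets


def collapse(nets: List[Network]) -> List[Network]:
    """Dedupe and merge adjacent addresses/subnets into the fewest CIDR entries.

    collapse_addresses refuses mixed IP versions, so handle v4 and v6 separately.
    """
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def render_import(nets: List[Network], comment: str = "TOR exit") -> List[str]:
    """Render import lines: bare address for a single host, CIDR for a network,
    each followed by '|comment' (the comment syntax from the thread)."""
    lines = []
    for n in nets:
        entry = str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
        lines.append(f"{entry}|{comment}")
    return lines


def build_import_file(feed_text: str, comment: str = "TOR exit") -> str:
    """Feed text in, import-file text out (one entry per line, trailing newline)."""
    return "\n".join(render_import(collapse(parse_feed(feed_text)), comment)) + "\n"


def is_listed(addr: str, nets: List[Network]) -> bool:
    """Check whether a client address would match the list. Worth running on a few
    known-good client addresses before relying on the deny rule: a false positive
    here blocks a legitimate client."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets if n.version == ip.version)


if __name__ == "__main__":
    raw = parse_feed(SAMPLE_FEED)
    merged = collapse(raw)
    print(f"{len(raw)} parsed entries -> {len(merged)} import entries")
    print(build_import_file(SAMPLE_FEED), end="")
```

On the constructed sample, seven parsed entries become four import lines: the two /25s merge into a /24, the duplicate host is dropped, and the two adjacent hosts become a /31. Regenerate the file on a schedule, since exit nodes churn; a stale list is the "diligence" the thread mentions.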

  • Yes we did implement it. We have 2,275 addresses (TOR and Compromised Hosts) in our alias list. We have 210 rules and the only slowdown we see is while opening the Firewall Policy Manager (M370).
