This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to block inbound network traffic from TOR exit nodes?

One of the recommendations in Steve Gibson's Security Now podcast Ep 731 to protect against the Sodinobiki ransomware is to block inbound network traffic from TOR exit nodes.

Security Now 731 Notes

How can I do this Sophos UTM? Have seen some old discussions here, but nothing definitive or recent.

Thanks, James.



This thread was automatically locked due to age.
Parents
  • Hi

    I've also been watching 'Security Now!' for many years and after watching that programme, I used 'Application Control' to block all TOR activity from traversing any network boundaries (I don't use TOR); see below image:

    I've been running UTM (with https inspection enabled) for over 3 years, but that was the first time that I'd tried the 'Application Control' feature (thus the Facebook entry to test and familiarise myself with the feature; that one certainly seems to work very well).

    Kind regards,

    Briain (UTM Home user)

  • Thanks Briain.

    I thought about using Application Control, but I don't think it will work. Correct me if I'm wrong, but that will stop a user running the TOR browser. However ransomware is not using the TOR browser, but communicating using the TOR network.

    So this will not block traffic from a TOR exit node to the malware, will it?

    Thanks again.

Reply
  • Thanks Briain.

    I thought about using Application Control, but I don't think it will work. Correct me if I'm wrong, but that will stop a user running the TOR browser. However ransomware is not using the TOR browser, but communicating using the TOR network.

    So this will not block traffic from a TOR exit node to the malware, will it?

    Thanks again.

Children
  • Hi

    Having just thought more carefully about it, I suspect that you might indeed be correct, but I cannot think of any other way to practically do this and as you'll see from the below, I have [many] more questions than I do answers.

    It was only a brief statement (pasted in italics, below this paragraph) and speaking personally, given the brevity of the below information, I am not at all clear about exactly how and where the TOR network comes into play in the attack procedure (my assumption, noted a few paragraphs down, could be totally incorrect):

    The incident responders who managed the ransomware infections on behalf of these 22 Texas municipalities did publish some advice last week for companies and governments to follow.  They had five points.  They said:  "Only allow authentication to remote access software from inside the provider's network."  That, it turns out, was one of the problems.  And actually one of our listeners had some detailed feedback about this particular instance which I've been unable to verify independently, and we'll share that when we get to it.

    They also said:  "Use two-factor authentication on remote admin tools and Virtual Private Network tunnels rather than remote desktop protocols."  So that's interesting.  You know, if we read between the lines, that suggests that maybe the problem was an RDP-based attack.  But that's not what the feedback we have received suggests.  So that's not clear, either.  They also said:  "Block inbound network traffic from Tor Exit Nodes.  Block outbound network traffic to Pastebin.  And use Endpoint Detection and Response (EDR) to detect PowerShell running unusual processes."  So some good feedback from those guys.

    (Above extracted from the text transcriptions of the Security Now! podcast: https://www.grc.com/sn/sn-731.txt)

    Application control is the first thing that came to mind, but perhaps - as you say - it is not what we need in this case? Whilst I am vaguely aware of how TOR works, it's not something that I've paid much attention to, so I'm not even aware of how many TOR exit nodes exist (my assumption would be that it is a heck of a lot, so attempting to create one's own personal list of exit nodes might be completely impractical). I am also completely unaware of exactly how UTM's Application Control feature actually functions; my guess was that it perhaps communicates with a Sophos server, containing a list of the sites associated with the selected categories, so perhaps in this case (with TOR selected) that would be a list of many TOR nodes? We'd really need someone from Sophos (or one of the many experts who contribute to this forum) to tell us if that is how it actually functions when the TOR category has been selected.

    Your point about the browser is also an interesting and very valid one. I'm using UTM in transparent mode, but I also use a PAC file to send the 'Proxy Auto Configuration' to machines (and their browsers) on my network (so from a browser's perspective, non-http/s ports are blocked) but I doubt that would help in this case. My (likely flawed) assumption was that if TOR system is involved as a part of the malware distribution process, the only way it could impact me (by getting past NAT) would be if an already infected machine (on my internal network) was reaching out to a malicious server via the TOR network, thus the responses being classed as solicited traffic, but even if that assumption is correct (and assuming TOR uses ports other than 80 and 443; again, I do not know that) I somehow doubt that the malware would respect my Proxy Auto Configuration file! :-)

    Sorry, but the more that I think about it, the more questions pop into my own mind, but assuming that there are lots and lots of them, I cannot think how else one could practically attempt to 'block TOR exit nodes' (though as soon as time permits, I'll at least try to find out the how many of them there actually are).

    Kind regards,

    Briain