How To Detect TOR Traffic

How To Detect TOR Traffic
  • Published: December 21, 2022

TOR (The Onion Router) is a network that routes traffic through a series of servers, known as nodes, in order to obscure the user's true IP address and location. The TOR network is often used to protect privacy and anonymity online, however it is also often abused for scams, hacking and other malicious activities.

So how can you detect TOR users and traffic coming from the TOR network? We will look at two methods of detecting TOR users and explain their advantages and disadvantages.

Method 1: Check if the client IP address belongs to a TOR exit node

One way that TOR traffic can be identified is through the IP address. While TOR routes internet traffic through multiple servers, the traffic must still pass through a exit node before reaching its final destination. The IPs of the TOR exit nodes are known and the TOR project publishes a list of TOR exist nodes at https://check.torproject.org/torbulkexitlist.

However, IP addresses of TOR exit nodes change fast and frequently. Using the Focsec TOR IP Detection API provides a more reliable way of checking if the IP address belongs to a TOR exit node, since Focsec constantly monitors all TOR exit nodes and tracks any changes.

Method 2: Browser Fingerprinting

Using browser fingerprinting methods, you can check for distinct features of the TOR browser. Please note that browser fingerprinting tends to be unreliable, produce false positives and may not accurately detect the use of the TOR Browser. Also the TOR network can be used without the TOR Browser. Some properties of TOR Browser that can be detected using browser fingerprinting techniques:

  • TOR Browser returns a blank image (RGB 255, 255, 255) when trying to extract the base64-encoded value of a HTML5 canvas element. However this behavior may also be enforced by non-TOR browsers.
  • Plugins are disabled by default, so the navigator.plugins value will be empty (but some users might have re-enabled plugins again).
  • TOR Browser will report a User-Agent header with the latest Firefox ESR version on a certain OS, currently Windows 7 32-bit (but some users might change this).

Summary

It's important to note that detecting TOR usage is not always straightforward, as users may attempt to obscure their TOR usage or use VPNs or other methods to hide their activity. The IP Check method is the more reliable method of detecting TOR usage and we recommend using our TOR IP Detection API that offers a easy way to find out if a IP address is part of the TOR network.

Want to detect VPNs, Proxies, TOR, Bots, Hackers and more?

The Focsec API detects VPNs, TOR, Proxies and Bots. It helps prevent fraud and protect against suspicious logins and attacks.

Read more »