07-01-2013 06:37 AM - edited 03-11-2019 07:05 PM
Hello Group. I am looking into methods to block TOR network activity, both inbound and outbound. Outbound is pretty straightforward by utilizing IPS and AV signatures. Inbound seems to be a little more involved. Preventing inbound traffic requires blocking all of the TOR exit nodes, which comprise a list of multiple thousands of IPs, including a small percentage that are dynamic. Does the ASA Botnet Filter encompass these IPs?
Thanks in advance for any input.
/JT
07-02-2013 04:24 PM
Hi,
One of the sources that the Botnet Traffic Filter uses is senderbase.org (it also uses many others), so you can evaluate one of the IP addresses that you know belongs to the TOR network and see what reputation it has (to see if the botnet feature will catch it). But remember that the main idea behind this feature is botnet detection, and I don't think we can qualify this site as a botnet site.
Thanks,
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach"
http://www.cisco.com/web/partners/tools/pdihd.html
10-19-2014 06:50 PM
My way to block Tor is this:
http://nbctcp.wordpress.com/2014/10/20/blocking-tor-browser-in-cisco-asa-5505/
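The inbound problem raised in the first post (a list of thousands of exit-node addresses, some of which change) can be handled by regenerating an ASA object-group from each new copy of the list. The sketch below is an added example, not code from any poster in this thread or from the linked blog; the object-group name `TOR_EXIT`, the ACL name `OUTSIDE_IN`, and both sample lists are constructed assumptions, and it handles IPv4 entries only.

```python
import ipaddress

# Constructed samples (documentation address ranges) standing in for two
# successive downloads of an exit-node list, one address per line.
PREVIOUS = "# constructed sample\n192.0.2.10\n198.51.100.7\n203.0.113.25\n"
CURRENT = "192.0.2.10\n203.0.113.25\n203.0.113.99\nnot-an-ip\n2001:db8::5\n"

GROUP = "TOR_EXIT"  # hypothetical object-group name
# One-time ACL entry referencing the group (hypothetical ACL name). It must
# sit above any permit entries that would otherwise match the same traffic.
ACL_LINE = f"access-list OUTSIDE_IN extended deny ip object-group {GROUP} any"


def parse_exit_list(text):
    """Return the set of valid IPv4 addresses; skip comments, blanks, junk."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            continue  # never copy unvalidated text into device configuration
        if ip.version == 4:  # IPv6 entries are out of scope for this sketch
            addrs.add(ip)
    return addrs


def asa_delta(previous, current, group=GROUP):
    """Build the ASA commands that move the object-group from previous to current."""
    removed = sorted(previous - current)
    added = sorted(current - previous)
    if not removed and not added:
        return []  # nothing changed, so push nothing to the firewall
    lines = [f"object-group network {group}"]
    lines += [f" no network-object host {ip}" for ip in removed]
    lines += [f" network-object host {ip}" for ip in added]
    return lines


if __name__ == "__main__":
    old, new = parse_exit_list(PREVIOUS), parse_exit_list(CURRENT)
    print("\n".join(asa_delta(old, new)))
    print(ACL_LINE)
```

Emitting only the difference keeps each configuration push small and removes addresses that have left the list, so stale entries do not keep blocking whoever holds those addresses later.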