Block Tor network with Asuswrt-Merlin

[JohnDrake]

Merlin:

Many thanks for your great firmware solution!

Many users are concerned about malware using the Tor servers:

http://www.ibtimes.co.uk/ibm-warns-...ace-corporate-ransomware-ddos-attacks-1517367

Is there an easy way to block access to Tor using an Asus router and Asuswrt-Merlin firmware?

Thanks in advance.

 

[ColinTaylor]

What type of users are you thinking about?

That article is aimed at a corporate environment, where the IT department might not have complete control over what its users are doing. These organisations won't be using ASUS routers.

In a typical home scenario, if a user is deliberately installing TOR proxy software they must understand and accept responsibility for any consequences.

The other scenario that comes to mind is that of a parent that doesn't trust their children. Perhaps education would be better than a technical solution in this case.

Regards

 

[System Error Message]

If you have users using TOR that you want to prevent you can block it. In some routers you can add a protocol by adding specific information or you can take out some information from the layer 3 packet that may indicate a layer 4 packet that relates to TOR and blocking it. Some routers already have the protocol available for use in firewall rules. RMerlin's firmware has IPTables that you would want to use in this case. Im not exactly sure if TOR is layer 4 or layer 7 but if it is layer 7 simply adding the layer 7 hash would allow you to detect it and block it.

Whether the router you're using is ASUS or a linux router, RMerlin's firmware has IPTables that a linux server would have in routing. The only difference is that an x86 linux server would perform much faster with the firewall than an ARM A9 router.

TOR is something that shouldnt be used not just because of the content on it but also because the feds always spy on that network and own as many nodes as possible and not only is malware the only concern but also the company being held responsible for their misuse of their internet connection.

Network antivirus and firewalls cannot filter TOR traffic because it is encrypted from computer to end point but all their packets should bear the same layer 7 hash and you can use that hash to filter the traffic not for the content but for the headers and to act on it. Its the same with skype that you can use skype's reverse engineered layer 7 hash and prevent file transfers from skype and other p2p chat programs.

You first need to detect what you can of TOR traffic and the best way to do this is to have a computer connected to a sniffer using TOR only and identify the elements you can to identify it and apply it to your firewall to drop those packets. Avoid destination and ports, it is the headers that you want or the headers from the data payload which means looking at readable part of data. Looking for guides may also help.

 

[ColinTaylor]

There appears to already be a TOR pattern file for iptable's l7-filter on the ASUS. I haven't tried using it though.

 

[System Error Message]

I still wish the business sector would stop using consumer routers. They need to use a proper router. RMerlin's firmware even if providing IPTables is no substitute for a proper router. The huge amount of DDoS and botnets are proof that security is very lacking globally in both businesses and homes.

 

[JohnDrake]

Thanks for all the great replies guys.

I appreciate that businesses should use enterprise-class routers and firewalls whenever possible. However, a small-business owner with 5-to-10 staff is just not going to pay $1,000 for a SonicWall firewall. I figured that a $200 Asus router with Merlin's firmware is a step up from the cheap modem/router combo that the local ISP supplies. Am I wrong?

 

[JohnDrake]

Thanks for the tip, I will look in to the IPtables solution.

I'd like to block Tor to prevent a small network of 5-to-10 users becoming infected with crypto-ransomware. CryptoWall cannot encrypt data files without contacting command-and-control servers via Tor:

https://heimdalsecurity.com/blog/se...4-0-new-enhanced-and-more-difficult-to-detect

I find that user education has no effect whatsoever on users. A large consulting firm recently found that 45% of their staff clicked on test phishing e-mails, even after an extensive education campaign.

 

[System Error Message]

Not all routers cost money. pfsense has some protective capabilities and some UTMs are free though require x86 hardware. In my opinion its the lack of knowledge of free or cheap solutions available and the lack of expertise for smaller businesses and the consumer router manufacturers marketing their routers for SOHO or SMEs.

If you spent $200 on a router you could've gotten ubiquiti or mikrotik and have even better firewalls but they both require technical expertise as well.

Even though pfsense does sell hardware now it is still cheaper and faster to build your own x86 platform and install pfsense on it.

for example you dont know what IPTables is but it is a commonly used firewall on linux.

 

[Nullity]

AFAIK, you cannot block Tor, but the best place to start is blocking the default ports. Though, when Tor cannot connect via default ports it will just use ports like 443. Even if you finger-print the Tor bootstrap traffic, a user can just use a Tor bridge and get to Tor that way.


The malware is using Tor only to hide the location of the c&c server. The malware could just as easily use a hacked server accessed through standard HTTPS. Blocking access to tor will not decrease the threat of malware by any useful amount.

 

[sfx2000]

Here's a list of all the TOR nodes updated every half an hour. https://www.dan.me.uk/tornodes this SHOULD include the exit,entries and bridge nodes used to connect and browse through tor, then...

perl -lne 'print $& if /(\d+.){3}\d+/' downloadedwebpage.html > listofips.out

you can update your IP tables accordingly...

The entry/exit nodes - TOR publishes them - https://check.torproject.org/exit-addresses

TOR isn't anonymous - it's has to come out somewhere to find the public internet...

 

[cockytrumpet]

Merlin:

Many thanks for your great firmware solution!

Many users are concerned about malware using the Tor servers:

http://www.ibtimes.co.uk/ibm-warns-...ace-corporate-ransomware-ddos-attacks-1517367

Is there an easy way to block access to Tor using an Asus router and Asuswrt-Merlin firmware?

Thanks in advance.

I think you can use this guide on the wiki, https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset , and change iptables -I INPUT to OUTPUT.

Edit: Please disregard what I said. That would only block access to exit nodes, which no one on your LAN would be connecting to directly.

 

[sfx2000]

No, that is the whole idea behind Tor's Hidden Services. Anonymity for both client and server.

Drug Dealers, Kiddie Porn, Identity Thieves, spies... - all in the 'dark net'... not the only traffic, but the 'hidden services' are a den of folks that don't want to be found...

DO you think, even for a minute, that using TOR doesn't put one on a radar scope somewhere? And, considering, what I mentioned earlier, that even a mid-sized Telecom doesn't have the tools to see what's on their network?

I'm assuming you know that risk, because, I'm telling you, they know what's going on, because someone always screws up...

 

[cockytrumpet]

Drug Dealers, Kiddie Porn, Identity Thieves, spies... - all in the 'dark net'... not the only traffic, but the 'hidden services' are a den of folks that don't want to be found...

I can live with all of that if governments can never turn this world into 1984.

DO you think, even for a minute, that using TOR doesn't put one on a radar scope somewhere?

Nope, far too many "normal" people use it that they couldn't possibly filter the noise. Even then they just know encrypted stuff happened. Unless, you live in a repressive authoritarian regime you're good.

 

[Nullity]

TOR isn't anonymous - it's has to come out somewhere to find the public internet...

Incorrect. Tor's Hidden Services (*.onion addresses) are entirely contained within Tor's network and are not accessed through Exit Nodes. The intention is to give anonymity to both client and server. Unless explicitly setup to do so, Hidden Services are not accessible outside the Tor network.

 

[coxhaus]

Incorrect. Tor's Hidden Services (*.onion addresses) are entirely contained within Tor's network and are not accessed through Exit Nodes. The intention is to give anonymity to both client and server. Unless explicitly setup to do so, Hidden Services are not accessible outside the Tor network.

I don't know about Tor but this makes sense. If a packet comes out on the public internet all the data headers have to be readable so a data packet can return. This would allow all the address nodes to be readable.

Unless Tor owns all there own fiber then the phone company could track it down if they wanted to.

 

[Nullity]

I don't know about Tor but this makes sense. If a packet comes out on the public internet all the data headers have to be readable so a data packet can return. This would allow all the address nodes to be readable.

Unless Tor owns all there own fiber then the phone company could track it down if they wanted to.

Why post if you are unfamiliar with the topic?
Edit: Sorry, the above seems a bit callous. I only meant that it would have been much more helpful if you could researched Tor and it's design before posting.

Tor is not a physical network, but a virtual one. The malware uses Hidden Services to keep the c&c server anonymous.

 

[Nullity]

Drug Dealers, Kiddie Porn, Identity Thieves, spies... - all in the 'dark net'... not the only traffic, but the 'hidden services' are a den of folks that don't want to be found...

DO you think, even for a minute, that using TOR doesn't put one on a radar scope somewhere? And, considering, what I mentioned earlier, that even a mid-sized Telecom doesn't have the tools to see what's on their network?

I'm assuming you know that risk, because, I'm telling you, they know what's going on, because someone always screws up...

(I reposted a paraphrased version of the post you quoted, because my post got flagged as spam. This messed up the order of our conversation. )

If a user "screws up", that is not a flaw in Tor's design. Using a user's mistake as an argument that Tor is broken is illogical. Is the hammer considered faulty when I accidently strike my thumb with it?



Anyway, the malware still uses Tor Hidden Services in attempt to keep the c&c server hidden.

Whether Tor is capable of preserving anonymity is a conversation for another time, since it has little to no effect on the concerns of the OP.

 

[Bonez]

Without all of the back/forth, I found this thread looking to do one thing - block my underage kid from working to circumnavigate my protections and access things he shouldn't be. Talking with him has impact for awhile but he always returns to it..taking hordes of consequences in between. TorBrowser is latest find. grrr. (yet somehow proud at the same time)

Nevertheless, I either find a way to block or I pull his internet-connected devices permanently...which I'd like to avoid.

sfx2000 had the answer - though I think using ipset may be better if I'm understanding things correctly.

The first example at this link looks to be a workable solution and the csv file it reads in appears to be maintained (and you get as a bonus blocking China, Pakistan and Microsoft telemetry): https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset

What I can't tell (as I'm not an expert) is how or whether it updates the list of IPs... I think it might be doing a compare and then running again but can't tell for sure. Can someone help? Or if it isn't doing a regular update, maybe some sort of cron job syntax to help create a job that will update it at some frequency? (unfortunately, since Merlin, my router tends to reboot for firmware updates or config changes )

thanks,
Bonez

 

[Nullity]

According to my last thing I read on this topic, the complete Tor Bridges list is a closely guarded secret. There have been attacks that used super-fast port scanners (zmap?) to scan the entire internet for the common Tor Bridge listening ports, but that list is also unavailable to the public, I think.

Sadly (or happily) you cannot block Tor nor can you block a resourceful user without resorting to drastic measures. You could perhaps use whitelist filtering (vs blacklist); only allow access to specific IPs and ports, but this has obvious drawbacks.

Personally, I would block any untrusted user from all access.


Edit: For more information on Bridges, please read http://jordan-wright.com/blog/2015/05/09/how-tor-works-part-two-relays-vs-bridges/
Actually, read all his posts if you want to know more.

 

[ColinTaylor]

Thanks Nullity for the heads-up about Tor Bridges (https://www.torproject.org/docs/bridges.html.en). I didn't know such a thing existed.

Given that it is so easy to setup bridges in the Tor Browser it seems almost certain that blocking the exit nodes (sfx2000) or l7-filter (myself) would be pointless.