Menu
What's new
By:
Filters Better Search

Block Tor network with Asuswrt-Merlin

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

What type of users are you thinking about?

That article is aimed at a corporate environment, where the IT department might not have complete control over what its users are doing. These organisations won't be using ASUS routers.

In a typical home scenario, if a user is deliberately installing TOR proxy software they must understand and accept responsibility for any consequences.

The other scenario that comes to mind is that of a parent that doesn't trust their children. Perhaps education would be better than a technical solution in this case.

Regards
 
If you have users using TOR that you want to prevent you can block it. In some routers you can add a protocol by adding specific information or you can take out some information from the layer 3 packet that may indicate a layer 4 packet that relates to TOR and blocking it. Some routers already have the protocol available for use in firewall rules. RMerlin's firmware has IPTables that you would want to use in this case. Im not exactly sure if TOR is layer 4 or layer 7 but if it is layer 7 simply adding the layer 7 hash would allow you to detect it and block it.

Whether the router you're using is ASUS or a linux router, RMerlin's firmware has IPTables that a linux server would have in routing. The only difference is that an x86 linux server would perform much faster with the firewall than an ARM A9 router.

TOR is something that shouldnt be used not just because of the content on it but also because the feds always spy on that network and own as many nodes as possible and not only is malware the only concern but also the company being held responsible for their misuse of their internet connection.

Network antivirus and firewalls cannot filter TOR traffic because it is encrypted from computer to end point but all their packets should bear the same layer 7 hash and you can use that hash to filter the traffic not for the content but for the headers and to act on it. Its the same with skype that you can use skype's reverse engineered layer 7 hash and prevent file transfers from skype and other p2p chat programs.

You first need to detect what you can of TOR traffic and the best way to do this is to have a computer connected to a sniffer using TOR only and identify the elements you can to identify it and apply it to your firewall to drop those packets. Avoid destination and ports, it is the headers that you want or the headers from the data payload which means looking at readable part of data. Looking for guides may also help.
 
Last edited:
There appears to already be a TOR pattern file for iptable's l7-filter on the ASUS. I haven't tried using it though.
 
I still wish the business sector would stop using consumer routers. They need to use a proper router. RMerlin's firmware even if providing IPTables is no substitute for a proper router. The huge amount of DDoS and botnets are proof that security is very lacking globally in both businesses and homes.
 
Thanks for all the great replies guys.

I appreciate that businesses should use enterprise-class routers and firewalls whenever possible. However, a small-business owner with 5-to-10 staff is just not going to pay $1,000 for a SonicWall firewall. I figured that a $200 Asus router with Merlin's firmware is a step up from the cheap modem/router combo that the local ISP supplies. Am I wrong?
 
Thanks for the tip, I will look in to the IPtables solution.

I'd like to block Tor to prevent a small network of 5-to-10 users becoming infected with crypto-ransomware. CryptoWall cannot encrypt data files without contacting command-and-control servers via Tor:

https://heimdalsecurity.com/blog/se...4-0-new-enhanced-and-more-difficult-to-detect

I find that user education has no effect whatsoever on users. :) A large consulting firm recently found that 45% of their staff clicked on test phishing e-mails, even after an extensive education campaign.
 
Not all routers cost money. pfsense has some protective capabilities and some UTMs are free though require x86 hardware. In my opinion its the lack of knowledge of free or cheap solutions available and the lack of expertise for smaller businesses and the consumer router manufacturers marketing their routers for SOHO or SMEs.

If you spent $200 on a router you could've gotten ubiquiti or mikrotik and have even better firewalls but they both require technical expertise as well.

Even though pfsense does sell hardware now it is still cheaper and faster to build your own x86 platform and install pfsense on it.

for example you dont know what IPTables is but it is a commonly used firewall on linux.
 
Last edited:
AFAIK, you cannot block Tor, but the best place to start is blocking the default ports. Though, when Tor cannot connect via default ports it will just use ports like 443. Even if you finger-print the Tor bootstrap traffic, a user can just use a Tor bridge and get to Tor that way.


The malware is using Tor only to hide the location of the c&c server. The malware could just as easily use a hacked server accessed through standard HTTPS. Blocking access to tor will not decrease the threat of malware by any useful amount.
 
Here's a list of all the TOR nodes updated every half an hour. https://www.dan.me.uk/tornodes this SHOULD include the exit,entries and bridge nodes used to connect and browse through tor, then...

perl -lne 'print $& if /(\d+.){3}\d+/' downloadedwebpage.html > listofips.out

you can update your IP tables accordingly...

The entry/exit nodes - TOR publishes them - https://check.torproject.org/exit-addresses

TOR isn't anonymous - it's has to come out somewhere to find the public internet...
 
JohnDrake said:
Merlin:

Many thanks for your great firmware solution! :)

Many users are concerned about malware using the Tor servers:

http://www.ibtimes.co.uk/ibm-warns-...ace-corporate-ransomware-ddos-attacks-1517367

Is there an easy way to block access to Tor using an Asus router and Asuswrt-Merlin firmware?

Thanks in advance.
Click to expand...

I think you can use this guide on the wiki, https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset , and change iptables -I INPUT to OUTPUT.

Edit: Please disregard what I said. That would only block access to exit nodes, which no one on your LAN would be connecting to directly.
 
Last edited:
Nullity said:
No, that is the whole idea behind Tor's Hidden Services. Anonymity for both client and server.
Click to expand...

Drug Dealers, Kiddie Porn, Identity Thieves, spies... - all in the 'dark net'... not the only traffic, but the 'hidden services' are a den of folks that don't want to be found...

DO you think, even for a minute, that using TOR doesn't put one on a radar scope somewhere? And, considering, what I mentioned earlier, that even a mid-sized Telecom doesn't have the tools to see what's on their network?

I'm assuming you know that risk, because, I'm telling you, they know what's going on, because someone always screws up...
 
sfx2000 said:
Drug Dealers, Kiddie Porn, Identity Thieves, spies... - all in the 'dark net'... not the only traffic, but the 'hidden services' are a den of folks that don't want to be found...
Click to expand...

I can live with all of that if governments can never turn this world into 1984.

DO you think, even for a minute, that using TOR doesn't put one on a radar scope somewhere?
Click to expand...

Nope, far too many "normal" people use it that they couldn't possibly filter the noise. Even then they just know encrypted stuff happened. Unless, you live in a repressive authoritarian regime you're good.
 
sfx2000 said:
TOR isn't anonymous - it's has to come out somewhere to find the public internet...
Click to expand...

Incorrect. Tor's Hidden Services (*.onion addresses) are entirely contained within Tor's network and are not accessed through Exit Nodes. The intention is to give anonymity to both client and server. Unless explicitly setup to do so, Hidden Services are not accessible outside the Tor network.
 
Nullity said:
Incorrect. Tor's Hidden Services (*.onion addresses) are entirely contained within Tor's network and are not accessed through Exit Nodes. The intention is to give anonymity to both client and server. Unless explicitly setup to do so, Hidden Services are not accessible outside the Tor network.
Click to expand...

I don't know about Tor but this makes sense. If a packet comes out on the public internet all the data headers have to be readable so a data packet can return. This would allow all the address nodes to be readable.

Unless Tor owns all there own fiber then the phone company could track it down if they wanted to.
 
coxhaus said:
I don't know about Tor but this makes sense. If a packet comes out on the public internet all the data headers have to be readable so a data packet can return. This would allow all the address nodes to be readable.

Unless Tor owns all there own fiber then the phone company could track it down if they wanted to.
Click to expand...

Why post if you are unfamiliar with the topic?
Edit: Sorry, the above seems a bit callous. I only meant that it would have been much more helpful if you could researched Tor and it's design before posting.

Tor is not a physical network, but a virtual one. The malware uses Hidden Services to keep the c&c server anonymous.
 
Last edited:
sfx2000 said:
Drug Dealers, Kiddie Porn, Identity Thieves, spies... - all in the 'dark net'... not the only traffic, but the 'hidden services' are a den of folks that don't want to be found...

DO you think, even for a minute, that using TOR doesn't put one on a radar scope somewhere? And, considering, what I mentioned earlier, that even a mid-sized Telecom doesn't have the tools to see what's on their network?

I'm assuming you know that risk, because, I'm telling you, they know what's going on, because someone always screws up...
Click to expand...

(I reposted a paraphrased version of the post you quoted, because my post got flagged as spam. This messed up the order of our conversation. :()

If a user "screws up", that is not a flaw in Tor's design. Using a user's mistake as an argument that Tor is broken is illogical. Is the hammer considered faulty when I accidently strike my thumb with it?



Anyway, the malware still uses Tor Hidden Services in attempt to keep the c&c server hidden.

Whether Tor is capable of preserving anonymity is a conversation for another time, since it has little to no effect on the concerns of the OP.
 
Without all of the back/forth, I found this thread looking to do one thing - block my underage kid from working to circumnavigate my protections and access things he shouldn't be. Talking with him has impact for awhile but he always returns to it..taking hordes of consequences in between. TorBrowser is latest find. grrr. (yet somehow proud at the same time)

Nevertheless, I either find a way to block or I pull his internet-connected devices permanently...which I'd like to avoid.

sfx2000 had the answer - though I think using ipset may be better if I'm understanding things correctly.

The first example at this link looks to be a workable solution and the csv file it reads in appears to be maintained (and you get as a bonus blocking China, Pakistan and Microsoft telemetry): https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset

What I can't tell (as I'm not an expert) is how or whether it updates the list of IPs... I think it might be doing a compare and then running again but can't tell for sure. Can someone help? Or if it isn't doing a regular update, maybe some sort of cron job syntax to help create a job that will update it at some frequency? (unfortunately, since Merlin, my router tends to reboot for firmware updates or config changes :) )

thanks,
Bonez
 
According to my last thing I read on this topic, the complete Tor Bridges list is a closely guarded secret. There have been attacks that used super-fast port scanners (zmap?) to scan the entire internet for the common Tor Bridge listening ports, but that list is also unavailable to the public, I think.

Sadly (or happily) you cannot block Tor nor can you block a resourceful user without resorting to drastic measures. You could perhaps use whitelist filtering (vs blacklist); only allow access to specific IPs and ports, but this has obvious drawbacks.

Personally, I would block any untrusted user from all access.


Edit: For more information on Bridges, please read http://jordan-wright.com/blog/2015/05/09/how-tor-works-part-two-relays-vs-bridges/
Actually, read all his posts if you want to know more.
 
Last edited:
You must log in or register to reply here.

Similar threads

RMerlin
  • Locked
Beta Asuswrt-Merlin 386.13 beta is now available for AC models
2
Replies
32
Views
5K
RMerlin
RMerlin
RMerlin
Release Asuswrt-Merlin 386.13 / 386.13_2 is now available for AC models
2 3 4
Replies
77
Views
14K
L&LD
L&LD
S
Asus merlin: How to block communication between two device on the network?
Replies
14
Views
961
sudodavi
S
T
ASUS RT-AX88U with Asuswrt-Merlin firmware - Few queries
Replies
17
Views
2K
bennor
B
C
RT-AC68P and Merlin
Replies
2
Views
671
ika
I
Similar threads
Thread starter Title Forum Replies Date
C isp block dns over tls and poison any unencrypted dns resolution Asuswrt-Merlin 14
S Asus merlin: How to block communication between two device on the network? Asuswrt-Merlin 14
T Block YouTube from specific devices only Asuswrt-Merlin 2
Bieniu How to block access to specific IP addresses for OpenVPN clients? Asuswrt-Merlin 0
D Solved Can I reach my TOR enabled Asuswrt-merlin router from within TOR? Asuswrt-Merlin 4
R Basic info on tor on ASUS 11000pro Asuswrt-Merlin 7
G Access webserver on lan synology from guest network on AX88u router Asuswrt-Merlin 1
V Asus Ax86 pro and AC86u 2 pack aimesh network Asuswrt-Merlin 17
SevenFactors Clients Unable to Connect to Guest Network After Firmware Upgrade Asuswrt-Merlin 2
SanPe RT-AC86U network drops when using syncthing or soulseek Asuswrt-Merlin 3

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 808 (members: 32, guests: 776)
Top