Netgate Discussion Forum

    I have been seeing TOR on IPS again

    IDS/IPS
    7 Posts 3 Posters 1.5k Views
    • JonathanLee

      Has anyone else noticed the increase in your IPS blocking TOR attempting to use proxy chains on your systems?

      I have been seeing this address being the invasive actor:

      192.42.116.214

      Again, if IPS sees it as a TOR exit node, it is bouncing off of this address from somewhere else.

      04/17/24-14:25:28.464596 ,1,2522061,5497,"ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 62",TCP,192.42.116.214,20003,REDACTED,41,0,Misc Attack,2,alert,Allow

      04/17/24-14:25:28.464596 ,1,2520061,5497,"ET TOR Known Tor Exit Node TCP Traffic group 62",TCP,192.42.116.214,20003,REDACTED,41,0,M

      Last time I saw this activity there were major issues with attacks. Anyone else see this going on again? Thank you Snort for blocking it!!!

      Make sure to upvote

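As an added example (not code from the post, nor from the Snort or pfSense projects), here is a small Python parser for alert lines in the CSV shape quoted above. It counts, per source address, how many hits came from the "Known Tor Exit Node" rule versus the relay-only rule and which local ports were touched, which is the per-source picture a defender wants before deciding whether a single address is worth a list entry. The field positions (timestamp, generator id, signature id, revision, message, protocol, source, source port, destination, destination port) and the sample lines are assumptions modelled on the post; the REDACTED destination is replaced with a documentation address.

```python
import csv
from collections import defaultdict

# Constructed sample alerts, modelled on the two alert lines quoted in the
# post (REDACTED destination replaced by the documentation address
# 203.0.113.10; the third and fourth lines are invented to add a second
# exit-node hit and one non-Tor alert). Field positions are an assumption.
SAMPLE_ALERTS = """\
04/17/24-14:25:28.464596 ,1,2522061,5497,"ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 62",TCP,192.42.116.214,20003,203.0.113.10,41,0,Misc Attack,2,alert,Allow
04/17/24-14:25:28.464596 ,1,2520061,5497,"ET TOR Known Tor Exit Node TCP Traffic group 62",TCP,192.42.116.214,20003,203.0.113.10,41,0,Misc Attack,2,alert,Allow
04/17/24-14:26:02.100000 ,1,2520061,5497,"ET TOR Known Tor Exit Node TCP Traffic group 62",TCP,192.42.116.214,20003,203.0.113.10,443,0,Misc Attack,2,alert,Allow
04/17/24-14:27:15.000000 ,1,2001219,20,"ET SCAN Potential SSH Scan",TCP,198.51.100.7,51000,203.0.113.10,22,0,Attempted Information Leak,2,alert,Allow
"""

# Assumed layout of the leading CSV fields; whatever follows is kept unparsed.
FIELDS = ["timestamp", "gid", "sid", "rev", "msg", "proto",
          "src", "sport", "dst", "dport"]


def parse_alert(line):
    """Parse one alert line into a dict keyed by FIELDS plus 'extra'."""
    row = next(csv.reader([line]))
    # strip() also removes the trailing space after the timestamp seen in the post
    rec = dict(zip(FIELDS, (field.strip() for field in row[:len(FIELDS)])))
    rec["extra"] = row[len(FIELDS):]
    return rec


def classify_tor(rec):
    """Return 'exit', 'relay' or None for an ET TOR alert.

    The relay-only message reads 'Known Tor Relay/Router (Not Exit) Node', so a
    naive search for the word 'Exit' would misclassify it; match the full
    exit-node phrase instead.
    """
    msg = rec["msg"]
    if not msg.startswith("ET TOR"):
        return None
    if "Known Tor Exit Node" in msg:
        return "exit"
    return "relay"


def summarize(lines):
    """Aggregate ET TOR alerts per source IP: hit counts and destination ports."""
    by_src = defaultdict(lambda: {"exit": 0, "relay": 0, "dports": set()})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_alert(line)
        kind = classify_tor(rec)
        if kind is None:
            continue  # not a Tor signature; leave it to the other rules
        entry = by_src[rec["src"]]
        entry[kind] += 1
        entry["dports"].add(rec["dport"])
    return dict(by_src)


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_ALERTS.splitlines()).items():
        print(f"{src}: exit={info['exit']} relay={info['relay']} "
              f"ports={sorted(info['dports'])}")
```

Run it against a real alerts file by reading the file's lines into summarize(); anything the source is hitting on more than one local port is a stronger candidate for a deny-list entry than a one-off hit.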
      • SteveITS @JonathanLee

        @JonathanLee We block TOR using pfBlocker feeds so don't see it in Suricata logs. To be honest though I'd expect a constant stream of probes and scans 24x7.

        https://betanews.com/2024/04/16/bots-account-for-half-of-all-web-traffic/

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • johnpoz (LAYER 8 Global Moderator) @JonathanLee

          @JonathanLee well there is this going on right now, which could account for seeing more hits from tor exit nodes

          https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/

          These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies.

          I am with @SteveITS on this - why would you ever allow a TOR exit node to even see your ports that are open, let alone talk to them... I have zero use for anyone using any such services to talk to any of my services I expose to the public.

          It's quite easy to create lists that would contain the vast majority of such IPs, and just drop them before they even get to your open ports.. This is a much easier solution than running an IDS/IPS if you ask me.

          edit: I just added the list of IPs they list in the above article to my scan deny list.

          Updating: pfB_ScanDeny_v4
          3786 addresses added.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • JonathanLee @johnpoz

            @johnpoz I have some information from various sources that police dispatch systems are down, as well as ransomware that is spreading inside remote systems. The timelines, what you just sent, and what the IPS systems are seeing are pointing to TOR being used and detected. I think it's a nation state actor. Thanks for the info John. I wonder how they will fix this; I assume not everyone uses IPS/IDS systems.

            Make sure to upvote

            • JonathanLee @johnpoz

              @johnpoz I added that IP to the list. It was missing that address; for some reason it skipped that one, weird. It went from the IP before and after it, but not that IP address.

              Make sure to upvote

              • johnpoz (LAYER 8 Global Moderator) @JonathanLee

                @JonathanLee said in I have been seeing TOR on IPS again:

                that IP to the list it was missing that address for some reason it skipped that one weird

                That IP you listed is a tor exit node

                "192.42.116.214",
                hostname:"17.tor-exit.nothingtohide.nl",

                It would never be able to talk to any of my ports anyway - because it's not a US-based IP. I only allow specific IPs and US-based IPs to even talk to any of my services I expose.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                • JonathanLee @johnpoz

                  @johnpoz yes it is, however it was not in the Talos Cisco IP list yet. I submitted a request to add that specific IP. That link you sent me has an IP list with a lot of them, except it was missing that one address.

                  Make sure to upvote

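Building on johnpoz's point that a deny list dropped ahead of the open ports is the easier control, and on JonathanLee's finding that the published list skipped one address, this added Python example (not the project's code, nor pfBlockerNG's) loads a feed, checks which alerting source addresses the feed actually covers, and collapses the result into CIDRs suitable for a firewall table. The feed text and the alerting addresses are constructed for the example; the gap around 192.42.116.214 is modelled on the thread.

```python
import ipaddress

# Constructed feed text, modelled on the gap described in the thread: the
# addresses either side of 192.42.116.214 are present but .214 itself is not.
# Comments, a duplicate, a CIDR range and a malformed line are included so the
# loader has something to clean up. Not a real feed.
SAMPLE_FEED = """\
# constructed deny feed
192.42.116.213
192.42.116.215
192.42.116.215      # duplicate entry
198.51.100.0/24     # whole range listed as a CIDR
2001:db8::/32
not-an-address
"""

# Source IPs seen in alerts (constructed; .214 is the address from the post).
ALERTING_SOURCES = ["192.42.116.214", "192.42.116.213", "198.51.100.7"]


def load_feed(text):
    """Turn raw feed text into a set of ip_network objects.

    Comments and blank lines are dropped, single addresses become /32 or /128
    networks, duplicates collapse in the set, and malformed entries are skipped
    so one bad line cannot empty the whole table.
    """
    nets = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.add(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue
    return nets


def is_covered(ip, nets):
    """True if ip falls inside any network of the same address family."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets if net.version == addr.version)


def coverage_report(sources, nets):
    """Split alerting source IPs into those the feed blocks and those it misses."""
    report = {"covered": [], "missing": []}
    for ip in sorted(set(sources), key=ipaddress.ip_address):
        report["covered" if is_covered(ip, nets) else "missing"].append(ip)
    return report


def to_table(nets, version=4):
    """Collapse one address family into the smallest list of CIDRs for a table."""
    same_family = [net for net in nets if net.version == version]
    return [str(net) for net in ipaddress.collapse_addresses(same_family)]


if __name__ == "__main__":
    nets = load_feed(SAMPLE_FEED)
    print(coverage_report(ALERTING_SOURCES, nets))
    print("\n".join(to_table(nets)))
```

The "missing" list is the set of addresses to submit upstream or add to a local supplementary list, which is exactly the step JonathanLee describes; running the report after each feed refresh shows whether the upstream list has caught up.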
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.