Tor node blocking with Datto Threat Intelligence

ENVIRONMENT: Datto Partner Portal

This article describes how the Datto Partner Portal blocks traffic from known Tor nodes and blocklists their IP addresses.

What are Tor nodes?

Tor nodes are servers that pass traffic anonymously from the Tor network (commonly known as the Dark Web). Each Tor node works as part of a Tor circuit, which uses a series of these nodes to hide the origin IP address of traffic over the Tor network. Traffic passed through the Tor network can contain malicious or illegal information.

How does the Datto Partner Portal block inbound traffic from Tor nodes?

  • Although the origin IP address for Tor traffic is not known, the IP address of the exit relay (the node on the Tor circuit from which the traffic passes outward) is visible.
  • Internet security companies compile and maintain lists of known Tor exit relay IP addresses, often updated by the minute.
  • Datto Threat Intelligence scans a database of these lists every 30 minutes and automatically blocklists IP addresses appearing on these lists.
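
The refresh cycle described above, sketched in Python as an added example (not Datto's implementation). It assumes feeds with one IP address per line and `#` comments, and an expiry rule for relays that drop off the lists, which the article does not describe; the sample addresses are constructed from documentation ranges.

```python
import ipaddress

REFRESH_SECONDS = 30 * 60  # the article's 30-minute scan interval

# Constructed sample feeds (documentation address ranges, not real relays).
SAMPLE_FEED_A = "192.0.2.10\n198.51.100.7  # relay\nnot-an-ip\n"
SAMPLE_FEED_B = "2001:db8::1\n192.0.2.10\n"


def parse_feed(text):
    """Return the valid IP addresses in one feed (assumed: one per line, '#' comments)."""
    addrs = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            addrs.add(ipaddress.ip_address(entry))
        except ValueError:
            continue  # skip a malformed line rather than fail the whole refresh
    return addrs


def refresh(blocklist, feeds, now, max_age=2 * REFRESH_SECONDS):
    """Merge feeds into blocklist {ip: last_seen}; return (added, expired).

    Expiring entries unseen for max_age seconds is an assumption of this example.
    """
    seen = set().union(*(parse_feed(f) for f in feeds))
    added = sorted(seen.difference(blocklist), key=str)
    for ip in seen:
        blocklist[ip] = now
    expired = sorted((ip for ip, ts in blocklist.items() if now - ts >= max_age), key=str)
    for ip in expired:
        del blocklist[ip]
    return added, expired


def is_blocked(blocklist, source_ip):
    """True when the connection's source address is a currently listed exit relay."""
    return ipaddress.ip_address(source_ip) in blocklist


if __name__ == "__main__":
    bl = {}
    print(refresh(bl, [SAMPLE_FEED_A, SAMPLE_FEED_B], now=0))
    print(is_blocked(bl, "2001:0db8::1"), is_blocked(bl, "203.0.113.5"))
```

Returning the added and expired sets from each refresh gives an audit trail that can be compared against the blocked-node count shown in the portal.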

How can I see the number of blocked Tor nodes?

Datto Threat Intelligence is always enabled. You can see the number of blocked Tor nodes on the Organization Settings page of the Partner Portal, at the top of the Blocklisted IPs card.

Figure 1: Organization Settings: the Blocklisted IPs card

Refer to Tor Nodes Explained (external link) for additional information.