TOR Nodes Explained!

Raja Srivathsav
Apr 14, 2018 · 6 min read

Block it, Track it or Use it. But first, know it!

The Internet is a vast, constantly growing invention that is not going away. Nearly half of the world’s population is connected to it, and if you laid every connected device out on the ground they would cover a city, perhaps even a small state. Yet working out who is using what, and from where, takes only seconds for anyone with the right access. How is that possible? It is because of the way the Internet is structured: every request is routed in an orderly, traceable manner, and given the skills and access to the right infrastructure, one can easily reconstruct who did what.


Isn’t that good when it comes to catching bad guys? Yes, but only up to a point. The digital world is full of vultures: spammers, attackers, troll armies, digital marketing firms and many more whose objective is to use or abuse our private data for their own gain. Even governments are known to spy on people for political ends. The work of many journalists, activists and researchers has been exposed because of this traceable structure. Even so, anonymity can still be achieved with a few private network implementations. One such implementation is the Tor network.

What is a Tor circuit?

Tor anonymity works by sending data through a Tor circuit, the key building block of its onion routing mechanism. A Tor circuit is a chain of three relays: an entry (guard) relay, a middle relay and an exit relay. Some connections also involve bridge nodes, which take the guard’s place when the publicly listed relays are blocked by a party such as a government or a corporate network.

(Figure: A basic Tor circuit)

What is an Entry/Guard Relay?

It is the entry point to the Tor network. Every client that wants to use Tor first connects to its guard relay, which means the guard sees the real IP address of the connecting client (but not where the traffic is going). Guard relays are listed in the public Tor directory, the network-status consensus that the directory authorities publish every hour, and sites such as dan.me.uk/, torstatus.blutmagie.de/ and check.torproject.org/ show the current relays and their details. There have been cases of attackers running or observing relays: a guard under an attacker’s control sees which clients connect to it, and if the same party also controls the exit used by a circuit, the two ends can be correlated to link a client to its browsing. This is why requesting a new circuit in your current session changes only the middle and exit relays and keeps the guard: sticking with one guard limits how many different relays ever get to see your IP address, which protects against known anonymity-breaking attacks. The guard typically rotates every 2–3 months.

What is a Middle Relay?

Middle relays make up most of any Tor circuit. Data passes through them in encrypted form, and no relay knows more than the hop before it and the hop after it: the middle sees a guard on one side and an exit on the other, never the client or the destination. Every relay, middle relays included, advertises itself in the public directory so that other relays and clients can build circuits through it. Even if a middle relay carries malicious traffic (an attacker’s exploit, say), it is not held responsible, since it is neither the source nor the destination of that traffic. A relay whose exit policy rejects everything will never be used as an exit, which is why running a middle (non-exit) relay is the most suitable way for users to contribute to Tor from home or from the workplace (if it’s allowed).
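To make the "no relay knows more than its neighbours" property of the circuit concrete, here is an added example (not code from the article or from the Tor Project) that models the layered encryption in plain Python. It is a toy: the per-hop keys are fixed constructed secrets instead of values from Tor’s circuit handshake, the "cipher" is XOR with an HMAC-SHA256 counter keystream standing in for the AES-CTR Tor actually uses, and the hop names and the client address 203.0.113.7 are assumptions. What it does show is which hop can read what: the guard learns the client address and the next hop, the middle learns only its two neighbours, and the exit learns the destination and plaintext but not the client.

```python
import hashlib
import hmac
import json

# Constructed per-hop keys. In Tor each key comes from the handshake the client
# performs with that relay while extending the circuit; here they are fixed so
# the example runs offline. (Assumption: names and keys are illustrative.)
CIRCUIT = [
    ("guard", b"key-shared-with-guard"),
    ("middle", b"key-shared-with-middle"),
    ("exit", b"key-shared-with-exit"),
]
NONCE = b"circuit-0001"  # three different keys on one circuit, so no keystream reuse


def keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256; a stand-in for the AES-CTR Tor uses."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_layer(key, data):
    """Add or remove one layer; XOR with a keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, NONCE, len(data))))


def build_onion(circuit, destination, payload):
    """Client side: wrap innermost first, so the exit's layer sits at the centre."""
    blob = xor_layer(circuit[-1][1], json.dumps({"to": destination, "payload": payload}).encode())
    for i in range(len(circuit) - 2, -1, -1):  # middle's layer, then the guard's
        header = {"next": circuit[i + 1][0], "inner": blob.hex()}
        blob = xor_layer(circuit[i][1], json.dumps(header).encode())
    return blob


def peek(key, blob):
    """What one key reveals about a blob: a dict, or None if the layer is not yours."""
    try:
        return json.loads(xor_layer(key, blob))
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return None


def relay(circuit, onion, client_addr="203.0.113.7"):
    """Walk the circuit hop by hop and record what each relay gets to learn."""
    observations, prev, blob = [], client_addr, onion
    for name, key in circuit:
        layer = peek(key, blob)
        if layer is None:
            raise ValueError(f"{name} could not peel its layer")
        if "next" in layer:  # guard or middle: learns only previous and next hop
            observations.append({"hop": name, "prev": prev, "next": layer["next"], "plaintext": None})
            blob = bytes.fromhex(layer["inner"])
        else:  # exit: learns destination and plaintext, never the client address
            observations.append({"hop": name, "prev": prev, "next": layer["to"], "plaintext": layer["payload"]})
        prev = name
    return observations


if __name__ == "__main__":
    onion = build_onion(CIRCUIT, "example.com:443", "GET / HTTP/1.1")
    for view in relay(CIRCUIT, onion):
        print(view)
```

Running it prints one line per hop. The `peek` calls in the test below are the point of the model: the middle relay’s key applied to the blob that the client hands the guard yields nothing readable, and neither does the exit’s, because each key only ever opens its own layer.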

What is an Exit Relay?

The exit relay is the final relay in a Tor circuit. It delivers the data to the destination, so the destination sees the exit’s IP address as the origin of the traffic, and exit operators are often treated as the culprit for whatever crosses their relay: abuse complaints, legal notices and take-down requests all land on them. Anyone hosting an exit node must be prepared to handle legal issues such as take-downs and DMCA notices, run it on a dedicated IP address whose reverse DNS makes its purpose obvious (a hostname containing “tor-exit”, for example), publish contact information, and serve an exit-node notice page from the relay (the most important step), so that anyone who looks up the IP learns immediately that it is a Tor exit and not the source of the traffic.
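The checklist above can be turned into a quick audit of an exit relay’s torrc. The following is an added example, not the article’s or the Tor Project’s code: it parses torrc syntax (one option per line, `ExitPolicy` may repeat, comma-separated rules allowed) and reports the omissions that cause operators the most grief. The two torrc fragments are constructed for the example; the option names (`ExitRelay`, `ContactInfo`, `DirPort`, `DirPortFrontPage`, `ExitPolicy`) are real Tor options, and the built-in default policy appended after the operator’s rules is Tor’s own, which already rejects port 25. The nickname, contact string and notice file path are assumptions.

```python
# Constructed torrc fragments for the example: one that follows the exit
# checklist, one that does not. Nickname, contact and file path are assumed.
GOOD_TORRC = """\
Nickname ExampleExit
ContactInfo abuse at example dot net
ORPort 9001
DirPort 80
DirPortFrontPage /etc/tor/tor-exit-notice.html
ExitRelay 1
ExitPolicy reject *:25
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject *:*
"""

BAD_TORRC = """\
Nickname CarelessExit
ORPort 443
ExitRelay 1
# no ContactInfo, no DirPort/DirPortFrontPage, and a wide-open policy
ExitPolicy accept *:*
"""

# Tor appends its default exit policy after whatever the operator writes.
TOR_DEFAULT_POLICY = [
    "reject *:25", "reject *:119", "reject *:135-139", "reject *:445",
    "reject *:563", "reject *:1214", "reject *:4661-4666", "reject *:6346-6429",
    "reject *:6699", "reject *:6881-6999", "accept *:*",
]


def parse_torrc(text):
    """torrc is 'Option value' per line; repeated options collect into a list."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts


def port_matches(spec, port):
    """Port part of an exit policy rule: '*', a single port, or 'lo-hi'."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def exit_decision(rules, port):
    """First matching rule wins, the operator's rules first, then Tor's defaults."""
    for rule in list(rules) + TOR_DEFAULT_POLICY:
        verb, pattern = rule.split(None, 1)
        _addr, _, ports = pattern.rpartition(":")
        if port_matches(ports, port):
            return verb.rstrip("6")  # accept6/reject6 decide the same way
    return "reject"


def audit_exit_torrc(text):
    """Return (code, message) findings against the exit-operator checklist."""
    opts = parse_torrc(text)
    findings = []
    if opts.get("ExitRelay", ["0"])[-1] != "1":
        findings.append(("not-exit", "ExitRelay is not 1: this relay will not exit traffic"))
    if "ContactInfo" not in opts:
        findings.append(("no-contactinfo", "ContactInfo missing: abuse and DMCA complaints cannot reach you"))
    if "DirPort" not in opts or "DirPortFrontPage" not in opts:
        findings.append(("no-exit-notice", "No DirPort/DirPortFrontPage: no exit notice is served for this IP"))
    rules = [r.strip() for value in opts.get("ExitPolicy", []) for r in value.split(",") if r.strip()]
    if exit_decision(rules, 25) == "accept":
        findings.append(("smtp-allowed", "ExitPolicy allows port 25: expect spam complaints and blocklisting"))
    return findings


if __name__ == "__main__":
    for label, torrc in (("good", GOOD_TORRC), ("bad", BAD_TORRC)):
        print(label, audit_exit_torrc(torrc) or "no findings")
```

Note that `exit_decision([], 25)` is already `reject` because of Tor’s appended defaults; the explicit `reject *:25` in the good torrc is there so the intent survives if someone later adds an `accept *:*` above it, since ordering decides.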

What is a Bridge Node?

Bridge nodes are Tor relays that are not listed in the public directory. Because guard and exit relays are publicly listed, anyone who wants to restrict Tor can simply block their addresses, and many ISPs, corporate organizations and even governments have filters that do exactly that. For example, the Chinese government blocks all publicly listed relays at its national firewall. Bridges exist to get around this: a client connects to a bridge instead of a listed guard, and since the bridge’s address is not in the consensus it cannot be blocked wholesale from a public list. Connecting through a bridge requires a different client configuration (which shall be discussed in the upcoming articles).

Detecting Tor usage in your environment

Understanding how the Tor network works makes it much simpler to detect: you can usually tell that a host is talking to Tor, but not what it is doing through Tor. Be it a country’s government or a corporate organization, whoever controls the network can choose to monitor or block Tor. There are limits to blocking it completely, though, because of the bridge nodes discussed in the previous section, whose addresses are not public. That has not stopped organizations and governments from trying. Here are a few ways to detect or block Tor:

  • Create application filter policies on the firewall that identify Tor as an application (most next-generation firewalls ship a signature for it) and allow proxy and anonymizer traffic only from approved networks (for example specific LAN segments). The same logic can be expressed as correlation rules in a SIEM and as signatures in an intrusion detection system.
  • A TLS inspection policy on the firewall or IDS/IPS will not let you decrypt Tor traffic or see which sites, onion services included, are visited through it: the Tor client verifies the identity of the relay it connects to and the connection fails under a man-in-the-middle certificate. What inspection does give you is handshake metadata; the TLS connections between a Tor client and its guard have recognisable characteristics (such as self-signed certificates with random-looking hostnames) that IDS signatures match on, and a handshake the inspection device cannot complete is itself worth an alert.
  • Tor relays listen on two kinds of ports: the ORPort, used for client and relay-to-relay connections, and the DirPort, used to fetch directory information. The defaults are ORPort 9001 and DirPort 9030, but an operator can choose any port, and many deliberately pick 443 for the ORPort and 80 for the DirPort so that the traffic blends in with ordinary web browsing. Firewall and IDS filters that watch only ports 9001 and 9030 therefore catch part of the picture at best; matching destination addresses and ports against the current list of relays and their ORPorts from the consensus is far more reliable.
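The guard-relay section notes that the relay list is public, and the last bullet above says that list beats port numbers for detection. The added example below (not code from the article) joins the two: it parses the `r` (router) and `s` (flags) lines of a Tor network-status consensus, which is the layout the public relay-list sites are built from, and matches constructed firewall events against it. Both the consensus excerpt and the log lines are constructed for the example (relay identities are placeholder strings, addresses come from the documentation ranges), and the `dir=/src=/dst=/dport=` log format is an assumption; adapt `parse_event` to your own firewall’s format. A real consensus is the hourly document served by the directory authorities.

```python
# Constructed consensus excerpt (not a real one): 'r' lines carry nickname,
# identity, digest, publication time, IP, ORPort and DirPort; 's' lines the flags.
CONSENSUS = """\
r ExampleGuard AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2018-04-13 22:15:01 198.51.100.23 443 80
s Fast Guard Running Stable V2Dir Valid
w Bandwidth=12000
p reject 1-65535
r ExampleMiddle AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2018-04-13 22:16:44 198.51.100.77 9001 0
s Fast Running Stable Valid
w Bandwidth=3000
p reject 1-65535
r ExampleExit AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2018-04-13 22:10:09 192.0.2.200 9001 9030
s Exit Fast Running Stable Valid
w Bandwidth=8000
p accept 80,443
"""

# Constructed firewall events in an assumed key=value format: dir=out is a LAN
# host connecting outward, dir=in is an Internet host reaching a LAN service.
FIREWALL_LOG = """\
2018-04-14T10:02:11Z dir=out src=10.0.0.5 dst=198.51.100.23 dport=443
2018-04-14T10:02:12Z dir=out src=10.0.0.5 dst=203.0.113.10 dport=443
2018-04-14T10:03:40Z dir=out src=10.0.0.9 dst=198.51.100.77 dport=9001
2018-04-14T10:05:02Z dir=in src=192.0.2.200 dst=10.0.0.80 dport=443
2018-04-14T10:06:15Z dir=out src=10.0.0.5 dst=203.0.113.50 dport=443
"""


def parse_consensus(text):
    """Index relays by IP address from the 'r' and 's' lines."""
    relays, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            current = {"nickname": parts[1], "orport": int(parts[7]),
                       "dirport": int(parts[8]), "flags": set()}
            relays[parts[6]] = current
        elif parts[0] == "s" and current is not None:
            current["flags"] = set(parts[1:])
    return relays


def parse_event(line):
    """'<timestamp> key=value ...' into a dict (assumed log format)."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = ts
    event["dport"] = int(event["dport"])
    return event


def port_heuristic(dport):
    """The port-only rule from the list above: Tor's default ORPort and DirPort."""
    return dport in (9001, 9030)


def classify(event, relays):
    """Verdict for one event, or None when nothing points at Tor."""
    if event["dir"] == "out":
        relay = relays.get(event["dst"])
        if relay and event["dport"] == relay["orport"]:
            # Clients open circuits through guards (or bridges); a LAN host
            # reaching a non-guard relay's ORPort is more likely itself a relay.
            return "tor-guard-connect" if "Guard" in relay["flags"] else "tor-relay-connect"
    elif event["dir"] == "in":
        relay = relays.get(event["src"])
        if relay and "Exit" in relay["flags"]:
            return "from-tor-exit"
    return None  # unknown address: ordinary traffic, or a bridge you cannot list


def scan(log_text, consensus_text):
    """Classify every event in the log against the relay index."""
    relays = parse_consensus(consensus_text)
    return [(e["ts"], classify(e, relays)) for e in map(parse_event, log_text.splitlines())]


if __name__ == "__main__":
    for ts, verdict in scan(FIREWALL_LOG, CONSENSUS):
        print(ts, verdict or "-")
```

Two things the output makes visible. The guard in the sample listens on 443, so `port_heuristic` never sees it while the consensus match does; and the last event, an outbound connection to an address that is not in the consensus, stays unflagged, which is exactly the gap bridges leave and the reason the previous section calls complete blocking impossible from the public list alone.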

Coinmonks

Coinmonks is a non-profit Crypto educational publication.

Raja Srivathsav

Written by

CHFI, ECIH and CEH || Security Analyst by profession || Admirer and practitioner of lucid writing!
