Tor Exit Node
A Tor exit node is the final relay in the Tor anonymity network through which traffic exits to the public internet. Traffic originating from Tor exit nodes arrives with the exit node's IP address rather than the true client IP, providing anonymity to users. While Tor has legitimate privacy and censorship-circumvention uses, exit node IPs are frequently used for credential stuffing, web scraping, and bypassing geo-restrictions, making them a common source of policy violations.
🔍Indicators
- Source IP matches the public Tor exit node list (updated every 30 minutes by the Tor Project)
- HTTP requests lack typical browser fingerprint characteristics (no cookies, unusual UA strings, no referrer)
- Traffic arrives exclusively over HTTPS — Tor users rarely use plaintext HTTP
- Repeated access attempts across many accounts in short succession (credential stuffing pattern)
- Requests for sensitive paths (/admin, /api/auth, /checkout) without prior browsing history
- IP geolocation resolves to a known Tor Project exit node AS (e.g., AS7922, AS9009, various European hosters)
🛡Detection Methods
Check if an IP is a Tor exit node
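# Query the Tor Project's bulk exit list (same endpoint as the block-list download below)
TOR_IP="185.220.101.1"
# -F/-x match the address as a literal whole line, so the dots are not treated as regex wildcards
curl -fsS "https://check.torproject.org/torbulkexitlist" \
  | grep -Fxq "$TOR_IP" && echo "Tor exit node" || echo "Not a Tor exit node"
# Using the Tor Project's DNS-based exit list (DNSEL): reverse the octets and query dnsel.torproject.org.
# An A record in the answer means the address is listed.
host -t A "$(echo "$TOR_IP" | awk -F. '{print $4"."$3"."$2"."$1}').dnsel.torproject.org" \
  && echo "Tor exit node"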
Real-time block list download
# Download current exit node list and load into ipset
curl -fsS https://check.torproject.org/torbulkexitlist > /tmp/tor_exits.txt
# -exist keeps the command from failing when the set is already present (re-runs, cron)
ipset create tor_exits hash:ip -exist
while read -r ip; do ipset add tor_exits "$ip" 2>/dev/null; done < /tmp/tor_exits.txt
# Tag traffic from Tor exits in the kernel log (this rule only logs; add a DROP or REJECT rule to block)
iptables -I INPUT -m set --match-set tor_exits src -j LOG --log-prefix "TOR_EXIT: "
Nginx — log and conditionally block Tor exits
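# The geo block belongs in the http context; $is_tor is 1 when the client address is in the included list
geo $is_tor {
    default 0;
    include /etc/nginx/tor_exit_nodes.conf; # generated from Tor bulk list, one "<ip> 1;" entry per line
}
server {
    if ($is_tor) {
        return 403; # or set a flag for application-level handling
    }
}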
✅Mitigation
- Use Tor Project's bulk exit list: Integrate the Tor exit node list (updated every 30 minutes) into your WAF, firewall, or application middleware to tag or block traffic as needed.
- Apply risk-based controls: Rather than blanket blocking, consider step-up authentication challenges (CAPTCHA, MFA) for Tor exit traffic, allowing legitimate privacy-conscious users while raising the cost for abusers.
- Rate-limit Tor exits aggressively: Apply stricter rate limits (requests per minute, login attempts) to Tor exit IPs than to normal traffic.
- Disable credential-sensitive functions: For high-risk operations (account login, payment processing), require non-Tor connections or implement additional verification steps.
- Monitor for credential stuffing patterns: Alert on multiple failed authentication attempts across different accounts originating from Tor exit nodes within a short window.
- Document your policy: Clearly communicate your Tor access policy to users. Some legitimate users — journalists, activists, privacy advocates — have valid reasons to use Tor.
- Consider per-service decisions: A news site may want to allow Tor access; a financial services platform may need to block it for regulatory compliance.
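One way to implement the credential-stuffing alert from the list above, as an added example that is not code from this page. It counts failed logins across the whole Tor exit pool rather than per IP. The log format, the 5-minute window, the threshold of 4 accounts and all sample addresses are assumptions made for the illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample data: documentation-range IPs, not real Tor exits.
TOR_EXITS = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 192.0.2.10 alice FAIL
2024-05-01T10:00:03Z 203.0.113.5 bob FAIL
2024-05-01T10:00:04Z 192.0.2.11 carol FAIL
2024-05-01T10:00:09Z 198.51.100.7 dave FAIL
2024-05-01T10:00:12Z 192.0.2.10 alice FAIL
2024-05-01T10:00:15Z 192.0.2.11 erin OK
2024-05-01T10:00:20Z 198.51.100.7 frank FAIL
2024-05-01T10:09:00Z 192.0.2.10 grace FAIL
"""

def parse(line):
    """Split one 'timestamp ip account result' line (hypothetical log format)."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result

def detect(log_text, tor_exits, window=timedelta(minutes=5), threshold=4):
    """Return (timestamp, accounts) alerts when failed logins from the Tor exit
    pool as a whole reach `threshold` distinct accounts inside `window`."""
    recent = deque()   # (time, account) for failures from any Tor exit
    alerts = []
    alerting = False   # suppress repeat alerts while the same burst continues
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = parse(line)
        if result != "FAIL" or ip not in tor_exits:
            continue
        recent.append((ts, account))
        while recent and ts - recent[0][0] > window:
            recent.popleft()   # drop failures that fell out of the window
        accounts = {a for _, a in recent}
        if len(accounts) >= threshold and not alerting:
            alerts.append((ts, sorted(accounts)))
            alerting = True
        elif len(accounts) < threshold:
            alerting = False
    return alerts
```

In the sample, no single exit IP fails against more than two accounts, so a per-IP counter with the same threshold stays silent while the pool-level counter fires once.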
📋Real-World Examples
Reddit Tor Blocking (2015): Reddit temporarily blocked all access from Tor exit nodes after a surge in vote manipulation and spam campaigns traced to Tor exit IPs. The block was controversial given Reddit's role as a platform for privacy-sensitive discussions. Reddit later implemented per-subreddit Tor access policies.
Credential Stuffing via Tor (2019–ongoing): Security researchers at Shape Security documented credential stuffing operators routing attacks through Tor exit nodes to distribute the apparent source of login attempts across thousands of IPs, making traditional IP rate-limiting ineffective. This forced affected organizations (airlines, retail, streaming services) to adopt behavioral biometrics and device fingerprinting instead.