10

I have someone attacking my site and it would seem some of the IPs are Tor exit nodes.

Is there somewhere I can input an IP and definitively see if it's registered as a Tor exit node?

serv-inc
Anthony

5 Answers

9

The Tor Project has a tool to do this at:

https://exonerator.torproject.org/

For automated lookups, they also provide a DNSBL-based lookup; information on that is available at:

https://www.torproject.org/projects/tordnsel.html.en

  • How can I set up an API like what exonerator has? The TorDNSEL docs aren't super clear to me – Anthony Sep 19 '17 at 04:19
  • @Antoine You don't have to set up an API, it's already provided. – gxx Sep 19 '17 at 09:14
  • How can I use it like the exonerator though, where I plug in an IP and receive word back on whether it's an exit node? This API: `[service port].[reversed service address].ip-port.exitlist.torproject.org` isn't super clear to me, what's a reversed service address in this instance? – Anthony Sep 19 '17 at 18:15
  • @Antoine Read the web page for DNSEL, under "What do the received answers mean?". –  Sep 19 '17 at 18:23
  • @Antoine you can use https://github.com/assafmo/IsTorExit – assafmo Mar 28 '18 at 05:30
3

I actually implemented the solution @duskwuff suggested.
Check it out at - https://github.com/assafmo/IsTorExit

CLI:

```sh
npm install -g istorexit
istorexit [ip...]
```

NodeJs:

```js
const IsTorExit = require("istorexit");
IsTorExit("104.200.20.46").then(console.log); // true
IsTorExit("1.1.1.1").then(console.log); // false
```
assafmo
2

https://www.ipqualityscore.com/tor-ip-address-check/lookup

On this link you can check if an IP is a Tor exit node.

1

Here's a perl solution based on https://github.com/assafmo/IsTorExit

```perl
use strict;
use warnings;

my @ips = ('1.1.1.1','1.2.1.1','1.3.1.1','1.4.1.1','1.5.1.1','104.200.20.46');
foreach (@ips)
{
    print("IP: $_\n");

    # Build the command by reversing the IP address (ie. 1.5.1.1 to 1.1.5.1)
    # Checking 1.5.1.1 via 1.1.5.1.dnsel.torproject.org
    # (https://2019.www.torproject.org/projects/tordnsel.html.en - How can I query the public TorDNSEL service?)
    # Lookup from a linux system using dig (+short to have a light answer)
    my $cmd = "dig +short ".join(".", reverse split(/\./, $_)).".dnsel.torproject.org";
    my $res = `$cmd`;
    # Trim leading and trailing whitespace (including the newline from dig)
    $res =~ s/^\s+|\s+$//g;
    print(" Command: [$cmd] ; Result: [$res]\n");

    # A records inside net 127/8, except 127.0.0.1, are reserved for future use
    # and should be interpreted by clients as indicating an exit node
    # (https://2019.www.torproject.org/projects/tordnsel.html.en - What do the received answers mean?)
    my $is_tor = 0;
    $is_tor = 1 if ($res =~ /^127\.0\.0\./ && $res ne "127.0.0.1");
    print(" Is Tor? [$is_tor]\n");
}
```
DKH
1

Download the list of all exit node IPs from https://check.torproject.org/torbulkexitlist and check whether the IP is in the list.

Alternatively, you can do a DNS query to check a single IP address. Make a DNS A query to [reverse ip address].dnsel.torproject.org. If it returns 127.0.0.2, then the IP is a Tor exit IP address. For example, to check the 12.34.56.78 address, you can run this console command:

```sh
nslookup 78.56.34.12.dnsel.torproject.org
```

If it returns Address: 127.0.0.2, then it's a Tor IP.

Finesse
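The two checks described in the answers above (DNSEL query and bulk-list membership), applied to web-server log triage, as an added example that is not code from any of the answers or from the Tor Project. It assumes the bulk list holds one address per line and that the client IP is the first field of each log line; the function names, the injected `resolve` parameter and all sample data are constructed for illustration.

```python
import ipaddress
import socket

DNSEL_ZONE = "dnsel.torproject.org"  # zone used in the answers above
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsel_name(ip):
    """Query name for an IPv4 address: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything else
    return ".".join(reversed(str(addr).split("."))) + "." + DNSEL_ZONE

def system_resolver(name):
    """A records for name; [] only for NXDOMAIN, other failures propagate."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as err:
        if err.errno == socket.EAI_NONAME:
            return []
        raise  # a timeout or SERVFAIL must not be read as "not an exit"

def is_tor_exit(ip, resolve=system_resolver):
    """True when the DNSEL answer is in 127/8 and is not 127.0.0.1."""
    for answer in resolve(dnsel_name(ip)):
        if ipaddress.ip_address(answer) in LOOPBACK and answer != "127.0.0.1":
            return True
    return False

def parse_bulk_list(text):
    """Set of addresses from torbulkexitlist content (assumed one IP per line)."""
    return {ipaddress.ip_address(l.strip()) for l in text.splitlines() if l.strip()}

def tor_clients(log_lines, exits):
    """Client IPs (first field of each log line) that appear in the exit set."""
    seen = {ipaddress.ip_address(l.split()[0]) for l in log_lines if l.strip()}
    return sorted(str(ip) for ip in seen & exits)

# Constructed sample data (documentation ranges), not real exit nodes.
SAMPLE_LIST = "192.0.2.10\n198.51.100.7\n"
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Sep/2017:04:19:00 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.5 - - [19/Sep/2017:04:19:02 +0000] "GET / HTTP/1.1" 200 1024',
]
fake_dns = {"10.2.0.192.dnsel.torproject.org": ["127.0.0.2"]}  # stand-in resolver data

if __name__ == "__main__":
    print(tor_clients(SAMPLE_LOG, parse_bulk_list(SAMPLE_LIST)))
    print(is_tor_exit("192.0.2.10", resolve=lambda n: fake_dns.get(n, [])))
```

For many addresses the bulk-list path needs one download and no per-IP DNS traffic; the exit set changes over time, so a hit describes the list as fetched, not the moment of the logged request.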