Guide to Blocking TOR IPs in IIS with URLrewrite


Last post May 15, 2017 11:19 PM by Rovastar


    Recently I had a need to block people using the TOR/Onion network dark web from accessing our sites.

    Often traffic via the TOR network is not desirable to hit websites and is mostly used for nefarious purposes.

    The TOR network uses different IPs all the time to connect; these are commonly referred to as exit nodes.

    These change periodically but luckily there are resources on the web to help us.

    https://www.dan.me.uk is a really useful site that compiles a list of current exit node IPs for you. There are hundreds of these IPs and they do change regularly.

    https://www.dan.me.uk/torlist/?exit

    Next we need a rewrite rule and a rewrite map of these IPs.

    The rewrite rule looks like the following (to be placed in your applicationhost or web.config):

        <rule name="Block TOR IP Edge nodes" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <!-- This will lookup the 'TOR_IPs' rewriteMap below and compare it to the REMOTE_ADDR which is the requesting IP -->
                <add input="{TOR_IPs:{REMOTE_ADDR}}" pattern="1" />
            </conditions>
            <action type="CustomResponse" statusCode="403" subStatusCode="99" statusReason="ForbiddenTOR" statusDescription="ForbiddenTOR" />
        </rule>
    


    This will reject these with a 403.50 error code. You can pick any response you like, such as "abort request"; however, I think it is better to have more information and it can be more useful, as I will explain later.

    Then you need the rewrite map.
    Rewrite maps are just a list of values that map to a result. Ours is very simple: it is a list of IPs that map to the number "1".

    Now I took the list of TOR exit nodes from www.dan.me.uk and converted them into the URLrewrite map format.
    So it needs to go from a list like:

    103.234.220.197
    103.236.201.110
    103.250.73.6
    103.27.124.82
    ..
    snip
    ..
    96.64.149.101
    96.66.15.147
    97.74.237.196

    becomes

    <rewriteMaps>
    	<rewriteMap name="TOR_IPs">
    		<add key="103.234.220.197" value="1" />
    		<add key="103.236.201.110" value="1" />
    		<add key="103.250.73.6" value="1" />
    		<add key="103.27.124.82" value="1" />
    ..
    snip
    ..
    		<add key="96.64.149.101" value="1" />
    		<add key="96.66.15.147" value="1" />
    		<add key="97.74.237.196" value="1" />
    	  </rewriteMap>
          </rewriteMaps>

    I used a simple macro in a text editor (Notepad++ in my case) to quickly change each <IP> to <add key="<IP>" value="1" />

    Now, why the custom response?

    Well, this is for a few reasons.

    I have chosen a unique error code that IIS natively does not return. This is so I can find the response in the IIS logs. Searching for HTTP status code 403 and substatus 99 will be unique to this scenario. And this means I can track it rather than (more CPU efficient) "abort request" where it gets lost.

    Also there is another reason for this unique HTTP status code: so I can (if desired) have a custom error page in IIS. (Custom error pages are a whole other topic......)
    So creating a simple JPG ("C:\Inetpub\Error\TORblock.jpg") lets any legit customers who might have been using TOR know (and customer services is aware it is a unique/different error)

    under

    <httpErrors>
      <error statusCode="403" subStatusCode="99" path="C:\Inetpub\Error\TORblock.jpg" responseMode="File" />
    </httpErrors>

    And finally, as the list can change periodically, you will need to refresh the TOR exit nodes data to keep it up to date.

    Troubleshoot IIS in style
    https://www.leansentry.com/
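The list-to-rewriteMap conversion described in the post, as an added PowerShell example that is not part of the original post; it can be rerun whenever the exit node list is refreshed. The function name `ConvertTo-TorRewriteMap` and the sample addresses are constructed for illustration. It assumes IPv6 entries should be written in .NET's canonical text form; confirm that this matches what REMOTE_ADDR reports on your server.

```powershell
# Added example; function name and sample data are constructed, not from the post.
function ConvertTo-TorRewriteMap {
    param([string[]] $Lines, [string] $MapName = 'TOR_IPs')

    $seen = New-Object 'System.Collections.Generic.HashSet[string]'
    $keys = New-Object 'System.Collections.Generic.List[string]'
    $skipped = 0
    foreach ($line in $Lines) {
        $text = "$line".Trim()
        if ($text -eq '' -or $text.StartsWith('#')) { continue }
        # Only text that parses as an IP address may reach the config file.
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($text, [ref] $ip)) { $skipped++; continue }
        $key = $ip.ToString()
        # TryParse accepts IPv4 shorthand such as "10.1"; require a full dotted quad.
        if ($ip.AddressFamily -eq 'InterNetwork' -and $key -ne $text) { $skipped++; continue }
        if ($seen.Add($key)) { $keys.Add($key) }   # drop duplicate entries
    }

    # XmlWriter escapes attribute values and keeps the fragment well-formed.
    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $settings.OmitXmlDeclaration = $true
    $sw = New-Object System.IO.StringWriter
    $xw = [System.Xml.XmlWriter]::Create($sw, $settings)
    $xw.WriteStartElement('rewriteMaps')
    $xw.WriteStartElement('rewriteMap')
    $xw.WriteAttributeString('name', $MapName)
    foreach ($key in $keys) {
        $xw.WriteStartElement('add')
        $xw.WriteAttributeString('key', $key)
        $xw.WriteAttributeString('value', '1')
        $xw.WriteEndElement()
    }
    $xw.WriteEndElement()
    $xw.WriteEndElement()
    $xw.Close()
    [pscustomobject]@{ Xml = $sw.ToString(); Added = $keys.Count; Skipped = $skipped }
}

# Constructed sample list (documentation address ranges, not real exit nodes).
$sample = "192.0.2.10`n198.51.100.7`n192.0.2.10`n`n<b>not an address</b>`n10.1`n2001:db8::25" -split '\r?\n'

$result = ConvertTo-TorRewriteMap -Lines $sample
$result.Xml
"added=$($result.Added) skipped=$($result.Skipped)"
```

Review the `Skipped` count after each refresh: a sudden jump usually means the downloaded file was an error page rather than the address list, and the previous map should be kept.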