CISA Offers Official Cybersecurity Tips for Tor-Based Attacks

Protecting against modern Tor-based attacks


Cyberattacks arrive from many directions. One source is Tor, the anonymity network and the Tor Browser built on it. Tor is not a browser extension: it routes a user's traffic through a chain of volunteer relays so that the destination sees only the address of the final relay (the exit node), never the user's own IP address. That property is what makes Tor attractive to attackers and awkward for defenders who rely on source addresses.

The Cybersecurity and Infrastructure Security Agency (CISA) has published tips and guidelines for defending against attacks that originate from Tor. Because Tor hides where a connection really comes from, it is a popular tool for attackers.

On its own, Tor is not a malicious program: it encrypts traffic and conceals who is talking to whom, and it has many legitimate users. The same anonymity, however, is used to run attacks and to reach onion services on the dark web. Both individuals and businesses can be targeted.

When a Tor user attacks a network, the victim sees only the IP address of a Tor exit node rather than the attacker's, which makes attribution and blocking harder. Because of the escalating threat, CISA worked with the FBI to publish defensive guidance.

Attack Types

According to the FBI and CISA, attacks commonly observed coming through Tor exit nodes include:

  • Data manipulation
  • Reconnaissance and information gathering
  • Exploitation attempts and scanning for network vulnerabilities
  • DDoS (distributed denial of service) attacks
  • Ransomware and other malware attacks, including payload delivery

They also describe the typical sequence of an attack launched through a Tor node.

  1. Attackers select a target.
  2. They gather information about it, through open-source research or active scanning and sniffing.
  3. From that information they identify a weak point in a network or system.
  4. They break in and gain partial or full control of a system.
  5. They carry out their objective, which may include encrypting parts of the system, routing the network through a malicious proxy, or simply keeping command of the compromised system.
  6. They complete the operation and leave the network.
  7. The damage lands on the targeted network or system.

Defending against a Tor-based attack

Protecting against Tor-based attacks follows the same principles as good cybersecurity generally, with a few key differences. CISA recommends that organizations first assess their risk and the likelihood of suffering a Tor-based attack.

They should also assess the chance that such an attack would succeed; a penetration test is one way to measure this. CISA also offers several suggestions for detecting Tor-based activity:

  • Look for unusually high traffic to or from Tor nodes: inbound connections whose source address appears on the published list of Tor exit nodes, and outbound connections from inside the network to known Tor relays, which suggest a user (or malware) is running a Tor client on the company network
  • Use web server and proxy logs to pick out abnormal activity from those addresses and identify dangerous traits, such as scanning, credential guessing or vulnerability probing
  • Analyze traffic data that matches patterns of known malicious activity

CISA also recommends watching for network behavior associated with Tor, such as increased use of the TCP and UDP ports Tor commonly uses.

Those ports are usually 9001, 9030, 9040, 9050, 9051 and 9150. Port numbers alone are a weak indicator, though: Tor relays can be configured to listen on 443 or 80, so port hits should be correlated with published relay and exit-node address lists.
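The two detection tips above, matching inbound requests against the Tor exit-node list and matching outbound flows against Tor's usual ports, can be scripted against ordinary logs. The block below is an added example for this article, not code from CISA or the FBI. The exit-node list, the web-server access log and the firewall log are all constructed here for the example (documentation IP ranges), and the list formats it parses are the Tor Project's "ExitAddress <ip> <timestamp>" exit-addresses file and the one-IP-per-line bulk exit list.

```python
"""Flag inbound requests from Tor exit nodes and outbound flows to Tor ports."""
import re
from collections import Counter

# Constructed stand-in for the Tor Project's exit-address list. The real file
# carries "ExitAddress <ip> <timestamp>" lines; the bulk list is one bare IP
# per line. Both shapes are handled. Addresses are documentation ranges.
EXIT_LIST_TEXT = """\
ExitNode 0000000000000000000000000000000000000001
Published 2023-01-01 09:00:00
ExitAddress 198.51.100.23 2023-01-01 09:30:00
ExitAddress 198.51.100.77 2023-01-01 09:31:00
192.0.2.200
"""

# Constructed web-server access log in combined log format.
ACCESS_LOG = """\
198.51.100.23 - - [01/Jan/2023:10:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2023:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jan/2023:10:12:04 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.28"
198.51.100.77 - - [01/Jan/2023:10:12:09 +0000] "GET /.env HTTP/1.1" 404 0 "-" "curl/7.88"
198.51.100.23 - - [01/Jan/2023:10:12:11 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.28"
"""

# Constructed egress firewall log in the style of netfilter LOG lines.
FIREWALL_LOG = """\
IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.77 PROTO=TCP SPT=51000 DPT=9001
IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.50 PROTO=TCP SPT=51001 DPT=443
IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=192.0.2.200 PROTO=TCP SPT=51002 DPT=9030
IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.5 PROTO=UDP SPT=51003 DPT=53
"""

TOR_PORTS = {9001, 9030, 9040, 9050, 9051, 9150}  # the ports named in the advisory

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
FIREWALL_RE = re.compile(r'SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*DPT=(?P<dpt>\d+)')


def load_exit_nodes(text):
    """Return the set of exit IPs from either exit-list format."""
    nodes = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitAddress" and len(parts) >= 2:
            nodes.add(parts[1])
        elif len(parts) == 1 and re.fullmatch(r"[0-9.]+", parts[0]):
            nodes.add(parts[0])
    return nodes


def parse_access_log(text):
    """Parse combined-log-format lines into dicts; unparsable lines are skipped."""
    return [m.groupdict() for m in map(ACCESS_RE.match, text.splitlines()) if m]


def flag_tor_requests(entries, exit_nodes):
    """Keep only requests whose client address is a known Tor exit."""
    return [e for e in entries if e["ip"] in exit_nodes]


def tor_exit_summary(entries, exit_nodes):
    """Count requests per exit IP and count failed logins (401/403) per exit,
    the credential-guessing pattern the advisory warns about."""
    hits = flag_tor_requests(entries, exit_nodes)
    per_ip = Counter(e["ip"] for e in hits)
    failed_auth = Counter(e["ip"] for e in hits if e["status"] in {"401", "403"})
    return {"per_ip": dict(per_ip), "failed_auth": dict(failed_auth)}


def outbound_tor_connections(text, tor_ips, ports=TOR_PORTS):
    """Flag egress flows to Tor's well-known ports or to a listed Tor address.
    For egress the full relay list is the right input; the exit list is used
    here only because it is the one constructed above."""
    flagged = []
    for line in text.splitlines():
        m = FIREWALL_RE.search(line)
        if m and (int(m["dpt"]) in ports or m["dst"] in tor_ips):
            flagged.append(m.groupdict())
    return flagged


if __name__ == "__main__":
    exits = load_exit_nodes(EXIT_LIST_TEXT)
    print(tor_exit_summary(parse_access_log(ACCESS_LOG), exits))
    print(outbound_tor_connections(FIREWALL_LOG, exits))
```

Run against real data by swapping the three constructed strings for the downloaded exit list and your own log files; the per-exit failed-login counter is the signal worth alerting on, since a single Tor-sourced page view is routine while repeated 401s from one exit is the credential-guessing pattern described above.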

CISA also recommends firewalls, and firewalls that can inspect and log traffic give additional detection and control options for identifying unusual activity and blocking it. It's important to understand your company's current detection capabilities, since Tor is designed to defeat simple source-address blocking.

Protective measures

CISA and the FBI recommend several measures for protecting your network. Make sure you don't unintentionally lock legitimate users out of a network or block system access. Also take note of whether your company or staff use Tor for legitimate business activity, since any blocking will affect them too.

Most restrictive approach

With this approach, the company blocks all traffic to and from known Tor entry and exit nodes. This is not a guaranteed fix: the node lists change constantly, and Tor bridges are deliberately left off the public lists.

Less restrictive approach

A more thorough but resource-intensive approach. Traffic to and from Tor nodes is monitored and analyzed, and only the activity that analysis shows to be malicious is blocked. This depends on having traffic-analysis capability in place.

Blended approach

Combines the two: block Tor traffic outright to some resources and allow but monitor it to others, adjusting the block/allow decision based on risk, business need, and analysis.

Every security method will differ based on the company’s needs and its unique network makeup.
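To make the three approaches concrete, here is a small request-policy function that applies each of them to the same sequence of requests. This is an added example for this article, not code from CISA or the FBI. The exit-node set, the list of sensitive paths, the list of probe paths and the failed-login threshold are all assumptions chosen for the example; in production the exit set would be loaded from the Tor Project's exit list and the other lists tuned to the application.

```python
"""Most-restrictive, less-restrictive and blended handling of Tor exit traffic."""
from collections import defaultdict

# Assumed exit-node set (documentation addresses); load from the real exit list in practice.
EXIT_NODES = {"198.51.100.23", "198.51.100.77"}

# Assumed: paths where Tor access is never acceptable under the blended approach
# (authentication, administration, and anything that writes data).
SENSITIVE_PREFIXES = ("/login", "/wp-login.php", "/admin", "/api/")

# Assumed: paths that on their own indicate probing, used as the "analysis"
# step of the less-restrictive approach.
PROBE_PATHS = ("/.env", "/.git/", "/phpmyadmin", "/wp-config.php")

FAILED_AUTH_LIMIT = 3  # assumed threshold: block an exit after this many failed logins


class TorPolicy:
    def __init__(self, mode, exit_nodes=EXIT_NODES):
        assert mode in {"most_restrictive", "less_restrictive", "blended"}
        self.mode = mode
        self.exit_nodes = exit_nodes
        self.failed_auth = defaultdict(int)  # per-IP failed-login counter
        self.monitored = []                  # Tor requests allowed but logged for review

    def record_response(self, ip, path, status):
        """Feed the application's response back so repeated failures accumulate."""
        if status in (401, 403) and path.startswith(SENSITIVE_PREFIXES):
            self.failed_auth[ip] += 1

    def _looks_malicious(self, ip, path):
        return path.startswith(PROBE_PATHS) or self.failed_auth[ip] >= FAILED_AUTH_LIMIT

    def decide(self, ip, method, path):
        """Return 'allow', 'monitor' or 'block' for one request."""
        if ip not in self.exit_nodes:
            return "allow"                     # non-Tor traffic is untouched here
        if self.mode == "most_restrictive":
            return "block"                     # every Tor exit is refused
        if self.mode == "less_restrictive":
            # Allow and watch by default; block only once analysis shows abuse.
            if self._looks_malicious(ip, path):
                return "block"
            self.monitored.append((ip, method, path))
            return "monitor"
        # Blended: hard block on sensitive resources and non-read methods,
        # analysis-driven block on probing, monitored access to the rest.
        if path.startswith(SENSITIVE_PREFIXES) or method not in ("GET", "HEAD"):
            return "block"
        if self._looks_malicious(ip, path):
            return "block"
        self.monitored.append((ip, method, path))
        return "monitor"


# Constructed sequence of (client ip, method, path, status the app would return).
EVENTS = [
    ("203.0.113.9", "GET", "/index.html", 200),
    ("198.51.100.23", "GET", "/index.html", 200),
    ("198.51.100.23", "POST", "/wp-login.php", 401),
    ("198.51.100.23", "POST", "/wp-login.php", 401),
    ("198.51.100.23", "POST", "/wp-login.php", 401),
    ("198.51.100.23", "POST", "/wp-login.php", 401),
    ("198.51.100.77", "GET", "/.env", 404),
]


def replay(mode, events=EVENTS):
    """Run one policy mode over the event sequence and return its decisions."""
    policy = TorPolicy(mode)
    decisions = []
    for ip, method, path, status in events:
        d = policy.decide(ip, method, path)
        decisions.append(d)
        if d != "block":                       # a blocked request never reaches the app
            policy.record_response(ip, path, status)
    return decisions


if __name__ == "__main__":
    for mode in ("most_restrictive", "less_restrictive", "blended"):
        print(mode, replay(mode))
```

The replay makes the trade-off visible: the most restrictive mode also refuses the harmless page view from an exit node, the less restrictive mode lets three failed logins through before the counter trips, and the blended mode keeps the public page reachable while refusing the login and probe requests outright.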

Need additional assistance? You can contact Bytagig for more information about network protection and Tor security.
