Identify Tor connections in Node.js with Tor-test

We released a new feature for our web-application protection tool: Sqreen now monitors user traffic originating from Tor. All security events linked to such connections are highlighted and given particular attention.
We decided to open-source part of the logic powering this feature.

A few days ago, we published an article about the Tor network. We saw that accepting users from Tor could entail security threats to your applications.

This week, Sqreen is happy to release its latest Node.js project: tor-test.

Each day, Sqreen publishes a freshly updated public list of Tor exit nodes through an easy-to-use web service. Tor-test can fetch the updated list from this web service and lets you test whether an IP address is a Tor exit node.

Tor-test is open source (published under the MIT license). You can check and contribute to the code on the project’s GitHub repository.

How to use it

The module exposes a very simple API with two methods:

  • TorTest.fetch(callback): to update the list of Tor exit nodes in the module’s cache.
  • TorTest.isTor(ip, callback): to test an IP address.

Complete documentation can be found in the README file.

Usage example: monitor requests from Tor

This example is extracted from the project’s cookbook.

Let’s assume we have a server object created with http.createServer or any other method of instantiating a Node.js server.

Logging all requests is as simple as:

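const TorTest = require('tor-test');

// `server` is the Node.js http Server
server.on('request', (req) => {
    // Address of the directly connected peer
    // (req.socket is the non-deprecated name for req.connection)
    const ipAddr = req.socket.remoteAddress;

    TorTest.isTor(ipAddr, (err, isTor) => {
        if (err) {
            console.error(err);
            return;
        }
        if (isTor) {
            console.log(`Tor connection from ${ipAddr}`);
        }
    });
});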

On the first call to isTor, the package will fetch the exit nodes list.

In real life, we would also want to refresh the exit nodes list once a day:

const refresh = setInterval(() => {
    TorTest.fetch();
}, 8.64e7); // 24 hours in milliseconds

refresh.unref(); // unref the timer so it does not keep the process alive on its own

Note that you have to unref the Interval. Otherwise, the Interval will keep the event loop active and prevent the process from exiting (see http://nodejs.org/dist/latest-v6.x/docs/api/timers.html#timers_timeout_unref).
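The listener above tests the socket's remote address as-is. On a dual-stack listener that address can be IPv4-mapped ("::ffff:a.b.c.d"), and behind a reverse proxy it is the proxy's address, not the visitor's. The following is an added example, not code from the tor-test project: normalizeIp, clientIp, monitorTor, trustedProxies and onTor are hypothetical names, and it assumes the exit-node list is matched against plain IP strings.

```javascript
'use strict';
const net = require('net');

// Dual-stack sockets report IPv4 peers as "::ffff:a.b.c.d"; strip the prefix
// so the value is a plain IPv4 string. Returns null if it is not an IP address.
function normalizeIp(addr) {
  if (typeof addr !== 'string') return null;
  const ip = addr.trim().replace(/^::ffff:(?=\d+\.\d+\.\d+\.\d+$)/i, '');
  return net.isIP(ip) ? ip : null;
}

// Choose the address to test. X-Forwarded-For is client-controlled, so it is
// read only when the direct peer is one of our own proxies (trustedProxies is
// a Set of their IPs), and walked right to left to the first untrusted hop.
function clientIp(req, trustedProxies = new Set()) {
  const peer = normalizeIp(req.socket.remoteAddress);
  if (peer === null || !trustedProxies.has(peer)) return peer;
  const hops = String(req.headers['x-forwarded-for'] || '')
    .split(',')
    .map((hop) => normalizeIp(hop));
  for (let i = hops.length - 1; i >= 0; i--) {
    if (hops[i] === null) return peer; // malformed entry: fall back to the peer
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return peer;
}

// Same listener as above, but testing the resolved client address.
// `torTest` is the tor-test module, passed in by the caller.
function monitorTor(server, torTest, trustedProxies, onTor) {
  server.on('request', (req) => {
    const ip = clientIp(req, trustedProxies);
    if (ip === null) return;
    torTest.isTor(ip, (err, isTor) => {
      if (err) {
        console.error(err);
        return;
      }
      if (isTor) onTor(ip, req);
    });
  });
}
```

Without the trusted-proxy check, any client could send an X-Forwarded-For header of its choosing and hide a Tor exit address behind it.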

Implementation example

At Sqreen, we integrated this module to showcase Tor connections inside a user detail. Connecting from Tor isn’t a risk in itself, but correlating this information to attacks performed, connections from multiple locations, account farming, etc. is helpful to identify suspicious user activities. This can be used to detect fraud or account takeovers.

In this example, we see the User panel of the dashboard. Sqreen tracks user connections to your app and gives you information regarding what happens in terms of logins:

[Figure: User detail with Tor connection]

On the right-hand side, we see that the user connected from Tor once:

[Figure: Tor connection detail]

The risk level associated with this user is increased. It does not mean Sqreen will take action against this user. However, special attention should be given to this user’s behavior in the future.

Conclusion

You can use this Node.js package to check if a connection to your application is originating from Tor. Then you can decide which action you want to take.

You might only want to log this information, use it through the onboarding process, or simply monitor the activity of some users more closely. You might restrict the actions allowed on your app or send this to your support/CRM platform.

With this package, you can make a decision that makes sense regarding the access of Tor users to your application.

Do not hesitate to contribute to the project on GitHub. I would also love to get your comments and feedback regarding this project.

Also, if Node.js application security is important to you, you definitely should take a look at Sqreen. We protect Node.js applications from attacks at runtime and detect suspicious user activities (including Tor connections).

About the Author

Vladimir is a software engineer at Sqreen.io with a background in cyber-security. He is involved in diverse open-source projects in JavaScript (mostly within the hapijs project) and has recently contributed to the Node.js core. He is currently working at Sqreen and is responsible for the Node.js instrumentation.