Wednesday, January 30, 2008

Limiting Tor access with ISA 2004/2006

If you have looked into "The onion ring", or just "Tor", you have probably wondered if it would be wise to block access from these anonymous servers (or maybe just the exit nodes). I am not gonna talk about how the encrypted Tor network works, as a great deal of info can be found "out there". Main source should be: - and perhaps WikiPedia.

As a security guy (or ISA administrator maybe), you ask yourself "why do these people want to be anonymous"? In this case "anonymous" means that "they" don't want targets on the Internet to see the originating IP address (the source). A "target" is typically a web site or some other web service.

The answer? Well, first you gotta ask yourself: "who are they"? And there's really no good answer to that question I guess - who really knows? All we can do is guess, so let me turn these questions around: if I were to try out a hack, or some new exploit, would I do it directly over my personal WAN IP? Or would I try to "hide" my originating IP? If you look at it in that perspective Tor networks are GREAT for hiding out - the whole idea is that it shouldn't be possible to track the communication. What you don't know can hurt you, right? I'm not saying all Tor users are hackers or anything, because they are not, but you have to look at the odds... What do you think? I cant help thinking, that if you hide from someone you have something (bad) to hide - but hey, it could be a Christmas present, right?

Anyway - you have to decide - do I want these people to be able to access my web sites and services or not? I'm not going to decide on your behalf - that's politics!

So, what can we do about it if we want them out? Well, after reading Thomas Shinders Blog entry "HammerOfGod Computer Sets — Block and Log by Country" I got an idea. How about downloading a list of Tor servers, import it into a Computer Set (CS) and make sure that CS is an Exception on all of you Published services? This way hackers out there, behind Tor servers, won't be able to poke around your IIS servers or whatever you have.


So, I started a search for Tor lists - the best thing would probably be to create it yourself dynamically - but that would take programming skills that I unfortunately haven't got. I'm just a scripting kinda guy... The thing is, you would need to have a Tor client installed and from that extract the list once in a while - not possible for me (maybe you can do it easily - please post a "how to" then).

But, then I found a list on - this list it updated regularly - the only thing is, that this list is formatted for easy import on Apache servers, definitely not ISA. But hey, we can change the formatting in a script and then call the "AddComputersToComputerSet.vbs" script from Microsoft... Simple, all we have to do then, is to configure the CS exceptions on our ISA rules, schedule the script and never touch it again!

So, I created a simple script for:

a) Downloading the latest Tor server list from
b) After the download it creates a new file with the correct format (machine_name<tab>IP_address)
c) And then it calls the AddComputersToComputerSet.vbs with the correct parameters

You can download the script here - also download the script from MS (link above) and place them in the same directory. You will need a bit of VBS knowledge to "tweak" the script(s), but I've tried to make the code "easy understandable". Now, make sure you can run it from your ISA box (it downloads over HTTP), and then schedule the thing (oh, and remember to remove the Msgbox "Done!" line if you want this as a scheduled task).

If you want it to run from another machine, take a look at the link to the AddComputersToComputerSet I provided above (some changes are needed).

Please report back if you have any bug reports or ideas! It provided "As Is" - after downloading you're on your own :)


The dynamically created/updated ISA Computer Set:


The ISA Rule/Publishing Exceptions:


What's missing?
I can think of a lot of things I'd like to add in there - but the idea with this blog entry is to "spread the word" and a Proof of Concept.

Personally I want to add logging of script actions, email alerts if the list is unavailable or some other errors occur. Also, there's a weakness in case the downloadable list is compromised somehow. Say someone adds Internal/Private/"not-Tor" IPs etc. to the list, it just might give some strange results for your users. So, we have to trust the list is OK secure - but it would be a good idea to put in some sort of validation on what IP addresses are put into this particular CS.


Hope you can use this :)