jtschichold / panwdbl

Simple block lists hub for PAN-OS DBL feature
ISC License
35 stars, 9 forks

List not differentiating between TOR RELAY and EXIT nodes #3

Open danhusan opened 7 years ago

danhusan commented 7 years ago

Would be great not having the TOR relay nodes on the list as they are not a threat.

danhusan commented 7 years ago

I think you misunderstand what a relay does. Someone using TOR will never send traffic OUT from a relay's IP address. Hence there is no need to block it in the enterprise firewall. A relay only relays traffic between TOR nodes. What will happen is that if user X runs a TOR relay at home behind his router running NAT, it will be blacklisted in all enterprises using your list. Then he will not be able to access those enterprises' services when surfing normally (outside of TOR), and it will create noise for the enterprises.

I completely agree that blocking TOR exits could be smart - but blocking people running relays is just unnecessary.

jtschichold commented 7 years ago

Hi @danhusan, please take a look at MineMeld (https://github.com/PaloAltoNetworks/minemeld). With the blutmagie feeds you can now differentiate exit nodes from all the TOR nodes.
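The distinction the thread turns on (exit nodes versus plain relays) as a filter, added here as an example that is not part of panwdbl, MineMeld or either commenter's posts: it reads the `r`/`s` router-status entries of a Tor network-status consensus and emits only the IPs carrying the `Exit` flag, so relays like the home relay described above never reach the block list. The consensus snippet and the function names are my own constructed sample data and assumptions.

```python
"""Build an exit-only block list (one IP per line) from Tor consensus
router-status entries. Every router is an 'r' line followed by an 's'
line listing its flags; only routers flagged 'Exit' are emitted, so
non-exit relays are left out. Added example; sample data is constructed."""
import ipaddress

# Constructed sample in the shape of real consensus entries:
# r <nick> <identity> <digest> <date> <time> <ip> <orport> <dirport>
# s <flag> <flag> ...
SAMPLE_CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2017-01-01 00:00:00 198.51.100.10 9001 0
s Fast Running Stable Valid
r exitB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2017-01-01 00:00:00 203.0.113.20 443 80
s Exit Fast Guard Running Stable Valid
r exitDown EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2017-01-01 00:00:00 203.0.113.30 9001 0
s Exit Valid
r homeRelay GGGGGGGGGGGGGGGGGGGGGGGGGGG HHHHHHHHHHHHHHHHHHHHHHHHHHH 2017-01-01 00:00:00 192.0.2.40 9001 0
s Running Valid
"""

def parse_routers(text):
    """Yield (ip, set_of_flags) for each router status entry."""
    ip = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            ip = parts[6]                     # IPv4 address field of the 'r' line
        elif parts[0] == "s" and ip is not None:
            yield ip, set(parts[1:])          # flags belong to the preceding 'r'
            ip = None

def exit_block_list(text, require_running=True):
    """Return sorted exit-node IPs; routers without the Exit flag are skipped."""
    out = set()
    for ip, flags in parse_routers(text):
        if "Exit" not in flags:
            continue                          # plain relay: never a source of client traffic
        if require_running and "Running" not in flags:
            continue                          # stale entry, not currently reachable
        ipaddress.ip_address(ip)              # reject malformed data instead of emitting junk
        out.add(ip)
    return sorted(out, key=ipaddress.ip_address)

if __name__ == "__main__":
    print("\n".join(exit_block_list(SAMPLE_CONSENSUS)))
```

The printed list has the one-IP-per-line shape PAN-OS expects from an external block list; only `203.0.113.20` survives, while the two relays and the non-running exit are dropped.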