AWS WAF Specifically block TOR

0

I'm trying to block Tor only connections against my aws resource using the AWS WAF rule group managed by AWS called AWS-AWSManagedRulesAnonymousIpList (https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html )

At the top they say "These include requests from VPNs, proxies, Tor nodes, and hosting providers" but when describing AnonymousIPList labels you said "Inspects for a list of IP addresses of sources known to anonymize client information, like TOR nodes, temporary proxies, and other masking services." so it's not clear to me whether VPN is a masking service or not, since the description seems pretty broad and non-specific.

2 Answers
1

Hi,

VPN is considered a masking service as your actual IP address and online actions are virtually untraceable. You can run a test by yourself:

  • Create a web service, for example a 3-tier app using an ALB (Application Load Balancer).
  • Attach WAF managed rule set to the ALB and only activate Anonymous IP list.
  • While adding the managed rule set you can be more specific to only block action using the edit option for Anonymous IPlist [There is edit tab in front of the Capacity unit].
  • Try connecting the App using a VPN service externally.

If you wanted to just block the Tor nodes and permit VPN, that level of granularity is not available in this managed rule.

Thanks

AWS
answered a year ago
0

You can leverage the IP list parser, where the Lambda function gathers and parses data from Tor exit nodes and other 3rd-party sources.

AWS
answered a year ago
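As an added illustration of the approach in the answer above (this is not the AWS IP list parser Lambda's code, nor anything posted in this thread): parse the line format of the Tor Project's exit-address feed into host-route CIDRs and build the parameters for a WAFv2 UpdateIPSet call, which is how a Tor-only block can be kept separate from the broader managed AnonymousIPList rule. The feed lines, IP set name, id and lock token below are constructed placeholders.

```python
import ipaddress
from typing import Dict, Set, Tuple

# Constructed sample in the line format of check.torproject.org/exit-addresses.
# Addresses are documentation ranges (RFC 5737 / RFC 3849), not real relays.
SAMPLE_EXIT_LIST = """\
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2024-01-01 00:00:00
LastStatus 2024-01-01 01:00:00
ExitAddress 192.0.2.10 2024-01-01 01:00:00
ExitNode 89ABCDEF0123456789ABCDEF0123456789ABCDEF
Published 2024-01-01 00:00:00
LastStatus 2024-01-01 01:00:00
ExitAddress 192.0.2.10 2024-01-01 00:30:00
ExitAddress 198.51.100.7 2024-01-01 01:00:00
ExitAddress 2001:db8::1 2024-01-01 01:00:00
ExitAddress not-an-ip 2024-01-01 01:00:00
"""

# Default WAFv2 quota for addresses in one IP set (check your account's current limit).
MAX_ADDRESSES_PER_IP_SET = 10000


def parse_exit_addresses(text: str) -> Tuple[Set[str], Set[str]]:
    """Return (ipv4_cidrs, ipv6_cidrs) as /32 and /128 entries, deduplicated.

    WAFv2 IP sets are single-family and require CIDR notation, so one relay
    seen on both families lands in two different sets. Malformed lines are
    skipped so one bad record cannot abort the whole refresh.
    """
    v4, v6 = set(), set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "ExitAddress":
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        (v4 if ip.version == 4 else v6).add(f"{ip}/{ip.max_prefixlen}")
    return v4, v6


def ip_set_update_params(name: str, set_id: str, lock_token: str,
                         cidrs: Set[str], scope: str = "REGIONAL") -> Dict:
    """Build kwargs for boto3 wafv2.update_ip_set (scope REGIONAL for an ALB).

    The lock token comes from a preceding get_ip_set call; UpdateIPSet replaces
    the whole address list, so the full current feed is sent every time.
    """
    if len(cidrs) > MAX_ADDRESSES_PER_IP_SET:
        raise ValueError(f"{len(cidrs)} addresses exceed the IP set quota")
    return {"Name": name, "Scope": scope, "Id": set_id,
            "LockToken": lock_token, "Addresses": sorted(cidrs)}
```

Pair the resulting IP set with a WebACL rule whose action is Block and the managed AnonymousIPList rule can be left at Count or omitted, so only the Tor entries are enforced.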
