
Blocking hits from TOR nodes

Can go weeks without seeing them, then I see a lot on the same day

         

SumGuy

4:17 pm on Nov 20, 2022 (gmt 0)

5+ Year Member Top Contributors Of The Month



I look periodically at the IPs that my router is blocking that were trying to hit my web site (ports 80 and 443). My router has 2 blocking lists - one that is not logged and one that is logged. So there are some (or a lot) of garbage IPs that are being blocked that I'm not logging. This cuts down on log file size.

During the last 24 hours, there were 75 unique IPs that were blocked, of which 35 have no rDNS (i.e. no host names). Of the ones that do have a host name, 25 of them have "tor" in their host name (i.e. tor-exit, this-is-a-tor-node, etc).

Two of them are exit.tor.uwaterloo.ca and tor-exit.csail.mit.edu.

I can go weeks or a month or two without seeing any attempted web-hits from tor exit nodes, and then on the same day I can see a ton of hits - like today. It can't be a coincidence that there is such a high level of TOR use trying to hit my site today. This can't be from multiple different scrapers / bots all independently making the decision to hit my site today using tor.

(I block tor because all I've ever seen in the past when they were open was garbage hits / searching for exploits, never a legit hit)

Pfui

12:11 am on Nov 22, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I can’t explain Tor hit patterns but like you, I block all Tor all the time, whether by a fragment in Hostname or an IP lookup. I also can’t understand why ISPs even host Tor accounts anymore. Project Honeypot always shows Tor hits to be nothing but garbage, loads and loads and loads of garbage.

Sgt_Kickaxe

3:50 am on Nov 24, 2022 (gmt 0)



> Project Honeypot always shows Tor hits to be nothing but garbage

Correction - Project Honeypot shows garbage hits. I.e., garbage hits are all you will find, regardless of browser used.

Also, ISPs give internet access to people. What people do with it is on them but the ISP knows who is using TOR, it's not an illegal activity.

The people who use TOR browsers just don't want others to know who they are, including you. Why? I wouldn't assume it's always for nefarious reasons. People occasionally use TOR when traveling and on public (hotel, cafe, school, corporate, library, etc.) computers. Would you want to ban everyone in those locations?

By choosing to block them all you're sending your competitors legit users, too.

Just saying.

A better way - judge traffic by what it does and limit how often it can try to do it.
- You went for my admin files, goodbye
- You're a known spam bot, sayonara.
- You're using TOR... all eyes on what you're doing, stranger.

As for the spikes in TOR node hits, they may not be nefarious either. A quick look at the news will show you many regions where people aren't exactly free to browse the internet without repercussions as gov and protesters protest each other. (2009 article, not much has changed unfortunately) [eff.org...]

WHY a visitor is using TOR isn't a big concern, what they are doing to your site with it is. I am not supporting TOR here, just the PEOPLE using it because they feel they need to. By all means find and block the spammers and hackers. I hope this helped enlighten.

Cheers!
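An added example, not part of the post above or of any poster's setup: one way to express "judge traffic by what it does and limit how often it can try" as a request policy, where being on a Tor exit list only tightens the rate budget and the block itself comes from behaviour. The path prefixes, user-agent marker, limits and sample traffic are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed, site-specific values; tune them for your own site.
PROBE_PREFIXES = ("/wp-admin", "/admin", "/phpmyadmin", "/.env")
BAD_AGENT_MARKERS = ("examplespambot",)   # hypothetical user-agent fragment
WINDOW = 60          # seconds in the sliding window
LIMIT_DEFAULT = 30   # requests per window for ordinary clients
LIMIT_WATCHED = 10   # tighter budget for clients on the Tor exit list

class BehaviourPolicy:
    def __init__(self, tor_exits):
        self.tor_exits = set(tor_exits)
        self.blocked = {}                 # ip -> reason for the block
        self.recent = defaultdict(deque)  # ip -> timestamps inside the window

    def handle(self, ts, ip, path, agent):
        """Return 'allow', 'throttle' or 'block' for one request."""
        if ip in self.blocked:
            return "block"
        if path.lower().startswith(PROBE_PREFIXES):
            self.blocked[ip] = "admin-probe"
            return "block"
        if any(m in agent.lower() for m in BAD_AGENT_MARKERS):
            self.blocked[ip] = "known-bad-agent"
            return "block"
        hits = self.recent[ip]
        while hits and ts - hits[0] >= WINDOW:
            hits.popleft()                # forget requests older than the window
        hits.append(ts)
        limit = LIMIT_WATCHED if ip in self.tor_exits else LIMIT_DEFAULT
        return "throttle" if len(hits) > limit else "allow"

def replay(events, tor_exits):
    """Run (ts, ip, path, agent) tuples through a fresh policy, in order."""
    policy = BehaviourPolicy(tor_exits)
    return [policy.handle(*e) for e in events], policy.blocked

# Constructed sample traffic (documentation addresses).
TOR = {"192.0.2.10", "192.0.2.11"}
EVENTS = (
    [(i, "192.0.2.10", "/article", "Mozilla/5.0") for i in range(12)]     # fast Tor client
    + [(i, "203.0.113.7", "/article", "Mozilla/5.0") for i in range(12)]  # same rate, not Tor
    + [(20, "192.0.2.11", "/about", "Mozilla/5.0"),                        # quiet Tor reader
       (21, "203.0.113.8", "/wp-admin/setup.php", "Mozilla/5.0"),          # probe: blocked
       (22, "203.0.113.8", "/", "Mozilla/5.0")]                            # stays blocked
)
```

Replaying the sample shows the quiet Tor reader allowed, the fast Tor client throttled after its tenth request in the window, and the admin-path probe blocked regardless of where it came from.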

Pfui

7:35 pm on Nov 24, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



FWIW, since 2016 when I started recording Tor hits, my experience on my primary site is that the conduct of 100% of Tor-related 'visitors' has been bad news. Whether an unwitting Tor user's UA/platform is compromised or their aims are intentionally nefarious, the hits are disallowed because of bad conduct, just like everybody else.

SumGuy

12:04 am on Nov 25, 2022 (gmt 0)

5+ Year Member Top Contributors Of The Month



> ISPs give internet access to people. What people do with it is on them but the
> ISP knows who is using TOR, it's not an illegal activity.

I don't believe I've ever seen (and hence block) a tor exit node on a consumer broadband IP, i.e. Verizon, Comcast, Bell, Rogers, etc.

Edit: Actually, I wouldn't know if a hit from consumer broadband space WAS a tor exit node. You wouldn't know it from the rDNS. How easy or hard is it to operate an exit node on a consumer broadband dynamic IP? Or once you are part of a tor network (by using a tor browser?) you can be an exit node? I'm not up on how tor works, especially for end users.

blend27

8:22 pm on Jan 8, 2023 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



[check.torproject.org...] << Opa!

martinibuster

9:04 pm on Jan 8, 2023 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



There are thousands of TOR IPs. There are lists of them on GitHub published by various parties.

I block them with WordFence using a wildcard in the Custom Blocking tool in the hosts field.

Is there a way to do the same with .htaccess, to block hosts that have *.tor as the host?
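An added example, not part of any post in this thread: a comparison of the two identification methods discussed here, a "tor" fragment in the rDNS hostname versus lookup in a published exit-address list, run over a constructed block log. The addresses are documentation ranges, the hostnames are made up, and the one-address-per-line list format is an assumption.

```python
import ipaddress
import re

# Constructed sample data: documentation address ranges, made-up hostnames.
EXIT_LIST_TEXT = """\
# constructed excerpt, one address per line (assumed list format)
192.0.2.10
198.51.100.77
2001:db8::5
not-an-address
"""
BLOCKED = [  # (source IP, rDNS name or None), as pulled from a block log
    ("192.0.2.10", "tor-exit.relay.example"),
    ("198.51.100.77", None),                        # listed exit, no rDNS
    ("203.0.113.5", "cpe-5.toronto.isp.example"),   # "tor" inside "toronto"
    ("203.0.113.9", "monitor3.hosting.example"),    # "tor" inside "monitor"
    ("2001:0db8::0005", "this-is-a-tor-node.example"),
    ("203.0.113.40", "crawler.search.example"),
]
# "tor" only as a whole token delimited by dots, hyphens or the name's ends.
TOR_TOKEN = re.compile(r"(?:^|[.-])tor(?:[.-]|$)", re.IGNORECASE)

def parse_exit_list(text):
    """Return the set of valid addresses, skipping comments and junk lines."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # malformed entry: ignore rather than fail the import
    return exits

def compare(entries, exits):
    """Compare hostname matching against list lookup for each blocked IP."""
    out = {"substring_false_pos": [], "token_false_pos": [], "missed_by_name": []}
    for ip, host in entries:
        listed = ipaddress.ip_address(ip) in exits  # normalises IPv6 spelling
        name = (host or "").lower()
        if "tor" in name and not listed:
            out["substring_false_pos"].append(ip)
        if TOR_TOKEN.search(name) and not listed:
            out["token_false_pos"].append(ip)
        if listed and not TOR_TOKEN.search(name):
            out["missed_by_name"].append(ip)
    return out

if __name__ == "__main__":
    print(compare(BLOCKED, parse_exit_list(EXIT_LIST_TEXT)))
```

On this sample a bare "tor" substring also catches the "toronto" and "monitor" hostnames, the token-delimited pattern does not, and neither hostname rule sees the listed exit that has no rDNS.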

Sgt_Kickaxe

9:55 pm on Jan 8, 2023 (gmt 0)



> I block them with WordFence using a wildcard in the Custom Blocking tool in the hosts field.
>
> Is there a way to do the same with .htaccess, to block hosts that have *.tor as the host?

Probably, but reporters doing research in dangerous areas use it a lot to get the news out. Even the NYTimes has run a TOR service for years, with good reason. Do you want to block NYTimes readers maybe? - [open.nytimes.com...]

IMO it's best not to judge by the browser, but by the actions.

[edited by: Sgt_Kickaxe at 10:10 pm (utc) on Jan 8, 2023]

tangor

10:09 pm on Jan 8, 2023 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Then again, does one routinely admit masked strangers into the house without identifying them first?

All of us keep and use logs for a reason.

Just sayin'...

Sgt_Kickaxe

10:43 pm on Jan 8, 2023 (gmt 0)



> Then again, does one routinely admit masked strangers into the house without identifying them first?
>
> All of us keep and use logs for a reason.
>
> Just sayin'...

Not sure, my house isn't online, my logs don't detect faces, and my logs monitor behavior while on my site. No bad behavior, no problem, everyone is welcome.

I was curious as to where the fear of visitors who've done nothing wrong (or illegal) comes from, even the CIA offers a public TOR system to keep people safe - [cia.gov...]

TOR is not a nefarious, scary, dangerous tool and people using it aren't automatically 'a masked stranger in your house'. It's just a tool, hopefully you never need it.

tangor

3:57 am on Jan 9, 2023 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'm confused. Earlier you said:

> - You're using TOR... all eyes on what you're doing, stranger


MEANWHILE, my experiences with tor-enabled have not been good---mostly bad actors. As with any webmaster, one manages what they perceive as undesired traffic for their specific site. We all do this, tor or not.