AWS WAF Specifically block TOR

Question

I'm trying to block Tor only connections against my aws resource using the AWS WAF rule group managed by AWS called AWS-AWSManagedRulesAnonymousIpList (https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html )

At the the top they say "These include requests from VPNs, proxies, Tor nodes, and hosting providers" but when descreibing AnonymousIPList labels you said "Inspects for a list of IP addresses of sources known to anonymize client information, like TOR nodes, temporary proxies, and other masking services." so its not clear if VPN is a masking service or not for me since the description is seems pretty broad and non specific

AWS-CSingh · Answer

Hi,

VPN is considered a masking service as your actual IP address and online actions are virtually untraceable. You can run a test by yourself:
- Create a web service for example a 3tier app using ALB (Application Load balancer)
- Attach WAF managed rule set to the ALB and only activate Anonymous IP list.
- While adding the managed rule set you can be more specific to only block action using the edit option for Anonymous IPlist [There is edit tab in front of the Capacity unit].
- Try connecting the App using a VPN service externally.

If you wanted to just block the Tor nodes and let VPN permit, that level of granularity is not available in this managed rule.

Thanks

AWS-User-3413787 · Answer

You can leverage the [IP list parser](https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/component-details.html#ip-list-parser) where the Lambda function will gathers and parses data from [tor exit nodes](https://check.torproject.org/exit-addresses) and the other 3rd party sources.

AWS WAF Specifically block TOR

Añade tu respuesta

Contenido relevante