How does check.torproject.org know if you're using Tor?

In one line: they have a list of all the exit nodes (something like that).

more detailed:

I have seen this post demonstrates how to detect a Tor connection in php

function IsTorExitPoint(){
    if (gethostbyname(ReverseIPOctets($_SERVER['REMOTE_ADDR']).".".$_SERVER['SERVER_PORT'].".".ReverseIPOctets($_SERVER['SERVER_ADDR']).".ip-port.exitlist.torproject.org")=="127.0.0.2") {
        return true;
    } else {
       return false;
    } 
}

function ReverseIPOctets($inputip){
    $ipoc = explode(".",$inputip);
    return $ipoc[3].".".$ipoc[2].".".$ipoc[1].".".$ipoc[0];
}

A good references explain what it does are available here:

  • The list of the exit nodes.
  • Here is a page maintained by the Tor project, that explains how to determine if it is Tor.

Update:

From Tor offical doc that descirbes the TorDNSEL method that mitigates the drawbacks of the old method of testing exitnodes ip list:

It is useful for a variety of reasons to determine if a connection is coming from a Tor node. Early attempts to determine if a given IP address was a Tor exit used the directory to match IP addresses and exit policies. This approach had a number of drawbacks, including false negatives when a Tor router exits traffic from a different IP address than its OR port listens on. The ​Tor DNS-based Exit List was designed to overcome these problems and provide a simple interface for answering the question: is this a Tor exit?

In ruby you have a cool Tor.rb gem that implements this technique:

Tor::DNSEL.include?("208.75.57.100")               #=> true
Tor::DNSEL.include?("1.2.3.4")                     #=> false

They know what are the Tor exit nodes addresses. So they just check your address and see if it matches with one of the exit nodes.

Exit nodes are known to the whole Tor network, if you decide to run one exit node, then you should advertise it right? Or else no one will use it. Then people will know your IP is a Tor exit node. Simple.


You can check if a connection is a tor exit point by using TorDNSEL; Thus a script can be coded to check every connection.

"TorDNSEL is an implementation of the active testing, DNS-based exit list for Tor exit nodes. "

Tags:

Anonymity

Tor

Recent Posts