Is it possible to block Tor users?

没有蜡笔的小新 2021-01-30 04:03

Would it be possible to block Tor users? (https://www.torproject.org/)

Due to the nature of the site I run I should do all I can to stop multiple accounts and block cert

14 answers
  •  清歌不尽
    2021-01-30 04:55

    (This was written for a PHP specific question that was subsequently deleted and linked here as a duplicate).

    Disclaimer: Consider the impact of blocking all Tor users as raised in the best answer here. Consider only blocking functions such as registration, payment, comments etc and not a blanket block on everything.

    --

    Here are two pure PHP solutions. The first downloads and caches a Tor node list and compares the visitor IP against the list. The second uses the Tor DNS Exit List project to determine if the visitor is using Tor via DNS lookups.

    Method #1 (Checking IP against a Tor relay list):

    Using the following set of functions we can determine if an IP belongs to the Tor network by checking it against a dynamic exit list that gets downloaded and cached for 10 minutes. Feel free to use this list but please cache for 10 minutes when possible.

    Where you want to enforce the Tor check, you can simply use:

    $isTorUser = isTorUser($_SERVER['REMOTE_ADDR']);
    
    if ($isTorUser) {
        // blocking action
    }
    

    Here is the code which you can put in a separate functions file and include when you want to run the check. Note, you may want to adjust some of it to change the path to the cache file.

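    // Binary search over a sorted array: returns the index of $needle, or false.
    // The start of this listing (isTorUser() and the list download) is not shown here;
    // the function name and initial bounds below are assumed.
    function arrayBinarySearch($needle, $haystack)
    {
        $high = count($haystack);
        $low = -1;

        while ($high - $low > 1) {
            // intdiv() keeps the probe an integer index
            $probe = intdiv($high + $low, 2);
            if ($haystack[$probe] < $needle) {
                $low = $probe;
            } else {
                $high = $probe;
            }
        }

        if ($high == count($haystack) || $haystack[$high] != $needle) {
            return false;
        } else {
            return $high;
        }
    }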
    

    Method #2 (Checking IP against the Tor DNS Exit List Project):

    The DNS exit check is a bit more robust in that it takes into account the relay's exit policy and looks at what IP and port on your server the client is connecting to and if such exit traffic is permitted, it will return a match. The potential downfall is that if the DNS project is down temporarily, DNS requests can hang before timing out slowing things down.

    For this example, I will use a class from a library I wrote and maintain called TorUtils.

    First, you'll need to install it with Composer using composer require dapphp/torutils and include the standard vendor/autoloader.php code in your application.

    The code for the check:

    use Dapphp\TorUtils\TorDNSEL;

    $isTor = false;

    try {
        // check for Tor using the remote (client) IP
        if (TorDNSEL::isTor($_SERVER['REMOTE_ADDR'])) {
            // do something special for Tor users
            $isTor = true;
        } else {
            // not using Tor, educate them! :-D
        }
    } catch (\Exception $ex) {
        // This would likely be a timeout, or possibly a malformed DNS response
        error_log("Tor DNSEL query failed: " . $ex->getMessage());
    }

    if ($isTor) {
        // blocking action
    }
    

    Additional Considerations

    If your application uses PHP sessions, I'd highly suggest caching the "isTorUser" response into the session (along with the source IP) and only running the check initially or when the IP changes (e.g. $_SERVER['REMOTE_ADDR'] != $_SESSION['last_remote_addr']), so as not to perform many duplicated lookups. Even though they try to be very efficient, it's a waste to do it over and over for the same IP.
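
The session caching suggested under "Additional Considerations", as an added example that is not part of the answer above or of TorUtils. It goes slightly beyond the text by also expiring the cached verdict and by not caching a failed lookup. The helper name cachedTorCheck(), the session keys is_tor and tor_checked_at, and the 600-second interval are assumptions; the lookup is passed in as a callable so either method can back it.

```php
<?php
// Added example: session-scoped cache for a Tor check (helper name is hypothetical).

/**
 * Return the Tor verdict for this session, running $lookup only when there is
 * no verdict yet, the client IP changed, or the verdict is older than $ttl
 * seconds. $lookup is any callable(string $ip): bool, for example the
 * answer's isTorUser() or a wrapper around TorDNSEL::isTor().
 */
function cachedTorCheck(array &$session, string $ip, callable $lookup, int $ttl = 600, ?int $now = null): bool
{
    $now = $now ?? time();
    $fresh = isset($session['is_tor'], $session['last_remote_addr'], $session['tor_checked_at'])
        && $session['last_remote_addr'] === $ip
        && ($now - $session['tor_checked_at']) < $ttl;

    if ($fresh) {
        return $session['is_tor'];
    }

    try {
        $isTor = (bool) $lookup($ip);
    } catch (\Exception $ex) {
        // Lookup failed (e.g. DNS timeout): cache nothing, so the next request retries.
        // Treating the visitor as non-Tor here is a policy choice (fail open).
        error_log('Tor check failed for ' . $ip . ': ' . $ex->getMessage());
        unset($session['is_tor'], $session['last_remote_addr'], $session['tor_checked_at']);
        return false;
    }

    $session['is_tor'] = $isTor;
    $session['last_remote_addr'] = $ip;
    $session['tor_checked_at'] = $now;
    return $isTor;
}

// Constructed demo: a stub lookup over documentation-range addresses that counts its calls.
$calls = 0;
$stub = function (string $ip) use (&$calls): bool {
    $calls++;
    return $ip === '203.0.113.7'; // constructed "exit" address
};
$session = []; // stands in for $_SESSION
var_dump(cachedTorCheck($session, '203.0.113.7', $stub, 600, 1000));  // first request: lookup runs
var_dump(cachedTorCheck($session, '203.0.113.7', $stub, 600, 1200));  // same IP, fresh: served from session
var_dump(cachedTorCheck($session, '198.51.100.9', $stub, 600, 1300)); // IP changed: lookup runs
var_dump(cachedTorCheck($session, '198.51.100.9', $stub, 600, 2000)); // verdict expired: lookup runs
echo "lookups performed: $calls\n";
```

In an application the first argument would be `$_SESSION` after `session_start()`, and the last argument is omitted so the current time is used.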
