User activity from Tor

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect user activity from suspicious IPs, specifically the Tor anonymisation network.

This may highlight malicious activity that a user doesn’t want to be linked to their real IP address.

Strategy

Correlate traces tagged with a user with the Threat Intelligence qualification of their IP address.

Require the trace to be flagged, either by a user event or by an In-App WAF attack.

A Low signal is then generated.

Triage and response

  1. Investigate the activity and validate that it is legitimate.
  2. Review activity from Tor IPs (@threat_intel.ip:tor) to evaluate if you’re under attack.
  3. Consider blocking the user if the activity is suspicious.
PREVIEWING: mervebolat/span-id-preprocessing