Skip to main content
Threat Detection

Tor Exit Node Detection Database

Identify traffic originating from the Tor anonymity network with a comprehensive, self-hosted database of exit nodes and relays. Download it, query it locally, and keep all user data on your own servers.

View Pricing All Threat Types
10K+
Exit Nodes Tracked
~100%
Public exit node coverage
Monthly
Database Updates

How Tor exit node detection works

The Tor network routes traffic through multiple encrypted relays before exiting through an "exit node." It is the exit node's IP address that your server sees. By maintaining a database of all known exit nodes, you can identify Tor traffic on every incoming request.

1

Tor Directory Monitoring

We monitor the Tor network's directory authorities and consensus documents, which list every relay and exit node in the network. This data is the authoritative source for active Tor infrastructure.

2

Exit Node Classification

Not all Tor relays can be used to reach your server. We specifically identify exit nodes (which route traffic to the public internet), guard nodes (entry points), and bridge relays (unlisted entry points used to circumvent censorship).

3

Historical Tracking

Tor nodes frequently change IP addresses or go offline and come back. We maintain historical records so you can identify IPs that were recently used as exit nodes, even if they are temporarily offline.

4

Exit Policy Analysis

Each Tor exit node declares which ports it allows outbound traffic on. We include exit policy data so you can determine whether a specific node could have been used to access your service on a given port.

Understanding Tor network architecture

User's device

Tor Browser connects to a guard node

Guard node (entry relay)

Knows the user's real IP, encrypts and forwards to middle relay

Middle relay

Forwards encrypted traffic between guard and exit node

Exit node

Decrypts final layer and connects to your server. This is the IP you see.

Your server

Sees the exit node's IP. Query the AntiProxies database to identify it as Tor.

What's included in the database

The Tor Exit Node database is delivered as CSV and JSON files. Each record represents a known Tor node with its classification, location, and operational status.

Field Type Description
ip_address string The IP address of the Tor exit node (IPv4 or IPv6)
node_type enum Classification: exit_node, relay, bridge, guard
nickname string The self-reported nickname of the Tor relay operator
country string Country where the exit node is physically located (ISO 3166-1 alpha-2)
bandwidth_mbps integer Advertised bandwidth capacity of the node in Mbps
first_seen date Date the node was first observed in the Tor network
last_seen date Date the node was last confirmed active
is_active boolean Whether the node is currently active in the Tor network
exit_policy string Summary of which ports the exit node allows traffic on
10K+
Exit Nodes
CSV & JSON
Data Formats
Monthly
Update Frequency

Use cases for Tor detection

Tor provides strong anonymity, but that anonymity can be exploited for fraud, abuse, and attacks. Knowing when traffic comes from Tor lets you apply appropriate security policies.

Financial Services Compliance

Many financial regulations require identifying and flagging anonymous access. Detect Tor-originating logins and transactions to meet KYC/AML requirements and compliance mandates.

Account Takeover Prevention

Tor is frequently used for account takeover attacks because it hides the attacker's real IP. Flag login attempts from Tor exit nodes for additional verification steps.

E-Commerce Fraud Prevention

Tor is commonly used to place fraudulent orders with stolen credit cards. Add Tor detection to your checkout flow to trigger additional verification or manual review.

Content Access Control

Control access to restricted or geo-fenced content from Tor users. Apply appropriate access policies when traffic originates from the Tor network.

Abuse & Harassment Mitigation

Tor is sometimes used to post abuse, threats, or harassment while hiding identity. Flag Tor-originating user-generated content for moderation review.

Security Threat Monitoring

Monitor and log Tor traffic as part of your security operations. Tor access attempts can be an early indicator of reconnaissance by threat actors probing your infrastructure.

Detect Tor traffic with a local lookup

Load the Tor exit node database into any data store. Since Tor nodes are individual IPs (not ranges), lookups are extremely fast - perfect for real-time request filtering.

PHP - MySQL Tor Detection 
prepare(
        "SELECT node_type, nickname, country, is_active
         FROM tor_nodes
         WHERE ip_address = :ip
           AND node_type = 'exit_node'"
    );
    $stmt->execute(['ip' => $ip]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

$ip = $_SERVER['REMOTE_ADDR'];
$tor = is_tor_exit($pdo, $ip);

if ($tor) {
    // Traffic is coming from a Tor exit node
    if ($tor['is_active']) {
        // Active exit node - apply your Tor policy
        // Options: block, require CAPTCHA, require 2FA, or just log
        log_security_event('tor_access', [
            'ip' => $ip,
            'node' => $tor['nickname'],
            'country' => $tor['country'],
        ]);

        // Example: require additional verification for sensitive actions
        if (is_sensitive_action()) {
            require_two_factor_auth();
        }
    }
}
Python - Redis Hash Lookup 
import redis
import csv

# One-time: load the AntiProxies Tor CSV into Redis
# Using a Redis hash gives O(1) lookups per IP

def load_tor_nodes(redis_client, csv_path: str):
    """Load Tor exit nodes into Redis for fast lookups."""
    with open(csv_path) as f:
        reader = csv.DictReader(f)
        pipe = redis_client.pipeline()
        count = 0
        for row in reader:
            if row["node_type"] == "exit_node":
                pipe.hset(f"tor:{row['ip_address']}", mapping={
                    "node_type": row["node_type"],
                    "country": row["country"],
                    "is_active": row["is_active"],
                    "nickname": row["nickname"],
                })
                count += 1
        pipe.execute()
    print(f"Loaded {count} Tor exit nodes into Redis")

def is_tor_exit(redis_client, ip: str) -> dict | None:
    """Check if an IP is a known Tor exit node. O(1) lookup."""
    data = redis_client.hgetall(f"tor:{ip}")
    return {k.decode(): v.decode() for k, v in data.items()} if data else None

# Usage in your web framework
r = redis.Redis()
tor_info = is_tor_exit(r, request.remote_addr)
if tor_info and tor_info["is_active"] == "1":
    # Apply Tor-specific security policy
    require_extra_verification()

Related reading

Blog

Proxy vs VPN vs Tor: Understanding the Differences

How each anonymization technology works and the best detection approach for each.

 Blog

GDPR-Compliant Bot Protection

How to block Tor and other anonymization tools while staying GDPR compliant.

 Glossary

Tor Network

How onion routing works, legitimate vs malicious uses, and detection methods.

 Blog

Credential Stuffing: Anatomy of an Attack

How attackers use Tor and proxies to distribute credential stuffing attempts.

Want to see what's in the database?

Download once, query as many times as you need. €99/year for all 22 databases, unlimited servers, and a full year of monthly updates. No usage limits, no per-query fees, no data leaving your servers.

View Pricing Contact Us
30-day money-back guarantee
All databases included
Monthly updates