TOR allows anyone to very easily hide their true IP address when accessing a website. This makes it very difficult to ban troublesome users from accessing your site by following the common practice of blocking traffic based on IP address.
How TOR Works
TOR achieves anonymity for a user by routing all traffic randomly between multiple nodes in the network (of other TOR users) before finally exiting the TOR network and reaching the final intended destination. Traffic only exits the TOR network from specifically designated exit nodes. Luckily for us, the TOR network infrastructure maintains a master list of all such exit nodes. The total number of the exit nodes is relatively small (less than 100,000 currently).
By maintaining a copy of the list of all TOR exit nodes in our server’s memory, we are able to screen all incoming web traffic against that list to effectively block all traffic coming from the TOR network. I have created a simple C# library which downloads the list of exit nodes, maintains a copy in server memory, and automatically keeps the list up to date. The project is available on GitHub at https://github.com/brianhama/TorExitNodeManager. To use the project, simply add a reference to your web application and use the following line of code to check if an incoming web request is from the TOR network:
Not all websites are good candidates for this solution. There are probably a number of legitimate reasons someone might need to use TOR, but I can’t really think of what they might be right now.