Use our free Tor detector to instantly check if an IP is a Tor exit node. This Tor IP checker queries the official Tor exit node list in real time using DNSEL to detect Tor traffic, flag anonymous connections, and protect your network from fraud.
Quick Answer: What Is a Tor Detector?
A Tor detector is a free tool that checks if an IP address belongs to the Tor network. It identifies active Tor exit nodes — the servers where encrypted Tor traffic exits to the public internet. Use this Tor exit node checker to detect anonymous traffic, prevent fraud, block scraping, and protect your website from abuse originating through The Onion Router.

Robert Harrison, OSINT & Network Utility Expert
Robert specializes in OSINT investigations, Tor network forensics, and IP threat intelligence. He helps businesses identify anonymous traffic patterns and build defense strategies against dark web threats.
A Tor detector is a security tool that checks if an IP address belongs to the Tor network, specifically whether it is an active Tor exit node. The Tor (The Onion Router) network allows users to browse the internet anonymously by routing their traffic through multiple encrypted relay servers. While Tor serves legitimate privacy needs, exit nodes are frequently used for fraud, automated scraping, credential stuffing attacks, and payment abuse.
Every website owner and network administrator needs a way to detect Tor traffic. When someone connects through Tor, your server logs show the exit node's IP address instead of the user's real IP. Our free Tor exit node checker queries the official Tor Project database in real time to give you an instant answer: is this IP a Tor node, or a regular connection?
Unlike static blocklists that go stale within hours, our Tor detector uses DNSEL (DNS-based Exit List) queries — the same method recommended by the Tor Project itself. This ensures you get the most accurate and current results possible.
Key Fact: According to Wikipedia's Tor network documentation, the Tor network was originally developed by the U.S. Naval Research Laboratory in the 1990s to protect government intelligence communications. Today, over 2 million people use Tor daily worldwide.
To understand what our Tor detector identifies, you need to know how Tor routes traffic. When a user connects through the Tor Browser, their data passes through three encrypted layers — which is why it is called The Onion Router.
The guard node is the first relay your traffic hits. It knows your real IP address but has no idea what website you are visiting. It peels the first layer of encryption and passes the data to the middle relay.
The middle relay is a blind conduit. It knows which guard node sent the data and which exit node to forward it to, but it cannot see the user's real IP or the destination website. This separation is the core of Tor's anonymity.
The exit node is what our Tor exit node checker detects. It strips the final layer of encryption and sends the request to the public internet. Its IP address is what appears in your server logs. The exit node can see the destination but not the original user.
Important: No single Tor relay knows both the source and destination of the traffic. This three-layer design makes Tor extremely difficult to trace, which is why detecting exit nodes at your server level is the most practical defense.
Our Tor detector does not rely on outdated static lists. It uses the Tor Project's official DNS-based Exit List (DNSEL) — a real-time service that confirms whether an IP is currently operating as a Tor exit node.
ip-port.exitlist.torproject.org.
This method is more accurate than downloading the Tor exit node list because Tor nodes can go online and offline within minutes. For additional IP intelligence, pair this with our IP Geolocation Lookup Tool to see where the exit node is physically located.
While Tor is a legitimate privacy tool used by journalists, activists, and researchers, the anonymity provided by exit nodes is frequently abused. If you run a website, e-commerce store, or API, here are the top risks from undetected Tor traffic:
Hackers use Tor to test thousands of stolen username and password combinations across multiple exit nodes. Each login attempt comes from a different IP, making the attack look like legitimate users from different countries. Use our IP Fraud Score Analysis Tool to cross-reference suspicious IPs.
Competitors use Tor to crawl your pricing data, product listings, and content without being blocked by traditional IP-based rate limiting. Since each request comes from a new exit node, your firewall treats them as separate users.
Fraudsters use Tor to place orders with stolen credit cards, hiding their real location from payment processors. Detecting Tor connections at checkout lets you require additional verification like 3D Secure or SMS codes.
Tor allows spammers to create hundreds of accounts from unique IP addresses. Detecting Tor exit nodes on your registration page lets you add CAPTCHA challenges or block signups entirely from anonymous sources.
Warning: Not all Tor users are malicious. Journalists, whistleblowers, and citizens in authoritarian countries rely on Tor for safety. A blanket block may harm legitimate users. Always use a tiered approach: detect first, then decide how to respond.
Both Tor and VPNs hide a user's real IP address, but they work very differently. Understanding the difference between Tor and VPN helps you decide which type of anonymous traffic to flag.
| Feature | Tor Network | VPN Service |
|---|---|---|
| Architecture | Decentralized, 3 relay hops | Centralized, 1 server hop |
| Trust Model | No single point of trust | Must trust the VPN provider |
| Speed | Very slow (3+ relay hops) | Fast (single server) |
| Anonymity Level | Very high (no single node sees full path) | Medium (provider can log traffic) |
| Detection | Exit nodes are public and detectable | Server IPs are harder to detect |
| Common Abuse | Fraud, scraping, attacks | Geo-spoofing, streaming access |
To check if an IP is using a VPN instead of Tor, use our WebRTC Leak Detection Test. For proxy detection, try our Browser Privacy Leak Checker.
As a security professional, I do not recommend blocking Tor traffic entirely. Instead, use a tiered "detect and challenge" approach that stops automated abuse while allowing legitimate privacy-conscious users through.
Use our Tor detector or integrate Tor DNSEL queries into your server-side code. Flag every incoming connection from a known Tor exit node before it reaches your application logic.
Instead of returning a 403 error, present Tor users with a CAPTCHA challenge. This stops automated bots but lets real humans pass. Most credential stuffing bots cannot solve CAPTCHAs, so this single step eliminates the majority of automated Tor abuse.
If a Tor user tries to make a payment, log in to a high-value account, or change credentials, require additional 3D Secure verification, SMS OTP, or email confirmation. Always check the IP format using our IPv6 Address Expansion Tool if the connection uses IPv6.
Pro Tip: Combine Tor detection with our IP Fraud Score Tool and IP Blacklist Checker for a complete risk assessment. A Tor exit node that also appears on fraud blocklists is a very strong signal of malicious intent.
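One way to wire the three tiers above into server-side code, as an added example that is not this site's own implementation. It builds the DNSEL name in the form this page uses and takes the resolver as a parameter so lookup failures are handled explicitly; the function names, action labels and the fail-open default are assumptions.

```python
import ipaddress
import socket

# DNSEL suffix in the form this page uses (port 80, destination 127.0.0.1).
DNSEL_SUFFIX = "80.1.0.0.127.ip-port.exitlist.torproject.org"
SENSITIVE = {"login", "payment", "change_credentials"}  # assumed action labels


def dnsel_name(client_ip):
    """Return the DNSEL query name for a client IP, or None if it cannot be encoded."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return None
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d; unwrap them.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version != 4:
        return None  # the reversed-octet form only encodes IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + DNSEL_SUFFIX


def tor_status(client_ip, resolve=socket.gethostbyname):
    """True = listed exit node, False = not listed, None = could not determine."""
    name = dnsel_name(client_ip)
    if name is None:
        return None
    try:
        return resolve(name) == "127.0.0.2"
    except socket.gaierror as exc:
        # "Name not found" means not listed; timeouts and the like stay unknown.
        return False if exc.errno == socket.EAI_NONAME else None


def decide(client_ip, action, resolve=socket.gethostbyname, unknown_as_tor=False):
    """Return 'allow', 'captcha' or 'step_up' for one request."""
    status = tor_status(client_ip, resolve)
    if status is None:
        status = unknown_as_tor  # assumption: fail open unless the caller says otherwise
    if not status:
        return "allow"
    return "step_up" if action in SENSITIVE else "captcha"
```

Keeping "not listed" separate from "lookup failed" lets a resolver outage be logged and handled by policy instead of silently reading as a clean result.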
If your security policy requires blocking Tor traffic entirely, here are the commands for popular firewalls and web servers. First, download the current Tor exit node list from the Tor Project.
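```bash
# Download the current list of Tor exit node IP addresses.
# -f makes curl fail on HTTP errors, and writing to a temporary file first
# keeps a failed download from truncating the existing list.
curl -fsS https://check.torproject.org/torbulkexitlist -o /tmp/tor-exit-nodes.tmp \
  && mv /tmp/tor-exit-nodes.tmp /tmp/tor-exit-nodes.txt
```

```
# Schedule hourly updates via cron job
0 * * * * curl -fsS https://check.torproject.org/torbulkexitlist -o /tmp/tor-exit-nodes.tmp && mv /tmp/tor-exit-nodes.tmp /tmp/tor-exit-nodes.txt
```

```bash
# Block each Tor exit node IP using iptables.
# -A appends, so re-running this loop without clearing the old rules adds duplicates.
while read -r ip; do
  iptables -A INPUT -s "$ip" -j DROP
done < /tmp/tor-exit-nodes.txt
```

```bash
# Generate deny list from exit node file
while read -r ip; do echo "deny $ip;"; done < /tmp/tor-exit-nodes.txt > /etc/nginx/tor-block.conf
```

```nginx
# In your nginx.conf server block
include /etc/nginx/tor-block.conf;
```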
For network engineers who need to calculate IP ranges for bulk blocking, use our CIDR Range Calculator and Subnet Calculator Tool.
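The deny-list step above copies each downloaded line straight into nginx configuration, so this added example (not from the original page) validates every entry, refuses an empty or sharply smaller list, and swaps the file in atomically. The function names, the shrink threshold and the sample addresses are assumptions.

```python
import ipaddress
import os
import tempfile

# Constructed sample in the one-address-per-line format of the bulk exit list.
SAMPLE = "192.0.2.10\n198.51.100.7\n192.0.2.10\n"


def parse_exit_list(text):
    """Return sorted, de-duplicated addresses; raise on any line that is not an IP."""
    addrs = set()
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addrs.add(ipaddress.ip_address(line))
        except ValueError:
            # An HTML error page or a line carrying extra directives ends up here.
            raise ValueError(f"line {n}: not an IP address: {line!r}")
    return sorted(addrs, key=lambda a: (a.version, int(a)))


def render_nginx_deny(text, previous_count=0, min_ratio=0.5):
    """Build the deny file body, rejecting lists that are empty or shrank sharply."""
    addrs = parse_exit_list(text)
    if not addrs:
        raise ValueError("empty exit list; keep the previous file")
    if previous_count and len(addrs) < previous_count * min_ratio:
        raise ValueError("exit list shrank sharply; keep the previous file")
    return "".join(f"deny {a};\n" for a in addrs)


def write_atomically(path, content):
    """Replace path with one rename so nginx never reads a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.chmod(tmp, 0o644)  # mkstemp creates the file as 0600
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
```

Run `nginx -t` after writing the file and reload only if the configuration test passes.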
In countries with heavy internet censorship like China, Iran, and Russia, governments block access to the public Tor network. Users in these countries use Tor Bridges — hidden relay servers that are not listed in the public Tor directory.
Our Tor detector identifies public exit nodes listed in the official Tor Project database. Bridge relays are private by design and require advanced behavioral traffic analysis to detect, which is beyond the scope of IP-based detection tools.
Also be aware that some sophisticated users combine Tor with a VPN (known as "Tor over VPN"). In this configuration, your server sees the VPN provider's IP instead of a Tor exit node. To spot these patterns, run the IP through our Cloud Provider IP Detection Tool to see if it belongs to a known hosting or VPN provider.
Not all Tor exit nodes are run by well-meaning volunteers. Some are operated by attackers who exploit the exit node position to intercept unencrypted traffic.
Because the exit node strips the final layer of Tor encryption, it can see any traffic that is not protected by HTTPS. A malicious exit node operator can inject malware, steal credentials, or redirect users to phishing sites. This is why using HTTPS everywhere is critical.
Some malicious exit nodes perform SSL stripping — downgrading HTTPS connections to HTTP so they can read the traffic in plain text. Always verify your certificate health with our SSL Certificate Checker and test for browser vulnerabilities using our Font-Based Leak Detection Test.
Security Warning: In 2020, a single threat actor was found to be running over 380 malicious Tor exit nodes — roughly 23 percent of all exit capacity at the time. Always assume Tor exit traffic could be monitored by the node operator.
The Tor network is entirely volunteer-operated. Here are the current approximate statistics:
| Metric | Approximate Value |
|---|---|
| Total Relays | 6,500 - 7,500 |
| Exit Nodes | 1,000 - 2,000 |
| Guard Nodes | 2,500 - 3,500 |
| Bridge Relays (Private) | 1,500 - 2,500 |
| Daily Users | 2+ million |
| Daily Bandwidth | 300+ Gbit/s |
These numbers change constantly as volunteers add and remove their relays. Use our WHOIS Domain Lookup to investigate the hosting organization behind any Tor exit node IP you detect. For domain registration details, our DNS Lookup Tool provides full record analysis.
A common question we receive is: is Tor illegal? In most Western democracies, using Tor is perfectly legal. However, the activities you perform through Tor are still subject to the law.
If you need to verify the geographic location of a suspicious IP, use our IP Geolocation Lookup Tool. To see if the IP is registered to a hosting provider or residential ISP, run our WHOIS Lookup.
If you want to integrate Tor detection into your own application, here is how to perform a DNSEL query programmatically.
```php
<?php
// PHP DNSEL query example
$target_ip = '185.220.101.101';
// Reverse the octets of the IP being checked
$reversed = implode('.', array_reverse(explode('.', $target_ip)));
$query = $reversed . '.80.1.0.0.127.ip-port.exitlist.torproject.org';
// gethostbyname() returns the unmodified name when the lookup fails
$result = gethostbyname($query);
$is_tor = ($result === '127.0.0.2');
```

```python
# Python DNSEL query example
import socket

target = '185.220.101.101'
# Reverse the octets of the IP being checked
reversed_ip = '.'.join(target.split('.')[::-1])
query = f'{reversed_ip}.80.1.0.0.127.ip-port.exitlist.torproject.org'
try:
    result = socket.gethostbyname(query)
    is_tor = (result == '127.0.0.2')
except socket.gaierror:
    # The name did not resolve, so the IP is treated as not listed
    is_tor = False
```
For more advanced network analysis, explore our HTTP Headers Analyzer, JA3 TLS Fingerprint Analysis Tool, and HTTP Referrer Leak Test.
A Tor detector checks if an IP address belongs to the Tor network. It identifies active Tor exit nodes so website owners can detect anonymous traffic, prevent fraud, block automated scraping, and protect against credential stuffing attacks.
Enter the IP address into our free Tor exit node checker tool above. It performs a real-time DNSEL query against the official Tor Project database. If the result is 127.0.0.2, the IP is a confirmed active Tor exit node.
Tor is legal in most countries including the US, UK, and EU. It was developed by the US Naval Research Laboratory for secure communications. However, illegal activities performed through Tor are still prosecuted under the law, regardless of the network used.
A VPN routes traffic through one server owned by a single provider you must trust. Tor routes through three independent volunteer relays with layered encryption. No single Tor node knows both the source and destination. Tor provides stronger anonymity but is much slower.
The Tor network has approximately 1,000 to 2,000 active exit nodes at any time, from a total of roughly 7,000 relays. Numbers change constantly as volunteers add or remove their servers.
Not always. Blocking all Tor traffic also blocks journalists, activists, and legitimate privacy users. Use a tiered approach: detect Tor connections first, then add CAPTCHA challenges for general browsing and extra verification for sensitive actions like payments or login attempts.
A Tor exit node is the final relay in a Tor circuit. It strips the last layer of encryption and sends the user's request to the destination website. The exit node's IP address is what appears in server logs — not the original user's real IP.
Yes. Tor is commonly used for credential stuffing, payment fraud with stolen cards, automated scraping, fake account creation, and spam. Detecting Tor exit nodes helps flag high-risk transactions before they cause damage to your business.
Protect your website from anonymous threats. Check if any IP address is a Tor exit node instantly with our free Tor detector. No signup, no download — just enter an IP and get real-time results.