← Back to Blog

How to Detect Tor Traffic in Real Time (Without Relying on Public Blocklists)

Tor exit nodes change constantly. Public lists lag behind. And for security teams, that means gaps in detection and exposure to risk. At CandycornDB, we use a smarter method — one built on behavior, not just lists.

The Limitations of Tor Blocklists

Public blocklists of Tor exit nodes are easy to access — and just as easy to evade. They only update periodically, and threat actors know how to stay one step ahead by cycling infrastructure or using “fresh” relays.

New Tor nodes can appear and disappear in hours
Blocklists can miss exit relays using clean IP space
False positives can block privacy-conscious users unnecessarily

How CandycornDB Detects Tor in Real Time

We don’t rely on third-party blocklists. Instead, CandycornDB detects Tor behavior dynamically by analyzing the network fingerprint of the IP itself:

Subnet clustering of known anonymizers
ASN reputation scoring and threat density
Observed behavior across request patterns

This allows us to detect likely Tor exit traffic in milliseconds — even if it’s a new IP or not yet on any public list.

// Example: Check an IP for Tor-like behavior
fetch('https://candycorndb.com/api/public/check/185.220.101.1', {
  method: 'GET',
  headers: {
    'X-API-Key': 'your_api_key_here'
  }
})
.then(res => res.json())
.then(data => {
  if (data.data.torScore && data.data.torScore > 80) {
    // High confidence this is Tor traffic
  }
});
    

Use Cases: Where Real-Time Tor Detection Matters

Developers and security teams use our Tor detection to:

Flag high-risk logins or signups in real-time
Protect payment flows from anonymity abuse
Segment and throttle suspicious API usage

Skip the Static Lists — Start Scoring Smarter

You don’t need to block every privacy tool — you need to understand the risk behind the IP. That’s what CandycornDB delivers. Try our API and get insight that evolves as the network does.

→ Start free or talk to sales