
Real-Time Tor Detection with Subnet Clustering

Updated Dec 2025 · Research Team

Tor plays a vital role in online privacy, but it also creates blind spots for businesses. Attackers use it to mask credential stuffing, scraping, and credit card fraud.

The problem is that most detection methods are blunt and outdated. Security teams rely on public "Exit Node Lists" that are often 24 hours old. CandycornDB takes a different approach: using Subnet Clustering to detect anonymized traffic nodes before they appear on public lists.

Why Public Tor Lists Are Not Enough

Most fraud prevention tools rely on static text files of known exit nodes. This approach has three fatal flaws:

  • Latency: It takes time for a new node to be indexed. A "fresh" Tor node can operate for hours before it appears on a blocklist.
  • Rotation: Sophisticated attackers rotate exit nodes rapidly to evade static detection.
  • Bridges & Relays: Non-exit relays can still be used for certain types of probing attacks, often slipping past "Exit Only" filters.

The Solution: Subnet Clustering

Tor nodes don't exist in a vacuum. They are hosted on physical infrastructure—often cheap VPS providers or specific "bulletproof" hosting ranges.

By analyzing the neighborhood (the /24 subnet) of known Tor nodes, we can infer the risk of new, unknown IPs appearing in that same space.

[Figure: Subnet Risk Visualization. Four addresses from one /24 are shown (10.0.0.5, 10.0.0.22, 10.0.0.23, 10.0.0.89); 🧅 marks a known Tor node and ⚠️ marks a node whose risk is inferred from its neighbours.]

Because .22 is a known Tor node, our engine flags the adjacent .23 as High Risk before it sends a single packet.

Real-Time, Risk-Weighted Scoring

Instead of a binary flag ("Tor" or "Not Tor"), we assign a weighted risk score. This gives you nuance.

The Scoring Logic

  • Direct Match: 100/100 Risk (It's a confirmed Exit Node).
  • Subnet Match: 75/100 Risk (It's hosting right next to a Tor cluster).
  • ASN Match: 40/100 Risk (It's on an ISP known for hosting anonymity networks).
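The tiers above, as an added example that is not CandycornDB's own code: a small scorer that takes the strongest available signal (direct, /24 neighbourhood, then ASN). The exit-node list, the prefix-to-ASN table and the set of anonymity-hosting ASNs are constructed sample data, and the clustering assumes IPv4 addresses with /24 neighbourhoods as the post describes.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# Constructed sample data, not a real exit-node list.
KNOWN_EXIT_NODES = {"10.0.0.22", "198.51.100.7"}

# Constructed prefix -> ASN table, standing in for a real IP-to-ASN lookup.
ASN_PREFIXES = {
    ipaddress.ip_network("10.0.0.0/16"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
    ipaddress.ip_network("203.0.113.0/24"): 64502,
}

# ASNs observed hosting anonymity-network relays (constructed for the example).
ANONYMITY_ASNS = {64502}

# The three tiers from the scoring logic above.
DIRECT_SCORE, SUBNET_SCORE, ASN_SCORE = 100, 75, 40


def tor_subnets(nodes: Iterable[str]) -> set:
    """Cluster known nodes into their /24 neighbourhoods (IPv4 assumed)."""
    return {ipaddress.ip_network(f"{n}/24", strict=False) for n in nodes}


def asn_for(ip: ipaddress.IPv4Address) -> Optional[int]:
    """Longest-prefix match over the constructed ASN table; None if unknown."""
    matches = [net for net in ASN_PREFIXES if ip in net]
    if not matches:
        return None
    return ASN_PREFIXES[max(matches, key=lambda n: n.prefixlen)]


def risk_score(ip_str: str) -> Tuple[int, str]:
    """Return (score, reason) for one address, taking the strongest signal only."""
    ip = ipaddress.ip_address(ip_str)
    if str(ip) in KNOWN_EXIT_NODES:
        return DIRECT_SCORE, "direct match: confirmed exit node"
    if any(ip in net for net in tor_subnets(KNOWN_EXIT_NODES)):
        return SUBNET_SCORE, "subnet match: shares a /24 with a known node"
    if asn_for(ip) in ANONYMITY_ASNS:
        return ASN_SCORE, "asn match: ASN known for hosting anonymity networks"
    return 0, "no match"


if __name__ == "__main__":
    # 10.0.0.23 is the neighbour from the figure: no packet seen, yet scored 75.
    for probe in ("10.0.0.22", "10.0.0.23", "203.0.113.4", "192.0.2.1"):
        print(probe, *risk_score(probe))
```

Because the tiers are ordered, an address that is both a /24 neighbour and in a flagged ASN reports 75, not 115; a deployment that wants to combine signals would sum or cap them explicitly rather than rely on first-match order.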

Start Detecting Smarter

If your current fraud stack is still using raw IP blocklists to detect Tor traffic, you’re missing the hidden threats. CandycornDB offers a real-time, intelligence-led advantage to help you block threats without blocking legitimate privacy-conscious users.