Block it, Track it or Use it. But first, know it!
The Internet is a vast, constantly growing invention that is not going away. Nearly half of the world's population is connected to it at any given moment; lay every connected device out on the floor and you would cover a city, maybe even a small state. Yet working out who is using what, and who is where, takes almost anybody only seconds. How is that possible? It is because of the way the Internet is structured: every query or lookup follows an orderly, traceable path. Given the know-how and access to the right infrastructure, one can work out almost anything one wants.
Isn't that good when it comes to catching bad guys? Yes, but only to a certain extent. The digital world is full of vultures such as spammers, attackers, troll armies, digital marketing firms and many more whose only objective is to use or violate our private data for their own gain. Even governments are known to spy on people to meet their political needs. The work of many journalists, activists and researchers has been exposed because of this traceable structure. However, even in today's world anonymity can be achieved with a few private network implementations. One such implementation is the TOR Network.
TOR Network, as defined by the official website, is a group of volunteer-operated servers that improves the privacy and security of one's data. A series of virtual tunnels is built through the nodes (also known as relays) of the TOR network, and for each connection a random path of tunnels (the circuit) is chosen. Encryption is layered in an onion-routing fashion so that each node learns as little as possible about the data that passes through it: a node knows only the hop that handed it the traffic and the hop it forwards to, never the whole path from source to destination.
What is a TOR circuit?
TOR anonymity works by transmitting data through a TOR circuit, the key component that implements the onion-routing mechanism. A TOR circuit is the combination of an entry/guard relay, a middle relay and an exit relay. Some connections involve a Bridge node in place of the public guard (this is seen when the publicly listed relays are blocked by a party such as a government or a corporate organization).
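To make the "each node knows only its neighbours" property concrete, here is an added simulation of a three-hop circuit. It is illustration code written for this article, not Tor's real protocol: Tor negotiates a separate symmetric key with each relay and encrypts each layer with AES in counter mode, whereas this toy uses a SHA-256 counter-mode keystream so it runs with the standard library alone. The relay names, keys, destination and payload are constructed.

```python
import hashlib
import json

# Added example, not Tor's real protocol. Tor negotiates a separate symmetric key
# with each relay in the circuit and uses AES in counter mode per layer; this toy
# uses a SHA-256 counter-mode keystream so the layering can be shown with the
# standard library only. Relay names, keys and the payload below are constructed.


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream derived from SHA-256 (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_layer(key: bytes, data: bytes) -> bytes:
    """Add or remove one encryption layer (XOR with a keystream is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(circuit, destination, payload: bytes) -> bytes:
    """Client side: wrap the payload once per hop, innermost layer for the exit.

    Each layer holds only the next hop's name and an opaque blob, so a relay that
    peels its layer learns where to forward but nothing further inside."""
    next_hops = [name for name, _ in circuit[1:]] + [destination]
    blob = payload
    for (_, key), nxt in reversed(list(zip(circuit, next_hops))):
        inner = json.dumps({"next": nxt, "blob": blob.hex()}).encode()
        blob = xor_layer(key, inner)
    return blob


def peel(key: bytes, blob: bytes):
    """Relay side: strip one layer with this relay's key; returns (next hop, inner blob)."""
    inner = json.loads(xor_layer(key, blob))
    return inner["next"], bytes.fromhex(inner["blob"])


def can_peel(key: bytes, blob: bytes) -> bool:
    """True only if `key` removes the outermost layer; a wrong key yields garbage."""
    try:
        peel(key, blob)
        return True
    except (ValueError, TypeError, KeyError):
        return False


def simulate(circuit, destination, payload: bytes):
    """Walk the onion through the circuit, recording what each relay can see."""
    blob = build_onion(circuit, destination, payload)
    views, prev = [], "client"
    for name, key in circuit:
        nxt, blob = peel(key, blob)
        views.append({"relay": name, "from": prev, "to": nxt,
                      "sees_payload": blob == payload})
        prev = name
    return views, blob


# Constructed circuit: one shared key per hop, as the client holds after the
# circuit-building handshake. The guard sees the client, the exit sees the
# destination, and the middle relay sees neither.
CIRCUIT = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]
DESTINATION = "example.org:443"
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"

if __name__ == "__main__":
    for v in simulate(CIRCUIT, DESTINATION, PAYLOAD)[0]:
        print(f"{v['relay']:6} from={v['from']:6} to={v['to']:16} payload={v['sees_payload']}")
```

Running it prints one line per relay: the guard learns the client and the middle, the middle learns only the guard and the exit, and only the exit recovers the plaintext request and the destination. This is exactly why a single hostile relay is not enough to link client to destination, and why the guard is the one hop that must be chosen carefully.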
What is an Entry/Guard Relay?
It is the entry point to the TOR Network. Each client that wants to connect to the TOR network first connects to the guard node, which means the guard can see the real IP address of the client. Guard nodes are published in the public list of TOR relays (the directory consensus), which is refreshed hourly. A few websites that show the currently available relays, including guards, and their details are dan.me.uk/, torstatus.blutmagie.de/ and check.torproject.org/ (the last lists exit relays). There are cases where attackers control or observe certain relays, and such relays can be used to observe a victim's browsing. Also, when you change the circuit in your current session, only the middle and exit relays change, not the guard (this protects against known anonymity-breaking attacks: picking a fresh guard for every circuit would soon route a client through a malicious one). The guard typically changes every 2–3 months; the Tor Project's documentation on guard selection covers this in detail.
What is a Middle Relay?
Middle relays make up most of the Tor circuit in any given transmission. Data passes through them in encrypted form, and a middle relay knows only its predecessor and its successor in the circuit, never the client or the destination. All available middle relays are listed in the public consensus so that any guard can extend a circuit to them and they can extend onward to any exit. Even if a middle relay is known to have carried malicious traffic (such as an attacker's exploit or the attack itself) the operator is not held responsible, as the relay is neither the source nor the destination of the traffic. A relay whose exit policy rejects all traffic is never chosen as an exit node. Running a middle relay is therefore the most suitable way to contribute from home or the workplace (if it's allowed).
What is an Exit Relay?
The exit relay is the final relay in the TOR circuit. Exit nodes send the data to the destination and are often blamed because the exit node is perceived as the origin of the traffic: its IP is what the destination sees, so exit operators regularly receive abuse complaints, legal notices, takedown notices and so on. Anyone who wants to host an exit node must be ready to handle these: legal issues like takedowns or DMCA notices; owning a dedicated IP and setting its reverse DNS to a name that makes the Tor exit obvious; and serving an exit-node notice page from the relay (the most important step), so that anyone who looks the IP up understands it is a Tor exit and not the originator.
What is a Bridge Node?
Bridge nodes are nodes that are not listed in the public directory of TOR relays. Most entry and exit nodes are publicly listed, so they can be blocked by anyone who wishes to restrict the use of TOR. Many ISPs, corporate organizations and even governments have filters set to ban the use of TOR; for example, the Chinese government has blocked all publicly listed relays at its country-level firewall. Bridge nodes exist to get around this. Connecting to the TOR network via a Bridge requires a different configuration (which shall be discussed in upcoming articles).
Detecting TOR usage in your environment
Understanding how the TOR network works makes it much simpler to detect, but knowing which services its users are reaching is not possible from the outside. Be it a country's government or a corporate organization, they can always choose to monitor or block the use of TOR. There are limits to blocking it completely, however, because of the bridge nodes discussed in the previous section. Even the introduction of bridges did not stop certain organizations and governments from trying to detect and block TOR. Here are a few ways to detect or block its use:
- Block the publicly available list of TOR nodes, and refresh the block list as often as the list changes (the consensus is republished hourly). A few websites to check the currently available nodes and their details are https://www.dan.me.uk/tornodes, https://torstatus.blutmagie.de/ and https://check.torproject.org/cgi-bin/TorBulkExitList.py. Bridges, by design, never appear on these lists.
- Create application filter policies in firewalls so that only certain approved networks (LAN segments) can use proxy services, and alert on anything else. The same can be implemented as a rule in SIEM solutions and intrusion detection systems.
- Create a TLS inspection policy on your firewall or IDS/IPS. Inspection does not decrypt TOR itself (the client authenticates the relay with keys from the consensus, so an interposed certificate makes the connection fail rather than exposing the data), but the inspection logs will show TLS sessions to relay IPs presenting self-signed certificates that chain to no trusted CA, and that by itself is a usable detection signal.
- TOR relays use two types of ports, the ORPort and the DirPort. The ORPort carries the actual circuit traffic, while the DirPort serves directory information (relay lists and updates). The defaults are ORPort 9001 and DirPort 9030, but many operators move them to 443 and 80 respectively to blend in with web traffic, so a port match alone is a weak signal. Firewall and IDS filters can still be configured to alert on any traffic going to port 9001 or 9030; on the client side, the local SOCKS ports 9050 (tor daemon) and 9150 (Tor Browser) can be watched by endpoint tooling.
Implementing any or all of the above steps will block the use of TOR, but only to a certain extent. Besides the existence of bridge nodes, how far it works depends on how the organization's policies and applications are configured.
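The first and last of the points above (a relay block list plus the default relay ports) are easy to turn into a detection rule. The following is an added example written for this article, not a tool the page describes: it parses a relay list in the one-address-per-line shape of the public exit lists, runs some firewall log lines against it, and scores each hit. The relay addresses and log lines are constructed from documentation address ranges; a real deployment would download the list from one of the sites above and refresh it at least hourly.

```python
import ipaddress
import re

# Added example, not from the article. The relay list and log lines are constructed
# with documentation address ranges; fetch a real list from the sites named above
# and refresh it at least hourly, since the consensus changes that often.

RELAY_LIST = """\
# constructed sample in the one-address-per-line shape of the public exit lists
203.0.113.7
203.0.113.42
198.51.100.9
"""

# Default relay ports: ORPort 9001 (circuit traffic), DirPort 9030 (directory fetches).
# Operators often move these to 443/80, so a port match alone is a low-confidence signal.
TOR_DEFAULT_PORTS = {9001, 9030}

# Constructed firewall log lines (key=value style). 192.0.2.x hosts are ordinary sites.
LOG_LINES = """\
2024-05-01T09:12:01Z src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp action=allow
2024-05-01T09:12:03Z src=10.0.0.5 dst=192.0.2.34 dport=443 proto=tcp action=allow
2024-05-01T09:13:10Z src=10.0.0.9 dst=192.0.2.77 dport=9001 proto=tcp action=allow
2024-05-01T09:14:22Z src=10.0.0.9 dst=198.51.100.9 dport=9030 proto=tcp action=allow
2024-05-01T09:15:00Z src=10.0.0.12 dst=192.0.2.80 dport=80 proto=tcp action=allow
not a log line at all
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def load_relay_set(text: str) -> set:
    """Parse a one-address-per-line relay list, skipping comments and blank lines."""
    relays = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        relays.add(ipaddress.ip_address(line))  # raises ValueError on a malformed entry
    return relays


def detect_tor(log_text: str, relays: set) -> list:
    """Return one alert per log line that touches a listed relay or a Tor default port."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected shape
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        reasons = []
        if dst in relays:
            reasons.append("destination is a listed Tor relay")
        if dport in TOR_DEFAULT_PORTS:
            reasons.append(f"destination port {dport} is a Tor default ORPort/DirPort")
        if reasons:
            alerts.append({
                "ts": m["ts"], "src": m["src"], "dst": str(dst), "dport": dport,
                # a listed relay IP is strong evidence; a bare port hit is only a hint
                "confidence": "high" if dst in relays else "low",
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_tor(LOG_LINES, load_relay_set(RELAY_LIST)):
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['dport']} "
              f"[{a['confidence']}] {'; '.join(a['reasons'])}")
```

On the sample input this raises three alerts: a high-confidence one for the relay contacted on 443, a low-confidence one for a port-9001 connection to an unlisted address (which could equally be something else on that port), and a high-confidence one where both the address and the DirPort match. The same logic drops straight into a SIEM rule; the part that needs care operationally is keeping the relay list fresh, and remembering that bridge connections will never match the list at all.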
Now that we've come to the end, I hope the above article has added a cent to everyone's pocket. Please feel free to post any questions, suggestions or topics that you're interested in. I'd be happy to write about and learn different stuff based on readers' interests!