#CLUS About Garlic and Onions: A little journey…
Tobias Mayer, Technical Solutions Architect, BRKSEC-2011
Me…
CCIE Security #14390, CISSP & Motorboat driving license… Working in Content Security & TLS Security. tmayer{at}cisco.com. Writing stuff at “blogs.cisco.com”.
#CLUS BRKSEC-2011 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• Why anonymization?
• Using Tor (Onion Routing)
  • How Tor works
  • Introduction to Onion Routing
  • Obfuscation within Tor
  • Detect Tor
• I2P – Invisible Internet Project
  • Introduction to Garlic Routing
• Conclusion
Different Intentions
• Hide me from Government!
• Hide me from ISP!
• Hide me from tracking!
• Bypass Corporate policies
• Bypass Country restrictions (Videos…)
• Access Hidden Services
Browser Identity
Tracking does not require a “Name”. Tracking is done by examining the parameters your browser reveals: https://panopticlick.eff.org
Proxies: EPIC Browser
Firepower App Detector for Proxy Traffic
Traffic to external Proxy detected
VPN
Combine VPN Service with Proxies: provides an additional anonymization layer. You have to trust the VPN Provider that they do not log…
https://thatoneprivacysite.net/vpn-section/
Trust your VPN / Proxy?
• Statement from “Hide-my-Ass”
• “If you do illegal things, we cooperate with Law Enforcement”
• They track the User…
Trust your VPN / Proxy? https://thebestvpn.com/chrome-extension-vpn-dns-leaks/
• Chrome Browser leaking real IP because of DNS Prefetching
• Despite using a VPN Service…
Deep Web / Dark Web
The (partial) Reality https://gizmodo.com/the-deep-web-is-mostly-full-of-garbage-1786857267
About Tor – The Onion Router
• Open source software / public design specs
• Data is constantly encrypted at multiple layers and sent through multiple routers
• Each router decrypts the outer layer, finds the routing instructions and sends the data to the next router
• Result is a completely encrypted path using random routers
How is the Tor Network built?
• The Tor network consists of relays
• Relays are just nodes where the Tor software is installed
• They build encrypted connections to other relays, forming an overlay network
• Everyone can run a Tor relay and contribute to the network…
The Tor Browser – Connecting to the Tor Network
• Goal: Provide anonymity and access to censored and/or hidden resources
• Special browser based on Mozilla Firefox to establish a circuit through the Tor network
• Can connect directly or through proxies
• Often used in combination with VPNs
Tor Relay – circuit construction (figure: client, OR1, OR2, OR3 with their public keys PK OR1, PK OR2, PK OR3 and the negotiated session keys SK1, SK2, SK3)
1. Tor Client selects 3 random routers out of all Tor Relays and gets their public keys
2. Tor Client sends a DH handshake to OR1, encrypted with the public key of OR1, called “relay_create”
3. OR1 completes the handshake, symmetric key SK1 is created
4. Tor Client sends “relay_extend” to OR1, requesting to extend the circuit to OR2. The key share for OR2 is protected by the public key of OR2
5. OR1 sends “relay_create” to OR2, OR2 responds and the circuit with symmetric key SK2 is created to OR2
6. “relay_extend” to OR3 creates the circuit with symmetric key SK3
7. Web requests follow the circuit
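The seven steps above, as an added toy model that is not Tor's code: a toy Diffie-Hellman group and a SHA-256 keystream stand in for Tor's real handshake and AES-CTR, the relay_create/relay_extend transport is modelled as direct calls, and the relay names OR1..OR3 and the destination are taken from the slides. It shows what each relay can see in cleartext after peeling its own layer.

```python
"""Toy model of the Tor circuit build and onion-layered forwarding shown above.
Added example, not Tor's code: it uses a toy Diffie-Hellman group and a
SHA-256 keystream in place of Tor's real handshake and AES-CTR, and models the
relay_create / relay_extend transport as direct calls."""
import hashlib
import secrets

P = 2 ** 127 - 1   # toy DH modulus (a Mersenne prime); far too small for real use
G = 3


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)


def dh_shared(priv, other_pub):
    """Derive a 32-byte symmetric key (SK) from the DH result."""
    return hashlib.sha256(pow(other_pub, priv, P).to_bytes(16, "big")).digest()


def xor_stream(key, data):
    """Toy stream cipher: XOR with a SHA-256 counter keystream (encrypts and decrypts)."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class Relay:
    def __init__(self, name):
        self.name = name
        self.key = None      # SK negotiated with the client for this circuit
        self.seen = []       # next-hop names this relay learns in cleartext

    def create(self, client_pub):
        """Handle relay_create: finish the DH handshake, return our DH half."""
        priv, pub = dh_keypair()
        self.key = dh_shared(priv, client_pub)
        return pub

    def relay(self, cell):
        """Peel one onion layer; learn only the next hop and the inner cell."""
        next_hop, inner = xor_stream(self.key, cell).split(b"|", 1)
        self.seen.append(next_hop.decode())
        return next_hop.decode(), inner


class Client:
    def __init__(self):
        self.hops = []       # (relay, SK) in circuit order, OR1 first

    def extend(self, relay):
        """relay_create for the first hop, relay_extend for the rest: one DH
        handshake per hop, so each relay ends up with its own SK."""
        priv, pub = dh_keypair()
        self.hops.append((relay, dh_shared(priv, relay.create(pub))))

    def wrap(self, payload, destination):
        """Encrypt innermost-first: the exit's layer carries the destination,
        every other layer carries only the name of the following relay."""
        cell, next_hop = payload, destination
        for relay, key in reversed(self.hops):
            cell = xor_stream(key, next_hop.encode() + b"|" + cell)
            next_hop = relay.name
        return cell


def run_circuit(client, relays, payload, destination):
    """Forward one cell through the circuit; returns (path, destination, data)."""
    cell = client.wrap(payload, destination)
    current = client.hops[0][0]
    path = [current.name]
    while True:
        next_hop, cell = current.relay(cell)
        if next_hop not in relays:           # exit relay: hand cleartext to the destination
            return path, next_hop, cell
        current = relays[next_hop]
        path.append(current.name)


def demo():
    relays = {name: Relay(name) for name in ("OR1", "OR2", "OR3")}
    client = Client()
    for name in ("OR1", "OR2", "OR3"):       # telescoping build, one hop at a time
        client.extend(relays[name])
    path, dest, data = run_circuit(client, relays, b"GET / HTTP/1.1", "www.example.com")
    return path, dest, data, {name: r.seen for name, r in relays.items()}
```

Only OR3 learns the destination, and only OR1 sees the client; no single relay holds both ends, which is the point of the layered keys.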
Tor Directory Authorities https://atlas.torproject.org/#search/flag:authority
Every hour all Authorities calculate a common status document called the “consensus”
Tor Directory Authorities
• Very trusted servers that hold the list of all active Tor relays
• Tor client comes with this predefined list and the corresponding public keys
• Every hour they agree on the most recent list of relays (“voting”) and create a document called “consensus”
• Each DirAuth publishes and signs its own relay list to all other DirAuths
• Tor client downloads the consensus at first start
• Client receives the consensus plus hashes of the consensus of all other authorities. It will only trust the consensus if more than half of the hashes match.
• Tor relays can be “Directory caches” where clients can get an updated version of the consensus without the directory authorities
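The “more than half of the hashes match” rule from the slide, as an added example that is not Tor's code: the authority names, the document and the digests are constructed, and a plain SHA-256 stands in for whatever digest the client compares.

```python
"""Consensus acceptance rule from the slide above, as an added example (not
Tor's code): the client trusts the downloaded consensus only if more than half
of the configured directory authorities published a matching digest.
Authority names, the document and the digests below are constructed."""
import hashlib


def consensus_digest(document: bytes) -> str:
    return hashlib.sha256(document).hexdigest()


def accept_consensus(document: bytes, published: dict) -> tuple:
    """published maps authority name -> digest that authority announced.
    Returns (accepted, names of authorities whose digest matched).
    The majority is taken over all configured authorities, so authorities that
    are unreachable or disagree count against acceptance, never for it."""
    mine = consensus_digest(document)
    matching = sorted(name for name, digest in published.items() if digest == mine)
    return len(matching) * 2 > len(published), matching


def demo(agreeing: int, total: int = 9):
    """Constructed scenario: `agreeing` of `total` authorities announce the
    digest of the genuine document, the rest announce a tampered one."""
    genuine = b"network-status-version 3\nvalid-after 2018-06-12 00:00:00\n"
    tampered = genuine + b"r evilrelay\n"     # constructed, not a real relay line
    published = {}
    for i in range(total):
        doc = genuine if i < agreeing else tampered
        published[f"dirauth{i}"] = consensus_digest(doc)
    return accept_consensus(genuine, published)
```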
List of all Tor Relays (with Flags) https://torstatus.blutmagie.de/
Tor Relay – EXIT_NODE: if you request HTTP, your traffic is visible to the EXIT_NODE (figure: OR1, OR2, OR3)
Tor Browser - Don’t leak information!
Tor Exit Relay List https://check.torproject.org/cgi-bin/TorBulkExitList.py
Customizing Tor
“torrc” = config file
Customizing Tor (2)
Also use IPv6 relays
Define Geolocation of your ExitNodes
Customizing Tor (3)
ExitNode from Germany
Customizing Tor (4) – some settings for torrc
    ClientOnly 1            # never, ever act as an exitNode
    ExcludeNodes            # avoid the nodes / countries listed
    StrictNodes             # if set to 1, Tor will strictly avoid ExcludeNodes settings
    EnforceDistinctSubnets  # don't select two nodes that are close
    FascistFirewall 1       # only 80/443 entry & exit nodes
    EntryNodes              # only use those entry nodes
    ExitNodes               # only use those exit nodes
    ExcludeExitNodes
DNS for access to well-known websites (figure: client, OR1, OR2, OR3, DNS Server)
Tor Exit Relay is responsible for the DNS Resolution
DNS Leaking for access to cleartext websites https://nymity.ch/tor-dns/
• ISP Resolver
• Traversing the least amount of AS
• Own Resolver
• QNAME Minimization
Bridges
Bridges are relays that are not announced in the directory servers. You can request bridges but will not get the full list; 3 bridges are provided.
Custom Bridges (a bridge line consists of Fingerprint, IP & Port)
Hidden Websites - ”.onion” links: the first 80 bits of the SHA1 of the 1024-bit public key, e.g. http://xmh57jrzrnw6insl.onion/
DEMO: Some websites in the Darknet… Some links
• Tor Mailbox http://torbox3uiot6wchz.onion/
• Torch http://xmh57jrzrnw6insl.onion/
• The Hidden Wiki http://zqktlwi4fecvo6ri.onion/wiki/Main_Page
• Imperial Library of Trantor http://xfmro77i3lixucja.onion/
• DuckDuckGo https://3g2upl4pq6kufc4m.onion/
• The Federalist Paper (Onion v3 Service) http://vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion/
Facebook via Tor
Onion Routing – hidden service rendezvous (figure: Onion server, Introduction point, Rendezvous point, Directory server, Client)
1. Set up the hidden service (create public and private key) and create a circuit to the chosen Introduction point(s)
2. Publish the hidden service (introduction point and public key) in six of the directory servers. The servers are calculated based on a function including the consensus status document and the “.onion” address. Repeat once a day (different HSDirs…)
3. Client asks one of the directory servers for the hidden service. Client gets the public key and the Introduction Points for that service.
4. Client selects a random relay node as a rendezvous point
5. Client contacts the introduction point, requesting to forward the information about the rendezvous point to the hidden server. The message includes a one-time secret
6. The introduction point contacts the hidden server, telling it about the RP
7. Server builds a circuit to the RP, providing the one-time secret from the client
8. Client communicates with the hidden server via the rendezvous point (3 relays from client, 3 relays from server)
DEMO: Onionshare – Onion Service v3 https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt
SearX with v3 .onion address (52 characters vs. 16 characters) http://ozmh2zkwx5cjuzopui64csb5ertcooi5vya6c2gm4e3vcvf2c2qvjiyd.onion/
a) Better crypto (replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519)
b) Improved directory protocol leaking less to directory servers
c) Improved directory protocol with smaller surface for targeted attacks
d) Better onion address security against impersonation
e) More extensible introduction/rendezvous protocol
f) A cleaner and more modular code base
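How the two address formats are derived, as an added example that is not Tor's code: the v2 rule is the one stated on the “Hidden Websites” slide (first 80 bits of SHA1 over the DER-encoded RSA public key, base32), and the v3 layout follows the rend-spec-v3 document linked above (ed25519 public key, 2-byte SHA3-256 checksum, version byte 3, base32). The key bytes in demo() are constructed, not real keys; the checksum check is what lets a client reject a mistyped or altered v3 address.

```python
"""Onion address derivation for v2 and v3, as an added example (not Tor's code).
v2: first 80 bits of SHA-1 over the DER-encoded 1024-bit RSA public key, base32.
v3 (rend-spec-v3): base32(pubkey || checksum || version), with
checksum = SHA3-256(".onion checksum" || pubkey || version)[:2].
The key bytes used by demo() are constructed, not real keys."""
import base64
import hashlib

V3_VERSION = b"\x03"
V3_CHECKSUM_PREFIX = b".onion checksum"


def onion_v2(der_rsa_public_key: bytes) -> str:
    """10 bytes (80 bits) -> 16 base32 characters, no padding."""
    truncated = hashlib.sha1(der_rsa_public_key).digest()[:10]
    return base64.b32encode(truncated).decode().lower() + ".onion"


def v3_checksum(ed25519_pubkey: bytes) -> bytes:
    return hashlib.sha3_256(V3_CHECKSUM_PREFIX + ed25519_pubkey + V3_VERSION).digest()[:2]


def onion_v3(ed25519_pubkey: bytes) -> str:
    """35 bytes (32 key + 2 checksum + 1 version) -> 56 base32 characters."""
    if len(ed25519_pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = ed25519_pubkey + v3_checksum(ed25519_pubkey) + V3_VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"


def parse_onion_v3(address: str) -> bytes:
    """Validate a v3 address (length, version byte, checksum) and return the
    embedded public key. An altered character is caught by the 16-bit checksum
    with high probability (or by base32 decoding if it is not a base32 digit)."""
    label = address.strip().lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if len(label) != 56:
        raise ValueError("v3 onion addresses have 56 characters before .onion")
    raw = base64.b32decode(label.upper())     # binascii.Error is a ValueError
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION:
        raise ValueError("not a version 3 address")
    if checksum != v3_checksum(pubkey):
        raise ValueError("checksum mismatch: address was mistyped or altered")
    return pubkey


def demo():
    # Constructed bytes shaped like a DER RSAPublicKey and a 32-byte ed25519 key;
    # neither is a real key.
    fake_der = b"\x30\x81\x89\x02\x81\x81\x00" + bytes(range(128)) + b"\x02\x03\x01\x00\x01"
    fake_ed25519 = bytes(range(32))
    v2, v3 = onion_v2(fake_der), onion_v3(fake_ed25519)
    return v2, v3, parse_onion_v3(v3) == fake_ed25519
```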
Obfuscation – Tor Pluggable Transport https://www.torproject.org/docs/pluggable-transports.html.en
Tor Pluggable Transport (figure)
Client App <-> loopback <-> PT Client (SOCKS) --- obfuscated traffic ---> PT Server <-> loopback <-> Server App
Tor Pluggable Transport https://www.torproject.org/docs/pluggable-transports.html.en
• Obfs2: Uses an additional encryption layer to obfuscate. Key is exchanged in cleartext.
• Obfs3: Negotiation of a DH key for obfuscation. Not resistant to active probing.
• Obfs4: Authenticate with a pre-shared key, distributed out-of-band. Resistant against active probing. Obfuscate with DHE.
• Meek: Obfuscate in HTTP and TLS, leveraging domain fronting
Domain Fronting – the concept https://www.bamsoftware.com/papers/fronting/
Using different domain names at different levels, leveraging the fact that a CDN network can forward requests that are not in their own domain:
• DNS: A www.google.com
• TLS: SNI: www.google.com
• HTTP: ….. Host: www.evilrats.com
Domain Fronting with Tor (figure: Hidden domain, Front Domain)
Domain Fronting with Tor
Google and Amazon on Domain Fronting
• https://arstechnica.com/information-technology/2018/05/amazon-blocks-domain-fronting-threatens-to-shut-down-signals-account/
• Reason:
  • Signal IM uses Domain Fronting….
  • Certain countries blocking Signal because they can’t stop it….
  • Hard times for people in severely restrictive countries…
Snowflake https://trac.torproject.org/projects/tor/wiki/doc/Snowflake
• Leveraging WebRTC
• Broker Access via different methods
  • Domain-fronted
  • DNS over HTTPS
The Request
First relay, located in Russia
The TLS Client Hello
SNI name not really matching the website
The TLS Server Hello
CN name different from SNI string
The Certificate, decoded…
Issuer, yet another generated domain
The other two relay nodes
• Port 9001
• Generated strings for common name
• Self-signed….
The other two relay nodes
This is another proof that Tor does not really care about the content of the TLS certificates
Tor Relay Certificates
• SNI String, CN-Name and Issuer are just generated strings…
• Certificates are self-signed
• Purpose of certificates is simply to provide a common method to exchange the keys using the TLS Protocol
• Tor client and relays do not care much about the certificate values
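The certificate traits listed above (self-signed, SNI/CN/issuer that are generated strings, port 9001) and the SNI-versus-Host mismatch from the domain fronting slide, turned into one scoring routine over TLS handshake metadata. Added example, not Cisco's or Tor's code: looks_generated() is a rough heuristic for random-looking hostnames, registrable() takes the last two labels without a public suffix list, the Host check only applies where the proxy has decrypted the session, and all observations are constructed (www.evilrats.com is the slide's example).

```python
"""Added example (not Cisco's or Tor's code): score TLS handshake metadata for
the relay-certificate traits on the slides (self-signed, generated-looking
SNI/CN/issuer, ORPort 9001) and, where the HTTP Host header is visible after
decryption, the SNI/Host mismatch that characterises domain fronting.
looks_generated() is a rough heuristic; registrable() ignores the public
suffix list; the observations at the bottom are constructed."""
import re

HOSTNAME_RE = re.compile(r"^[a-z0-9.-]+$")
VOWELS = set("aeiou")


def looks_generated(name: str) -> bool:
    """Heuristic: a hostname label of 8+ characters that mixes digits into
    letters, has a run of 4+ consonants, or has very few vowels. CA display
    names with spaces are never flagged."""
    name = name.lower()
    if not HOSTNAME_RE.match(name):
        return False
    labels = name.split(".")
    core = labels[-2] if len(labels) >= 2 else labels[0]   # label before the TLD
    if len(core) < 8:
        return False
    letters = [c for c in core if c.isalpha()]
    digits = [c for c in core if c.isdigit()]
    if letters and digits:
        return True
    if re.search(r"[b-df-hj-np-tv-z]{4}", core):
        return True
    return bool(letters) and sum(c in VOWELS for c in letters) / len(letters) < 0.25


def registrable(hostname: str) -> str:
    """Naive registrable domain: last two labels (no public-suffix handling)."""
    return ".".join(hostname.lower().split(".")[-2:])


def score_handshake(obs: dict) -> dict:
    """obs keys: sni, subject_cn, issuer_cn, self_signed, dst_port, http_host (or None)."""
    reasons = []
    if obs.get("self_signed"):
        reasons.append("self-signed certificate")
    if obs["sni"].lower() != obs["subject_cn"].lower():
        reasons.append("SNI does not match certificate CN")
    for field in ("sni", "subject_cn", "issuer_cn"):
        if looks_generated(obs[field]):
            reasons.append(f"generated-looking {field}: {obs[field]}")
    if obs.get("dst_port") == 9001:
        reasons.append("default Tor ORPort 9001")
    host = obs.get("http_host")             # only known when the proxy decrypted
    fronting = bool(host) and registrable(host) != registrable(obs["sni"])
    return {"relay_score": len(reasons), "reasons": reasons, "possible_fronting": fronting}


# Constructed observations: a relay-like handshake, a fronted request, a benign one.
OBSERVATIONS = {
    "relay": {"sni": "www.q7zk2mxp9abt.com", "subject_cn": "www.vbx4nq8rtl.net",
              "issuer_cn": "www.hj2pw9zxkq.com", "self_signed": True,
              "dst_port": 9001, "http_host": None},
    "fronted": {"sni": "www.google.com", "subject_cn": "www.google.com",
                "issuer_cn": "Example Public CA", "self_signed": False,
                "dst_port": 443, "http_host": "www.evilrats.com"},
    "benign": {"sni": "www.example.com", "subject_cn": "www.example.com",
               "issuer_cn": "Example CA", "self_signed": False,
               "dst_port": 443, "http_host": "www.example.com"},
}


def demo():
    return {name: score_handshake(obs) for name, obs in OBSERVATIONS.items()}
```

The fronted case scores zero as a relay but is still reported, which is the point: the certificate is perfectly valid, so only the decrypted Host header reveals it.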
Detecting Tor – WSA Decryption Policy
Categories: “Pass Through” will still check for certificate errors! An invalid or expired certificate on the server will fail the “Pass Through”.
WSA - Decryption Policy
Custom URLs (best used for making an exception for decryption):
• “Pass Through” will bypass all certificate checks -> true Pass Through
• “Decrypt” -> certificates will be checked and the user will get a prompt (“untrusted CA”)
• Custom categories take precedence over predefined categories!
WSA - Certificate Error Handling
Default values provide a good balance between Security and User Experience. Remember: EUN in case of a “Drop” requires “Decryption for EUN”!
• “Drop”: log the certificate error in the access log, decrypt and display EUN
• “Decrypt”: log the certificate error in the access log, decrypt with a purposely “invalid” certificate and let the client decide if it accepts the connection.
• “Monitor”: don’t do anything, it’s all on the client to decide…
WSA Logs
1513893450.780 65269 192.168.178.55 TCP_MISS/502 39 CONNECT tunnel://85.31.186.98:443/ "tmayer@TOBYLAB" DIRECT/85.31.186.98 - DECRYPT_WEBCAT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
1513893461.688 76177 192.168.178.55 NONE/504 0 CONNECT tunnel://192.99.11.54:443/ "tmayer@TOBYLAB" DIRECT/192.99.11.54 - OTHER-NONE-ID.TOBYLAB-NONE-NONE-NONE-NONE
1513893461.688 76178 192.168.178.55 NONE/504 0 CONNECT tunnel://154.35.22.9:443/ "tmayer@TOBYLAB" DIRECT/154.35.22.9 - OTHER-NONE-ID.TOBYLAB-NONE-NONE-NONE-NONE
1513893471.762 86252 192.168.178.55 TCP_MISS/502 39 CONNECT tunnel://85.31.186.26:443/ "tmayer@TOBYLAB" DIRECT/85.31.186.26 - DECRYPT_WEBCAT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
1513893509.387 584 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://193.23.244.244:443/ "tmayer@TOBYLAB" DIRECT/193.23.244.244 - DECRYPT_ADMIN_MISMATCHED_HOSTNAME_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
1513893509.479 766 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://185.96.180.29:443/ "tmayer@TOBYLAB" DIRECT/185.96.180.29 - DECRYPT_ADMIN_MISMATCHED_HOSTNAME_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
WSA Logs (Invalid Leaf Certificate set to “Decrypt”)
1515881089.066 605 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://149.56.233.142:443/ "tmayer@TOBYLAB" DIRECT/149.56.233.142 - DECRYPT_ADMIN_INVALID_LEAF_CERT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
1515881089.815 356 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://89.163.224.250:443/ "tmayer@TOBYLAB" DIRECT/89.163.224.250 - DECRYPT_ADMIN_INVALID_LEAF_CERT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
1515881090.876 419 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://185.125.33.58:443/ "tmayer@TOBYLAB" DIRECT/185.125.33.58 - DECRYPT_ADMIN_INVALID_LEAF_CERT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
Tor and WSA
• Activate HTTPS Proxy
• Tune WSA to handle crypto errors in the log
• Block category “Anonymizers and Filters”
  • Will not block all connections, but some
• Check logs for a combination of
  • Reputation blocks and Category blocks
  • Errors on hostname mismatch
  • Errors on unrecognized root
  • Connections to IP
  • Connections to non-web ports
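The “check logs for a combination of” list, run over WSA access-log lines. Added example, not Cisco code: the first four sample lines are the ones quoted on the two log slides above, the last two are constructed (a connection to a non-web port on a documentation IP, and a benign one); the `UNRECOGNIZED_ROOT` tag substring and the `BLOCK_` prefix are assumptions about WSA decision-tag naming and should be checked against the tags your WSA version actually writes.

```python
"""Added example (not Cisco code): walk WSA access-log lines and look for the
combination of indicators listed on the slide. Sample lines 1-4 are quoted
from the slides; lines 5-6 are constructed. The "UNRECOGNIZED_ROOT" substring
and the "BLOCK_" prefix are assumptions about decision-tag naming."""
import re
from collections import Counter
from ipaddress import ip_address

SAMPLE_LOG = """\
1513893450.780 65269 192.168.178.55 TCP_MISS/502 39 CONNECT tunnel://85.31.186.98:443/ "tmayer@TOBYLAB" DIRECT/85.31.186.98 - DECRYPT_WEBCAT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
1513893461.688 76177 192.168.178.55 NONE/504 0 CONNECT tunnel://192.99.11.54:443/ "tmayer@TOBYLAB" DIRECT/192.99.11.54 - OTHER-NONE-ID.TOBYLAB-NONE-NONE-NONE-NONE
1513893509.387 584 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://193.23.244.244:443/ "tmayer@TOBYLAB" DIRECT/193.23.244.244 - DECRYPT_ADMIN_MISMATCHED_HOSTNAME_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
1515881089.066 605 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://149.56.233.142:443/ "tmayer@TOBYLAB" DIRECT/149.56.233.142 - DECRYPT_ADMIN_INVALID_LEAF_CERT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
1515881100.000 120 192.168.178.55 TCP_MISS_SSL/200 39 CONNECT tunnel://198.51.100.7:9001/ "tmayer@TOBYLAB" DIRECT/198.51.100.7 - DECRYPT_WEBCAT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
1515881101.000 80 192.168.178.55 TCP_MISS_SSL/200 1024 CONNECT tunnel://www.example.com:443/ "tmayer@TOBYLAB" DIRECT/www.example.com - DECRYPT_WEBCAT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<elapsed>\d+) (?P<client>\S+) (?P<result>\S+) (?P<bytes>\d+) "
    r"(?P<method>\S+) (?P<url>\S+) \"(?P<user>[^\"]*)\" (?P<hier>\S+) (?P<mime>\S+) "
    r"(?P<decision>\S+)$"
)


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def target_of(url: str):
    """tunnel://host:port/ -> (host, port); IPv6 literals are not handled here."""
    hostport = url.split("://", 1)[-1].rstrip("/")
    host, _, port = hostport.rpartition(":")
    return host, port


def indicators(rec: dict) -> set:
    """Indicators from the slide's checklist for one parsed record."""
    found = set()
    host, port = target_of(rec["url"])
    try:
        ip_address(host)
        found.add("connect_to_ip")
    except ValueError:
        pass
    if port not in ("80", "443"):
        found.add("non_web_port")
    tag = rec["decision"]
    if "MISMATCHED_HOSTNAME" in tag:
        found.add("hostname_mismatch")
    if "INVALID_LEAF_CERT" in tag or "UNRECOGNIZED_ROOT" in tag:   # latter assumed
        found.add("cert_error")
    if tag.startswith("BLOCK_"):          # reputation / category blocks (assumed prefix)
        found.add("blocked")
    return found


def analyze(log_text: str, min_destinations: int = 3, min_kinds: int = 2) -> dict:
    """Per client IP: distinct suspicious destinations and indicator counts.
    A client is flagged only when several different destinations carry
    indicators of at least two kinds, so a single odd site or a handful of
    bare-IP CDN fetches does not trigger on their own."""
    per_client = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = indicators(rec)
        if not hits:
            continue
        entry = per_client.setdefault(rec["client"], {"dests": set(), "kinds": Counter()})
        entry["dests"].add(target_of(rec["url"])[0])
        entry["kinds"].update(hits)
    return {
        client: {
            "suspicious_destinations": len(e["dests"]),
            "indicators": dict(e["kinds"]),
            "flag": len(e["dests"]) >= min_destinations and len(e["kinds"]) >= min_kinds,
        }
        for client, e in per_client.items()
    }
```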
Add Rules to FTD for Certificate Checking
Block: Self-signed Certificate, Certificate Errors
Firepower and Tor
Some relays are detected and classified as Tor Traffic ..and some are not
Firepower and Tor (2)
obfs4 obfuscated traffic: no certificate information available
Detecting Tor as Application
Firepower and Tor (3)
obfs4 obfuscated traffic to a Tor relay: No App Detected, tcp/80
Cognitive Threat Analytics
As users go through a web proxy, access logs are generated. The proxy forwards the HTTP/HTTPS headers (metadata) to Cisco Cognitive Threat Analytics (CTA), e.g.:
Time | IP          | URL            | User Agent
2:45 | 54.62.37.10 | www.google.com | Mozilla (…
2:45 | 68.62.37.10 | www.yahoo.com  | Mozilla (…
2:45 | 22.62.37.10 | www.cnn.com    | Chrome (…
2:45 | 59.62.37.10 | www.seznam.com | Mozilla (…
CTA and WSA – Tor detection: distinguishes Tor by time, sequences, and recognition of hidden IPs
Tor and Stealthwatch
• Stealthwatch downloads Tor directory list of entry and exit nodes every hour
• CTA downloads the Tor directory list every hour
• CTA analyzes connections on a global basis and tries to identify potential Tor relays
  • Analyzing certificate details from the TLS Handshake (via Stealthwatch ETA netflow)
  • Correlating requests globally
  • Detection of new relays can come in retrospectively
  • No complete list of discovered gateways is being kept or exported
Tor and Stealthwatch
Tor and Stealthwatch with CTA
Tor and AMP for Endpoints
Obvious search for the Tor browser EXE
Tor and AMP for Endpoints
Deeper Analysis of the connections being made
I2P – Invisible Internet Project https://geti2p.net/en/
• Packet-switched anonymous network layer (around 70K users)
• Distributed Network database of routers (no Directory Servers)
• Provides anonymous web browsing, chat, email, IM, file sharing, …
• Open source
• Built as its own hidden network, not as an anonymization tool
• Using UDP for transport
• Java based
Inbound and Outbound Tunnels
• Every router has one or more inbound and outbound tunnels
• Lifetime of 10 min
• Routers are both relays and nodes
  • Relay: forward other routers’ messages to other routers
  • Nodes: sending or receiving messages for themselves
• Inbound tunnels require port forwarding for optimizing throughput
  • Cumbersome to use within corporate networks (but not impossible ;) )
I2P – Technology (figure: NetDB holding the tunnel entries Alice: 1,2; Simon: 3,4; Bob: 5,6, with the numbered inbound and outbound tunnels between Alice, Simon and Bob)
NetDB
• Super-Peers (aka floodfill peers) hold a network database (distributed hashtable)
• This contains two kinds of information: “routerInfo” and “leaseSets”
• routerInfo – stores information on specific I2P routers and how to contact them (public key, identifier, contact information)
• leaseSets – stores information on an offered service (i.e. I2P websites, email servers, etc.); entry point of a specific tunnel
Initialization
• Initial set of active peers is loaded from some public sources
  • Hardcoded into the software
• Every router collects a local statistic of other active peers
• When a router is successfully selected for establishing a tunnel, key exchange is happening
Garlic Routing
• Each message sent can be sent through any other router
• Several different messages can be sent within one encrypted packet
• Similar to garlic that can hold several cloves: many cloves inside the “head” (figure: Garlic Cloves)
I2P – Joining the network (figure: Alice, Peter, Jan, NetDB)
I2P – Building a tunnel (figure: Alice builds a tunnel via Peter and Jan; NetDB)
I2P – Building a connection (figure: CONNECT through the tunnel; Alice, Peter, Jan, Clara, Simon, Bob; NetDB)
I2P – Encryption (figure: garlic message from Alice to Bob through Alice’s outbound tunnel and Bob’s inbound tunnel via Peter, Jan, Harry, Eve, Clara, Simon)
Tunnel Encryption: AES
Transport Encryption: DH + AES
Garlic Encryption: El Gamal + AES
I2P – shared Tunnels
All nodes act as a router
I2P
Point your browser to your local I2P router
I2P
Accessing hidden websites within the I2P network. I2P is mainly about hidden websites, NOT so much about reaching the cleartext internet.
I2P
Can be defined on ANY port! I2P recommends to poke a hole in your firewall for incoming traffic (udp/23852, tcp/23852). Will dramatically improve performance.
Things to do…
Firepower & I2P (default config)
Lots of requests for udp/23852… (but remember, port definable…)
Stealthwatch & I2P (default config)
Classified as P2P File Traffic
I2P on AMP for Endpoints
I2P is java based….
More Infos about I2P
• https://www.cdc.informatik.tu-darmstadt.de/fileadmin/user_upload/Group_CDC/Documents/Lehre/SS13/Seminar/CPS/cps2014_submission_4.pdf
• https://geti2p.net/en/docs/how/tech-intro
• http://hor6372x6soyyts2.onion/mirrors/HiddenWikiClean/A_Radical's_Introduction_to_Anonymity.html#Weaknesses
Conclusion
• Blocking Tor completely is very hard, but a check on TLS certificate errors can provide some decent blocking & visibility for enterprises
• Combination of netflow analysis, anomaly detection & certificate checking on the gateways is probably your best bet
  • Leveraging Stealthwatch with CTA and ETA
  • Combine it with AMP for Endpoints for further analysis and visibility
• Other tools like I2P exist, but their purpose is to exchange information, not so much to anonymize your browsing
  • I2P optimizes performance over special ports that need to be open
  • No support over web proxies
  • Port-forwarding on firewalls is recommended -> cumbersome to use within corporate environments
Result check for our intentions
• Hide me from Government!
• Hide me from ISP!
• Hide me from tracking!
• Bypass Corporate policies
• Bypass Country restrictions
• Access Hidden Services
Thank you