
My name is Ben. The most important thing about me is that I have two adorable children. In my history I did two things that I like: development and information security. With development I went from writing code as a code monkey up to being C and the v&d of a startup product in cyber security, and with information security I went from P to head of offensive security in one of Israel's largest professional services companies, which brought me to my current stop. I'm working at Incapsula; we do web automation, web attack protection, DDoS attack mitigation and advanced automated attack detection, where I work as a security research manager, which kind of merges both the things I like: some writing code, speaking here, which is a lot of fun, and of course security. That's my Twitter and my LinkedIn; I like to answer, of course. And the opinions I'm stating, or at least some of them, are mine and not my employer's.

So let's start with a quick recap of the Tor network, just to know where we're standing. How many of you have ever heard of the Tor project? Okay. How many have used it in the last year? Okay. And in the last week? Okay. How many of you have used it in order to get hardcore drugs or murder for hire, except for you? Okay. So basically, actually this would be the next question of laymen, of people who just heard the name Tor; it would be "wow, so that's where all the child pornography is at". So let's just have a quick recap of how it all works, but really high level. If we have the user of the Tor network, they go through an entry node, through a relay node, and to an exit node; from there they go to the internet, or there are also hidden services that are sites within the Tor network. Basically it works like an onion, and that's why it's called the onion routing protocol, where each hop only knows its current connection. So the exit node doesn't know what the entry node is, and Bob doesn't know who Alice is. Again, this is just a very simple recap of the Tor network. And the data in here is of course encrypted up to the exit node, where it's not encrypted; of course the Tor routing instructions are not encrypted, but the data, if it's HTTPS, is also encrypted by the application protocol. So it allows a very good level of anonymity to the users of the Tor network. Most of the research done
about breaking this anonymity was mostly about either getting your hands on a very large number of exit nodes and then correlating the data (you can do that for example by attacking some of the exit nodes and bringing them down), and mostly about application layer vulnerabilities that let you either fingerprint your client and then correlate information, or even uncover your ID. But again, this is not the topic; it was just the recap.

So how this started: it started with a research that was published a couple of months ago about 94% of Tor traffic being malicious per se, and this got us very curious about this, because it just didn't really add up. I myself thought that it sounds like way too much; I use Tor, I know a lot of people who use Tor, and it sounds a little too much, so we decided to test that. As well as this, there was another security research group in IBM called X-Force, and at the end of 2015, last year, they published a quarterly report, which is what security groups always do, including us. In their quarterly report they advised organizations to block Tor, because there is a steady increase in the amount of attacks coming from Tor exit nodes. So when you look at these assumptions, or these statements, you're saying perhaps they're right, because if I have an organization and I know that a certain channel is bringing 94% bad traffic, I can very easily either block it or do other severe things like give a CAPTCHA to all the traffic that goes through that entry channel. If that's Tor then let's block Tor; 94% is a big enough impact that people would seriously consider doing that, and they actually do. However, on the other hand (and we won't get this thing finished, because a lot of companies have a lot of opinions), Facebook for example has its own onion website and they're saying that they're getting a lot of positive traffic. I don't know if posting a Facebook post is positive, but they're seeing a lot of positive traffic. And it goes on and on and on and on.

So what is Tor? Is this Tor, like I said in the beginning, about hardcore drug dealing (and I don't mean, you know, the recreational and good-to-have stuff, I'm talking about the really hardcore stuff), and about botnets for hire (that's a recap of the last talk I gave over there), murder for hire? It's very sexy to put out the headline like there's a murder-for-hire network in Tor where you pay someone and then they murder whoever you want, and of course these things never happen outside of Tor, right? It's something unique: before Tor no murders for hire, no attacks for hire, no child pornography. So these are some of the associations that you can hear about the Tor network when asking. I wish it was just asking my mother what she thinks about Tor, but recently, maybe shamefully, I'm a member in a WhatsApp group with a lot of CISOs in it, and a lot of them, that's what they think as well. But we're not even talking about that, because those things are
all hidden services in Tor, and that has a lot to do with anonymity but nothing to do with whether you as a site owner should block Tor exit nodes or not. So that is why it's irrelevant when we're looking at the bad traffic. And besides (I want to put the quote in the right context), besides, like I said, it's not like those things never happened before Tor, and people who want to masquerade and hide have a lot of other options. When you're sending instructions to terrorists you don't need Tor for that; you can achieve privacy for these sorts of things in other ways as well. So I'd like to quote from the Tor frequently asked questions: "Criminals can already do bad things. Since they're willing to break laws, they already have a lot of options available that provide better privacy than Tor provides. Tor aims to provide protection for ordinary people who want to follow the law. Only criminals have privacy right now, and we need to fix that. So yes, criminals could in theory use Tor, but they already have better options, and it seems unlikely that taking Tor away from the world will stop them from doing those bad things. At the same time, Tor and other privacy measures can fight identity theft, physical crimes like stalking, etc."

So again, a quick recap of Tor: what is it good for? Let's start with us being in Athens, Greece. It's lovely here, also very hot, but I feel right at home because in Israel it's also very hot right now. But there are other places, darker places, where Tor gives people liberties that otherwise they wouldn't have, which is hard to imagine sitting in a liberal place, but of course this happens. But let's get a little lower than that: Tor provided a lot of whistleblowers with the ability to expose corruption without having to face the consequences that people who expose corruption sometimes have to face. But even getting a little lower than those high branches, Tor is useful when I, as a member of an organization, as a worker in a company, or as someone who uses the Wi-Fi in a hotel, would like to have a chat with my girlfriend without someone looking at it, or I would like to have a chat with my wife and I wouldn't like anyone looking at the chat, or perhaps with both of them if it was possible, and I especially wouldn't want people to look at those chats. Or I would just like to buy something I wouldn't want people to see. And I think this is also missing the point, because I shouldn't have to make excuses why I need privacy. Privacy, I think, is something that we all enjoy; we don't just close the shades in our house when we're doing something bad, we like our privacy. So I think in 2016 it's something that we shouldn't really make an excuse for. But it's important to say all the things that I did in the context of Tor, because it's not just any traffic.

So back to the 94% research again. When it sounded interesting enough, we said let's do a small research, and when I'm saying small I mean very
small research, and we will be happy also to cooperate with academics or whoever in order to do larger research about this, because we also have our own pool of research that concerns our products that we also need to do. So our research was very, very simple, as simple as it can get. Basically the to-do list was very easy: check the percentage of attacks going to our origin servers, to websites, from Tor exit nodes. So if we have the client, in this case it's the Tor node, we are the proxy, because we have a CDN and we are proxying the traffic; we're checking how much of this traffic is attack traffic, and this is the origin, the website that's being attacked or just being visited. Then the next thing we do is to check for good URLs; it's checking how many good lead-generation URLs were used outside of an attack context, of course, so by clean traffic to good URLs. And again, because we're doing it on a global level, we haven't divided it by industry to check segments, to say okay, in banking a lead is $25 and in, I don't know, data warehousing it's $100. And what not to do is to check IP reputation, because IP reputation is tricky about Tor, and it's also tricky about other areas, because with Tor exit nodes you're not always getting out of the same exit node; it keeps changing, it's like a NAT or a proxy. Because of that, if you look at IP reputation, it's enough that I do something bad today and, let's say the scope is a week, then the other people in this room are doing good things for a week but it's still marked as a bad node.

So basically, looking at the attack requests, we got 19.11% attack requests, which is a lot; it's one out of every four: for every four packets requested there is one malicious packet. So that's quite a lot; you have traffic with a lot of attacks in it, and although not 94%, it's still very significant. How many of you think that we should still block this channel that delivers 20% of attack traffic? Don't be shy, I know it's the food, you're tired and everything. Okay, so it's a good thing that you don't think that it should be blocked because it has almost 20% attack requests, because that was speaking about Ireland. Okay, and of course we didn't pick China or Russia or Ukraine or Israel; we chose Ireland as somewhere in the middle, to look at the traffic of Tor versus the traffic in Ireland, and I'm sure that in Ireland there are drug dealers and murder-for-hire and everything else, so it would be the same in terms of also blocking bad things as well. And it really fluctuates; it can be Ireland for a while because there's a botnet in there or some sort of a campaign happening in Ireland, and it can be in France; we see it moving all the time, the geographical attack map is always shifting, except for certain countries which are very stable in
the first and second place.

[Audience] When you're talking about Ireland, you're talking about the Tor exit nodes?

[Ben] No, I'm talking about Ireland IP addresses, with a GeoIP of Ireland.

[Audience] As the target or as the source?

[Ben] Not as the target, as the source. We're comparing this with the Tor exit nodes as a source; we're looking at attacks originating from Ireland, not attacks against Ireland. Some of them are of course also against Ireland, targeting Ireland.

[Audience] So I'm confused, so you are actually looking at the exit node that is sitting in Ireland?

[Ben] No, I'm looking at IP addresses that are sitting in Ireland, not related to Tor. Okay? That was brought in to match Tor traffic versus the Ireland traffic.

So in Tor we see lots more requests, more attack requests; we see that almost half of the requests in the same time period, which was about three weeks in May, were attack requests. Okay, 48.53%, which is a lot. And then we wanted to refine these statistics, because if I attack, for example I do a DDoS attack, I don't send one request, I send a lot of requests. So looking at the requests, when protecting I would just need to block that session; I wouldn't need to block each and every request (effectively I would block each request, it would be easier). So it doesn't really matter, or it matters less, the amount of attack requests when filtering out attack traffic. So we wanted to first look at sessions instead of requests. So in Ireland we had 19.11% of requests being attack requests, and once we looked at sessions it went down to about 12 and a half percent. Okay. And then the next stage of what we did was to filter it down even more by not looking just at the top 10 attackers, because a large part of what we do is to classify clients, and we have hundreds of classified clients, both malicious and good clients, but we didn't want to make it about us. So for example getting rid of wget or of curl or the top 10 bad bots etc., which got us to about 5.45%, and that was just like cutting the top. So eventually that's what we ended up with. And with Tor traffic, again we started at 48.53% attack requests, got down to about 40% attack sessions, because a lot of sessions are repeating, sending repeated malicious requests, and then when also cutting down the top 10 bad bots and bad clients we got down to 6.78%. Okay, so basically what it means is that the final filtered attack sessions of Tor versus Ireland in the same time was still higher, but it was roughly the same. And again, an origin block is just part of the solution, it's just part of the protection; every organization knows that you need layered defense, and it's not just knowing where the attacks are coming from and blocking them, it's also blocking the attack vectors, for example, which is also important. So you want to get this to 0.0, right? You don't want any of the attack requests ending up with a SQL
injection or whatever. So we did also another test, which was basically to take all the URLs coming through from Tor exit nodes and measure the amount of lead-generation website pages in these URLs. Again it was a very simple research that we did; we just took about the top 10, like checkout.php or thank-you and such, and just measured the amount, and again I'm sure that we can cooperate with more of an academic institute to really drill down on this report. And we found that about 0.77% of the URLs requested were actually for good lead-generation URLs. Now I'm not a marketing expert or a sales expert to say if 0.77% is a lot or not, but to me at least, sometimes I wouldn't give up so easily. I think one of the problems is that a lot of people who are making these decisions view all the traffic as "what would someone have to hide, why would someone want to hide himself when he goes through my website", without thinking that people perhaps like to do all of their browsing anonymized.

So the main issue here, I think, is not even Tor traffic; it's about stopping attacks at scale. And I've seen this misconception in several organizations when I was in security: basically blocking geographically or blocking by IPs is something that is often used, and it's often used without thinking of the consequences. I've seen organizations where when you do an nmap against that organization they block your IP, and you're doing a SYN nmap, you're just sending SYN packets, nothing; you can send a spoofed SYN packet saying I come from 8.8.8.8 and they will block Google, for example. So blocking by IP can bring those bad results. For example, if someone sits in the train, gets on the Wi-Fi of the train and does scraping against the site, and it blocks the IP address of anyone who does scraping against that site, they can lock out the entire NAT of that train, or a big part of it if they're using several IP addresses.

So basically I would like to give some... I think that in every talk (we spoke about Tor and Tor traffic and such) there should be some insights, a couple of insights to go out with. So first of all, what I would do, like if I had an organization, what I would do right now: first of all, I would keep track of Tor exit nodes and the traffic that they give; there are enough SIEM solutions, for example I can throw that into my PL, for example, and check if there are any anomalies, check if there is anything suspicious going on, of course not just about Tor traffic, but I would keep track of the Tor traffic. I would distinguish between clients, and there are several solutions to it (my company is of course doing the best one, of course), but there are several solutions, and even doing this in a bad way, let's say in a not fine-grained way, hell, even looking at user
agents, which we all know you can forge, or even looking at Googlebot user agents that are not sent from Google IPs, or, you know, like the "stop bad clients 101" things, even not being fine-grained about it, but you should do that. You should either find a solution that does it or even do it yourself; at least you will narrow down the attack surface, and also save yourself some penguins along the way. And what I would do is to reevaluate the assumptions they make based on IPs in general. So if you're blocking IPs because they're doing port scanning, SYN-based port scanning for example, that's a bad thing, you should stop it; or if you're blocking IPs because, well, if you're doing it, re-evaluate. I'm not saying stop; in some cases it's the only way, but when you're doing it make sure it's for a certain amount of time, don't do it forever, and try not to do it in a very broad way.

So the conclusions again: there are Tor attacks, there are attacks coming out of Tor exit nodes, and their percentage is higher than the percentage of those coming from normal geographical locations. However, when we filter it down to traffic which matters, which is the traffic that we can easily differentiate, good versus bad, it's not by a lot, and there's a lot of quality traffic coming from the Tor network as well, so you cannot ignore that by saying that all Tor traffic is bad. And again, my suggestions to you would be GGG, okay, if you know what I mean: to be granular, like try not to block entire countries, try not to block IP addresses, especially if they might be NATs or proxies; to be gradient when you're performing things that can disrupt traffic to a website, for example I can say we have raising challenges, so you try to be as passive as possible, so you don't disrupt the traffic with waiting screens and CAPTCHAs before you must do these things; and again, be gentle, that's more of the same, but I want it to be a GGG. So with that I conclude. Thank you very much.
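The request-to-session-to-filtered-session funnel the speaker describes (attack requests, then attack sessions, then sessions left after cutting the well-known tool clients such as wget and curl), compared for Tor exit traffic versus everything else, as an added example that is not part of the talk or of the speaker's company's tooling. Everything in it is constructed for illustration: the tiny stand-in exit-node list, the client IPs, the session ids and the per-request attack/clean verdict column, which in practice would come from a WAF or client-classification engine rather than be hand-labelled.

```python
"""
Added example (not from the talk): the request -> session -> filtered-session
funnel run over a handful of constructed log lines, split into Tor exit traffic
and all other traffic. The exit-node list, IPs, sessions and verdicts are all
made up for illustration.
"""
from collections import defaultdict

# Constructed: a tiny stand-in for the public Tor exit-node list an
# organization would pull and feed into its SIEM.
TOR_EXIT_NODES = {"198.51.100.7", "198.51.100.9"}

# Constructed: user-agent prefixes of the tool clients that get cut off the
# top before the two populations are compared.
KNOWN_TOOL_AGENTS = ("wget/", "curl/")

# Constructed log lines: timestamp, client IP, session id, user agent, path,
# verdict from the (hypothetical) attack classifier.
SAMPLE_LOG = """\
2016-05-02T10:00:01Z\t198.51.100.7\ts1\tMozilla/5.0\t/login\tclean
2016-05-02T10:00:02Z\t198.51.100.7\ts2\tcurl/7.47\t/?id=1' OR 1=1--\tattack
2016-05-02T10:00:03Z\t198.51.100.7\ts2\tcurl/7.47\t/?id=1 UNION SELECT\tattack
2016-05-02T10:00:04Z\t198.51.100.9\ts3\tMozilla/5.0\t/checkout.php\tclean
2016-05-02T10:00:05Z\t198.51.100.9\ts4\tMozilla/5.0\t/../../etc/passwd\tattack
2016-05-02T10:00:06Z\t203.0.113.5\ts5\tMozilla/5.0\t/\tclean
2016-05-02T10:00:07Z\t203.0.113.5\ts5\tMozilla/5.0\t/thank-you\tclean
2016-05-02T10:00:08Z\t203.0.113.8\ts6\twget/1.17\t/wp-login.php\tattack
2016-05-02T10:00:09Z\t203.0.113.8\ts6\twget/1.17\t/wp-login.php\tattack
2016-05-02T10:00:10Z\t203.0.113.9\ts7\tMozilla/5.0\t/products\tclean
"""


def parse_log(text):
    """Split tab-separated lines into dicts and tag each request as Tor or not."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, session, ua, path, verdict = line.split("\t")
        rows.append({"ts": ts, "ip": ip, "session": session, "ua": ua,
                     "path": path, "attack": verdict == "attack",
                     "tor": ip in TOR_EXIT_NODES})
    return rows


def pct(part, whole):
    """Percentage rounded to two decimals; 0.0 for an empty population."""
    return round(100.0 * part / whole, 2) if whole else 0.0


def funnel(rows):
    """Three views of the same traffic: attack requests, attack sessions,
    and attack sessions after removing sessions driven by known tool clients."""
    req_total = len(rows)
    req_attack = sum(r["attack"] for r in rows)

    # A session counts as an attack session if any of its requests did.
    sessions = defaultdict(lambda: {"attack": False, "uas": set()})
    for r in rows:
        s = sessions[r["session"]]
        s["attack"] = s["attack"] or r["attack"]
        s["uas"].add(r["ua"])
    ses_total = len(sessions)
    ses_attack = sum(s["attack"] for s in sessions.values())

    # Cut the top: drop every session that used one of the known tool agents.
    kept = {k: s for k, s in sessions.items()
            if not any(ua.lower().startswith(KNOWN_TOOL_AGENTS) for ua in s["uas"])}
    return {
        "attack_request_pct": pct(req_attack, req_total),
        "attack_session_pct": pct(ses_attack, ses_total),
        "filtered_attack_session_pct": pct(sum(s["attack"] for s in kept.values()), len(kept)),
    }


def compare_populations(text):
    """Run the funnel separately for Tor exit traffic and for all other traffic."""
    rows = parse_log(text)
    return {
        "tor": funnel([r for r in rows if r["tor"]]),
        "other": funnel([r for r in rows if not r["tor"]]),
    }


if __name__ == "__main__":
    for population, stats in compare_populations(SAMPLE_LOG).items():
        print(population, stats)
```

On the constructed sample the Tor population starts at 60% attack requests, drops to 50% attack sessions, and to 33.33% once the curl-driven session is removed; the other population goes 40%, 33.33%, 0%. The gap narrows at each step, which is the shape of the speaker's own numbers (48.53% to about 40% to 6.78% versus 19.11% to about 12.5% to 5.45%), and the per-session view is the one that matters for a block decision, since one session is what a protection layer actually acts on.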