
How to use Tor Metrics to discover censorship, the Ethiopia case

Tor Metrics

Cyber intelligence units are working to develop tools and applications for deep inspection of the hidden web, with the intent of stealing classified documents from a potential adversary and of maintaining control over cybercrime and terrorist activities and communications.

Let's start from the beginning: which metrics are available to analyze the status of the Tor network?

The Tor Metrics Portal provides a set of useful instruments for monitoring the workload of the Tor network; it offers a complete collection of tools and documentation for statistical analysis of the activities of relays and bridges.

The main areas covered by the metrics are:

– statistics on the network of relays and bridges

– statistics on the number of users accessing the network

– statistics on the number of packages requested from GetTor

– collection of active and passive performance measurements of the Tor network

As we will demonstrate, the metrics can also be used for intelligence purposes: by analyzing the principal network metrics it is possible to investigate whether a monitoring system has been deployed inside a country for censorship purposes. Recently, in many areas of the world, similar systems have been used to suppress media protest and to persecute dissidents, preventing the circulation of inconvenient information outside the country. This has happened, for example, in Syria and in Iran, countries where control of the web is a major concern of the government. These situations are an expression of a country's political suffering and can give analysts a further element of evaluation.

Network of relays and bridges

Tor protects users against traffic analysis using a network of onion routers (also called relays), operated by volunteers, which allow anonymous outbound traffic and the creation of anonymous hidden services. Bridge relays are Tor relays that aren't listed in the main Tor directory. They are commonly used when an Internet Service Provider (ISP) filters connections to all the known Tor relays. It is important to specify that, to access a bridge directly, it is necessary to know its address.

In its Network section, the Tor Metrics Portal provides a great deal of information about the composition of the network; in particular, the available statistics make it possible to analyze:

– the average daily number of relays and bridges in the network

– the average daily number of relays by country

– relays with Exit, Fast, Guard, and Stable flags

– relays by version

– relays by platform

– total relay bandwidth in the network

– relay bandwidth by Exit and/or Guard flags

– number of bytes spent on answering directory requests

The portal also provides statistics on the number of users that access the Tor network via bridges to avoid monitoring systems put in place by governments for surveillance purposes. The data can give an indication of a local government's response to dissident communications.

The following graph displays an estimate of Tor users via bridges, based on the unique IP addresses seen by a few hundred bridges.

Figure 1 – Bridge users from all countries


Users accessing to the network

The Portal collects data about the Tor network and produces graphical representations of the analyses performed; for example, it could be interesting to monitor a critical area and the population's access to the Tor network. In these days, for example, in Syria a dictatorial regime is suppressing the opponents of the government with military attacks, and at the same time it is using technological applications to prevent the population from transmitting information about the suppression out of the country. The cyber experts of President Bashar al-Assad have also used several types of RAT (Remote Administration Tool) to persecute dissidents.

Let's analyze the number of directly connecting users from the region in the last months.

Figure 2 – Connecting users during the Syrian protests

The above picture shows the graph for the period between December 2011 and May 2012, which reveals the progressive usage of the network in concomitance with political events. Very interesting is a beta feature offered by the website that plots possible censorship events on the same graph in a different color.

Every time users are connected to the Tor network they need to regularly refresh their list of running relays. To save bandwidth of the directory authorities, users send their requests to one of a few hundred directory mirrors; by counting the number of requests it is possible to provide an estimate of the number of connected users. The graphs provide an estimate of recurring Tor users based on the number of requests received by a few dozen directory mirrors.

Similar information could be used by intelligence services to monitor political evolution in specific areas.

The metrics page also provides the list of the Top-10 countries by directly connecting users and, in beta version, the Top-10 countries by possible censorship events.


Figure 3 – Top-10 countries by directly connecting users


Packages requested from GetTor

The GetTor functionality allows users to fetch the Tor software via email; one of the metrics proposed on the portal shows the number of packages requested from GetTor daily.

Crossing this information with the statistics about network usage, and in particular about the access mode through Tor bridges, it is possible to verify the real motives behind the use of the network: from the increase in accessing users and in the number of bridges it is fair to conclude that the intended audience is confronted with some form of censorship.


Figure 4 – Number of packages requested from GetTor daily


Collection of active and passive performance measurements of the Tor network

The portal contains a set of graphs related to the performance of the Tor network, such as:

  • the average (median) time to request files of three different sizes over the Tor network
  • the fraction of timeouts and failures when downloading files over Tor, as experienced by users, following these definitions of a Tor timeout and a Tor failure:
    • A timeout occurs when a 50 KiB (1 MiB, 5 MiB) download does not complete within 4:55 minutes (29:55 minutes, 59:55 minutes).
    • A failure occurs when the download completes, but the response is smaller than 50 KiB (1 MiB, 5 MiB).
  • the fraction of connections that are used uni- or bi-directionally. Each connection is classified as "Mostly reading", "Mostly writing", or "Both reading and writing."
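As an added example (not code from the original article or from the Tor Project), the following Python snippet applies the two definitions above to a batch of constructed download measurements and produces the same kind of summary the portal's performance graphs show: the fraction of timeouts, the fraction of failures, and the median time of the downloads that succeeded. The `Measurement` type and the sample batch are my own constructions; only the size/deadline pairs come from the page.

```python
"""Classify Tor download measurements as ok / timeout / failure using the
definitions from the Tor Metrics performance graphs, and summarise a batch
the way the portal's fraction and median-time graphs do.

Added example; the measurements below are constructed, not portal data."""
from dataclasses import dataclass
from statistics import median

KIB = 1024
MIB = 1024 * KIB

# Download size -> deadline in seconds, as defined on the page:
# 50 KiB within 4:55, 1 MiB within 29:55, 5 MiB within 59:55.
DEADLINES = {
    50 * KIB: 4 * 60 + 55,
    1 * MIB: 29 * 60 + 55,
    5 * MIB: 59 * 60 + 55,
}


@dataclass(frozen=True)
class Measurement:
    requested: int    # bytes asked for: 50 KiB, 1 MiB or 5 MiB
    received: int     # bytes actually received
    elapsed: float    # seconds until the download completed or was abandoned
    completed: bool   # False when the client gave up before the response ended


def classify(m: Measurement) -> str:
    """Apply the page's definitions: a timeout is a download that does not
    complete within its deadline; a failure completes but returns fewer bytes
    than requested; anything else is ok."""
    if m.requested not in DEADLINES:
        raise ValueError(f"unsupported download size: {m.requested} bytes")
    if not m.completed or m.elapsed > DEADLINES[m.requested]:
        return "timeout"
    if m.received < m.requested:
        return "failure"
    return "ok"


def summarize(measurements):
    """Return the timeout and failure fractions plus the median time of the
    downloads that succeeded, mirroring the portal's performance graphs."""
    if not measurements:
        raise ValueError("no measurements to summarise")
    counts = {"ok": 0, "timeout": 0, "failure": 0}
    ok_times = []
    for m in measurements:
        outcome = classify(m)
        counts[outcome] += 1
        if outcome == "ok":
            ok_times.append(m.elapsed)
    total = len(measurements)
    return {
        "timeout_fraction": counts["timeout"] / total,
        "failure_fraction": counts["failure"] / total,
        "median_seconds": median(ok_times) if ok_times else None,
    }


# Constructed sample batch (not real measurements).
SAMPLE = [
    Measurement(50 * KIB, 50 * KIB, 3.2, True),      # ok
    Measurement(50 * KIB, 50 * KIB, 5.1, True),      # ok
    Measurement(50 * KIB, 12 * KIB, 295.0, False),   # abandoned at the deadline: timeout
    Measurement(50 * KIB, 30 * KIB, 2.0, True),      # completed but short: failure
    Measurement(1 * MIB, 1 * MIB, 40.0, True),       # ok
    Measurement(1 * MIB, 1 * MIB, 1800.0, True),     # completed 5 s past 29:55: timeout
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(classify(m), m)
    print(summarize(SAMPLE))
```

Note that the two categories are exclusive by construction: a download that completes late is a timeout, not a failure, even if it also came back short, which is why `classify` checks the deadline first.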


Figure 5 – Performance indicators


Case Study – Ethiopia Introduces Deep Packet Inspection

The Ethiopian Telecommunication Corporation, the only telecommunication service provider in the country, has deployed, for testing purposes, Deep Packet Inspection (DPI) of all Internet traffic.

Let's try together to use the metrics to verify the existence of monitoring systems. Let's set a time interval from the beginning of the year to date.


Figure 6 – Ethiopia Tor network usage

It is easy to notice that in the last week of May the Tor network was not accessible from the country, even when trying to use bridged access: evidence of the presence of a filtering system based on Deep Packet Inspection.

Websites such as https://gmail.com/, https://facebook.com/, https://twitter.com/, and even https://torproject.org/ continue to work. The graphs below show the effects of this deployment of censorship based on Deep Packet Inspection:

Technically, the filtering is done by interfering with the handshake between Tor clients and bridge servers, blocking the "TLS server hello" messages sent by the Tor bridges in response to a "TLS client hello".
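The reasoning used above, both the directory-request estimate of connecting users described earlier and the Ethiopia conclusion that a drop in direct and bridge access together points to blocking of the Tor connection itself rather than of relay addresses, can be turned into a small analysis script. The following Python code is an added example, not code from the original article or from the Tor Project. Everything in it is constructed: the two 14-day series are invented for illustration, and the factor of 10 directory requests per user per day used to convert request counts into user counts is an assumption, as are the function names `estimate_users`, `detect_drops` and `interpret`.

```python
"""Estimate directly connecting Tor users from directory-request counts, flag
sudden drops, and cross-check them against the bridge-user series.

Added example. All series below are constructed for illustration; they are
not Tor Metrics data. The 10-requests-per-user-per-day factor is an
assumption used to turn request counts into user counts."""
from statistics import median

# Assumption: an average client refreshes its relay list about ten times a day.
REQUESTS_PER_USER_PER_DAY = 10

# Constructed daily directory-request counts for one country (14 days).
DIRECT_REQUESTS = [50000, 52000, 49000, 51000, 50500, 49500, 53000,
                   52500, 51500, 50000, 4000, 3500, 3800, 3600]
# Constructed daily bridge users (unique IPs seen by bridges), same 14 days.
BRIDGE_USERS = [300, 310, 290, 305, 295, 300, 320, 315, 310, 300, 15, 10, 12, 8]
# Alternative constructed bridge series where users migrate to bridges instead.
BRIDGE_SHIFT = [300, 310, 290, 305, 295, 300, 320, 315, 310, 300, 900, 950, 1000, 980]


def estimate_users(requests_per_day):
    """Convert daily directory-request counts into estimated daily user counts."""
    return [round(r / REQUESTS_PER_USER_PER_DAY) for r in requests_per_day]


def detect_drops(series, window=7, threshold=0.5):
    """Return the indexes of days whose value falls below `threshold` times the
    median of the preceding `window` days. The median keeps a single odd day
    from distorting the baseline; a sustained drop is what blocking looks like."""
    drops = []
    for day in range(window, len(series)):
        baseline = median(series[day - window:day])
        if baseline > 0 and series[day] < threshold * baseline:
            drops.append(day)
    return drops


def interpret(direct_users, bridge_users, day, window=7, threshold=0.5):
    """Characterise one day by combining the direct and bridge series.

    both drop                  -> 'protocol-level': bridges did not help, so the
                                  block acts on the Tor connection itself (the
                                  case the article describes for Ethiopia)
    direct drops, bridges rise -> 'relay-ip-block': users could still reach
                                  bridges, so only public relay addresses were
                                  filtered
    direct drops only          -> 'direct-drop'
    otherwise                  -> 'none'
    """
    if day < window:
        raise ValueError("not enough preceding days to build a baseline")
    direct_dropped = day in detect_drops(direct_users, window, threshold)
    bridge_dropped = day in detect_drops(bridge_users, window, threshold)
    bridge_baseline = median(bridge_users[day - window:day])
    if direct_dropped and bridge_dropped:
        return "protocol-level"
    if direct_dropped and bridge_users[day] > bridge_baseline:
        return "relay-ip-block"
    if direct_dropped:
        return "direct-drop"
    return "none"


if __name__ == "__main__":
    users = estimate_users(DIRECT_REQUESTS)
    print("estimated users:", users)
    print("drop days:", detect_drops(users))
    for day in detect_drops(users):
        print(f"day {day}: {interpret(users, BRIDGE_USERS, day)}")
```

With the constructed data the last four days are flagged, and because the bridge series collapses on the same days the script labels them "protocol-level", which is the pattern the article reads from Figure 6. Swapping in `BRIDGE_SHIFT`, where users move to bridges instead, yields "relay-ip-block" for the same days: the distinction between the two series is what carries the inference, not the size of the drop alone.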

Pierluigi Paganini
