I am trying to find a way to block I2P and Freenet darknets in a corporate network. Does anyone know a way to block them (on firewall)? Do I need to close particular ports or block entry nodes (like Tor)?
You might have problems - they're designed to bypass blocks by, essentially, disguising their data as legitimate traffic. The general approach would probably be to ensure that using darknets or other means to bypass filtering is a disciplinary offence within the company, then look out for "unexplained" traffic, and investigate it if found. – Matthew Mar 30 '16 at 15:53
Rewriting the comment. There is a similar question (https://security.stackexchange.com/q/135907/67189) where I also provided an answer. The accepted answer highlights that blacklisting known nodes has limited effect, as suggested by Forest here. I propose a different approach: block the workstation from installing unauthorized software. – usr-local-ΕΨΗΕΛΩΝ Jun 25 '19 at 15:31
3 Answers
You won't have much luck. All of those are designed specifically to circumvent censorship. You may have very limited luck by simply downloading and keeping an up to date list of Freenet IPs and I2P IPs and blocking them, and an up to date list of Tor nodes with the "guard flag" and blocking them. This will not stop anyone for more than 5 minutes. Alternatively, you may be able to perform random searches of people who use more than a certain amount of traffic, if excessive traffic is a concern, or people who have a certain ratio of unexplained to regular traffic, and reprimand those who are caught using disallowed software, and write them up if they knew better.
The reason it'll be hard to block this software is:
Freenet can connect using random ports to people who are not identified in the Freenet network, called "darknet mode". It randomizes packet sizes and obfuscates the protocol to prevent detection.
Tor is even better at evading censorship. You say you just need to close ports or block certain IPs to block it, but that's not true. It can use bridges, which are unregistered Tor nodes that listen on random ports. They furthermore can obfuscate their traffic even better than Freenet can. This can range from simple encryption to traffic shaping to literally disguising traffic by encoding it as a stream of PDF files, or a stream of JavaScript/HTML, or a video stream in the Skype format, or even a stream of random dictionary words in plain text.
I know little about I2P, but I believe it can use similar traffic obfuscation technologies as Tor, as well as unlicensed entry nodes.
Note that both I2P and Freenet are self-contained networks. They cannot be used to access the outside internet, so there isn't a risk of them being used to browse Facebook or Pornhub secretly. I2P does have "outproxies", but I believe they are so few as to be almost useless. Freenet only works with internal Freesites and I2P only works with internal eepsites. Tor on the other hand works with both real websites and Tor-specific onion sites ("hidden services").
Lastly, please consider the reason you are trying to block these technologies. If you were asked to do so by your boss, or if it is taking up an excessive amount of traffic, it's totally understandable. But unless there are compelling reasons otherwise, privacy should be a valid reason to use such technologies.
You cannot expect technology to solve social problems. Enforceable policies need to be created to rid the infrastructure of this. If management does not make its intentions clear, you should not seek to inherit this issue by way of technology. Putting together a policy means little if it is not enforced. Example: we all know there are speed limits set on all highways. If we get caught speeding, we are (usually) given a ticket (enforcement). Imagine getting pulled over for speeding, then let go, over and over. The speed limit (policy) means little since you will get away with it. Management needs to enforce policies, and they need to understand WHY they need to create and/or enforce policies.
Once that area (policy/enforcement) is covered, you can begin to successfully filter out as much as you can by way of alerting. It will give you a baseline of users' attempts to connect. This data can be given to management, who can enforce a policy: 1st mishap, warning; 2nd, suspension; 3rd, termination. Then, AND ONLY then, will filtering work. Otherwise, anything you do will be a band-aid approach that requires you to constantly review and revise hardware and software (add/remove rules), which can lead to all sorts of issues down the road.
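The two answers above describe two complementary defensive measures: a refreshed block list of published relay addresses (first answer, with the caveat that it is easily bypassed) and alerting on "unexplained" traffic that is reported to management (second answer). The script below is an added example written for this page, not code from either answer or from any of the projects mentioned. It parses constructed firewall log lines (the format, the `KNOWN_NODES` addresses and the `ALLOWED_PORTS` set are all assumptions for illustration), flags flows to listed relay addresses, computes each host's share of bytes sent to unsanctioned ports, and renders pf-style block rules from the list.

```python
"""Darknet-relay alerting over firewall logs (added example, constructed data).

Two detections are combined because each misses what the other catches:
  * a list match catches a host reaching a known Tor guard on tcp/443, which
    port-based filtering alone would wave through;
  * a byte-ratio heuristic catches a host pushing most of its traffic to
    random high ports, even when the peer is an unlisted bridge or darknet node.
"""
import re
from collections import defaultdict

# Constructed stand-in for a relay list you would refresh from the projects'
# published directories (Tor consensus with the Guard flag, I2P/Freenet seeds).
# These are RFC 5737 documentation addresses, not real relays.
KNOWN_NODES = {
    "198.51.100.10": "tor-guard",
    "198.51.100.11": "tor-guard",
    "203.0.113.5": "i2p-router",
    "203.0.113.77": "freenet-node",
}

# Destination ports the organisation has explicitly sanctioned (assumed policy).
ALLOWED_PORTS = {53, 80, 443}

# Constructed log lines: <timestamp> <action> <src> <dst>:<port> <proto> <bytes>
SAMPLE_LOG = """\
2024-03-01T09:00:01 pass 10.0.0.5 198.51.100.10:9001 tcp 524288
2024-03-01T09:00:02 pass 10.0.0.5 198.51.100.11:443 tcp 1048576
2024-03-01T09:00:03 pass 10.0.0.7 93.184.216.34:443 tcp 20480
2024-03-01T09:00:04 pass 10.0.0.9 203.0.113.5:12345 udp 4194304
2024-03-01T09:00:05 pass 10.0.0.9 192.0.2.44:40123 udp 8388608
2024-03-01T09:00:06 pass 10.0.0.7 192.0.2.8:80 tcp 10240
"""

LINE_RE = re.compile(r"^(\S+) (pass|block) (\S+) (\S+):(\d+) (tcp|udp) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, dst, port, proto, nbytes = m.groups()
    return {"ts": ts, "action": action, "src": src, "dst": dst,
            "port": int(port), "proto": proto, "bytes": int(nbytes)}


def records(log_text):
    """Yield parsed records, silently skipping malformed lines."""
    return [r for r in map(parse_line, log_text.splitlines()) if r]


def known_node_hits(log_text):
    """(timestamp, src, dst, label) for every flow to a listed relay address."""
    return [(r["ts"], r["src"], r["dst"], KNOWN_NODES[r["dst"]])
            for r in records(log_text) if r["dst"] in KNOWN_NODES]


def unexplained_ratio(log_text):
    """Per source host: fraction of bytes sent to ports outside ALLOWED_PORTS."""
    total, unexplained = defaultdict(int), defaultdict(int)
    for r in records(log_text):
        total[r["src"]] += r["bytes"]
        if r["port"] not in ALLOWED_PORTS:
            unexplained[r["src"]] += r["bytes"]
    return {src: unexplained[src] / total[src] for src in total}


def hosts_to_review(log_text, threshold=0.5):
    """Hosts whose unexplained share of bytes exceeds the threshold, for follow-up."""
    return sorted(src for src, ratio in unexplained_ratio(log_text).items()
                  if ratio > threshold)


def pf_block_rules(nodes=KNOWN_NODES):
    """Render one pf-style 'block out quick' rule per listed address."""
    return [f"block out quick to {ip}  # {label}" for ip, label in sorted(nodes.items())]


if __name__ == "__main__":
    for hit in known_node_hits(SAMPLE_LOG):
        print("relay contact:", *hit)
    print("hosts to review:", hosts_to_review(SAMPLE_LOG))
    print("\n".join(pf_block_rules()))
```

Run on the sample, the list match reports 10.0.0.5 twice (once on tcp/443, which no port rule would have stopped) and 10.0.0.9 once, while the ratio check reports only 10.0.0.9, whose second peer is not on any list; 10.0.0.5 stays under the 0.5 threshold. Keep the relay list fresh and treat both outputs as input to the policy process the answer describes, not as a block that will hold on its own.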
You might want to take a look at Untangle, a firewall distro which provides application control that allows you to block, or better tarpit, Tor, I2P, Usenet, Freenet, etc.