I am trying to figure out what is the best way to hide Tor traffic in order to improve anonymity.

While Tor is pretty good at hiding users’ IP addresses, its traffic stands out. This can be detrimental in some cases.

In this article (FBI agents tracked Harvard bomb threats despite Tor), the perpetrator was identified by matching the timing between Tor connections on Harvard's network and the email threats. Had he been able to mask the Tor traffic, he might not have been singled out as a suspect.

Some methods that have been proposed are:

  • Connecting to Tor through a VPN. Some well-known companies such as ProtonVPN offer such a service. However, adding a VPN increases the attack surface and ties billing information to the user. cf. Why is Home --> VPN --> Tor worse than Home --> Tor? Also (to be confirmed), I think that a VPN won't hide the fact that all Tor packets have the same known length, which can be a giveaway.

  • Using Tor bridges with obfsproxy. Obfuscated bridges are designed to circumvent DPI. While it is more difficult to detect with obfuscation, under manual inspection the traffic can still be recognized as Tor traffic. (This is lightly explained in Different types of Tor bridges - implications for detection of Tor use, so I won't dive into more details.)

For some people such as whistleblowers, journalists and activists, being de-anonymized can be fatal. So when generating Tor traffic is suspicious, what is the best way to hide it?

Gregoire42
    basically you're asking how to hide the time/destination of your traffic from the FBI when they have access to the ISP. I would say that this can't be done. (might be a little more difficult with a larger pool of users though...) – pcalkins Dec 02 '20 at 23:34
  • @pcalkins not really, I'm rather asking how to make the Tor traffic not identifiable as such. – Gregoire42 Dec 02 '20 at 23:42
  • Kim would have been found as well if he was the only one on the university to be connected to a VPN at that time. – Ángel Dec 03 '20 at 01:47
  • Another purpose Tor Pluggable Transports serve is to prevent ISPs from learning that you are using Tor. – defalt Dec 03 '20 at 04:59
  • @defalt it is only prevented against automated tools. If a person is suspected already, manual inspection of their traffic can still identify Tor. – Gregoire42 Dec 03 '20 at 07:30
  • Manual inspection on traffic of pluggable transports shows obfuscated gibberish packets. It can be suspected that it is obfuscating Tor traffic but not with surety. If domain fronting is still supported by any CDN, pluggable transport like `meek` wraps Tor traffic in `https` which doesn't look suspicious. If pluggable transports were so easily defeated, all of them would be blocked. – defalt Dec 03 '20 at 13:47
  • Since the attack you're trying to prevent is a timing attack based on the destination ip of your traffic, you need to obscure the destination ip. This isn't easy. One option might be to maintain a list of open proxies and bounce your traffic through those randomly. You could intersperse open proxies with public vpns and private vpns to make it even harder to detect. – DylanYoung Dec 18 '20 at 17:40
  • Another option would be to run a tor guard node on the same machine you're making the attack from. Then timing your traffic becomes very difficult because it's interspersed with other tor traffic. (Basically, you're always connected to tor). An alternative would be to regularly send some random traffic through tor, busting the correlation with the malicious emails. – DylanYoung Dec 18 '20 at 17:43
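To make the timing correlation from the Harvard case (and the "busting the correlation" idea in the comments) concrete, here is an added Python example that is not from the question, the answer or the linked article. It runs an investigator-style intersection over constructed session records and constructed email timestamps; the usernames, times and the 2-minute clock-skew allowance are all assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample data (not real logs): flow records of campus hosts talking
# to known Tor guard/bridge addresses, as (username, session_start, session_end).
SESSIONS = [
    ("alice", "2013-12-16 08:10", "2013-12-16 08:55"),
    ("bob",   "2013-12-16 08:20", "2013-12-16 08:45"),
    ("carol", "2013-12-16 08:00", "2013-12-16 12:00"),  # long-lived session
    ("bob",   "2013-12-16 11:05", "2013-12-16 11:30"),
    ("dave",  "2013-12-16 11:10", "2013-12-16 11:20"),
]

# Constructed "Date:" header values of the threatening emails.
EVENTS = ["2013-12-16 08:30", "2013-12-16 11:15"]


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, FMT)


def users_active_at(sessions, when: datetime,
                    slack: timedelta = timedelta(minutes=2)) -> set:
    """Users with a Tor session covering `when`; `slack` (an assumed value)
    absorbs clock skew between the mail server and the flow collector."""
    hits = set()
    for user, start, end in sessions:
        if parse(start) - slack <= when <= parse(end) + slack:
            hits.add(user)
    return hits


def correlate(sessions, events) -> set:
    """Intersect the active-user sets across all events. Whoever survives
    was on Tor every time a threat was sent; the smaller this set, the
    stronger the correlation. Returns an empty set when there are no events."""
    suspects = None
    for ev in events:
        active = users_active_at(sessions, parse(ev))
        suspects = active if suspects is None else suspects & active
    return suspects or set()


if __name__ == "__main__":
    # Expected: {'bob', 'carol'}. The candidate pool shrinks with every event;
    # carol survives only because her session spans the whole window, which is
    # the effect the "always connected" comment above is aiming for.
    print(correlate(SESSIONS, EVENTS))
```

The point for defenders and investigators alike is that the protocol label does not matter: the same intersection works over VPN or proxy flows, which is Ángel's remark about a lone VPN user.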

1 Answer

When generating Tor traffic is suspicious then the best way to hide is to not use Tor. What is your end goal and who is your adversary? You only really need Tor when you want to connect to a hidden service. For normal websites you could just use a VPN/proxy or multiple of those.

For VPN + Tor, creating lots of (non-Tor) traffic will make analysis at least harder.

Many bridges are public. Using obfsproxy + a private bridge would maybe not stick out that much but the protocol still does not look like standard internet traffic. The host for the private bridge will know you use Tor. The bridge itself is also not invisible since it needs to connect to other Tor nodes in order to work. Meek is better than obfsproxy because it looks like TLS. There is also another upcoming pluggable transport which should make the connection look like a normal browser.

currende