In a monitored network, can the admins tell if Tor is being used?

Question

I'm not asking if Tor is secure, I'm asking if an observer can know you are using Tor? For example if a persons ISP or company network monitors traffic would they be able to determine with certainty that a person is using Tor or not? For example, the exit nodes certainly are known, though I'm uncertain if the first node the traffic gets passed to is (publicly known)? A sys admin would be able to perform a whois and find out that it's a tor relay node (if they really wanted to know), wouldn't they?

As @Manumit asks "If anyone can pitch in on the missing piece, is "obfs3, scramblesuit, fte, and obfs4" ample obfuscation then?"

Answer 1

According to scuzzy-delta, yes:

It is possible to detect that someone on your network is using Tor (e.g. You're a network administrator at a workplace, and an employee is using it), and the fact that you're using it is in itself interesting information.

His answer: https://security.stackexchange.com/a/27848/76663

Using a bridged TOR connection is a safer bet but by no means the definition of safe, closer to gambling actually. The reason for this is they are meant to circumvent cencorship, if one bridge doesn't work for you in e.g. Iran you try another until you find one that's not blocked yet. However, I assume all bridged connections will work in lands of freedom, and therefore you have no idea what bridge connections your admin is aware of.

Diving deeper, this is an excerpt from https://www.torproject.org/docs/bridges.html.en

Over the last few years, censors have found ways to block Tor even when clients are using bridges. They usually do this by installing special boxes at ISPs that peek into network traffic and detect Tor; when Tor is detected they block the traffic flow.
To circumvent such sophisticated censorship Tor introduced pluggable transports. These transports manipulate all Tor traffic between the client and its first hop such that it is not identifiable as a Tor connection. If the censor can't decide if the connection is a Tor connection, then they are less likely to block it.

If anyone can pitch in on the missing piece, is "obfs3, scramblesuit, fte, and obfs4" ample obfuscation then?

Answer 2

You can check network packets against public Tor node list (for example https://torstatus.blutmagie.de/) using WireShark or any other packet sniffing software.

Answer 3

Anyone looking at your internet activity can tell if/when you are using Tor: ISP, employer, etc. You can block them from seeing that you are using Tor by turning on your VPN first then connecting to Tor.

Answer 4

Yes!

I'll answer by another security question, which is big enough a key.

In a company phone network, how the admin notice that a line is used to establish an outside connection to build an Internet connection on modem?

A rogue modem has a scheme of communication which is pretty clear: one number called and a terrific communication time.

More seriously,

A simple behavioural analysis (not a deep one but just a collection of the pairs of @IP and protocols involved: { (@IP src, @IP dst, tcp or udp, port) } of the connections established immediatly points out a typical Tor client (or node).

Normal IP traffic looks like:

• 1 × N on {80,443}/tcp where N is around 1000,
• and a few 1 × n on {21,22}/tcp where n is around less than 10,
• n × N on {80,443}/tcp where n corresponds to your official web servers and N is around 1000 (depending on the fame of your web servers).

A Tor client (or node) will exhibit a traffic which will looks like:

• 1 × 1 on 443/tcp,
• or 1 × N on 443/tcp where N is around 1000, as a return traffic back from an internal @IP where you don't have an official web server.

A VPN based on SSL looks a lot like a Tor client from this very basic bahavioural analysis. But a quick test on the @IP dst most notably a basic whois @IP dst will clarify this within 10s.