Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

#1 Azure, 08-05-2010, 11:06 AM
Prevent Tor/HSS and other onion routers from working

Unlimited budget. Huge network with over 2000 users. How do you completely shut down all onion routers like Tor, HotSpotShield, FreeVPN, and many others?
#2 Bob, 08-05-2010, 11:21 AM

Is that what users are doing to bypass the firewall / web filtering?
#3 Azure, 08-05-2010, 11:31 AM

Quote (Originally Posted by Bob):
Is that what users are doing to bypass the firewall / web filtering?
More or less.

And I realize that generally company policy would result in those employees getting fired, or at least getting warned, but I'm looking at more of a technical solution instead of focusing on the HR side of things.
#4 Bob, 08-05-2010, 11:45 AM

Quote (Originally Posted by Azure):
More or less.

And I realize that generally company policy would result in those employees getting fired, or at least getting warned, but I'm looking at more of a technical solution instead of focusing on the HR side of things.
Ah, because I was going to suggest noisily firing them and making it known that a violation of any sort results in immediate termination.
#5 photon, 08-05-2010, 11:47 AM

How much functionality do you want to leave everyone with?

This will be pretty difficult.. You could block every port except port 80 and port 443 (for web browsing) and that won't stop Tor or the VPNs since they operate over those ports as well.

You could try to maintain a block list of IPs to block onion routers and known VPNs, though that's a full time job really. There might be a commercial list to subscribe to though.

You could try attacking the problem from the other side; lock down the PCs or use software that prevents some applications from running.

Is this for a company? I think a technical solution to users surfing what they shouldn't be surfing isn't really the best way to go, or at least shouldn't be the only portion.. communication and legally binding computer usage policies that are signed by the users should be involved as well.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
#6 Azure, 08-05-2010, 11:59 AM

I should have explained better from the start. The 'company' in question would actually be this.

http://www.hbni.net/index.htm

Pretty straightforward. Private ISP that has a common content filter, but has over 2,000 users, and it's impossible to set out some legally binding computer usage policies for obvious reasons.

So the problem is being looked at from a strictly technical viewpoint.
#7 Azure, 08-05-2010, 12:03 PM

How much functionality? Well, for the most part the Tor routers are being used to access stuff that the content filters are blocking.

But that isn't the real issue. As I understand it, people using the onion routers are creating some sort of bottleneck which is slowing down the gateway appliances. This is in turn slowing down the internet and causing a problem for the numerous businesses amongst the colonies that use the HBNI.
#8 photon, 08-05-2010, 12:14 PM

You could still have legally binding network usage policies.. anyone running a disallowed service gets removed from the network. Might not be a viable solution though.

If you blocked common VPN ports, that would also defeat legit VPN usage and wouldn't stop things like HotSpotShield since I think they can do everything over port 443 which is the SSL port.

The only way I can think of would be to have a block list on the outgoing routers to prevent connections to known Tor and VPN sites.

You could use OpenDNS http://www.opendns.com/solutions/overview/ https://www.opendns.com/solutions/business/filtering/, they have blocking and have anonymizers/proxies as one of their options I've read.

However this wouldn't stop someone that changed their own computer's DNS to something else.

No matter what you do, if you allow a connection to the Internet people will be able to use that connection to get around any filters you put in place, period.
#9 photon, 08-05-2010, 12:21 PM

Quote (Originally Posted by Azure):
How much functionality? Well, for the most part the Tor routers are being used to access stuff that the content filters are blocking.
I was thinking for a company you could block all ports except 80 and 443, which would basically mess up everything except web browsing.. Obviously not the way you want to go in this case. And a savvy user will just reconfigure the software to work over the open ports anyway.

Quote (Originally Posted by Azure):
But that isn't the real issue. As I understand it, people using the onion routers are creating some sort of bottleneck which is slowing down the gateway appliances. This is in turn slowing down the internet and causing a problem for the numerous businesses amongst the colonies that use the HBNI.
Hm, well with unlimited $$ they could get some hardware that would allow them to do traffic shaping, give the important traffic higher priority.

That's what big things like Shaw do, they have hardware that will do deep packet inspection and decide based on the content of the packet (as much as can be deduced anyway, if it's encrypted then it's more limited).

Blocking known proxy and Tor IPs would still probably be the more effective; the difficulty is finding the right IPs to block.
#10 WilsonFourTwo, 08-05-2010, 12:27 PM

Quote (Originally Posted by photon):
No matter what you do, if you allow a connection to the Internet people will be able to use that connection to get around any filters you put in place, period.
No matter how long this thread goes, Photon's statement above will remain the truest and most important.

I spent a decade dealing with requests like this, and I can promise you that the likely upkeep is gonna crush you. Unless there is an 'absolute' that can be blocked (like a specific domain, IP, port number), you will forever be playing catchup.

My honest advice would be to put your efforts and resources into identifying unacceptable traffic, and enforcing solid, coherent Terms of Service. You will likely get MUCH more bang for your buck, and not become completely burned out while trying to keep up.
#11 Azure, 08-05-2010, 12:31 PM

Quote (Originally Posted by photon):
You could still have legally binding network usage policies.. anyone running a disallowed service gets removed from the network. Might not be a viable solution tough.

If you blocked common VPN ports, that would also defeat legit VPN usage and wouldn't stop things like HotSpotShield since I think they can do everything over port 443 which is the SSL port.

The only way I can think of would be to have a block list on the outgoing routers to prevent connections to known Tor and VPN sites.

You could use OpenDNS http://www.opendns.com/solutions/overview/ https://www.opendns.com/solutions/business/filtering/, they have blocking and have anonymizers/proxies as one of their options I've read.
We already use OpenDNS for their DNS service, and of course blocking the proxy sites. But that only blocks the actual websites. Which would block someone from downloading Tor.

Problem is there are a lot of other ways to still get the program. Free Wi-Fi at the library, airport, whatever.

Quote (Originally Posted by photon):
However this wouldn't stop someone that changed their own computer's DNS to something else.
You can create rules where all port 53 requests are blocked or redirected to the OpenDNS addresses that you specify on the gateway device.
#12 Azure, 08-05-2010, 12:39 PM

Quote (Originally Posted by photon):
Hm, well with unlimited $$ they could get some hardware that would allow them to do traffic shaping, give the important traffic higher priority.

That's what big things like Shaw do, they have hardware that will do deep packet inspection and decide based on the content of the packet (as much as can be deduced anyway, if it's encrypted then it's more limited).

Blocking known proxy and tor IP's would still probably be the more effective, the difficulty is finding the right IPs to block.
We already do traffic shaping in order to make sure that IPTV and VOIP get bandwidth priority, plus a certain level of bandwidth is guaranteed to each colony. Paid more than $15,000 for the appliance.

But the way I understand it Tor and other similar services operate over SSL, so the question is can Shaw, or any other big ISP company, actually prevent Tor from running if they do deep packet inspection.

From what I've read it's a common problem that people are dealing with.
#13 sclitheroe, 08-05-2010, 12:40 PM

Without deep packet inspection hardware it's a losing battle. SSL VPN runs over 443, and really, you can run any protocol over any port, so you can tunnel any of those other VPN type apps over 80.

Use tools like DPI to identify the source, and then TOS to eliminate or rein in the source. As others have noted, this is the only way.
__________________
-Scott
#14 photon, 08-05-2010, 01:03 PM

Quote (Originally Posted by Azure):
We already use OpenDNS for their DNS service, and of course blocking the proxy sites. But that only blocks the actual websites. Which would block someone from downloading Tor.

Problem is there are a lot of other ways to still get the program. Free Wi-Fi at the library, airport, whatever.
Yeah blocking the actual download is pretty much useless.

Quote (Originally Posted by Azure):
You can create rules where all port 53 requests are blocked or redirected to the OpenDNS addresses that you specify on the gateway device.
True! Then I'll just run my own DNS server.

Quote (Originally Posted by Azure):
But the way I understand it Tor and other similar services operate over SSL, so the question is can Shaw, or any other big ISP company, actually prevent Tor from running if they do deep packet inspection.
Nope, at least not by inspecting the encrypted payload. I've seen people blocking specific things like HotSpotShield based on URL patterns and stuff, but that's just a cat/mouse game.

You can throw the encrypted packets to the bottom of the pile though, which could help with the network type issues. Doesn't help with circumvention of filters though. And might cause problems for people trying to do banking if you can't differentiate between Tor encrypted packets and IE ones.

Quote (Originally Posted by Azure):
From what I've read its a common problem that people are dealing with.
Yup. And it's a losing battle; if Iran and China can't do it, you aren't going to be able to either.
#15 Azure, 08-05-2010, 01:33 PM

There are a ton of IPs here.

http://proxy.org/tor.shtml

I don't know how often they update it though.

Someone also suggested blocking ports 9001 and 9030, as apparently Tor listens on port 9001 and their directory is on port 9030. Might not completely block it, but it might make it hard to use.

Problem is there are numerous other similar programs.
#16 sclitheroe, 08-05-2010, 01:38 PM

I’m assuming this is being used to access material on the internet that is against community norms and standards. I’m curious how the community would deal with someone going to a store and obtaining “media” that is in violation of community values - would they strive to actively impede one’s ability to visit those stores? Or would they take some other approach.

What I’m getting at is that surely the community has developed in their long tradition, means of dealing with infractions when detected - so maybe focusing on detection, rather than blocking, and working in concert with their already established social processes, is the right solution here.

If you’ve already been able to identify that Tor is an issue, are you able to narrow it down to specific houses/buildings? Maybe that’s all the community really needs.
#17 photon, 08-05-2010, 01:49 PM

Quote (Originally Posted by Azure):
There are a ton of IPs here.

http://proxy.org/tor.shtml

I don't know how often they update it though.
Yeah, and that's just Tor. The VPNs you mentioned work on a totally different idea, and they're all going to have their own set of rules.

And the IPs will change all the time, it'll be a game of whack-a-mole, something to administrate on an ongoing basis.

Quote (Originally Posted by Azure):
Someone also suggested blocking ports 9001, and 9030 as apparently Tor listens on port 9001, and their directory is on port 9030. Might not completely block it, but it might make it hard to use.

Problem is there are numerous other similar programs.
I think the ports are only used that way if you are setting up a tor relay; actually participating in creating the tor network... while if you just use tor without having those ports open or even blocked, it'll still work to circumvent filtering.

But you could do a combination of removing the low hanging fruit (blocking common TOR IPs, ports, and such) and communicating and instructing the user base.

Parents don't have any problem monitoring what their kids watch on TV and don't call Shaw asking them to block the Fashion TV show for their house, this is the same thing, just a little more complicated.
#18 Azure, 08-05-2010, 02:07 PM

Tough to trace the actual traffic if someone is using Tor, but I would imagine the concern is as much about the amount of traffic happening on the SSL side, and creating bottlenecks as it is about the fact that Tor, HSS or other services can be used to access content that would usually be restricted.

There is a specific process in place to deal with someone who goes to websites against community guidelines, even if there is no official guideline, but we're talking about 50 colonies who are on the HBNI, with an average of 75 people on each colony. That would be the possibility of over 3500 users. I cut it back to 2000 because not everyone uses the internet. Unless someone is caught in the act, by either the network administrator at that specific community, or anyone else, it is virtually impossible to trace the traffic beyond what colony it is happening at.

And outside of the core people who look after the HBNI network itself, not every community has someone who can actively monitor their own networks. Either because of time constraints, or because they don't know much about it.

Because there is so much going on at a larger community, especially with these specific colonies who are heavily into manufacturing, it is impossible to keep check on what every single member is doing at all times. So a large level of trust is placed upon those people who have a driver's license, or a responsibility that provides them with the opportunity of perhaps going to the store and buying objectionable content.
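One way to act on the detection angle raised above (narrowing Tor use down to a colony rather than decrypting anything), as an added example that is not from the thread or from HBNI: it matches gateway flow records against a list of known relay addresses, treats the default Tor ports 9001/9030 only as a weaker signal (since, as noted, relays can listen on 443 and other services can use those ports), and rolls hits up per colony subnet. The relay list, the colony subnets and the flow records are all constructed for the example; a real deployment would feed it the gateway's NetFlow/sFlow export and a current relay list.

```python
"""Roll up flows toward known Tor relays per colony subnet.

Added example, not code from the thread. Every address, subnet and
flow record below is constructed; replace them with a current relay
list and the gateway's own flow export.
"""
import ipaddress
from collections import defaultdict

# Constructed stand-in for a published Tor relay list (documentation ranges).
TOR_RELAY_IPS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Constructed colony addressing; assumption: one /24 per colony.
COLONY_SUBNETS = {
    ipaddress.ip_network("10.1.0.0/24"): "Colony A",
    ipaddress.ip_network("10.2.0.0/24"): "Colony B",
}

# Default ORPort/DirPort cited in the thread: a weak signal on its own.
TOR_DEFAULT_PORTS = {9001, 9030}

# Constructed flow records: "src_ip dst_ip dst_port bytes".
SAMPLE_FLOWS = """\
10.1.0.5 203.0.113.10 443 120000
10.1.0.5 198.51.100.7 9001 80000
10.2.0.9 192.0.2.50 443 5000
10.2.0.9 192.0.2.60 9001 3000
10.1.0.7 203.0.113.11 9030 1000
10.3.0.1 203.0.113.10 443 700
"""


def colony_for(src_ip):
    """Map a source address to its colony; 'unknown' if no subnet matches."""
    addr = ipaddress.ip_address(src_ip)
    for net, name in COLONY_SUBNETS.items():
        if addr in net:
            return name
    return "unknown"


def classify_flow(line):
    """Return (colony, signal, bytes) for a suspicious flow, else None.

    A destination on the relay list is the strong 'relay-ip' signal; a
    default Tor port with an unlisted destination is the weaker 'tor-port'.
    """
    src, dst, dport, nbytes = line.split()
    if dst in TOR_RELAY_IPS:
        signal = "relay-ip"
    elif int(dport) in TOR_DEFAULT_PORTS:
        signal = "tor-port"
    else:
        return None
    return colony_for(src), signal, int(nbytes)


def summarize(flow_text):
    """Aggregate suspicious flows per colony: count, bytes, signal breakdown."""
    report = defaultdict(lambda: {"flows": 0, "bytes": 0, "relay-ip": 0, "tor-port": 0})
    for line in flow_text.splitlines():
        hit = classify_flow(line) if line.strip() else None
        if hit is None:
            continue
        colony, signal, nbytes = hit
        report[colony]["flows"] += 1
        report[colony]["bytes"] += nbytes
        report[colony][signal] += 1
    return dict(report)


if __name__ == "__main__":
    for colony, stats in sorted(summarize(SAMPLE_FLOWS).items()):
        print(colony, stats)
```

Flows whose only evidence is a default Tor port are reported separately so an operator can weigh them against the relay-list hits before contacting a colony's administrator.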
#19 BloodFetish, 08-05-2010, 02:41 PM

I don't know much about TOR networks, but have spent some time thinking about blocking unproductive websites (facebook, myspace, etc) and therefore internet proxies as well. Same conclusion as others have stated - you can perhaps make it difficult and/or increase your time administrating your solution, but nothing is absolute.

I don't know much about TOR, though. Is the bandwidth used by TOR (and similar) mostly on port 443? If so, could you build a list of allowable https websites (like online banking) and then deny everything else on port 443? You would have to provide some way for end users to request https sites to be included on your allowable list...
#20 Hack&Lube, 08-05-2010, 03:31 PM

This is a fascinating scenario of web filtering related to community/religious values. Is this a specific request from the Hutterite communities you serve?

Honestly, even if you block these services, individuals in the community who really do want to access content frowned upon by the community will probably find a way or an alternative through normal internet. If they are smart enough to use these services and SSL in what they do, they are probably smart enough to find a way to get what they want.

Unfortunately, I can't think of anything to help you beyond what others have posted in this thread, but keep us updated on this. Basically what Photon said is all that I can think of as well: find a list of the common IPs that these services use and block them. I'm sure there must be a commercial list of these somewhere as it's a hot commodity for websites seeking to restrict content to regional IPs. This is an interesting situation.

Last edited by Hack&Lube; 08-05-2010 at 03:34 PM.
All times are GMT -6. The time now is 11:50 PM.