I would like to reach out to the community in order to find out if anyone out there is able to assist me with the following: How can one detect anonymous proxy traffic such as The Onion Router (TOR). Being that now in days TOR utilizes HTTP (SSL encryption) and Intrusion Detection Systems (IDS) are blind to the traffic since it is obfuscated, then what would be the best method for detecting network traffic of users that are utilizing this to connect to proxies to browse the internet and be anonymous?

The issue is not only users will browse the internet and possibly download Malware but another great concern is that anyone can set up their own TOR proxy and as the traffic gets decrypted at that proxy, the admin for that proxy could potentially perform a man-in-the-middle attack and intercept that data or take over the section as the user. Now the end user not only is putting in jeopardy the security of the company but also themselves if they are logging into their bank accounts, personal emails, etc..

My main concern is that there is no way you can obtain an accurate active list of TOR proxy servers since anyone at anytime can set one up and the only resolution I can think of is by somehow filtering out 443 data and then perform a Whois on the external destination IP’s and determine if they do not have a business need to visit it then we can block anyone going to that external IP, investigate the system for the possibility of TOR application running on the system and remove it.

Going this direction would create a tremendous amount of work that will result in potentially missing legitimate network intrusions, call backs to malicious known sites, etc... I hope that those of you that currently have something in place for this will share your solution and for those that don’t have this problem but have ideas would share them.

Thank you in advance.

Chrisj,

Those are great suggestions. We do have an acceptable use policy, perform regular scans in order to identify unauthorized software (remember that if you have an add-on in Firefox a vulnerability/pen test/patch management scan wont identify the add-ons such as a Tor one) and some users can connect their personal laptops and obtain an IP since there is DHCP enable.

We have already tried to push the issue about implementing a static IP environment, leave without pay for employees that are found to have the software and bring personal laptops, etc... But the fact is that at this time none of that will change since we have already brought up a lot of good suggestions, cases to prove our point and a very good presentation, but the fact is that nothing will change for at least a year or two, at this time I have been task to identify Tor activity, report users, remove the application and block it at the firewall level.

Chrisj,

Trust me these are great ideas that you suggested and it gives me a starting point. I’m in the process of compiling a known list of Tor servers, place a block for outgoing traffic and will look into an automatic solution for finding Tor plug-ins, if it comes to developing my own tool then this will be a little bit a new area to me, but as always the best way to learn is when your working in a project. This is why these forums are great it allows other people to give you another set of eyes when trying to figure out a solution.

Thanks again

Letting users install software or make modifications to your software environment is a recipe for disaster I have found.

Ketchup's suggestion to use group policy should be standard in a windows environment. I'm not 100% sure how you would lock down plugins though.

The simplest and easiest fix IMO for anonymous tor traffic would be to do this.

1) Have an acceptable use policy where any surfing done at work is susceptible to monitoring. Users are there to perform work not to perform personal matters.

2) Implement a proxy server. All surfing is done through the proxy server.

3) Either purchase a blue coat proxy which does MITM of SSL or implement your own whitebox setup with sslstrip/sslsniff etc etc so that you can scan the https traffic going through your network.

4) ?

5) Profit.

There is an exe portion to tor, you run the exe and have a plugin for firefox... but you don't have to run the exe on the same computer as the plugin. Nor do you need to run the plugin either really....

Anyways fighting tor is basically an arms race. I think doing things like scanning for their proxy list and such isn't a very good long term strat. Need to fight it closer to the problem.

Using the Sysinternal's tool Process Explorer, you can find what file system and registry permissions the application/driver needs, and you can grant those to users via Group Policy. It is a PITA, and if there's ever an update or some other change, you often need to go through the process again. Still, it may allow you to revoke admin rights, which could end up causing problems that are even less fun to deal with.