This topic has 10 replies, 5 voices, and was last updated 10 years, 11 months ago by dynamik.
March 9, 2010 at 4:41 pm #4769
itg33k (Participant)
I would like to reach out to the community in order to find out if anyone out there is able to assist me with the following: How can one detect anonymous proxy traffic such as The Onion Router (TOR)? Being that nowadays TOR utilizes HTTP (SSL encryption) and Intrusion Detection Systems (IDS) are blind to the traffic since it is obfuscated, what would be the best method for detecting network traffic of users that are utilizing this to connect to proxies to browse the internet and be anonymous?
The issue is not only that users will browse the internet and possibly download malware; another great concern is that anyone can set up their own TOR proxy, and as the traffic gets decrypted at that proxy, the admin for that proxy could potentially perform a man-in-the-middle attack and intercept that data or take over the session as the user. Now the end user is not only putting in jeopardy the security of the company but also themselves if they are logging into their bank accounts, personal emails, etc.
My main concern is that there is no way you can obtain an accurate active list of TOR proxy servers, since anyone at any time can set one up. The only resolution I can think of is to somehow filter out 443 data and then perform a Whois on the external destination IPs; if we determine that they do not have a business need to visit it, then we can block anyone going to that external IP, investigate the system for the possibility of a TOR application running on it, and remove it.
Going this direction would create a tremendous amount of work that will result in potentially missing legitimate network intrusions, call backs to malicious known sites, etc… I hope that those of you that currently have something in place for this will share your solution and for those that don’t have this problem but have ideas would share them.
Thank you in advance.
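The approach the question sketches (filter the outbound 443 traffic, then review the external destination IPs) can be scripted against the firewall logs once a relay list is at hand. The following is an added illustration, not code posted in the thread. The log lines, the relay list and the internal address ranges are constructed samples; in use the relay list would be loaded from the Tor directory consensus, the logs from the syslog server, and the regex adjusted to the firewall's own log format. The port set is an assumption based on Tor's defaults (443 to blend in with HTTPS, 9001 as the default ORPort, 9030 as the DirPort).

```python
"""Cross-reference outbound connections in firewall logs with a Tor relay list.
Added example for the thread's question; all data below is constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: syslog-style firewall lines (the line format is assumed).
SAMPLE_LOG = """\
Mar  9 16:41:02 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.15 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=443
Mar  9 16:41:05 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.15 DST=203.0.113.44 PROTO=TCP SPT=51240 DPT=443
Mar  9 16:41:09 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.22 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=80
Mar  9 16:42:17 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.22 DST=203.0.113.44 PROTO=TCP SPT=40010 DPT=9001
Mar  9 16:43:00 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.31 DST=192.0.2.80 PROTO=TCP SPT=33000 DPT=443
"""

# Constructed relay list (documentation addresses, not real relays).  As the
# poster notes, an unlisted relay or bridge will not be caught by this check.
KNOWN_RELAYS = {"198.51.100.7", "203.0.113.44"}

# Assumed Tor ports: 443 (blends with HTTPS), 9001 (default ORPort), 9030 (DirPort).
TOR_PORTS = {443, 9001, 9030}

# Constructed internal ranges (RFC 1918); checked explicitly rather than via
# ip_address().is_private, which also treats the documentation nets as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Extract src, dst, proto and destination port; None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_443_destinations(log_text):
    """Unique external hosts reached on 443: the review set the poster describes."""
    dests = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dpt"] == 443 and is_internal(rec["src"]) and not is_internal(rec["dst"]):
            dests.add(rec["dst"])
    return sorted(dests)


def relay_contacts(log_text, relays=KNOWN_RELAYS, ports=TOR_PORTS):
    """Map each internal source to the (relay, port) pairs it connected to."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if not is_internal(rec["src"]) or rec["dpt"] not in ports:
            continue
        if rec["dst"] in relays:
            hits[rec["src"]].add((rec["dst"], rec["dpt"]))
    return {src: sorted(pairs) for src, pairs in hits.items()}


if __name__ == "__main__":
    print("External 443 destinations to review:", external_443_destinations(SAMPLE_LOG))
    for src, pairs in relay_contacts(SAMPLE_LOG).items():
        print(f"{src} contacted known relays: {pairs}")
```

The host on 10.1.2.22 shows up only through its port 9001 connection; the port 80 line to a listed relay is ignored because it is not a Tor port, which is the kind of tuning decision the review set forces you to make. The 443 list is deliberately broader than the relay hits, so a destination like 192.0.2.80 still lands in the manual Whois queue the poster proposes.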
March 9, 2010 at 4:58 pm #29914
rattis (Participant)
Actually, you hit on some of the information in your post.
I’ve found most of our users using TOR, either while fixing a problem on their computer, or by viewing the firewall logs.
While the list of proxy servers changes, the boxes that provide those lists don’t change as often. So blocking them prevents users from getting updated lists.
When I have a working syslog server at work collecting the firewall logs (they’re worth having, I just don’t have the hardware right now after our move), you can grep the logs for that information, and use either the firewall or the internal proxy to block those sites. You don’t have to be perfect in the case of blocking; users will stop using it when they find it’s not very reliable.
Since you’re talking about blocking this traffic from work, you might want to talk to upper management about updating the acceptable use policy, with teeth behind it when it’s broken. Example: There used to be a problem with something at work. When management started walking people out the door for doing it, people stopped.
As for finding it installed on people’s computers, I’m assuming a Windows environment. You can write a script that (if it has domain admin privileges) lists the contents of C:\Program Files. I’ve done something similar with Perl looking for multimedia files on people’s user shares.
March 9, 2010 at 6:37 pm #29915
itg33k (Participant)
Chrisj,
Those are great suggestions. We do have an acceptable use policy, and we perform regular scans in order to identify unauthorized software (remember that if you have an add-on in Firefox, a vulnerability/pen test/patch management scan won’t identify add-ons such as a Tor one), and some users can connect their personal laptops and obtain an IP since DHCP is enabled.
We have already tried to push the issue about implementing a static IP environment, leave without pay for employees that are found to have the software and bring personal laptops, etc… But the fact is that at this time none of that will change; we have already brought up a lot of good suggestions, cases to prove our point and a very good presentation, but nothing will change for at least a year or two. At this time I have been tasked to identify Tor activity, report users, remove the application and block it at the firewall level.
March 9, 2010 at 7:03 pm #29916
rattis (Participant)
If you’re using Cisco switches, you can limit the number of MAC addresses allowed per port. We’ve had the same problem with users bringing laptops in.
The static IP addresses don’t really help that much. Users will find an open IP address and use it. Sometimes it’s an open IP address because the box it belongs to is turned off.
As for using the plugins, instead of them installing the programs, try looking in:
C:\Documents and Settings\USERNAME\Application Data\Mozilla\Firefox\Profiles\PROFILE\extensions. You’ll have to look at all the sub folders in those directories. A nested for loop could work. I looked in my extension directory, and was able to find JavaScript files with the names of the programs. You’ll have to write your own tools to do it; I don’t know of any off the shelf that will do that for you (others might). The benefit, if management agrees, is you get to see what other things the users are installing.
Sorry I can’t be more help than what I’ve suggested. But looking in the 2 locations on their computers, getting a list of the proxy servers, and the ones that contain the lists (blocking at the firewall), the only other thing I can suggest is googling “blocking TOR” (which I did sometime in the last 3 years).
*Edit: Make sure you keep your manager, and maybe director informed of what you’re doing. I was lucky, when I was working the security part of my job, my director insisted I report straight to him not my manager, and he covered whatever I needed to do, like writing those scripts. My manager didn’t like it, but my Director had my back.
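Both of rattis's suggestions, the script that lists C:\Program Files and the nested loop over every user's Profiles\PROFILE\extensions folder, fit in one inventory script. The following is an added example and not code from the thread. It uses the Windows XP layout named in the post; the sample machine image it walks is constructed in a temporary directory so it runs anywhere, and in use `root` would point at the local drive or an admin share of the target workstation. The extension id `torbutton@torproject.org` is assumed to be the Torbutton add-on's id; the other ids and program names are made up.

```python
"""Inventory Program Files and per-user Firefox extension folders and flag
Tor-related entries.  Added example; the directory tree is constructed."""
import os
import re
import tempfile

# Names worth flagging.  \btor\b avoids matching "editor" or "monitor";
# torbutton is listed separately because "tor" is not a whole word there.
WATCH_RE = re.compile(r"\btor\b|torbutton", re.IGNORECASE)

PROGRAM_FILES = "Program Files"
USERS_DIR = "Documents and Settings"
PROFILES_REL = os.path.join("Application Data", "Mozilla", "Firefox", "Profiles")


def list_program_files(root):
    """Top-level folder names under <root>\\Program Files, like a 'dir' listing."""
    base = os.path.join(root, PROGRAM_FILES)
    if not os.path.isdir(base):
        return []
    return sorted(n for n in os.listdir(base) if os.path.isdir(os.path.join(base, n)))


def list_firefox_extensions(root):
    """(user, profile, extension_id) for every entry in every user's
    Profiles\\*\\extensions folder: the nested loop from the post."""
    found = []
    users_base = os.path.join(root, USERS_DIR)
    if not os.path.isdir(users_base):
        return found
    for user in sorted(os.listdir(users_base)):
        profiles = os.path.join(users_base, user, PROFILES_REL)
        if not os.path.isdir(profiles):
            continue
        for profile in sorted(os.listdir(profiles)):
            ext_dir = os.path.join(profiles, profile, "extensions")
            if not os.path.isdir(ext_dir):
                continue
            # Entries are unpacked extension folders or packed .xpi files;
            # either way the name carries the extension id.
            for entry in sorted(os.listdir(ext_dir)):
                found.append((user, profile, entry))
    return found


def flag_tor(root):
    """Full inventory plus the entries matching the watch pattern."""
    programs = list_program_files(root)
    extensions = list_firefox_extensions(root)
    return {
        "programs": programs,
        "extensions": extensions,
        "flagged_programs": [p for p in programs if WATCH_RE.search(p)],
        "flagged_extensions": [e for e in extensions if WATCH_RE.search(e[2])],
    }


def build_sample_tree(root):
    """Constructed sample machine image: three programs, two users, three add-ons."""
    for name in ("Tor", "Notepad++", "Monitor Tool"):
        os.makedirs(os.path.join(root, PROGRAM_FILES, name))
    profiles = {
        "alice": ("abcd1234.default", ["torbutton@torproject.org",
                                       "{11111111-2222-3333-4444-555555555555}"]),
        "bob": ("wxyz5678.default", ["adblock-example@constructed.test"]),
    }
    for user, (profile, exts) in profiles.items():
        ext_dir = os.path.join(root, USERS_DIR, user, PROFILES_REL, profile, "extensions")
        for ext in exts:
            os.makedirs(os.path.join(ext_dir, ext))


def demo():
    """Build the sample tree in a temp dir and return the report for it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return flag_tor(root)


if __name__ == "__main__":
    report = demo()
    for p in report["flagged_programs"]:
        print("Program Files:", p)
    for user, profile, ext in report["flagged_extensions"]:
        print("Firefox extension:", user, profile, ext)
```

The full `programs` and `extensions` lists are returned alongside the flagged ones, which is the side benefit rattis mentions: the same run shows everything else users have installed. "Monitor Tool" is in the sample to show why the match is on the whole word rather than the substring.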
March 9, 2010 at 7:24 pm #29917
itg33k (Participant)
Chrisj,
Trust me, these are great ideas that you suggested and they give me a starting point. I’m in the process of compiling a known list of Tor servers, placing a block for outgoing traffic, and will look into an automatic solution for finding Tor plug-ins. If it comes to developing my own tool then this will be a little bit of a new area to me, but as always the best way to learn is when you’re working on a project. This is why these forums are great: they allow other people to give you another set of eyes when trying to figure out a solution.
Thanks again
March 9, 2010 at 11:50 pm #29918
Ketchup (Participant)
I usually do not give users administrative privs on their workstations. They are not able to install software.
You can use Group Policies to restrict which software can and cannot run on your windows boxes. Check out the following link:
March 10, 2010 at 1:23 am #29919
KamiCrazy (Participant)
Letting users install software or make modifications to your software environment is a recipe for disaster, I have found.
Ketchup’s suggestion to use group policy should be standard in a windows environment. I’m not 100% sure how you would lock down plugins though.
The simplest and easiest fix IMO for anonymous tor traffic would be to do this.
1) Have an acceptable use policy where any surfing done at work is susceptible to monitoring. Users are there to perform work not to perform personal matters.
2) Implement a proxy server. All surfing is done through the proxy server.
3) Either purchase a Blue Coat proxy which does MITM of SSL or implement your own whitebox setup with sslstrip/sslsniff etc etc so that you can scan the https traffic going through your network.
4) ???????
5) Profit.
March 10, 2010 at 1:39 am #29920
Ketchup (Participant)
KamiCrazy, isn’t there an executable portion for TOR? If you block that, the plug-in would be useless. Either way, a plug-in is still a file. I would have to test it, but I would think you should be able to block that through a GPO.
March 10, 2010 at 1:51 am #29921
KamiCrazy (Participant)
There is an exe portion to tor; you run the exe and have a plugin for Firefox… but you don’t have to run the exe on the same computer as the plugin. Nor do you need to run the plugin either really….
Anyways fighting tor is basically an arms race. I think doing things like scanning for their proxy list and such isn’t a very good long term strat. Need to fight it closer to the problem.
March 10, 2010 at 4:13 am #29922
rattis (Participant)
@Ketchup wrote:
I usually do not give users administrative privs on their workstations. They are not able to install software.
You can use Group Policies to restrict which software can and cannot run on your windows boxes. Check out the following link:
We’re still fighting this at work. I was able to get a lot of the Admin rights taken out of the boxes, but since we scan books, and the scanners the company went with require admin privileges to run (that’s how the drivers are set up for them), some users.. Well you get the idea.
April 3, 2010 at 9:04 pm #29923
dynamik (Participant)
@chrisj wrote:
We’re still fighting this at work. I was able to get a lot of the Admin rights taken out of the boxes, but since we scan books, and the scanners the company went with require admin privileges to run (that’s how the drivers are set up for them), some users.. Well you get the idea.
Using the Sysinternals tool Process Explorer, you can find what file system and registry permissions the application/driver needs, and you can grant those to users via Group Policy. It is a PITA, and if there’s ever an update or some other change, you often need to go through the process again. Still, it may allow you to revoke admin rights, which could end up causing problems that are even less fun to deal with.