Tor is free, open-source software that lets users browse the internet anonymously. It routes connections through a worldwide network of proxy servers, known as nodes. Tracing traffic sent via Tor is a daunting task, because it travels over encrypted protocols such as HTTPS. Accordingly, determining whether data sent over Tor is legal or not is quite challenging.
Recently, a group of researchers from the Philippines proposed the Proactive Response and Detection for Tor (PReDTOR), a security traffic-analysis tool that monitors outbound Tor traffic across a Local Area Network (LAN) using signature-based and heuristic-based mechanisms. PReDTOR also includes reporting and incident-response features that allow closing a Tor connection and blocking an offending IP address for investigative purposes. Businesses can deploy it alongside their firewall rules and Intrusion Detection System (IDS) to monitor traffic across their networks.
Why is PReDTOR a Unique Tool?
Tracing the origin of Tor traffic is effectively impossible once it has reached the internet; Tor traffic detected within a LAN, however, can be traced back to its origin. Earlier techniques for tracing Tor traffic relied on signature-based mechanisms: known ports and IP addresses were fed to the engine and compared with real-time network traffic, and whenever a match was found the traffic was flagged. These traditional techniques still required the network administrator to verify whether the flagged traffic really was Tor, which made traffic verification a subjective process.
Moreover, the list of IP addresses is not always up to date, so a user can be browsing with Tor without being detected because the exit node in use has not yet been added to the signature-based engine. Most importantly, some of the IP addresses listed in the signature-based engine belong to website servers rather than Tor exit nodes. Accordingly, if IP address matching is the only method for detecting Tor traffic, many false positives will be generated.
PReDTOR: The Proactive Response and Detection for Tor
PReDTOR is a mobile and adaptable system that detects Tor-based traffic patterns in an organization's Local Area Network (LAN) using signature-based and heuristic-based techniques. Severity is determined on the basis of IP addresses, ports and specific TCP behaviors associated with Tor traffic. The design of PReDTOR comprises five modules and two database engines. The modules are the dashboard controller, alert manager, Tor detector, incident response, and archive and reports generator. The database engines are the signature-based database engine and the heuristic-based database engine.
The dashboard controller is the user interface of the software. It has access to the two database engines, to the incident response module (to block and/or blacklist IP addresses) and to report generation. The Tor detector monitors all real-time inbound and outbound network traffic and checks whether any connection matches the flagged patterns in the signature-based and heuristic-based database engines. Whenever a match is found, the severity of the traffic is classified. Traffic of high or very high severity is sent to the alert manager, which notifies the network administrator and blocks the traffic whenever necessary. Blocked IP addresses and network traffic marked as "potential Tor traffic" are archived for documentation.
The Tor detector sends all traffic of high or very high severity to the alert manager module. The module first checks whether the IP address is in the whitelist table and disregards the traffic if it is. Otherwise, the address is passed directly to the incident response module to be blocked. The incident response module stores all IP addresses blocked from using Tor; the administrator can update it at any time, for example to whitelist an IP address whenever needed. All detected Tor traffic is compiled by the archive and reports generator module, together with timestamps and the severity of each detection, so that it can be referred to later.
All IP addresses and ports related to Tor traffic are held in the signature-based engine. The Tor detector module updates this feed daily from the official Tor list of all known Tor IP addresses. The heuristic-based engine contains IDS rules that detect known Tor behavior in packet communication.
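The pipeline described in the last four paragraphs (signature engine fed from an exit-node list, a heuristic rule, severity classification, the whitelist check in the alert manager, blocking by incident response, and a timestamped archive) is small enough to model end to end. The following is an added example written for this page; it is not PReDTOR's own code, and its severity scale, its single heuristic rule (TLS on a non-443 port with no server name in the ClientHello) and its flow-record layout are assumptions chosen for illustration. It also reflects the earlier point about false positives: an IP match alone yields "high", and only corroboration by the default relay ports or the heuristic raises it to "very high". The exit list is a constructed sample using RFC 5737 documentation addresses, in the one-address-per-line format of a typical exit-list feed.

```python
"""Toy model of a PReDTOR-style Tor detection pipeline (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address
from typing import Optional

# Constructed sample in the one-address-per-line feed format. The addresses are
# RFC 5737 documentation ranges, not real Tor relays.
SAMPLE_EXIT_LIST = """# constructed sample, not a real feed
198.51.100.7
203.0.113.42
"""

# Default ORPort/DirPort of a Tor relay; used as the port part of the signature.
TOR_DEFAULT_PORTS = {9001, 9030}


def parse_exit_list(text: str) -> set[str]:
    """Parse the feed: one IP per line, blank lines and '#' comments ignored."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            addrs.add(str(ip_address(line)))  # ValueError on a malformed line
    return addrs


@dataclass
class Flow:
    """One observed connection from a LAN host (constructed record layout)."""
    src: str
    dst: str
    dport: int
    is_tls: bool
    sni: Optional[str]  # server name in the TLS ClientHello, if any


def heuristic_match(flow: Flow) -> bool:
    """Assumed illustrative rule standing in for the heuristic engine:
    TLS on a port other than 443 with no server name in the ClientHello."""
    return flow.is_tls and flow.dport != 443 and flow.sni is None


def classify(flow: Flow, exit_ips: set[str]) -> Optional[str]:
    """Severity scale is an assumption for this example, not the paper's."""
    ip_hit = flow.dst in exit_ips
    port_hit = flow.dport in TOR_DEFAULT_PORTS
    heur = heuristic_match(flow)
    if ip_hit and (port_hit or heur):
        return "very high"   # signature corroborated by port or behavior
    if ip_hit:
        return "high"        # IP-only match: still actionable, but less certain
    if heur:
        return "medium"
    if port_hit:
        return "low"
    return None


@dataclass
class Detector:
    exit_ips: set[str]
    whitelist: set[str] = field(default_factory=set)
    blocked: set[str] = field(default_factory=set)   # incident response store
    archive: list = field(default_factory=list)      # archive and reports store

    def handle(self, flow: Flow) -> Optional[str]:
        sev = classify(flow, self.exit_ips)
        if sev is None:
            return None
        # Every detection is archived with a timestamp for later reporting.
        self.archive.append({"time": datetime.now(timezone.utc).isoformat(),
                             "src": flow.src, "dst": flow.dst, "severity": sev})
        # Alert-manager path: only high/very high reaches incident response,
        # and whitelisted addresses are disregarded.
        if sev in ("high", "very high") and flow.src not in self.whitelist:
            self.blocked.add(flow.src)
        return sev


def run_demo() -> Detector:
    """Feed constructed flows through the pipeline and return the final state."""
    det = Detector(exit_ips=parse_exit_list(SAMPLE_EXIT_LIST),
                   whitelist={"10.0.0.5"})
    flows = [
        Flow("10.0.0.8", "203.0.113.42", 9001, True, None),       # IP + port + heuristic
        Flow("10.0.0.5", "198.51.100.7", 443, True, None),        # IP hit, whitelisted host
        Flow("10.0.0.9", "192.0.2.10", 8443, True, None),         # heuristic only
        Flow("10.0.0.3", "192.0.2.20", 443, True, "example.com"),  # ordinary HTTPS
    ]
    for f in flows:
        det.handle(f)
    return det


if __name__ == "__main__":
    d = run_demo()
    print("blocked:", sorted(d.blocked))
    for entry in d.archive:
        print(entry)
```

Running the demo blocks only 10.0.0.8: the whitelisted host 10.0.0.5 is archived as "high" but never reaches incident response, the heuristic-only flow is archived as "medium" without blocking, and plain HTTPS produces no detection at all. In a real deployment the sample list would be replaced by the daily feed, and the single heuristic by the engine's IDS rules.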