BRKSEC-2011: A little journey…
BRKSEC-2011 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
About Garlic and Onions
We are all looking for privacy on the internet, for one reason or another. This session is about some technologies you can use to anonymise your network traffic, such as Tor (The Onion Router). The first part gives an introduction and explains the underlying technology of Tor. We will look not only at how you can use the Tor Browser for access but also at how the Tor network works. We will learn how you can establish a Tor session and how we can find hidden websites, and give examples of some websites... So we will enter the Darknet together. Besides Tor, we will also take a quick look at other techniques like I2P (Garlic Routing). In the last section we will make a quick sanity check of what security technologies we can use to (maybe) detect such traffic in the network. This presentation is aimed at everyone who likes to learn about anonymization techniques and have a little bit of fun in the Darknet.
Me…
• Domain Fronting
• Detect Tor
• I2P – Invisible Internet Project
• Introduction to Garlic Routing
• Freenet Project
Different Intentions
Hide me from Government!
Hide me from ISP!
Hide me from tracking!
Browser Identity
Proxies
EPIC Browser
Firepower App Detector for Proxy Traffic
VPN
https://thatoneprivacysite.net/vpn-section/
Trust your VPN / Proxy?
https://thebestvpn.com/chrome-extension-vpn-dns-leaks/
• Chrome Browser leaking real IP because of DNS Prefetching
• Despite using a VPN Service…
Tracking VPN & Proxies
Enumerating known VPN & Proxy IPs
The Deep Web / The Dark Web
The (partial) Reality
https://gizmodo.com/the-deep-web-is-mostly-full-of-garbage-1786857267
Bill, stop searching…
About Tor
The Onion router
How is the Tor Network built?
The Tor Browser – Connecting to the Tor Network
Tor Relay
[Diagram: Tor Client, Tor Dir, OR1, OR2, OR3, Web Server; PK OR1, PK OR2, PK OR3]
Tor Client selects 3 random Routers out of all Tor Relays and gets their public keys
[Diagram sequence: the client then establishes a session key with each relay in turn: SK1 with OR1, SK2 with OR2, SK3 with OR3]
Tor Directory Authorities
https://atlas.torproject.org/#search/flag:authority
• Very trusted servers that hold the list of all active Tor relays
• Tor client comes with this predefined list and the corresponding public keys
• Every hour they agree on the most recent list of relays (“voting”)
• They create a document called “consensus”.
• Each DirAuth publishes and signs its own relay list to all other DirAuth
• Tor relays can be “Directory caches” where clients can get an updated version of
the consensus without the directory authorities
List of all Tor Relays
https://torstatus.blutmagie.de/
Flags
Tor Relay
[Diagram: OR1, OR2, OR3]
EXIT_NODE: if you request HTTP, your traffic is visible to the EXIT_NODE
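The layered encryption the circuit slides above describe, as an added example that is not part of the deck: a toy three-hop circuit in Python where each relay peels one layer, learns only its next hop, and only the exit sees the HTTP request in the clear. The hop keys SK1..SK3, the relay names and the SHA-256 keystream standing in for Tor's AES-CTR are assumptions.

```python
import hashlib
import os

# Constructed model of the 3-hop circuit on the slides. A real client
# negotiates SK1, SK2 and SK3 with OR1, OR2 and OR3 one hop at a time;
# here the keys are simply drawn from os.urandom (see make_circuit).

def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy stand-in for Tor's AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def layer(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream: the same call adds or removes one onion layer."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def build_onion(circuit, request: bytes) -> bytes:
    """Wrap a request in one layer per hop.

    circuit: [("OR1", SK1), ("OR2", SK2), ("OR3", SK3)] in path order.
    The innermost layer (OR3) is applied first so OR1 peels the outermost one."""
    cell = b"EXIT|" + request                  # only the exit ever sees this
    for i in range(len(circuit) - 1, -1, -1):
        name, key = circuit[i]
        cell = layer(key, cell)                # encrypt for hop i
        if i > 0:                              # hop i-1 must learn where to forward
            cell = name.encode() + b"|" + cell
    return cell

def relay_peel(key: bytes, cell: bytes):
    """One relay removes its layer; it learns only the next hop."""
    plain = layer(key, cell)
    next_hop, _, inner = plain.partition(b"|")
    return next_hop.decode(), inner

def looks_like_plaintext(data: bytes) -> bool:
    """Crude test for whether a relay could read the payload (printable ASCII)."""
    return all(b in (9, 10, 13) or 32 <= b < 127 for b in data)

def run_circuit(circuit, request: bytes):
    """Push a request through the circuit.

    Returns ([(relay, next_hop, payload_readable), ...], payload the exit sends)."""
    cell = build_onion(circuit, request)
    view = []
    for name, key in circuit:
        next_hop, cell = relay_peel(key, cell)
        view.append((name, next_hop, looks_like_plaintext(cell)))
    return view, cell

def make_circuit():
    """Three relays with fresh hop keys (stand-in for the per-hop handshakes)."""
    return [(f"OR{i}", os.urandom(16)) for i in (1, 2, 3)]

if __name__ == "__main__":
    view, payload = run_circuit(make_circuit(), b"GET / HTTP/1.1\r\nHost: example.com\r\n")
    for name, next_hop, readable in view:
        print(f"{name}: forwards to {next_hop}, payload readable: {readable}")
    print("exit sends:", payload)
```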
Tor Browser - Don’t leak information!
Do your own spylink ☺
Tor Exit Relay List
https://check.torproject.org/cgi-bin/TorBulkExitList.py
Customizing Tor
Customizing Tor (2)
Define Geolocation of your ExitNodes
Customizing Tor (3)
Customizing Tor (4) – some settings for torrc
DNS for access to well known websites
[Diagram: OR1, OR2, OR3, DNS Server]
DNS Leaking for access to cleartext websites
https://nymity.ch/tor-dns/
• ISP Resolver
• Traversing the least amount of AS
• Own Resolver
• QNAME Minimization
1.1.1.1 - DNS over Tor
https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/
Bridges
Custom Bridges
Fingerprint
IP & Port
Hidden Websites - ”.onion” links
http://xmh57jrzrnw6insl.onion/
DEMO: Some websites in the Darknet….
Some links
• Tor Mailbox: http://torbox3uiot6wchz.onion/
• Torch: http://xmh57jrzrnw6insl.onion/
• The Hidden Wiki: http://zqktlwi4fecvo6ri.onion/wiki/Main_Page
• Imperial Library of Trantor: http://xfmro77i3lixucja.onion/
• DuckDuckGo: https://3g2upl4pq6kufc4m.onion/
• The Federalist Paper (Onion v3 Service): http://vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion/
Facebook via Tor
Onionrouting
[Diagram on each step: Onion server, Introduction point, Rendezvous point, HS Directory server, Client]
Setup hidden service (create public and private key) and create a circuit to chosen Introduction point(s)
Onionrouting (2)
Publish hidden service in six of the directory servers. The servers are calculated based on a function including the consensus status document and the “.onion” address. Repeat once a day (different HSDirs…)
Onionrouting (3)
Client asks one of the directory servers for the hidden service. Client gets the public key and the Introduction Points for that service.
Onionrouting (4)
[Diagram only]
Onionrouting (5)
[Diagram labels: message, secret, on the path from the Client to the Introduction point]
Onionrouting (7)
Server builds a circuit to the RP, providing the one-time secret from the client
Onionrouting (8)
[Diagram only]
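The Onionrouting steps above as a message-flow simulation in Python, added here and not the deck's or Tor's code. The classes, the relay names and the stand-in "public key" check (a hash compared by value instead of real encryption) are constructed; only the .onion derivation follows the v2 rule the deck quotes on the HSDir slide (first 80 bits of the SHA-1 of the public key).

```python
import base64
import hashlib
import os

# Constructed toy model of the v2-style setup and rendezvous steps on the slides.
# The "public key" is a hash of a random secret and an INTRODUCE cell "encrypted
# to the service" is checked by comparing that value, so the message flow, not
# the cryptography, is what this code shows. Names and classes are made up.

def onion_address(public_key: bytes) -> str:
    """v2 rule from the deck: first 80 bits of SHA-1 of the public key, base32."""
    return base64.b32encode(hashlib.sha1(public_key).digest()[:10]).decode().lower() + ".onion"

class HSDirectory:
    """HS Directory server: descriptors keyed by .onion address (steps 2 and 3)."""
    def __init__(self):
        self.descriptors = {}
    def publish(self, onion, descriptor):
        self.descriptors[onion] = descriptor
    def lookup(self, onion):
        return self.descriptors.get(onion)

class IntroductionPoint:
    """Forwards INTRODUCE cells to the service that built a circuit here (steps 1, 5)."""
    def __init__(self, name):
        self.name, self.services = name, {}
    def accept_circuit(self, onion, service):
        self.services[onion] = service
    def introduce(self, onion, cell) -> bool:
        service = self.services.get(onion)
        return service is not None and service.on_introduce(cell)

class RendezvousPoint:
    """Splices the two circuits that present the same one-time secret (steps 4, 7, 8)."""
    def __init__(self, name):
        self.name, self.waiting = name, {}
    def establish(self, cookie, client):
        self.waiting[cookie] = client
    def rendezvous(self, cookie, service_stream) -> bool:
        client = self.waiting.pop(cookie, None)  # one-time: a reused cookie fails
        if client is None:
            return False
        client.joined(service_stream)
        return True

class OnionService:
    def __init__(self, hsdir, intro_points):
        self.private = os.urandom(32)
        self.public = hashlib.sha256(b"pub" + self.private).digest()  # toy keypair
        self.onion = onion_address(self.public)
        for ip in intro_points:                      # step 1: circuits to intro points
            ip.accept_circuit(self.onion, self)
        hsdir.publish(self.onion, {"public": self.public,  # step 2: publish descriptor
                                   "intro": [ip.name for ip in intro_points]})
    def on_introduce(self, cell) -> bool:
        if cell["to"] != self.public:                # only the real service can "open" it
            return False
        # step 7: circuit to the RP, presenting the client's one-time secret
        return cell["rp"].rendezvous(cell["cookie"], f"stream:{self.onion}")

class Client:
    def __init__(self, hsdir, intro_points, rendezvous_points):
        self.hsdir, self.rps, self.stream = hsdir, rendezvous_points, None
        self.ips = {ip.name: ip for ip in intro_points}
    def joined(self, stream):
        self.stream = stream                         # step 8: circuits spliced at the RP
    def connect(self, onion):
        desc = self.hsdir.lookup(onion)              # step 3: fetch descriptor
        if desc is None:
            return None
        rp, cookie = self.rps[0], os.urandom(20)     # step 4: choose RP, one-time secret
        rp.establish(cookie, self)
        cell = {"to": desc["public"], "rp": rp, "cookie": cookie}  # step 5: INTRODUCE
        return self.stream if self.ips[desc["intro"][0]].introduce(onion, cell) else None

def build_network():
    """Wire up one service, two intro points and one RP; return (service, client)."""
    hsdir = HSDirectory()
    ips = [IntroductionPoint("intro-A"), IntroductionPoint("intro-B")]
    service = OnionService(hsdir, ips)
    return service, Client(hsdir, ips, [RendezvousPoint("rp-1")])
```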
DEMO: Onionshare
#1 HSDir Hash Function
[Diagram: Desc ID0 maps onto HSDirn, HSDirn+1, HSDirn+2]
FIRST 80 bits of the SHA1 of the 1024 bit Public Key
http://xmh57jrzrnw6insl.onion/
- Predict the selected HSDir relay at a certain point in time….
- If you are the selected HSDir, you can control access or monitor connections for statistics
#2 Protocol leaking
Onion server
http://xmh57jrzrnw6insl.onion/
Onion Service v3
https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt
a) Better crypto
(replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519)
b) Improved directory protocol leaking less to directory servers.
c) Improved directory protocol with smaller surface for targeted attacks.
d) Better onion address security against impersonation
e) More extensible introduction/rendezvous protocol
f) A cleaner and more modular code base
#1 HSDir Hash Function with Onion Service v3
https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt
#2 Protocol leaking with Onion Service v3
The Descriptor is signed by a subkey that prevents the HSDir Server from deriving the real .onion address.
Only the client, who knows the real .onion address, can derive the real public key.
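An added example (not from the deck) of what a v3 address carries, following the rend-spec-v3 document linked above: the ed25519 public key, a two-byte SHA3-256 checksum and a version byte, base32-encoded into 56 characters. The sample key is constructed; the classifier also recognises the 16-character v2 form used by most links earlier in the deck.

```python
import base64
import hashlib

# Added helper, not from the deck. Layout per rend-spec-v3:
#   onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
VERSION = b"\x03"

def checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]

def encode_v3(pubkey: bytes) -> str:
    """32-byte ed25519 public key -> 56-character v3 address."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + checksum(pubkey) + VERSION          # 35 bytes = 56 base32 chars
    return base64.b32encode(raw).decode().lower() + ".onion"

def strip_suffix(address: str) -> str:
    name = address.strip().lower()
    return name[:-6] if name.endswith(".onion") else name

def decode_v3(address: str) -> bytes:
    """Validate length, version and checksum; return the embedded public key."""
    name = strip_suffix(address)
    if len(name) != 56:
        raise ValueError("not a v3 address (56 base32 characters expected)")
    raw = base64.b32decode(name.upper())
    pubkey, chk, ver = raw[:32], raw[32:34], raw[34:]
    if ver != VERSION:
        raise ValueError("unexpected version byte")
    if chk != checksum(pubkey):
        raise ValueError("checksum mismatch: typo or altered address")
    return pubkey

def classify(address: str) -> str:
    """'v2' (16 chars, SHA-1 based), 'v3', 'v3-invalid' or 'unknown'."""
    name = strip_suffix(address)
    if len(name) == 16:
        return "v2"
    if len(name) == 56:
        try:
            decode_v3(name)
            return "v3"
        except ValueError:
            return "v3-invalid"
    return "unknown"
```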
DEMO: Some more websites in the Darknet….
Obfuscation
Pluggable Transport
https://www.pluggabletransports.info/
Tor Pluggable Transport (PT)
[Diagram: Client App -> loopback -> PT Client (Socks) -> obfuscated traffic -> PT Client (Socks) -> loopback -> Server App]
Tor Pluggable Transport (PT)
https://www.torproject.org/docs/pluggable-transports.html.en
• Obfs2
  • Uses an additional encryption layer to obfuscate. The key is exchanged in cleartext.
• Obfs3
  • Negotiation of a DH key for obfuscation. Not resistant to active probing.
• Obfs4
  • Authenticates with a pre-shared key, distributed out-of-band. Resistant against active probing. Obfuscates with DHE.
• Meek
  • Obfuscates in HTTP and TLS, leveraging domain fronting
Domain Fronting
Domain Fronting – the concept
https://www.bamsoftware.com/papers/fronting/
DNS: A www.google.com
TLS: SNI: www.google.com
HTTP: ….. Host: www.evilrats.com
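How a decrypting proxy can spot the SNI/Host mismatch shown above, as an added Python example that is not part of the deck. The log format, the sample lines and the two-label registrable-domain approximation are assumptions; the google/evilrats pair mirrors the slide.

```python
import re
from dataclasses import dataclass

# Constructed detection helper, not from the deck. Assumes a decrypting proxy
# writes one line per request with the TLS SNI and the HTTP Host header.

LOG_RE = re.compile(r"src=(?P<src>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+)")

@dataclass
class Flow:
    src: str
    sni: str   # server_name in the ClientHello: what the network sees
    host: str  # HTTP Host header: what the CDN routes on, seen only after decryption

def parse(line: str):
    """Return a Flow for a well-formed line, None otherwise."""
    m = LOG_RE.search(line)
    return Flow(**m.groupdict()) if m else None

def registrable(name: str) -> str:
    """Last two labels as a stand-in for the registrable domain (assumption:
    no public-suffix list, so names under e.g. co.uk would need one)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_fronted(flow: Flow) -> bool:
    """Fronting shows up as SNI and Host under different registrable domains."""
    return registrable(flow.sni) != registrable(flow.host)

def find_fronting(lines):
    """Return the flows whose Host header does not match their SNI."""
    return [f for f in map(parse, lines) if f is not None and is_fronted(f)]

# Constructed sample log; the second line is the slide's example.
SAMPLE_LOG = [
    "src=10.0.0.5 sni=www.google.com host=www.google.com",
    "src=10.0.0.5 sni=www.google.com host=www.evilrats.com",
    "src=10.0.0.7 sni=cdn.example.net host=assets.example.net",
    "unrelated line without the expected fields",
]

if __name__ == "__main__":
    for hit in find_fronting(SAMPLE_LOG):
        print(f"{hit.src}: SNI {hit.sni} but Host {hit.host}")
```

Without decryption only the SNI side of this comparison exists on the wire, which is why the technique works against a passive observer.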
Domain Fronting with Tor
Google and Amazon on Domain Fronting
https://arstechnica.com/information-technology/2018/05/amazon-blocks-domain-fronting-threatens-to-shut-down-signals-account/
Snowflake
https://snowflake.torproject.org/
Leveraging WebRTC
Broker access via different methods: domain-fronted, DNS over HTTPS ☺
Using snowflake
Snowflake is just another PT to select
Detecting Tor
A Sample Tor Request
The TLS Client hello
The TLS Server hello
The Certificate, decoded…
The other two relay nodes
Port 9001
Self-signed….
The other two relay nodes
This is further evidence that Tor does not really care about the content of the TLS certificates ☺
Tor Relay Certificates
Detecting Tor
WSA - Decryption Policy
Categories
“Pass Through” will still check for certificate errors!
Invalid certificate or expired certificate on the server will fail the “Pass through”
WSA - Certificate Error Handling
Default values provide a good balance between security and user experience
Remember: EUN in case of a “Drop” requires “Decryption for EUN”!
“Drop”: log the certificate error in the access log, decrypt and display the EUN
“Decrypt”: log the certificate error in the access log, decrypt with a purposely “invalid” certificate and let the client decide whether it accepts the connection.
“Monitor”: don’t do anything, it’s all on the client to decide…
WSA Logs
1513893450.780 65269 192.168.178.55 TCP_MISS/502 39 CONNECT tunnel://85.31.186.98:443/ "tmayer@TOBYLAB" DIRECT/85.31.186.98 - DECRYPT_WEBCAT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE <nc,-3.5,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,nc,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> - AUTHM: BASIC DestIP: 85.31.186.98 UAG: - REF: - AUTH: 0 DNS: 0 REP: 925 SFBR: 0 CFBWR: 1176
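Parsing the access-log line above and checking its tunnel destination against a Tor relay list, as an added Python example (not the deck's or Cisco's code). The field layout is read from the line itself; the relay set is constructed for the demo (in practice it would be filled from the exit-list and relay-status pages linked earlier in the deck) and the port-9001 check is only a weak secondary heuristic.

```python
import re

# Constructed helper, not Cisco's or the deck's code. WSA_LINE is the line on
# the slide; TOR_RELAYS is a constructed lookup set and 9001 is the ORPort
# seen on the relay slides, used as a weak secondary indicator only.

WSA_RE = re.compile(
    r'^(?P<ts>\S+) (?P<elapsed>\d+) (?P<client>\S+) (?P<result>[A-Z_]+)/(?P<status>\d+) '
    r'(?P<bytes>\d+) (?P<method>\S+) (?P<url>\S+) "(?P<user>[^"]*)" '
    r'(?P<hier>[A-Z_]+)/(?P<dest>\S+) (?P<mime>\S+) (?P<tag>\S+)')
TUNNEL_RE = re.compile(r'^tunnel://(?P<host>[^:/]+):(?P<port>\d+)/')
DESTIP_RE = re.compile(r'DestIP: (?P<ip>\S+)')

TOR_RELAYS = {"85.31.186.98"}  # constructed for the demo
TOR_ORPORT = 9001

WSA_LINE = (
    '1513893450.780 65269 192.168.178.55 TCP_MISS/502 39 CONNECT tunnel://85.31.186.98:443/ '
    '"tmayer@TOBYLAB" DIRECT/85.31.186.98 - DECRYPT_WEBCAT_7-DEC.TOBYLAB-ID.TOBYLAB-NONE-NONE-NONE-NONE '
    '<nc,-3.5,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,nc,-,"-","-","Unknown","Unknown","-","-",'
    '0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> - AUTHM: BASIC DestIP: 85.31.186.98 UAG: - '
    'REF: - AUTH: 0 DNS: 0 REP: 925 SFBR: 0 CFBWR: 1176'
)

def parse_wsa(line: str):
    """Split the Squid-style leading fields; return None if the line does not match."""
    m = WSA_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    t = TUNNEL_RE.match(rec["url"])
    rec["dest_host"] = t["host"] if t else None
    rec["dest_port"] = int(t["port"]) if t else None
    d = DESTIP_RE.search(line)
    rec["dest_ip_field"] = d["ip"] if d else None
    return rec

def tor_indicators(rec, relays=TOR_RELAYS):
    """Return the reasons a record looks Tor-related (empty list = nothing found)."""
    reasons = []
    if rec["dest"] in relays or rec["dest_ip_field"] in relays:
        reasons.append("destination is a known Tor relay")
    if rec["dest_port"] == TOR_ORPORT:
        reasons.append("destination port is the default ORPort 9001")
    if rec["method"] == "CONNECT" and rec["tag"].startswith("DECRYPT") and rec["status"] == 502:
        reasons.append("CONNECT under a decryption policy ended with 502")
    return reasons

def scan(lines, relays=TOR_RELAYS):
    """Return (client, destination, reasons) for every parseable line with a hit."""
    hits = []
    for line in lines:
        rec = parse_wsa(line)
        if rec:
            reasons = tor_indicators(rec, relays)
            if reasons:
                hits.append((rec["client"], rec["dest"], reasons))
    return hits

if __name__ == "__main__":
    for client, dest, reasons in scan([WSA_LINE]):
        print(client, "->", dest, ":", "; ".join(reasons))
```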
WSA Logs
(Invalid Leaf Certificate set to “Decrypt”)
Tor and WSA
Add Rules to FTD for Certificate Checking
[Screenshot: rules that Block on Self-signed Certificate and on Certificate Errors]
FTD and Tor
Some relays are detected and classified as Tor Traffic
FTD and Tor (2)
Cognitive Analytics
[Diagram: Proxy -> (Time | IP | URL | User Agent | …) -> Cisco Cognitive Threat Analytics (CTA)]
CTA and WSA – Tor detection
Distinguishes Tor by timing, sequences, and recognition of hidden IPs
Tor and Stealthwatch
Tor and Stealthwatch with Cognitive
Tor and AMP for Endpoints
The responsible IOC for the Tor process
Tor and AMP for Endpoints (2)
“Onionshare” created “Tor.exe”
Tor and AMP for Endpoints (3)
Tor and AMP for Endpoints (4)
Tor and CTR
Other Apps with Tor
Embedded Tor in Browser
https://brave.com/
TorChat
Enterprise Onion Toolkit
• https://blog.torproject.org/volunteer-spotlight-alec-helps-companies-activate-onion-services
• https://open.nytimes.com/https-open-nytimes-com-the-new-york-times-as-a-tor-onion-service-e0d0b67b7482
DEMO: SSH over Tor
SSH Server behind Tor ☺
HiddenServiceAuthorizeClient
Tor hidden service with authentication
In the server torrc file (choose “basic” or “stealth”):
HiddenServiceDir /var/lib/tor/myssh
HiddenServiceAuthorizeClient basic myclient
HiddenServicePort 3221 12223
After restart of the tor service:
# cat /var/lib/tor/myssh/hostname
keesh0ahGh6lahbe.onion auliech8bu7aighaiv4aiW # client: myclient
In the client torrc file:
HidServAuth keesh0ahGh6lahbe.onion auliech8bu7aighaiv4aiW
Tails
• https://tails.boum.org
• Secure OS based on modified Linux
• Only communicates outside via Tor
• Has Thunderbird, Pidgin IM, etc. already preconfigured
Summary of Tor usage guidelines
Basic security:
• Disable automatic launch of scripts by using setting of “safest”
How the SILK ROAD owner was revealed
• Ross’s YouTube channel and Google Plus page included links to the Mises Institute, an Austrian blog that published content related to economic theory. On the Silk Road forum, DPR also backlinked to the Mises Institute and shared the site’s content there. In one of these posts he mentioned that his time zone is PT, i.e. the Pacific Time zone.
• Ross posted on Stack Overflow the question “How can I connect to a Tor hidden service using curl in PHP?”. Initially, Ross posted the question using an account aliased with his real name, yet less than a minute later the account’s alias was changed to “frosty”.
• Ross bought 9 fake identification documents that included his real picture, yet different names. US border customs intercepted the package, which had been shipped from Canada to Ross’s apartment in San Francisco.
I2P – Invisible Internet Project
https://geti2p.net/en/
Inbound and Outbound Tunnels
I2P – Technology
[Diagram: NetDB lists Alice: 1,2; Simon: 3,4; Bob: 5,6 (tunnel IDs); Inbound Tunnels and Outbound Tunnels between Alice, Simon and Bob]
NetDB
Initialization
Garlic Routing
Garlic Cloves
I2P – Joining the network
NetDB
I2P – Building a tunnel
NetDB
I2P – Building a connection
CONNECT Tunnel
NetDB
I2P – Encryption
Garlic
I2P – shared Tunnels
I2P
I2P recommends opening a hole in your firewall for incoming traffic (udp/<random>, tcp/<random>); this dramatically improves performance.
Things to do…
Firepower & I2P (default config)
Stealthwatch & I2P (default config)
I2P on AMP for Endpoints
I2P on Cisco Threat Response
More Infos about I2P
• https://www.cdc.informatik.tu-darmstadt.de/fileadmin/user_upload/Group_CDC/Documents/Lehre/SS13/Seminar/CPS/cps2014_submission_4.pdf
• https://geti2p.net/en/docs/how/tech-intro
• http://hor6372x6soyyts2.onion/mirrors/HiddenWikiClean/A_Radical's_Introduction_to_Anonymity.html#Weaknesses
Freenet Project
Freenet protocol, on a high level
Request file or site
Freenet with Umbrella
CTR: one of the seed IPs of Freenet
Freenet and Stealthwatch
Freenet and Firepower
“Darknet” mode – connect to a friend directly
Freenet Project
• https://en.wikipedia.org/wiki/Freenet
• https://freenetproject.org/pages/about.html
Conclusion
• Blocking Tor completely is very hard, but a check on TLS certificate errors can provide some decent blocking & visibility for enterprises
• A combination of NetFlow analysis, anomaly detection & certificate checking on the gateways is probably your best bet
• Leverage Stealthwatch with CTA and ETA
• Combine it with AMP for Endpoints for further analysis and visibility
• Other tools like I2P and Freenet exist, but their purpose is to exchange information, not so much to anonymize your browsing
• I2P optimizes performance over special ports that need to be open
• No support for web proxies with I2P
• Port-forwarding on firewalls is recommended for I2P -> cumbersome to use within corporate environments
• Freenet’s purpose is sharing information with the public
Result check for our intentions
Hide me from Government!
Hide me from ISP!
Hide me from tracking!
Continue your education
Thank you