Cyber intelligence units are developing tools and applications for deep inspection of the hidden web, with the intent of stealing classified secret documents of a potential adversary and of maintaining control over cybercrime and terrorist activities and communications.
Let’s start from the beginning: which metrics are available to analyze the status of the Tor network?
The Tor Metrics Portal provides a set of useful instruments to monitor the workload of the Tor network; it offers a complete collection of tools and documentation for statistical analysis of the activity of relays and bridges.
The main areas covered by the metrics are:
- statistics on the network of relays and bridges
- statistics on the number of users accessing the network
- statistics on the number of packages requested from GetTor
- a collection of active and passive performance measurements of the Tor network
As we will demonstrate, the metrics can also be used for intelligence purposes: for example, by analyzing the principal network metrics it is possible to investigate the deployment of monitoring systems inside a country for censorship purposes. Recently, in many areas of the planet, such systems have been used to suppress media protest and to persecute dissidents, preventing the circulation of inconvenient information outside the country. This has happened, for example, in Syria and in Iran, countries where control of the web is a major concern of the government. These situations are an expression of the political suffering of a country and can give analysts a further element of evaluation.
Tor protects users against traffic analysis using a network of onion routers (also called relays), managed by volunteers, which allow anonymous outbound traffic and the creation of anonymous hidden services. Bridge relays are Tor relays that aren't listed in the main Tor directory. They are commonly used when Internet Service Providers (ISPs) filter connections to all the known Tor relays. It is important to note that, to access a bridge directly, it is necessary to know its address.
The Network section of the Tor Metrics Portal provides much information about the composition of the network; in particular, with the available statistics it is possible to analyze:
- the average daily number of relays and bridges in the network
- the average daily number of relays by country
- relays with Exit, Fast, Guard, and Stable flags
- relays by version
- relays by platform
- total relay bandwidth in the network
- relay bandwidth by Exit and/or Guard flags
- number of bytes spent on answering directory requests
The portal also provides statistics on the number of users that access the Tor network via bridges to evade the monitoring systems put in place by governments for surveillance purposes. This data can give an indication of the local government's response to dissident communications.
The following graph displays an estimate of Tor users via bridges, based on the unique IP addresses seen by a few hundred bridges.
Figure 1 - Bridge users from all countries
The Portal collects data about the Tor network and produces graphical representations of the analyses performed; for example, it can be interesting to monitor a critical area and the population's access to the Tor network. In these days, for example, in Syria a dictatorial regime is suppressing the opponents of the government with military attacks, and at the same time it is using technological applications to prevent the population from transmitting information about the repression out of the country. The cyber experts of president Bashar al-Assad have also used several types of RAT (Remote Administration Tool) to persecute dissidents.
Let’s analyze the number of directly connecting users from the region in the last months.
Figure 2 - Connecting users during the Syrian protests
The above graph covers the period between December 2011 and May 2012 and shows the progressive usage of the network in concomitance with political events. Very interesting is a beta feature of the web site that plots possible censorship events on the same graph in a different color.
Users connected to the Tor network need to regularly refresh their list of running relays. To save the bandwidth of the directory authorities, users send their requests to one of a few hundred directory mirrors; counting the number of requests makes it possible to estimate the number of connected users. The graph provides an estimate of recurring Tor users based on the number of requests received by a few dozen directory mirrors.
Similar information could be used by intelligence services to monitor the political evolution of specific areas.
The metrics page also provides the list of the Top-10 countries by directly connecting users and, in beta version, the Top-10 countries by possible censorship events.
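The estimation and the censorship-event flagging described above, as an added example that is not code from the Tor Metrics Portal or the Tor project: it converts daily directory-request counts into an estimated user count with an assumed requests-per-user factor, then flags days whose estimate falls sharply below the median of the previous week, which is the kind of sudden drop an analyst would want surfaced. The daily counts and the factor of 10 are constructed assumptions, not the portal's calibrated values.

```python
"""Estimate daily Tor users from directory-request counts and flag
possible censorship events as sudden drops against a rolling baseline.

Added example, not code from the Tor Metrics Portal. The conversion
factor REQUESTS_PER_USER_PER_DAY and the sample counts below are
assumptions constructed for illustration only.
"""
from statistics import median

# Assumption: each recurring client fetches roughly this many directory
# documents per day; the real portal uses its own calibrated factor.
REQUESTS_PER_USER_PER_DAY = 10

# Constructed sample: directory requests seen by the mirrors per day for
# one country, with a sharp drop over the last three days.
SAMPLE_REQUESTS = [
    ("2012-05-20", 41000), ("2012-05-21", 39500), ("2012-05-22", 42300),
    ("2012-05-23", 40100), ("2012-05-24", 43800), ("2012-05-25", 38900),
    ("2012-05-26", 40600), ("2012-05-27", 4100), ("2012-05-28", 900),
    ("2012-05-29", 700),
]


def estimate_users(requests):
    """Convert a directory-request count into an estimated user count."""
    return requests / REQUESTS_PER_USER_PER_DAY


def detect_drops(series, window=7, ratio=0.5):
    """Flag days whose estimated users fall below `ratio` times the median
    of the previous `window` days.

    The median (rather than the mean) keeps the baseline stable even when
    the window already contains one or two blocked days.
    Returns a list of (date, estimated_users, baseline) tuples.
    """
    users = [(day, estimate_users(count)) for day, count in series]
    events = []
    for i in range(window, len(users)):
        baseline = median(u for _, u in users[i - window:i])
        day, estimate = users[i]
        if baseline > 0 and estimate < ratio * baseline:
            events.append((day, estimate, baseline))
    return events


if __name__ == "__main__":
    for day, estimate, baseline in detect_drops(SAMPLE_REQUESTS):
        print(f"{day}: ~{estimate:.0f} users, baseline ~{baseline:.0f} "
              f"-> possible censorship event")
```

With the constructed series the last three days are flagged; the first seven days form the baseline window and produce no events on their own.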
Figure 3 - Top-10 countries by directly connecting users
The GetTor functionality allows users to fetch the Tor software via email; one of the metrics proposed on the portal shows the number of packages requested from GetTor daily.
Crossing this information with the statistics about network usage, and in particular those related to access through Tor bridges, it is possible to verify the real motives behind the use of the network: from the increase in accessing users and in the number of bridges it is fair to conclude that the intended audience is confronted with some form of censorship.
Figure 4 - Number of packages requested from GetTor daily
The portal also contains a set of graphs on the performance of the Tor network, such as the following:
Figure 5 - Performance indicators
The Ethiopian Telecommunication Corporation, the sole telecommunication service provider of the country, has deployed, for testing purposes, Deep Packet Inspection (DPI) of all Internet traffic.
Let’s try together to use the metrics to verify the existence of monitoring systems. Let’s set the time interval from the beginning of the year to date.
Figure 6 - Ethiopia Tor network usage
It is easy to see that in the last week of May the Tor network was not accessible from the country, even when trying to use bridged access: evidence of the presence of a Deep Packet Inspection filtering system.
Websites such as https://gmail.com/, https://facebook.com/, https://twitter.com/, and even https://torproject.org/ continue to work. The graphs below show the effects of this deployment of censorship based on Deep Packet Inspection:
Technically, the filtering is done by interfering with the handshake between Tor clients and bridge servers, blocking the “TLS server hello” messages sent by the Tor bridges in response to a “TLS client hello”.
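The interference described above leaves a recognizable trace in a capture: the client's TLS record carrying a ClientHello goes out, and no record carrying a ServerHello comes back. The following added example (not code from the original article, the Tor project or the Ethiopian operator) parses only the TLS record header and the handshake type byte of each captured direction and classifies the exchange as completed or interrupted, which is the check a measurement client would run to confirm that bridges are being blocked at the handshake. The byte strings are constructed minimal records, not real captures.

```python
"""Classify a captured Tor bridge TLS handshake as completed or interrupted.

Added example, not code from the original article or the Tor project.
Only the 5-byte TLS record header and the handshake type byte are parsed;
the sample records below are constructed for illustration.
"""
import struct

HANDSHAKE = 0x16       # TLS record content type for handshake messages
CLIENT_HELLO = 1       # handshake message type values from the TLS spec
SERVER_HELLO = 2


def parse_records(data):
    """Return a list of (content_type, version, handshake_type) for every
    complete TLS record in `data`; handshake_type is None for non-handshake
    records. Parsing stops at the first truncated record."""
    records = []
    pos = 0
    while pos + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + length]
        if len(body) < length:
            break  # record cut off, e.g. connection reset mid-record
        htype = body[0] if (ctype == HANDSHAKE and body) else None
        records.append((ctype, version, htype))
        pos += 5 + length
    return records


def classify_handshake(client_to_server, server_to_client):
    """Return 'completed', 'no_server_hello' or 'no_client_hello'.

    'no_server_hello' is the signature of the filtering described in the
    article: the ClientHello was sent but no ServerHello ever arrived.
    """
    sent = parse_records(client_to_server)
    received = parse_records(server_to_client)
    if not any(ct == HANDSHAKE and ht == CLIENT_HELLO for ct, _, ht in sent):
        return "no_client_hello"
    if any(ct == HANDSHAKE and ht == SERVER_HELLO for ct, _, ht in received):
        return "completed"
    return "no_server_hello"


def _handshake_record(htype, payload):
    """Build a constructed TLS 1.0 handshake record: record header, then
    handshake type, 3-byte handshake length and the payload."""
    body = bytes([htype]) + len(payload).to_bytes(3, "big") + payload
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(body)) + body


# Constructed samples: hello messages with a version field and zeroed
# 32-byte random, enough for header parsing and nothing more.
SAMPLE_CLIENT_HELLO = _handshake_record(CLIENT_HELLO, b"\x03\x01" + b"\x00" * 32)
SAMPLE_SERVER_HELLO = _handshake_record(SERVER_HELLO, b"\x03\x01" + b"\x00" * 32)


if __name__ == "__main__":
    print("normal bridge:", classify_handshake(SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO))
    print("filtered bridge:", classify_handshake(SAMPLE_CLIENT_HELLO, b""))
```

Run against real captures, the same classifier distinguishes a bridge that is merely down (no ClientHello could even be sent because the TCP connection failed) from one whose ServerHello is being dropped on the path, which is the case the article documents.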