tags : VPN, TOR, Networking

What about it?

It’s almost impossible to be 100% anonymous on the internet. You have to understand who you want to hide from and be creative about it. There’s no “do this, do that, and boom you’ll be anonymous”.

If you upto some mischief, it’s better to create a total different identity or even no identity at all. Trying to hide your original identity is not likely the best plan because if anything leaks, they already know who your are in the real world.

Whether you want to be anonymous for privacy or to some mischief, in both of these cases, it’s not about being undetected. It’s about being anonymous. It’s about not using anything that can be traced back to you. But like I said, that’s extremely difficult and you’ll have to be both creative and careful.

Things like TOR will help you increase your privacy but they by itself will not provide you anonymity. On top of that, it’s a known fact that bad actors maintain tor nodes. You ISP can still know that you’re using TOR, you can use obfuscation of some sort but there’s no 100% guarantee that you’ll be anonymous with it.

It comes down to statistics. Using a VPN you are using 1 entity. With Tor, you can be assured that your attacker needs to monitor more than some % of the network (which can be done either by running nodes themselves or having a wide view of netflow data). Alphabet soup agencies are capable of this.

In other words, If you’re that concerned about hiding your tor usage from your ISP you probably shouldn’t be using your home wifi to access tor. Eg. Ross used the same public wifi when he was running the silk road. He never thought to hack into wifi and connect from a distance, and keep moving around. Things like Clearview AI exist.

What about VPN and TOR

If anything, just know that VPN+TOR is not a good idea. I’ve written about it in my TOR page.

Even multi-hop is not enough to hide your IP. There are timing correlation attacks, you need to build a system with jitter and randomness to somewhat hide your IP.

Tor is just a layer. You still have to take measures to separate your identity from the device, the behavior, and the location. When tor falls, the next question is “what do they see?” You have control over that.

Censorship v/s Anonymity

These are different things.

  • Level1: Running your own resolver
    • Can help if your ISP is returning bad results. You can get ‘real ones’ with this.
    • This will not help if the ISP is hijacking your DNS queries because they are unencrypted.
    • Using DNSSEC at best can help you ensure you’re getting correct responses but it’s not widely adopted.
  • Level2: DNS Lookups via encrypted DNS Protocols
    • DNS over HTTPS, DNS over TLS, DNS over QUIC, dnscrypt.
    • This can help but SNI is a bitch.
  • Level3: Use double blinded DNS like ODoH, anonymised-dnscrypt, DNS over TOR etc.
    • These types of lookup make your initial connection to an intermediate node before asking for DNS requests so that even the ultimate resolver doesn’t know who asked for a certain domain, they only know the intermediate’s IP address.
  • Level4: What if ISP is blocking on IP
    • If ISP is blocking IPs, even if you get the correct DNS response, you won’t be able to use the IP only.
    • In this case, VPNs can be your friend. If they are also short lived you can use a VPN/Proxy which is obfuscated. Things like Shadowsocks, V2Ray, Cloak etc.
  • Taken from this nice post on reddit
  • Welcome to GFW.Report

Obfuscation

Obfuscation of encrypted data is best explained by this snippet I found on reddit.

This is not entirely true. VPNs encrypt the data, yes, but your ISP can still “fingerprint” your traffic. Web browsing or streaming Netflix has a very, very different signature and behavior pattern than the Bittorrent protocol.

So while your ISP cannot see WHAT you are torrenting, if they have DPI hardware installed (most large ISPs do) they can most definitely tell at a high-level what you’re doing - Netflix, Bittorrent, etc.

Think of it like this - if you wrap a bicycle and mail it to someone, the post office knows it’s a bicycle. They don’t know what brand it is and they can’t see the serial number to determine if it’s stolen, but they know you’re sending a bike from your house to the destination address.

This is why OpenVPN obsfucation can bypass the Great Firewall of China, it makes the traffic look random so it doesn’t match the fingerprint patterns DPI hardware looks for. It would be like breaking the bike up into individual parts, then puting each part into a nondescript box, then wrapping and mailing those parts at random intervals.

How do hackers remain undetected?

Ofcourse there’s no definite answer to this but here are some ideas I found on the internet, some of them are funny. It boils down to a Layered approach, Good OpSec, good traffic decipline, cleanroom client tools, with a combination of VPN, TOR, and sometimes proxies as needed based on the type of traffic and protocols you are using to connect to your target hosts.

Defense in Depth m8

  • Have a bootable Tails OS stick a throwaway laptop and a coffee shop or library internet access ofc change Mac address and all the jazz with VPN’s and never access anything personal that can tie back to your identity.
  • Use medical mask, don’t get caught in surveillance
  • No cellphone on the trip to your coffee shop.
  • Shape the data that the client “sees” coming from you in such a way as to keep them either unaware of your actions because your traffic looks boringly normal and blends into the background noise or, extremely brief if you are going for the crown. Keep changing all variables up regularly, but randomly, to keep pattern-matching threat detection algos blissfully unaware of your existence until it’s too late.
  • Proxychains, bulletproof hosts(fast flux dns), hopped through several hostile/semi-hostile/uncooperative nations.
  • Never hack on your own network. Do not use any personal machines, buy a burner laptop, never connect it to anything you use. Do not log in to twitter, even if you wipe it after, do not connect to your wifi network, do not use a fancy custom browser setup, do not even turn it on at your house. This laptop’s sole purpose is to be as unrelated to you as possible to prevent data leak. A single correlated fingerprint burns the entire proxychain.
  • For remote control, techniques like anonymous twitter accounts can be used. Post a tweet that says “XYZ 123”, and your botnet that has been watching the twitter feed for instructions starts performing an attack.

Resources

Leak check tools