How would a resourceful government block Tor?

Question

I came across this article saying that after the November 2015 Paris attacks, some French police officers proposed to ban Tor.

Tor is used to circumvent censorship! What security techniques would governments use to block Tor?

Answer 1

Tor is used to circumvent censorship!

No, not directly. Tor is about anonymity, not about availability. Tor alone does not help its users access blocked content. Tor helps by making it hard to link clients with site visits, so that people can publish or read content without being identified. It's used to avoid being caught in relation to banned content, not directly to spread banned content.

A government that controls all the network equipment of ISPs in the country can decide which websites and services residents are allowed to access, and can know who is accessing what. If someone is using Tor, their computer makes connections to hosts that offer Tor services (Tor relays). The ISP-level filter can detect whether the target of the connection is a Tor relay and deny it if it is.

A tool that directly helps circumvent censorship is a VPN. The ISP-level filter can block connections to a VPN, but only if it knows that the service is a VPN. Tor relays are for the most part public and have to be part of a heavy infrastructure (they have to be known from other Tor known). On the contrary, a VPN operates on its own, so it's very easy to create new ones: blocking VPN altogether is practically impossible (blocking all encrypted protocols does block most common VPN, but it's still possible to make a low-bandwidth VPN using steganography if nothing else).

VPN and Tor can of course be combined (and frequently are). An ISP can block direct use of Tor, but cannot block the use of Tor through VPNs. There even exist VPN-like services specialized to use Tor: Tor bridges. There's an arms race here where the ISP/government can block Tor bridges as they discover them, but new bridges can pop up easily.

---

France is going to ban Tor

No, that's not what the original article says and that's not what the THN article says either. The original article says that the police administration (not the goverment) has requested a huge array of measures of varying realism, including banning Tor. Even the article you cite claims that this request is a legislation proposal (which it isn't yet), not a law about to take effect.

Answer 2

In order to block Tor, all that has to be done is have the current list of Tor nodes which can be found at the following link:

http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv

and then block them bi-directionally via the Routers or Firewalls.

That said there will be numerous ways around such efforts, people can still use VPNs to connect outside of a given area and then run the Tor traffic from another location or tunnel the traffic through, but this will effectively block many of the less technical people from accessing Tor.

Similarly, the following list of Tor exit nodes could be useful for blocking Tor traffic from connecting to any given websites: https://check.torproject.org/exit-addresses

I would say it's easy to make Tor hard to use but that it's extremely hard to make it impossible to use.

Keep in mind that governments with large financial resources can spend money to run tools like ZMAP.io to find potential Tor servers, including Tor Bridges, minutes after they are started. Continuously scanning the entire IPv4 address space has become trivial for those with even a small budget so a campaign to find and block Tor nodes could easily be very effective, but it will never be absolute.

Finally, keep in mind that once Tor users have been identified the government would likely monitor future connections by that user to locate new Tor bridges or similar connections.

Note: The task of scanning IPv4 has become trivial but the process for scanning all of the public IPv6 address space would be radically unmanageable due to the scale. That said a large government project correlating other types of data such as Netflow, some type of traffic signatures, or some other form of identification would be required to identify and block Tor traffic on IPv6 networks.

Again governments can make Tor hard to use but that it's extremely hard to make it impossible to use.

It should be further noted that governments also leverage additional tactics to identify anonymous users. To protect end-users from risks related to cookies or other signatures which may give away additional information about Tor users it may be wise to use an anonymous live CD such as the following:

https://www.whonix.org/

https://tails.boum.org/

Torflow visualization may also be of interest:

https://torflow.uncharted.software

Related article: 81% of Tor Users Can be Easily Unmasked By Analyzing Router Information

http://thehackernews.com/2014/11/81-of-tor-users-can-be-easily-unmasked_18.html

Another related article about a much more dangerous but related issue: Tor Browser Exposed

https://hackernoon.com/tor-browser-exposed-anti-privacy-implantation-at-mass-scale-bd68e9eb1e95

Answer 3

Tor will be actually quite hard to block because of tor bridges:

Bridge relays (or "bridges" for short) are Tor relays that aren't listed in the main Tor directory. Since there is no complete public list of them, even if your ISP is filtering connections to all the known Tor relays, they probably won't be able to block all the bridges.

To ban Tor altogether, France will need to perform deep packet inspection (similar to Chinese firewall), but even such measures could be defeated by specialized tools like Obfsproxy. What effectively keeps people in China from using Tor is the threat of a prison sentence; I hope France will not go this way.

Also, I don't quite understand how banning Tor would hurt the terrorists, since there are countless options which allow them to stay under the radar. They could happily switch to OwnCloud or a similar service which cannot be blocked as a whole. Or they could communicate via GMail by sending encrypted 7zip attachments. Etc.

Keep in mind that France has just been through regional polls, and announcements like this one spawn in election time like mushrooms after a summer rain.

Answer 4

A Censorship Arms Race

Attempts to censor the Tor network have taken place in different countries. China has, thus far, been the most successful. But, other countries/governments have had successes as well. Regardless of these successes, censorship is a technological arms race and each side is continuing to make improvements on their attacks and defenses.

An excellent resource that is particularly relevant to your question is a presentation by Jacob Appelbaum and Roger Dingledine titled How Governments Have Tried to Block Tor. (This talk is also available on YouTube.) As Tor developers, they provide a quick overview of the Tor network before moving on to show the evolution of attacks against it. The attacks covered range from simple port and DNS blocking to modern techniques including deep packet inspection and active probing.

I will be summarizing the material of that presentation below before briefly addressing the future technologies that are likely to be used in this arms race.

---

Attacks Taking Place Now

Here is a summary of the blocking methods discussed in the presentation mentioned above, along with some additional commentary and information about the limitations of each method:

• Block the directory authorities: the Tor binaries have a hard-coded list of IP addresses they use for bootstrapping (the process of finding other nodes on the Tor network). Normally, the Tor client will connect to one of these servers on startup to download the list of relays. Blocking this connection will prevent the exchange from taking place. The limitation is that bridges can be used to route your directory connections through an alternate IP address.
• Download the network directory: also known as the network consensus, this is the list of all relays on the network (bridges excluded). Blocking the IP addresses of all relays will prevent the Tor client from being able to route traffic through them. Again, the limitation is that bridges can bypass this as they use IP addresses that are not published on one list.
• Blocking bridges: if you can obtain all the bridge IP addresses, you can block connections to them as well. The Tor Project divides their pool of bridge addresses across different distribution strategies to prevent one person from obtaining all bridge addresses, even if there is a weakness in one of the distribution mechanisms. In addition to those mechanisms, you can obtain bridges by communicating with a friend or other organization that may run their own unlisted bridges.
• Deep packet inspection: this method, also known as DPI, relies on distinguishing minute differences between the Tor protocol and the SSL/TLS handshake that Tor attempts to mimic. In the presentation, Roger mentions that there are numerous protocol distinguishers that the Tor Project is already aware of and that it is an open question whether they should be preemptively fixed or left as low-hanging fruit for future attacks.
• Block the Tor website: if people cannot download the Tor software, they cannot connect to the network. The limitation is that people can obtain software via other mechanisms, including different mirrors or by sending an email to gettor@torproject.org.
• Active probing of bridges: in China, when someone connects to a Tor bridge or SSH server, another IP address makes a follow-up connection attempting to speak the Tor protocol... If this attempt is successful, the original Tor connection is dropped. This is the latest step in the arms race, and there are a few possible approaches that could be used to address it. One method mentioned in the video is to password protect bridges, but that has its own trade-offs.
• Bandwidth limitations: in Iran, the government reduced the bandwidth allocated to encrypted connections. With the rising use of encryption on websites, this method will increasingly limit access to commonly used websites including Google, Wikipedia, etc. Furthermore, as discussed below, protocols need not appear to be encrypted with the use of format transforming encryption.

---

The Future of the Arms Race

As was mentioned, censorship technology is an arms race, and it is still ongoing. This implies that innovations will continue to occur.

A lot of development effort has been put into pluggable transports, which are essentially a layer of protocol obfuscation that can be applied on Tor bridge nodes. This makes it more difficult to distinguish Tor traffic from non-Tor traffic and forces the blocking of additional services/protocols that are not Tor-related.

To select a few examples of pluggable transports:

• Meek: the Meek transport uses a method called "domain fronting" to falsify the final destination of the traffic. By changing the HTTP header on a request to google.com, it becomes possible to cause Google's infrastructure to re-route your packets to their App Engine service. The same is true for Amazon's CloudFront and Microsoft's Azure platform, among others.
• Flashproxy: started as a project at Stanford University, this project uses JavaScript and Web Sockets to turn ordinary web browsers into Tor bridges, allowing for extreme diversity and churn of bridge addresses that are difficult to block in real-time.

Finally, I would like to mention format transforming encryption (FTE). This encryption technology allows one to manipulate data such that it appears like another protocol to a DPI engine. In this paper, the researchers apply the technology to the Tor network to create protocol misidentification by DPI engines.