19 votes

Simulating an ISP's access to your traffic

Hey all,

We're working on a press-freedom / anti-censorship project and we're testing a variety of scenarios in which a journalist's internet traffic is being monitored by a hostile state. We'd like to simulate an ISP's access to the journalist's traffic so we can run some packet collection and other tests to see what it looks like.

What's the best way to do this? Put a few routers in series and collect on the last one?

7 comments

  1. krellor
    I would start by using a router/firewall that can log NetFlow records to a logging instance. That will show a realistic view of the sort of data your ISP has at a minimum.

    Additionally, either using the same device or an intermediary device, perform a network capture which will show a few additional pieces of data.

    However, much of that data won't really show you how a state-level actor can actually use the data. When I was a director of engineering, we could use that data to create near-real-time global maps of the data flows, heat maps of the networks being communicated with, real-time lists of network owners that the traffic transited through, and the ability to do traffic engineering to force traffic in different directions.

    The limits would be if the traffic is encrypted at the application level, unless there is some sort of forced TLS proxy like an F5 or Gigamon appliance coupled with forced installs of apps or certificates on citizen devices.

    Unfortunately, my knowledge likely can't help much with the details, since I've mostly done this in an enterprise environment. You might look at OPNsense or Arista NG firewalls on spare hardware for the free-to-cheap route. Then you need to start selecting visualization, mapping, and plotting tools.

    14 votes
    1. R3qn65
      Thanks, this is helpful and a good start. Setting flow logging aside for the moment, we'd need to do the pcap on a different device, right? We're assuming that the state actor doesn't have access to the actual router, so they won't be able to see traffic moving around across the LAN, only the traffic coming out of it. That's where I was coming from with the "a few routing devices in series" thing.

      2 votes
      1. krellor
        Yeah, to best simulate the ISP you want to put in a tap upstream of your test router, i.e., on the WAN interface. There are a few ways to do this, physically and logically. When I've done this sort of thing in a work environment, we would set up port mirroring on an upstream switch to send duplicate packets to a second interface that is logged, possibly by a computer.

        So WAN -> managed switch -> router

        And the managed switch can port mirror the interface the router is connected to and send it to a second interface for logging and analysis, like a laptop.

        The network capture will give you packets which might include things like SNI headers that leak domains, unencrypted DNS requests, etc. But the net flow data is likely an important piece as well.

        Cheers!

        4 votes
        1. vord (edited)
          A simpler setup for this case would probably be to have the OPNsense box act as that managed switch and logging box. It can do essentially that in one setup provided it has two ethernet ports. I'm not experienced enough to throw out a config which avoids the double-NAT in that scenario with no research, but I'm sure you might be able to. :)

          Have it dump all the packets, ingest into Grafana or something for some nice charts.

          "unencrypted DNS requests"

          I would note that your config on your router should try to accept whatever defaults your ISP hands out, but if it is doing encrypted connections to the ISP's DNS, it would be 'fair' to change those settings to an unencrypted DNS provider such that you can see what normally only the ISP would see.

          2 votes
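To make krellor's point about SNI and plaintext DNS (and vord's note on unencrypted resolvers) concrete, here is an added example that is not code from anyone in this thread. It constructs a DNS query and two TLS ClientHellos as sample packets, then recovers the hostnames from them the way a passive observer on the mirror port would, without touching any key material. Everything in it is constructed for illustration: the domain names, the zeroed ClientHello random, and the (dst_port, payload) capture format are assumptions, not the output of any real capture.

```python
"""Passive recovery of domain names from a tap or mirror port.

Added example for this thread, not code from any poster. Only the UDP/TCP
payloads are modelled; IP and transport headers are assumed to have been
stripped by the capture tool. All sample packets are constructed inline.
"""
import struct
from typing import List, Optional, Tuple


def encode_dns_name(name: str) -> bytes:
    """'news.example.org' -> b'\\x04news\\x07example\\x03org\\x00' (DNS label format)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """UDP payload of a standard recursive A query: header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)       # flags: RD set, QDCOUNT 1
    return header + encode_dns_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def build_client_hello(server_name: Optional[str]) -> bytes:
    """TLS record carrying a ClientHello; its only extension is server_name, if any."""
    if server_name is None:
        extensions = struct.pack("!H", 0)
    else:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list    # extension type 0 = server_name
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32   # client_version + 32-byte random (zeroed: sample only)
            + b"\x00"                     # empty session_id
            + b"\x00\x02\x13\x01"         # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                 # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_dns_qname(payload: bytes) -> Optional[str]:
    """Name in the first question of a DNS message, or None if there is none."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        return None
    labels, i = [], 12
    while i < len(payload) and payload[i] != 0:
        n = payload[i]
        if n & 0xC0:                      # compression pointers never appear in a question name
            return None
        labels.append(payload[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels) if labels else None


def parse_tls_sni(payload: bytes) -> Optional[str]:
    """host_name from the SNI extension of a TLS ClientHello, or None."""
    # record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        i = 9 + 2 + 32                                        # skip client_version and random
        i += 1 + payload[i]                                   # session_id
        i += 2 + struct.unpack("!H", payload[i:i + 2])[0]     # cipher_suites
        i += 1 + payload[i]                                   # compression_methods
        end = i + 2 + struct.unpack("!H", payload[i:i + 2])[0]
        i += 2
        while i + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", payload[i:i + 4])
            i += 4
            if ext_type == 0:                                 # server_name extension
                j = i + 2                                     # skip server_name_list length
                while j + 3 <= i + ext_len:
                    name_type = payload[j]
                    name_len = struct.unpack("!H", payload[j + 1:j + 3])[0]
                    if name_type == 0:
                        return payload[j + 3:j + 3 + name_len].decode("ascii", "replace")
                    j += 3 + name_len
            i += ext_len
    except (IndexError, struct.error):
        return None                                           # truncated or malformed hello
    return None


def observed_domains(packets: List[Tuple[int, bytes]]) -> List[Tuple[int, str]]:
    """(dst_port, payload) pairs -> (dst_port, hostname) for every leak found."""
    seen = []
    for dst_port, payload in packets:
        name = parse_dns_qname(payload) if dst_port == 53 else parse_tls_sni(payload)
        if name:
            seen.append((dst_port, name))
    return seen


# Constructed sample "capture": a DNS lookup, the TLS connection it led to,
# and a ClientHello that carries no SNI at all.
SAMPLE_CAPTURE = [
    (53, build_dns_query("news.example.org")),
    (443, build_client_hello("news.example.org")),
    (443, build_client_hello(None)),
]

if __name__ == "__main__":
    for port, host in observed_domains(SAMPLE_CAPTURE):
        print(f"dst port {port:>3}: {host}")
```

Run stand-alone it lists the two leaks and says nothing about the third packet. That silence is the point to keep in mind when writing up results: DNS-over-HTTPS moves the lookup inside TLS on port 443 and Encrypted ClientHello hides the real hostname behind a public outer name, so both defeat this observer, which is why vord's suggestion to point the test router at an unencrypted resolver is what makes the port-53 half of this visible at all.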
  2. gco
    I would recommend that instead of having multiple routers you route your traffic through a computer; unless you have very high-end routers, you'll likely run into resource constraints, especially when it comes to storage. I recommend you look into Security Onion and deploy it to that PC. I haven't used it in quite a while, but a few years ago it would have been great for what you intend to do. While the focus is on security, it comes bundled with a lot of the tools necessary for packet capture and analysis. You could use Suricata detections or even build your own; that way you don't have to store and analyse all the logs (you can do that as well) but can focus on things you think are interesting (like whether they're using Tor).

    3 votes
  3. vord (edited)
    As I think @krellor threw you in the correct direction for "how", I'll throw at you a quick "what" for writing an article and making it accessible for the public.

    Look for these two ports in sources and destinations: 25565 and 19132
    Those are the default ports for Minecraft servers, for Java and Bedrock respectively. Seeing traffic coming into the consumer router on those ports? That person is hosting a Minecraft server. If you're a three-letter agency trying to spy on a target, you could then try to log into said server, and if they don't have whitelisting turned on, you'll probably be able to get in, even if that server isn't publicly listed.

    If you see traffic flowing outward from that box, you can identify which version of Minecraft they're playing. A bit of analytics could probably let you identify how many different computers are playing, especially if they're playing on different modded servers. I haven't tested to see if the traffic is encrypted, but if not, that means spying on conversations on a Minecraft server is trivial. Which doesn't seem to be a big deal... but a lot of kids play Minecraft, and parents would probably love hearing "oh, here is a tangible example of how your ISP can monitor your kids."

    Especially if you simulate, say, a group of neighborhood friends all playing Minecraft together with the same ISP. This same effect can be seen with all other communication methods. The power of metadata, which got explored a lot in the Snowden era, is a good thing to explore further.

    2 votes
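The flow-record angle from krellor's first comment and vord's two Minecraft ports, combined in one added example that is not code from anyone in this thread. The records are constructed: 192.0.2.0/24 stands in for the ISP's subscriber address pool (one address per household router's WAN side), the other addresses stand in for the wider internet, and the byte and packet counts are made up. The record layout and the GAME_PORTS table are assumptions for illustration; nothing beyond the Python standard library is needed.

```python
"""Role inference from flow records (NetFlow-style metadata only, no payload).

Added example for this thread, not code from any poster. The flows below
are constructed; 192.0.2.0/24 plays the ISP's subscriber pool and every other
address is "outside". Ports 25565 and 19132 are the Minecraft Java and
Bedrock defaults named in the thread.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

GAME_PORTS = {25565: "minecraft-java", 19132: "minecraft-bedrock"}

# (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets) as a collector would export them
Flow = Tuple[str, int, str, int, str, int, int]

SAMPLE_FLOWS: List[Flow] = [
    # two outside players connecting to a server run behind subscriber 192.0.2.10
    ("198.51.100.7", 51234, "192.0.2.10", 25565, "tcp", 48_000, 300),
    ("203.0.113.44", 40001, "192.0.2.10", 25565, "tcp", 52_000, 310),
    # two subscribers on the same outside Java server; one also on a Bedrock server
    ("192.0.2.21", 55000, "203.0.113.9", 25565, "tcp", 120_000, 900),
    ("192.0.2.22", 55010, "203.0.113.9", 25565, "tcp", 115_000, 880),
    ("192.0.2.22", 55011, "203.0.113.70", 19132, "udp", 70_000, 600),
    # ordinary HTTPS from a subscriber, which the heuristic must ignore
    ("192.0.2.21", 55020, "203.0.113.5", 443, "tcp", 9_000, 40),
]


def classify_flows(flows: List[Flow], home_net: str) -> Dict[str, Dict[str, Set[str]]]:
    """Split game-port flows into hosted servers (inbound) and players (outbound).

    Returns {"servers": {subscriber: {remote_client, ...}},
             "players": {subscriber: {"server_ip:port", ...}}}.
    """
    pool = ipaddress.ip_network(home_net)
    servers: Dict[str, Set[str]] = defaultdict(set)
    players: Dict[str, Set[str]] = defaultdict(set)
    for src, _sport, dst, dport, _proto, _nbytes, _pkts in flows:
        if dport not in GAME_PORTS:
            continue
        src_in = ipaddress.ip_address(src) in pool
        dst_in = ipaddress.ip_address(dst) in pool
        if dst_in and not src_in:      # outside -> subscriber on a game port: they host a server
            servers[dst].add(src)
        elif src_in and not dst_in:    # subscriber -> outside on a game port: they are playing
            players[src].add(f"{dst}:{dport}")
    return {"servers": dict(servers), "players": dict(players)}


def shared_servers(players: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert the player map to find servers that two or more subscribers share."""
    by_server: Dict[str, Set[str]] = defaultdict(set)
    for host, dests in players.items():
        for dest in dests:
            by_server[dest].add(host)
    return {s: hosts for s, hosts in by_server.items() if len(hosts) >= 2}


if __name__ == "__main__":
    roles = classify_flows(SAMPLE_FLOWS, "192.0.2.0/24")
    for host, clients in roles["servers"].items():
        print(f"{host} hosts a server; clients seen: {sorted(clients)}")
    for host, dests in roles["players"].items():
        print(f"{host} plays on: {sorted(dests)}")
    for server, hosts in shared_servers(roles["players"]).items():
        print(f"{sorted(hosts)} play together on {server}")
```

Because each subscriber's router NATs its LAN, a flow record only ever shows the router's WAN address, so this separates subscribers, not machines; telling apart several computers behind one router (vord's "how many different computers" question) needs the finer signals he mentions, such as differing client versions, which flow records alone do not carry.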
  4. R3qn65
    Much appreciate the thoughts, all.