VPN: why and how to hide your IP and encrypt traffic. What does the provider know about the user? Remote Access VPN

We told our readers about the principles of VPN operation and showed, using the example of inexpensive VPN services, how and why to use VPN tunnels.

Today we want to return to the topic of VPN services, especially since demand for them is growing every day: government regulation of the Internet in Russia and other CIS countries is increasing, users face more and more restrictions online, and the information security situation on the network is getting worse every day.

When choosing a VPN service provider, we found a fairly high-quality service: TheSafety.US

Let's say right away that the prices for VPN services from TheSafety.US are not the lowest (a subscription costs from about $30 per month), but this is compensated for by the high quality of the services provided and the variety of packages and subscriptions. So, let's start testing TheSafety.US and evaluate this VPN service in practice.

For other operating systems, see settings:

What did I like immediately? That you can choose a server in a country convenient for you. Regular VPN, Double VPN and Offshore VPN are available in 20 countries: USA, Canada, Germany, UK (England), Netherlands, Italy, Ukraine, France, Spain, Belgium, Poland, Czech Republic, Portugal, Switzerland, Ireland, Lithuania, Finland, Luxembourg, and offshore VPN in Panama and Malaysia. You can choose different countries and destinations yourself, including VPN in offshore countries (Offshore VPN), which is the highest level of security, since in these countries there is no strict control by the state.

When do you need to choose a specific VPN server country? When you are faced with the task of not just hiding your IP address, but showing that it is from Germany, the USA or Poland, for example. This is necessary to access Internet resources whose owners set filters for visitors from certain countries.

In our article, we have already explained how VPN technology works. Now let's explain how the Double VPN service works.

Double VPN technology is a chain of two servers with different input and output IP addresses. In this case, you connect to IP1 of the first server with all data encrypted; then your traffic is encrypted a second time and sent to IP2 of the second server. As a result, you appear on the Internet with IP3. This technology provides highly effective protection because all your traffic is double encrypted and passes through different countries.

For example, I tested the chain Germany - Czech Republic: the encrypted traffic first passed through a server in Germany, then through a server in the Czech Republic, and only then reached external Internet resources. This provides very strong security, as with a chain of SOCKS proxies, plus double encryption of the transmitted data. Thus, even the first server will not know my external IP, much less my Internet provider.

In the screenshot, a check of my IP performed on the website 2ip.ru shows an IP address in Prague.

If we load the search engine yandex.ru, it will give us the home page for Prague:

As we know, Internet providers have recently been "recording" all user Internet traffic and storing it for a certain time. This is the state of affairs in Russia, Belarus, China and other countries with strong government regulation of the Internet.

That is, certain organizations and officials will be aware of what sites you visit and what information you receive and transmit on the Internet. These are not "empty horror stories"; let's check in practice what is recorded in the providers' logs after our visit to the Internet.

For this experiment, we will use traffic analyzers (sniffers), such as Wireshark, which are free software.

I used the Packetyzer program for my experiments. So, what do we see when we surf the Internet using our IP address, without a VPN:

The screenshot above shows that I looked at the weather at pogoda.tut.by (this is highlighted in the figure with a marker).

And the following screenshot shows which sites I visited at that time:

Now we use the VPN service from TheSafety.US, analyze the traffic with the Packetyzer sniffer again and see that all traffic is encrypted with a strong algorithm; it is impossible to see which sites were visited:

By the way, with , all traffic is also encrypted, see screenshots below:

Also, TheSafety.US servers do not write logs, and the connection is made to an IP address, not to a domain name.

For even greater anonymity, TheSafety.US servers use a forced change in the TTL parameter.

TTL (time to live) is the lifetime of a sent packet. For the Windows OS family the standard TTL value is 128, for Unix it is 64. The sent packet is assigned a TTL value, and this value is decremented by one by each host along its route (for example, when you open a site, your request packet passes through several hosts before it reaches the server hosting the site). When the TTL of a packet reaches 0, the packet is discarded. That is, from the TTL value of a received packet you can find out how many hosts it has passed through, and so indirectly determine how many hosts your computer is located behind. TheSafety.US servers forcibly reset this value to the standard one. This can be checked using the standard ping and tracert commands. See below screenshots of these commands running:

The first thing that comes to mind when mentioning a VPN is the anonymity and security of the transmitted data. Is it really? Let's figure it out.

When you need to access a corporate network, transfer important information safely over open communication channels, hide your traffic from the watchful eye of the provider, or hide your real location when carrying out not entirely legal (or not at all legal) actions, people usually resort to a VPN. But is it worth blindly relying on a VPN, putting the security of your data and your own safety at stake? Definitely not. Why? Let's figure it out.

WARNING

All information is provided for informational purposes only. Neither the editors nor the author are responsible for any possible harm caused by the materials of this article.

We need a VPN!

A virtual private network, or simply VPN, is a general name for technologies that allow one or more network connections (a logical network) to be established on top of another network, such as the Internet. Although communication may run over public networks with an unknown level of trust, the level of trust in the constructed logical network does not depend on the level of trust in the underlying networks, thanks to the use of cryptographic tools (encryption, authentication, public key infrastructure, protection against replay and modification of messages transmitted over the logical network). As you can see, in theory everything is rosy and cloudless, but in practice it is somewhat different. In this article, we will look at two main points that you must take into account when using a VPN.

VPN traffic leak

The first problem with VPNs is traffic leakage. That is, traffic that should be transmitted through the VPN connection in encrypted form enters the network in clear text. This scenario is not the result of a bug in the VPN server or client. Everything is much more interesting here. The simplest option is a sudden disconnection of the VPN connection. You decided to scan a host or subnet using Nmap, launched the scanner, walked away from the monitor for a few minutes, and then the VPN connection suddenly dropped. But the scanner keeps running, and the scanning now comes from your real address. An unpleasant situation. But there are more interesting scenarios. For example, VPN traffic leakage is widespread in networks (and on hosts) that support both versions of the IP protocol (so-called dual-stacked networks/hosts).

Root of Evil

The coexistence of two protocols, IPv4 and IPv6, has many interesting and subtle aspects that can lead to unexpected consequences. Despite the fact that the sixth version of the IP protocol has no backward compatibility with the fourth, both versions are "glued" together by the Domain Name System (DNS). To make clear what we are talking about, take a website (say, www.example.com) that supports both IPv4 and IPv6. The corresponding domain name (www.example.com in our case) will contain both types of DNS records: A and AAAA. Each A record contains one IPv4 address, and each AAAA record contains one IPv6 address. Moreover, one domain name can have several records of both types. Thus, when an application that supports both protocols wants to communicate with the site, it can request any of the available addresses. The preferred address family (IPv4 or IPv6) and the final address the application will use (given that there are several for versions 4 and 6) differ from one protocol implementation to another.

This coexistence of protocols means that when a client that supports both stacks wants to communicate with another system, the presence of A and AAAA records will influence which protocol will be used to communicate with that system.

VPN and dual protocol stack

Many VPN implementations do not support IPv6, or, even worse, ignore it entirely. When establishing a connection, the VPN software takes care of transporting IPv4 traffic by adding a default route for IPv4 packets, thereby ensuring that all IPv4 traffic is sent through the VPN connection (instead of being sent in the clear through the local router). However, if IPv6 is not supported (or is completely ignored), every packet with an IPv6 destination address in its header will be sent in the clear through the local IPv6 router.

The main reason for the problem is that although IPv4 and IPv6 are two different, mutually incompatible protocols, they are closely intertwined in the domain name system. Thus, for a system that supports both protocol stacks, it is impossible to secure a connection to another system without securing both protocols (IPv6 and IPv4).

Legitimate VPN traffic leak scenario

Consider a host that supports both protocol stacks, uses a VPN client (working only with IPv4 traffic) to connect to the VPN server, and is connected to a dual-stacked network. If an application on the host needs to communicate with a dual-stacked node, the client typically queries both A and AAAA DNS records. Since the host supports both protocols, and the remote node will have both types of DNS records (A and AAAA), one of the likely scenarios will be to use the IPv6 protocol for communication between them. And since the VPN client does not support the sixth version of the protocol, IPv6 traffic will not be sent through the VPN connection, but will be sent in clear text through the local network.

This scenario puts valuable data at risk: it is transmitted in clear text while we believe it is being transmitted securely over the VPN connection. In this particular case, VPN traffic leakage is a side effect of using software without IPv6 support on a network (and host) that supports both protocols.

Deliberately causing VPN traffic to leak

An attacker can deliberately force an IPv6 connection on a victim's computer by sending fake ICMPv6 Router Advertisement messages. Such packets can be sent using utilities such as rtadvd, SI6 Networks' IPv6 Toolkit or THC-IPv6. Once an IPv6 connection is established, "communication" with a system that supports both protocol stacks can result, as discussed above, in a VPN traffic leak.

And although this attack may be quite fruitful (due to the growing number of sites supporting IPv6), it will only leak traffic when the recipient supports both versions of the IP protocol. However, it is not difficult for an attacker to cause traffic leaks for any recipient (dual-stacked or not). By sending fake Router Advertisement messages containing the appropriate RDNSS option, an attacker can pretend to be a local recursive DNS server, then perform DNS spoofing to perform a man-in-the-middle attack and intercept the corresponding traffic. As in the previous case, tools like SI6-Toolkit and THC-IPv6 can easily pull off this trick.

It is no good at all if traffic that is not intended for prying eyes ends up on the network in the open. How to protect yourself in such situations? Here are some useful recipes:

  1. If the VPN client is configured to send all IPv4 traffic over the VPN connection, then:
  • if IPv6 is not supported by the VPN client, disable the sixth version of the IP protocol on all network interfaces. Applications running on the computer will then have no choice but to use IPv4;
  • if IPv6 is supported, ensure that all IPv6 traffic is also sent through the VPN.
  2. To avoid traffic leakage if the VPN connection suddenly drops and all packets go out through the default gateway, you can:
  • force all traffic to go through the VPN by deleting the default gateway and leaving only a host route to the VPN server through the old gateway (Windows route commands; 192.168.1.1 is the local gateway and 83.170.76.128 the VPN server):
       route delete 0.0.0.0 192.168.1.1
       route add 83.170.76.128 mask 255.255.255.255 192.168.1.1 metric 1
  • use the VPNetMon utility, which monitors the state of the VPN connection and, as soon as it disappears, instantly terminates user-specified applications (for example, torrent clients, web browsers, scanners);
  • or the VPNCheck utility, which, depending on the user's choice, can either completely disable the network card or simply terminate the specified applications.
  3. You can check whether your machine is vulnerable to DNS traffic leaks on the website, and then apply the tips described there on how to fix the leak.
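An added example (not from the article) of checking the first recipe programmatically: given Linux `ip route` and `ip -6 route` listings, it tests whether the routes through the tunnel device jointly cover the entire IPv4 and IPv6 address spaces, so a client that only redirected IPv4 shows up as an IPv6 leak. The route tables and the device name tun0 are constructed samples.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Constructed sample tables in the format of `ip route` / `ip -6 route`. The VPN
// client replaced the IPv4 default route with two /1 routes via tun0 but added
// no IPv6 routes, so IPv6 traffic still leaves through wlan0.
const sampleV4 = `default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2`

const sampleV6 = "default via fe80::1 dev wlan0 proto ra metric 600"

// fixedV6 is the same table once the client also routes IPv6 via the tunnel.
const fixedV6 = sampleV6 + "\n::/1 dev tun0 metric 50\n8000::/1 dev tun0 metric 50"

// tunnelRoutes collects the destination prefixes routed via vpnDev (metrics ignored).
func tunnelRoutes(table, vpnDev string, v6 bool) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, line := range strings.Split(strings.TrimSpace(table), "\n") {
		f := strings.Fields(line)
		dev := ""
		for i := 0; i+1 < len(f); i++ {
			if f[i] == "dev" {
				dev = f[i+1]
			}
		}
		if len(f) == 0 || dev != vpnDev {
			continue
		}
		dst := f[0]
		if dst == "default" {
			dst = map[bool]string{false: "0.0.0.0/0", true: "::/0"}[v6]
		} else if !strings.Contains(dst, "/") { // host route, printed without a length
			dst += map[bool]string{false: "/32", true: "/128"}[v6]
		}
		p, err := netip.ParsePrefix(dst)
		if err != nil {
			return nil, fmt.Errorf("route %q: %w", line, err)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// upperHalf returns the second half of p: p with its next bit set.
func upperHalf(p netip.Prefix) netip.Prefix {
	b := p.Addr().AsSlice()
	b[p.Bits()/8] |= 0x80 >> (p.Bits() % 8)
	a, _ := netip.AddrFromSlice(b)
	return netip.PrefixFrom(a, p.Bits()+1)
}

// covered reports whether the prefixes in set jointly contain every address of p.
// It halves p only while some route still overlaps it, so an empty or partial set
// of tunnel routes is rejected without recursing to the full address length.
func covered(set []netip.Prefix, p netip.Prefix) bool {
	overlap := false
	for _, s := range set {
		if s.Bits() <= p.Bits() && s.Contains(p.Addr()) {
			return true // s contains all of p
		}
		if s.Overlaps(p) {
			overlap = true
		}
	}
	if !overlap || p.Bits() == p.Addr().BitLen() {
		return false
	}
	lower := netip.PrefixFrom(p.Addr(), p.Bits()+1)
	return covered(set, lower) && covered(set, upperHalf(p))
}

// leakingFamilies names the address families whose traffic can bypass the tunnel.
func leakingFamilies(v4Table, v6Table, vpnDev string) ([]string, error) {
	var leaks []string
	for _, fam := range []struct{ name, table, all string; v6 bool }{
		{"IPv4", v4Table, "0.0.0.0/0", false},
		{"IPv6", v6Table, "::/0", true},
	} {
		routes, err := tunnelRoutes(fam.table, vpnDev, fam.v6)
		if err != nil {
			return nil, err
		}
		if !covered(routes, netip.MustParsePrefix(fam.all)) {
			leaks = append(leaks, fam.name)
		}
	}
	return leaks, nil
}

func main() {
	before, _ := leakingFamilies(sampleV4, sampleV6, "tun0")
	after, _ := leakingFamilies(sampleV4, fixedV6, "tun0")
	fmt.Println("leaking before fix:", before, "after fix:", after)
}
```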

VPN traffic decryption

Even if you have configured everything correctly and your VPN traffic does not leak into the network in the clear, this is not yet a reason to relax. The point is that if someone intercepts encrypted data transmitted through a VPN connection, they will be able to decrypt it. Moreover, it makes no difference whether your password is complex or simple. If you use a VPN connection based on the PPTP protocol, you can say with one hundred percent certainty that all intercepted encrypted traffic can be decrypted.

Achilles' heel

For VPN connections based on PPTP (Point-to-Point Tunneling Protocol), user authentication is carried out using the MS-CHAPv2 protocol developed by Microsoft. Despite the fact that MS-CHAPv2 is outdated and very often the subject of criticism, it continues to be actively used. To finally send it to the dustbin of history, the well-known researcher Moxie Marlinspike took up the matter and reported at the twentieth DEF CON conference that the goal had been achieved: the protocol had been broken. It must be said that the security of this protocol had been questioned before, but its long life may be due to the fact that many researchers focused only on its vulnerability to dictionary attacks. Limited research, a large number of supported clients and built-in support in operating systems all ensured the widespread adoption of MS-CHAPv2. For us, the problem is that MS-CHAPv2 is used in the PPTP protocol, which in turn is used by many VPN services (for example, such large ones as the anonymous VPN service IPredator and The Pirate Bay's VPN).

If we turn to history, then already in 1999, in his study of the PPTP protocol, Bruce Schneier indicated that “Microsoft improved PPTP by correcting major security flaws. However, the fundamental weakness of the authentication and encryption protocol is that it is only as secure as the password the user chooses.” For some reason, this made providers believe that there is nothing wrong with PPTP and if you require the user to invent complex passwords, then the transmitted data will be safe. The Riseup.net service was so inspired by this idea that it decided to independently generate 21-character passwords for users, without giving them the opportunity to set their own. But even such a tough measure does not prevent traffic from being decrypted. To understand why, let's take a closer look at the MS-CHAPv2 protocol and see how Moxie Marlinspike managed to crack it.

MS-CHAPv2 protocol

As already mentioned, MSCHAPv2 is used for user authentication. It happens in several stages:

  • the client sends an authentication request to the server, transmitting its login in the clear;
  • the server returns a 16-byte random challenge to the client (Authenticator Challenge);
  • the client generates a 16-byte PAC (Peer Authenticator Challenge);
  • the client concatenates the PAC, the server challenge and its user name into one string;
  • an 8-byte hash is taken from the resulting string using the SHA-1 algorithm and sent to the server;
  • the server retrieves this client's hash from its database and decrypts the response;
  • if the decryption result matches the original challenge, everything is OK, and vice versa;
  • subsequently, the server takes the client's PAC and, based on the hash, generates a 20-byte AR (Authenticator Response), passing it to the client;
  • the client performs the same operation and compares the received AR with the server's response;
  • if everything matches, the client is authenticated by the server. The figure shows a visual diagram of the protocol's operation.

At first glance, the protocol seems overly complicated: a bunch of hashes, encryption, random challenges. In fact it is not that complicated. If you look closely, you will notice that in the entire protocol only one thing remains unknown: the MD4 hash of the user's password, from which the three DES keys are built. The remaining parameters are either transmitted in clear text or can be derived from what is transmitted in clear text.


Since almost all the parameters are known, we can set them aside and focus on what is unknown and on what that gives us.


So, what we have: an unknown password, an unknown MD4 hash of that password, a known plaintext, and a known ciphertext. Upon closer examination, you will notice that the user’s password is not important to us, but its hash is important, since it is this that is checked on the server. Thus, for successful authentication on behalf of the user, as well as for decrypting his traffic, we only need to know the hash of his password.

With intercepted traffic in hand, you can try to decrypt it. There are several tools (for example, asleap) that allow you to guess a user's password through a dictionary attack. The disadvantage of these tools is that they do not guarantee a result, and success depends directly on the chosen dictionary. Guessing a password by simple brute force is also not very effective: for example, in the case of the PPTP VPN service riseup.net, which forces passwords to be 21 characters long, you would have to try 96 character variants for each of the 21 positions. This results in 96^21 options, which is slightly more than 2^138. In other words, you need to recover a 138-bit key. In a situation where the length of the password is unknown, it makes sense to search for the MD4 hash of the password instead. Given that its length is 128 bits, we get 2^128 options, which at the moment is simply impossible to compute.

Divide and rule

The MD4 hash of the password is used as input for three DES operations. DES keys are 7 bytes long, so each DES operation uses a 7-byte portion of the MD4 hash. All this leaves room for the classic divide and conquer attack. Instead of brute-forcing the entire MD4 hash (which, as you remember, is 2^128 options), we can search for it in 7-byte parts. Since three DES operations are used and each is completely independent of the others, this gives a total search complexity of 2^56 + 2^56 + 2^56, or about 2^57.59. This is already significantly better than 2^138 and 2^128, but still too large a number of options. Although, as you may have noticed, an error crept into these calculations. The algorithm uses three DES keys, each 7 bytes in size, that is, 21 bytes in total. These keys are taken from the MD4 hash of the password, which is only 16 bytes long.

That is, 5 bytes are missing to build the third DES key. Microsoft solved this problem simply by padding the missing bytes with zeros, essentially reducing the effective length of the third key to two bytes.


Since the third key has an effective length of only two bytes, that is, 2^16 options, finding it takes a matter of seconds, proving the effectiveness of the divide and conquer attack. So, we can assume that the last two bytes of the hash are known, and all that remains is to find the remaining 14. Again dividing them into two 7-byte parts, we have a total number of options to search equal to 2^56 + 2^56 = 2^57. Still too many, but much better. Note that the remaining DES operations encrypt the same text, just under different keys. The search algorithm can be written as follows:

But since the text is encrypted the same, it is more correct to do it like this:

That is, there are 2^56 variants of keys to search through. This means that the security of MS-CHAPv2 can be reduced to the strength of DES encryption alone.
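The key-schedule weakness this section describes, as an added example that is not code from the article or from chapcrack: a Go program that computes the MS-CHAPv2 NT-Response on the RFC 2759 test vector (user "User", password "clientPass") and then recovers the last two bytes of the NT hash from the third response block alone by trying all 2^16 candidate keys. The NT hash is taken from the RFC rather than computed, since MD4 is not in Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// Test vector from RFC 2759 section 9.2: user "User", password "clientPass".
// The NT hash (MD4 of the UTF-16LE password) is copied from the RFC; it, not
// the password, is the one unknown in the exchange.
var (
	rfcUser      = "User"
	rfcAuthChal  = [16]byte{0x5B, 0x5D, 0x7C, 0x7D, 0x7B, 0x3F, 0x2F, 0x3E, 0x3C, 0x2C, 0x60, 0x21, 0x32, 0x26, 0x26, 0x28}
	rfcPeerChal  = [16]byte{0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A, 0x28, 0x29, 0x5F, 0x2B, 0x3A, 0x33, 0x7C, 0x7E}
	rfcNTHash    = [16]byte{0x44, 0xEB, 0xBA, 0x8D, 0x53, 0x12, 0xB8, 0xD6, 0x11, 0x47, 0x44, 0x11, 0xF5, 0x69, 0x89, 0xAE}
	rfcChallenge = "d02e4386bce91226"
	rfcResponse  = "82309ecd8d708b5ea08faa3981cd83544233114a3d85d6df"
)

// challengeHash is ChallengeHash() from RFC 2759 8.2: the first 8 bytes of
// SHA-1(PeerChallenge || AuthenticatorChallenge || UserName).
func challengeHash(peer, auth [16]byte, user string) [8]byte {
	h := sha1.New()
	h.Write(peer[:])
	h.Write(auth[:])
	h.Write([]byte(user))
	var out [8]byte
	copy(out[:], h.Sum(nil))
	return out
}

// desKey spreads a 7-byte (56-bit) key over 8 bytes with one parity bit per
// byte, the form crypto/des expects (DES itself ignores the parity bits).
func desKey(k7 []byte) []byte {
	var k uint64
	for _, b := range k7 {
		k = k<<8 | uint64(b)
	}
	out := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		out[i] = byte(k&0x7F) << 1
		k >>= 7
	}
	return out
}

// ntResponse is ChallengeResponse() from RFC 2759 8.5: the 16-byte NT hash is
// zero-padded to 21 bytes and cut into three 7-byte DES keys, each of which
// encrypts the same 8-byte challenge. Key 3 is hash[14:16] plus five zeros.
func ntResponse(ntHash [16]byte, ch [8]byte) [24]byte {
	padded := make([]byte, 21)
	copy(padded, ntHash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		blk, _ := des.NewCipher(desKey(padded[7*i : 7*i+7]))
		blk.Encrypt(resp[8*i:8*i+8], ch[:])
	}
	return resp
}

// recoverThirdKey shows what the zero padding costs: only 2^16 third keys
// exist, so the last two bytes of the NT hash fall out of one captured
// challenge/response pair after at most 65536 DES operations.
func recoverThirdKey(ch [8]byte, resp [24]byte) (uint16, bool) {
	k := make([]byte, 7)
	out := make([]byte, 8)
	for c := 0; c < 1<<16; c++ {
		binary.BigEndian.PutUint16(k, uint16(c))
		blk, _ := des.NewCipher(desKey(k))
		blk.Encrypt(out, ch[:])
		if bytes.Equal(out, resp[16:]) {
			return uint16(c), true
		}
	}
	return 0, false
}

func main() {
	ch := challengeHash(rfcPeerChal, rfcAuthChal, rfcUser)
	resp := ntResponse(rfcNTHash, ch)
	fmt.Printf("challenge   %x (RFC: %s)\n", ch, rfcChallenge)
	fmt.Printf("NT-Response %x (RFC: %s)\n", resp, rfcResponse)
	k3, ok := recoverThirdKey(ch, resp)
	fmt.Printf("third key recovered: %04x ok=%v, hash[14:16]=%x\n", k3, ok, rfcNTHash[14:])
}
```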

Hacking DES

Now that the key search space is known, successfully completing the attack is a matter of computing power. In 1998, the Electronic Frontier Foundation built a machine called Deep Crack, which cost $250,000 and could crack a DES key in an average of four and a half days. Currently, Pico Computing, which specializes in building FPGA hardware for cryptographic applications, has built an FPGA device (DES cracking box) that implements DES as a pipeline with one DES operation per clock cycle. With 40 cores at 450 MHz, it can try 18 billion keys per second. At such a brute-force speed, the DES cracking box cracks a DES key in the worst case in 23 hours, and on average in half a day. This miracle machine is available through the commercial web service cloudcracker.com. So now you can crack any MS-CHAPv2 handshake in less than a day. And with the password hash in hand, you can authenticate on behalf of this user to a VPN service or simply decrypt their traffic.

To automate work with the service and process intercepted traffic, Moxie released the chapcrack utility. It parses intercepted network traffic looking for MS-CHAPv2 handshakes. For each handshake it finds, it prints the user name, the known plaintext, the two known ciphertexts, and cracks the third DES key. In addition, it generates a token for CloudCracker, which encodes the three parameters the service needs to crack the remaining keys.

CloudCracker & Chapcrack

In case you need to crack DES keys from intercepted user traffic, I will provide a short step-by-step instruction.

  1. Download the Passlib library, which implements more than 30 different hashing algorithms for Python, unpack and install it:
       python setup.py install
  2. Install python-m2crypto, an OpenSSL wrapper for Python:
       sudo apt-get install python-m2crypto
  3. Download the chapcrack utility itself, unpack and install it:
       python setup.py install
  4. Chapcrack is installed, and you can start parsing the intercepted traffic. The utility accepts a cap file as input, searches it for MS-CHAPv2 handshakes and extracts the information needed for cracking:
       chapcrack parse -i tests/pptp
  5. From the data output by chapcrack, copy the value of the CloudCracker Submission line and save it to a file (for example, output.txt).
  6. Go to cloudcracker.com, in the "Start Cracking" panel select File Type "MS-CHAPv2 (PPTP/WPA-E)", select the output.txt file prepared in the previous step, click Next -> Next and enter the e-mail address to which a message will be sent when the cracking is complete.

Unfortunately, CloudCracker is a paid service. Fortunately, you won't have to pay that much to hack the keys - only 20 bucks.

What to do?

Although Microsoft writes on its website that it currently has no information about active attacks using chapcrack or about the consequences of such attacks on user systems, this does not mean that everything is in order. Moxie recommends that all users and providers of PPTP VPN solutions begin migrating to another VPN protocol, and that PPTP traffic be considered unencrypted. As you can see, this is another situation where a VPN can seriously let us down.

Conclusion

It so happens that VPN is associated with anonymity and security. People resort to using a VPN when they want to hide their traffic from the watchful eyes of their provider, replace their real geographical location, and so on. In fact, it turns out that traffic can “leak” into the network in the clear, and if not in the clear, then the encrypted traffic can be decrypted quite quickly. All this once again reminds us that we cannot blindly rely on loud promises of complete security and anonymity. As they say, trust, but verify. So be on your guard and make sure your VPN connection is truly secure and anonymous.

Today, more and more restrictions are appearing on the Internet around the world. Governments are concerned about the use of OpenVPN, and users have to bypass these blocks and find ways to keep connecting to services as usual. The Great Firewall of China, for example, blocks some VPN networks both inside and outside China.

Of course, it is impossible to see the data passing through VPN tunnels. However, sophisticated firewalls effectively use DPI techniques to decrypt packets, even those encrypted using SSL encryption.

There are various solutions to the problem, but most of them involve changing the settings of the server itself. In this article we look at the methods available to you. If you want to hide VPN signals and you do not have port 443 forwarding, you will need to contact your VPN provider and see if they are willing to provide any of the solutions below.

Forwarding via TCP port 443

This is one of the simplest ways. You do not need a complex server setup to forward VPN traffic to port 443.

Remember that by default a VPN uses TCP port 80. Typically, firewalls inspect port 80 and do not allow encrypted traffic through it. HTTPS by default sends data through port 443. This port is also used by web giants such as Twitter, Gmail, banks and other resources.

OpenVPN uses SSL encryption, just like HTTPS, and is quite difficult to detect when using port 443. Blocking it will prevent Internet use, so it is not suitable for Internet censors.

Forwarding is supported by almost any VPN client, so you can easily switch to port 443. If your VPN provider does not offer this feature in the client, you need to contact them immediately.

Unfortunately, OpenVPN does not use standard SSL, so if deep packet inspection is used, as is the case in China, the encrypted traffic may be detected. In this case, you will need additional means of protection.

Obfsproxy

The server obfuscates the data, masking the protocol and preventing OpenVPN from being detected. This strategy is used by Tor to bypass blocks in China. The same obfuscation is available for OpenVPN.

Obfsproxy must be installed on both the client computer and the VPN server. Of course, this is not as secure as tunneling methods, since obfsproxy itself does not encrypt the traffic, but the channel is not overloaded either. This is great for users in countries like Syria or Ethiopia where Internet access is a problem. Obfsproxy is quite easy to install and set up, which is a definite advantage.

SSL tunneling for OpenVPN

Secure Sockets Layer (SSL) can be used as an effective wrapper for OpenVPN. Many proxy servers use it to secure the connection. In addition, this approach completely hides the use of a VPN. Although OpenVPN is based on TLS/SSL encryption, its protocol is quite different from standard SSL channels and is not difficult to detect using packet inspection. To avoid this, you can add an additional layer of encryption, since DPI does not recognize independent layers of SSL channels.

Conclusion

Of course, without deep analysis, OpenVPN is no different from standard SSL traffic. Security can be increased by forwarding via port 443. However, in countries such as China or Iran, this will not be enough. Governments in these countries have developed complex measures to monitor Internet traffic. Be sure to take these factors into account to avoid unnecessary troubles.

It is clear to everyone that your provider is aware of all your movements on the Internet; there are often stories about company employees monitoring customer traffic. How does this happen, can it be avoided?

How are you being watched?

Providers in the Russian Federation are required to analyze user traffic for compliance with Russian legislation. In particular, clause 1.1 of Federal Law No. 126-FZ of 07.07.2003 (as amended on 05.12.2017) "On Communications" states:

Telecom operators are required to provide authorized government bodies carrying out operational investigative activities or ensuring the security of the Russian Federation with information about users of communication services and about the communication services provided to them, as well as other information necessary to perform the tasks assigned to these bodies, in cases established by federal laws.

The provider itself, of course, does not store the traffic. However, it does process and classify it. The results are recorded in log files.

Analysis of basic information is carried out automatically. Typically, the traffic of a selected user is mirrored to SORM servers (System for Operative Investigative Activities), which are controlled by the Ministry of Internal Affairs, the FSB and so on, and the analysis is carried out there.

An integral part of modern SORM-2 systems is a cyclic data storage buffer. It must store the traffic passing through the provider for the last 12 hours. SORM-3 has been implemented since 2014. Its main difference is additional storage, which must hold a three-year archive of all billing and all connection logs.

How to read traffic using DPI

Example diagram from VAS Expert

DPI (Deep Packet Inspection) can be used as part of SORM or separately. These are systems (usually hardware and software complexes, that is, hardware with special software) that operate at all levels of the OSI network model except the first (physical, bit) level.

In the simplest case, providers use DPI to control access to resources (in particular, to pages of sites from Roskomnadzor's "black" list under Federal Law No. 139 on amendments to the law "On the protection of children from information harmful to their health and development", or to torrents). But, generally speaking, the solution can also be used to read your traffic.

Opponents of DPI say the right to privacy is enshrined in the Constitution, and that the technology violates net neutrality. But this does not prevent the technology from being used in practice.

DPI easily parses content that is transferred via unencrypted HTTP and FTP protocols.

Some systems also use heuristics - indirect signs that help identify a service. These are, for example, temporal and numerical characteristics of traffic, as well as special byte sequences.

It is more difficult with HTTPS. However, in the TLS layer, starting with version 1.1, which is widely used today for encryption in HTTPS, the domain name of the site is transmitted in clear text. This way, the provider can find out which domain you visited. But what you did there, it will not know without the private key.
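What the provider can read from an HTTPS connection without any key, as an added example (not from the article): a Go parser that pulls the host name out of the server_name extension of a TLS ClientHello, plus a builder that constructs a minimal ClientHello for the page's pogoda.tut.by example so the parser has input. The handshake bytes are constructed, not captured.

```go
package main

import (
	"errors"
	"fmt"
)

// cursor is a bounds-checked reader over a byte slice; once a read runs past
// the end, ok stays false so a truncated or hostile record cannot panic us.
type cursor struct {
	b  []byte
	ok bool
}

func (c *cursor) take(n int) []byte {
	if !c.ok || n < 0 || len(c.b) < n {
		c.ok = false
		return nil
	}
	v := c.b[:n]
	c.b = c.b[n:]
	return v
}

// uint reads an n-byte big-endian integer (0 once the cursor has failed).
func (c *cursor) uint(n int) int {
	v, out := c.take(n), 0
	for _, b := range v {
		out = out<<8 | int(b)
	}
	return out
}

// parseSNI walks a TLS record carrying a ClientHello (RFC 5246 7.4.1.2) to the
// server_name extension (RFC 6066 section 3) and returns the host name, which
// is sent in the clear before any key exchange has taken place.
func parseSNI(rec []byte) (string, error) {
	c := &cursor{b: rec, ok: true}
	hdr := c.take(5) // content type, record version, length
	if !c.ok || hdr[0] != 0x16 {
		return "", errors.New("not a TLS handshake record")
	}
	hs := c.take(4) // handshake type + 24-bit length
	if !c.ok || hs[0] != 1 {
		return "", errors.New("not a ClientHello")
	}
	c.take(2 + 32)    // client_version, random
	c.take(c.uint(1)) // session_id
	c.take(c.uint(2)) // cipher_suites
	c.take(c.uint(1)) // compression_methods
	exts := &cursor{b: c.take(c.uint(2)), ok: true}
	if !c.ok {
		return "", errors.New("truncated ClientHello")
	}
	for len(exts.b) >= 4 {
		typ := exts.uint(2)
		data := &cursor{b: exts.take(exts.uint(2)), ok: true}
		if !exts.ok {
			return "", errors.New("truncated extension")
		}
		if typ != 0 { // extension type 0 = server_name
			continue
		}
		data.uint(2) // server_name_list length
		if data.uint(1) != 0 {
			return "", errors.New("unexpected name type")
		}
		name := data.take(data.uint(2))
		if !data.ok {
			return "", errors.New("truncated server_name")
		}
		return string(name), nil
	}
	return "", errors.New("no server_name extension")
}

func be16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// buildClientHello constructs a minimal TLS 1.2 ClientHello: zero random, one
// cipher suite, and only the server_name extension.
func buildClientHello(host string) []byte {
	name := []byte(host)
	entry := append(append([]byte{0}, be16(len(name))...), name...) // host_name entry
	list := append(be16(len(entry)), entry...)
	ext := append(append(be16(0), be16(len(list))...), list...)
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...) // version, random
	body = append(body, 0, 0, 2, 0xC0, 0x2F, 1, 0)         // no session id, 1 suite, null compression
	body = append(append(body, be16(len(ext))...), ext...)
	hs := append([]byte{1, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append(append([]byte{0x16, 0x03, 0x01}, be16(len(hs))...), hs...)
}

func main() {
	host, err := parseSNI(buildClientHello("pogoda.tut.by"))
	fmt.Println("SNI visible to the provider:", host, err)
}
```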

In any case, providers do not check everyone

It's too expensive. But theoretically they can monitor someone’s traffic upon request.

What the system (or Comrade Major) has noted is usually examined manually. But most often the provider (especially if it is a small provider) does not have any SORM. Everything is searched and found by ordinary employees in a database with logs.

How torrents are tracked

The torrent client and tracker usually exchange data via the HTTP protocol. This is an open protocol, so everything said above applies: viewing user traffic with a MITM attack, analysis, decryption, and blocking with DPI. The provider can learn a lot: when the download started or ended, when seeding started, and how much traffic was uploaded.

Seeders are harder to find. Most often, in such cases, specialists themselves join the swarm as peers. Knowing the seeder's IP address, such a peer can send the provider a notification with the name of the torrent, its address, the time seeding started, the seeder's IP address, and so on.
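As an added illustration (not from the original article), here is a small Python parser for a plaintext HTTP tracker announce of the kind described above. The request, the tracker host, the info_hash and the peer_id are constructed placeholders; the parser recovers exactly the fields a passive observer can read: which torrent, whether the download just started or completed, and how much has been uploaded.

```python
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed sample of a BitTorrent HTTP tracker announce; the info_hash,
# peer_id and tracker host are made-up placeholders, not real values.
SAMPLE_ANNOUNCE = (
    b"GET /announce?info_hash=%00%11%22%33%44%55%66%77%88%99%aa%bb%cc%dd%ee%ff%01%02%03%04"
    b"&peer_id=-XX0000-placeholder1&port=51413&uploaded=734003200&downloaded=0"
    b"&left=0&event=completed HTTP/1.1\r\n"
    b"Host: tracker.example.net\r\n"
    b"User-Agent: demo-client/1.0\r\n\r\n"
)

def parse_announce(raw: bytes):
    """Fields a passive observer (ISP, DPI box) reads from a plaintext tracker
    announce. Returns None if the request is not a GET to .../announce."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    try:
        method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return None
    parts = urlsplit(target)
    if method != "GET" or not parts.path.endswith("/announce"):
        return None
    # Split the query by hand: info_hash is 20 raw bytes, percent-encoded,
    # and a text-oriented query parser would mangle it by decoding it as UTF-8.
    q = {}
    for kv in parts.query.split("&"):
        key, _, val = kv.partition("=")
        q[key] = unquote_to_bytes(val)
    host = next((line.split(":", 1)[1].strip() for line in lines[1:]
                 if line.lower().startswith("host:")), None)
    info = {
        "tracker": host,
        "info_hash": q.get("info_hash", b"").hex(),
        "peer_id": q.get("peer_id", b"").decode("ascii", "replace"),
        "event": q.get("event", b"").decode("ascii", "replace") or None,
        "uploaded": int(q.get("uploaded", b"0")),
        "downloaded": int(q.get("downloaded", b"0")),
        "left": int(q.get("left", b"0")),
    }
    # left == 0 means the client already has the whole torrent, i.e. it is seeding
    info["status"] = "seeding" if info["left"] == 0 else "downloading"
    return info

if __name__ == "__main__":
    for key, value in parse_announce(SAMPLE_ANNOUNCE).items():
        print(f"{key:>10}: {value}")
```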

In Russia it is safe for now - all laws limit the capabilities of the administration of trackers and other distributors of pirated content, but not ordinary users. However, in some European countries, using torrents is fraught with heavy fines. So if you're traveling abroad, don't get caught.

What happens when you visit the site

The provider sees the URL that you opened if it analyzes the contents of the packets that you receive. This can be done, for example, using a MITM attack (“man-in-the-middle” attack).

From the contents of the packets you can get the search history, analyze the request history, even read correspondence and logins with passwords, if, of course, the site uses an unencrypted HTTP connection for authorization. Fortunately, this is becoming less and less common.

If the site works with HTTPS, then the provider sees only the server IP address and domain name, as well as the connection time to it and the volume of traffic. The rest of the data is encrypted, and without a private key it is impossible to decrypt it.

What about the MAC address

The provider sees your MAC address in any case. More precisely, the MAC address of the device that connects to its network (and this may not be a computer, but a router, for example). The fact is that authorization with many providers is performed using a login, password and MAC address.

But the MAC address on many routers can be changed manually, and on computers the MAC address of the network adapter can also be set manually. So if you do this before the first authorization (or change it later and ask for the account to be reassigned to the new MAC address), the provider will not see the true MAC address.

What happens if you have VPN enabled

If you use a VPN, the provider sees that encrypted traffic (with a high entropy coefficient) is sent to a specific IP address. In addition, it may find out that IP addresses from this range are sold for VPN services.
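Added example, not from the original article: the entropy heuristic that DPI systems use to flag VPN-style traffic (the "high entropy coefficient" mentioned above and the heuristics mentioned in the DPI section), in Python, run over constructed sample payloads: a plaintext HTTP request and a uniform byte pattern standing in for ciphertext. The 7.5 bits/byte threshold and the 90% share are assumed values.

```python
import math
from collections import Counter

# Constructed sample payloads: one plaintext HTTP request, and a uniform byte
# pattern that has the same flat byte distribution as real ciphertext.
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: demo\r\n\r\n"
CIPHERTEXT_LIKE = bytes(range(256)) * 6

def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte, from 0.0 (one repeated value) to 8.0
    (every byte value equally likely, which is what ciphertext looks like)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(payload: bytes, threshold: float = 7.5) -> bool:
    """Per-packet heuristic with an assumed threshold of 7.5 bits/byte.
    Compressed files (zip, jpeg, video) also score high, so a single packet
    is never proof; DPI combines this with timing and size patterns."""
    return shannon_entropy(payload) >= threshold

def classify_flow(payloads) -> str:
    """Label one connection by the share of high-entropy packets. A VPN tunnel
    is 'encrypted' almost from the first packet on; browsing over plain HTTP
    is 'plaintext'; anything in between is 'mixed'. Cut-offs are assumed."""
    if not payloads:
        return "empty"
    share = sum(looks_encrypted(p) for p in payloads) / len(payloads)
    if share >= 0.9:
        return "encrypted"
    if share <= 0.1:
        return "plaintext"
    return "mixed"

if __name__ == "__main__":
    for name, flow in (("plain HTTP", [HTTP_GET] * 10),
                       ("VPN tunnel", [CIPHERTEXT_LIKE] * 10)):
        print(f"{name}: {classify_flow(flow)} "
              f"(entropy of first packet {shannon_entropy(flow[0]):.2f} bits/byte)")
```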

The provider cannot automatically track where the traffic goes after the VPN service. But if the subscriber's traffic is correlated with the traffic of some server using timestamps, further tracking is possible. It just requires more complex and expensive technical solutions, and no one will build and deploy something like this without a specific reason.

It happens that the VPN suddenly “drops”: this can happen at any moment and on any operating system. After the VPN stops working, traffic automatically starts flowing in the clear, and the provider can analyze it.

It is important that even if traffic analysis shows that a lot of packets are constantly going to an IP address that could belong to a VPN, you are not breaking any law. Using a VPN is not prohibited in Russia; what is prohibited is providing such services to bypass sites on the Roskomnadzor “black list”.

What happens when you enable Tor

When you connect via Tor, the provider also sees encrypted traffic, and it will not be able to decipher what you are doing on the Internet at that moment.

Unlike a VPN, where traffic is usually routed to the same server over a long period of time, Tor automatically changes IP addresses. Accordingly, the provider can determine that you were likely using Tor based on encrypted traffic and frequent address changes, and then reflect this in the logs. But according to the law, nothing will happen to you for this either.

At the same time, someone else can use your IP address on the Tor network only if you have configured your node as an exit node (Exit Node) in the settings.

What about incognito mode?

This mode will not help hide your traffic from your ISP. It only hides, on your own computer, the traces of your having used the browser.

In incognito mode, cookies, site data and browsing history are not saved. However, your actions are still visible to the provider, the system administrator and the websites you visit.

But there is good news

The provider knows a lot, if not everything, about you. However, the budget of small companies does not allow them to buy DPI equipment, install SORM, or set up an effective monitoring system.

If you perform legal actions on the Internet openly, and for actions that require confidentiality, use VPN, Tor or other means of ensuring anonymity, the likelihood of being targeted by your ISP and intelligence services is minimal. But only 100% legal actions provide a 100% guarantee.

Today we will talk about what data the provider stores about the user, and in general about what it can and cannot know. For example, can it see what sites you visit? And why does the provider monitor users at all?

In general, things with providers are not so simple: they are required by law to monitor user traffic. Whether users are breaking the law and what exactly they are doing there, of course, nobody looks at; but basic data is recorded, and nobody checks it without a reason (that is, it is all recorded automatically).

  • If a user opens a certain website, is this visible to the provider? Yes; in most cases the domain name is visible, rarely just the IP address. The time you visited the site is also recorded. Website content is also visible.
  • What if I access the site using a secure https protocol? Then the provider sees only the name of the site or its IP address and that’s it, he doesn’t see the content, since https is a secure connection with encryption, which is why it is recommended to use it.
  • How can the provider detect that I downloaded a movie or program via torrent? The torrent client communicates with the torrent tracker via the HTTP protocol, so the provider can see everything that you downloaded (simply by analyzing the page from which the .torrent file was downloaded) and when (started/finished). Connecting via HTTPS is also possible, but for some reason even the largest torrent tracker in the CIS does not support it; why is a mystery.
  • Does the provider save everything I download? No, it’s simply physically impossible, there wouldn’t be enough hard drives. Traffic is processed on the fly, sorted and statistics are kept, which is what has been stored for years.
  • Can the provider find out that I downloaded a .torrent file? Yes, maybe this is exactly what they are trying to monitor - the interaction between the torrent client and the server; they cannot analyze traffic within the torrent network, because it is very, very expensive.
  • And if I use a VPN, the provider doesn’t see anything? With a VPN the provider does indeed see only gibberish, that is, encrypted data, and will not analyze it, much less decrypt it, because that is practically impossible. But from the server’s IP address it can find out that this is a VPN service used specifically to encrypt traffic. This suggests that the user has something to hide; draw your own conclusions.
  • If I use OpenVPN, then all programs will work through it, including Windows update? In theory, yes, and in general it should be so. But in practice it all depends on the settings.
  • Can my provider find out the real IP address of a certain site if I access it via VPN? Actually, no, but there is another point. If suddenly the VPN stops working, or if there is some kind of error, then Windows will simply start working as usual, that is, without using a VPN - just directly. To fix this, firstly, you need to configure OpenVPN itself, and secondly, use an additional firewall (I recommend Outpost Firewall), in which you can create global traffic rules.
  • That is, if the VPN glitches, the provider will see what site I’m on? Unfortunately, yes, everything will be recorded automatically.
  • Can TOR provide anonymity? It can, but it is advisable to configure it a little: use IP addresses for all countries except the CIS, and have the addresses change more often, for example every three minutes. Also, for better effect, I advise you to use relays (bridges).
  • What does the provider see when I receive packets from constantly changing IP addresses? Providers have a system for detecting TOR use, but I’m not sure whether this system works with bridges. The fact of using TOR is also recorded and also tells the provider that this user may be hiding something.
  • Does the ISP see the site address via Tor or VPN? No, only the VPN IP address or Tor exit node.
  • Is the full name of the address visible to the provider when using the HTTPS protocol? No, you can only see the domain address (that is, only site.com), connection time and transferred volume. But this data is not particularly useful for the provider in terms of information. If you use HTTP, then you can see everything that is transmitted - both the full address and everything that you wrote/sent in a message by mail, for example, but again, this does not apply to Gmail - the traffic there is encrypted.
  • That is, if I use encryption of the connection, then I can already be on the list of suspects? No, not really. On the one hand, yes, but on the other hand, data encryption or even global encryption of the entire network can be used not only by some hackers or users, but also simple organizations who are concerned about the secure transmission of data, which is logical, especially in the banking industry.
  • Does the provider see that I2P is being used? It does, but so far this type of network is not as familiar to providers as, for example, Tor, which due to its popularity attracts more and more attention from intelligence agencies. The provider sees I2P traffic as encrypted connections to many different IP addresses, which indicates that the client is working with a P2P network.
  • How do I know if I am under SORM? This abbreviation stands for “System of technical capabilities for operational-search activities.” And if you are connected to the Internet in the Russian Federation, then you are already under surveillance by default. Moreover, this system is completely official and traffic must pass through it, otherwise Internet providers and telecom operators will simply have their license revoked.
  • How to see all the traffic on your computer the way providers see it? A traffic sniffing utility will help you with this; the best of its kind is the Wireshark analyzer.
  • Is it possible to somehow tell that you are being watched? Today, almost never; sometimes, perhaps, with an active attack such as MitM (man in the middle). If passive surveillance is used, it is technically impossible to detect.
  • But what to do then, is it possible to somehow make surveillance more difficult? You can divide your Internet connection into two parts. Use social networks, dating sites, entertainment sites and movies over a regular connection, and use the encrypted connection separately and in parallel, for example from a virtual machine set up for this purpose. This way you will have a more or less natural-looking environment, since many sites already encrypt traffic (Google in its services, as do other large companies), while almost all entertainment sites do NOT encrypt traffic. That is, it is normal for a user to have both open and encrypted traffic. It is another matter when the provider sees that a user’s traffic is encrypted only; questions may arise here, of course.

Hope you found some useful answers