Adversary Resistant Networking

Much like our thinking regarding Adversary Resistant Computing, we have some ideas on dealing with opponents who exhibit enough situational awareness to spot a visitor originating in a certain place, and then devise some way to cause trouble for them.

First, what hunts you?

Our taxonomy of threats from the ARC article is a bit much here. Any foe you might encounter will fall somewhere on this spectrum:

  • Simple detection via web site logging or documents seeded with some means of ‘phoning home’. Threats are doxing, civil discovery, or maybe an attempt to involve law enforcement.
  • Detection and fingerprinting for browser, OS, and the like. Threats as above, adding perhaps browser hijacking or a spearphishing attempt.
  • Detection, fingerprinting, temporal analysis, and other corporate defense tactics. Threats as above, adding much more likely civil or criminal trouble.
  • Competent nation state or Five Eyes, curious and tracking large classes of anomalous behavior, watching (and interfering) in ways you cannot quite imagine. Threats scale up with their perceived value of what interests you.

Second, what role does your organization play?

If you are noticed, what does your presence convey to the entity that has detected you? Are they about to get some negative press? A lawsuit? A raid by authorities? Are you a vanguard for a sanctioned intrusion or some sort of subversion of their systems? They will be doing a threat assessment on you, just as you should be doing on them.

Third, how much are you willing to give up?

You cannot interact with a remote system without leaving some sort of trace. There are a variety of ways to hide, from the Tor anonymizing network, to various VPNs, to physical travel away from your normal haunts. And if you have a budget, there is a realm beyond this one.

Some Real World™ scenarios:

The Tor network provides a multi-hop routing architecture, hundreds of global exits to the clearnet, and a private darknet of websites with onion addresses. Entry level opponents will be baffled by this, wary ones will simply use the Tor exit nodes list to block access, and nation states are in a position to attempt traffic correlation and other mischief.

There are many VPN providers out there. If they require you to use a binary bundle, you should turn and run. Free services that accept OpenVPN connections are profiling you, injecting ads, and likely trying to hijack your system. We trust ProtonVPN to not be doing this, and for certain other activities the very feral Cryptostorm is a good choice. The problem with each is that their exits are discoverable by anyone willing to spend $5 to $125 to explore, and once your pattern is recognized,

Tor will happily engage its network after exiting a VPN node. Some VPN providers, like Cryptostorm, offer free low speed services, and they will accept TCP connections that arrive from the Tor network. The first is good discipline if you might be facing one of those nation state opponents, the latter is a technique used to circumvent Tor access bans while still enjoying its protection.

The real hazards here are forgetting a required step, say turning on a VPN, or having a failure that in some way exposes your location. We are big fans of “fail closed networking” – if something isn’t right with your connection, it should behave in such a way that you must repair it before resuming your work.

There are tools that purport to do this for desktop operating systems; we find all of them to be less than comforting. Linux can be made to behave in this fashion, and Linux-based firewalls can enforce such discipline for your entire network, including those devices which otherwise have no hope of operating safely.
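
One way to express fail closed networking on a Linux gateway, as an added example that is not from the original article: a script that prints an `iptables-restore` ruleset in which the only permitted path off the box is the VPN tunnel. The interface names (`eth0`, `eth1`, `tun0`), the endpoint `203.0.113.10` and port 1194 are assumptions, and the WAN address is assumed to be static.

```shell
#!/bin/sh
# Added example (not from the original article): print a fail-closed ruleset for a
# Linux VPN gateway. All interface names, addresses and ports are assumptions.

# failclosed_v4 WAN_IF LAN_IF TUN_IF VPN_IP PROTO PORT
failclosed_v4() {
    wan=$1; lan=$2; tun=$3; vpn_ip=$4; proto=$5; port=$6
    # Require a dotted-quad endpoint: a hostname would need DNS outside the tunnel.
    printf '%s\n' "$vpn_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    case $proto in udp|tcp) ;; *) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    cat <<EOF
*filter
# Default-drop everything, so a dead tunnel means no connectivity at all.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only traffic allowed out of the WAN interface is the tunnel itself.
-A OUTPUT -o $wan -d $vpn_ip -p $proto --dport $port -j ACCEPT
-A OUTPUT -o $tun -j ACCEPT
# LAN devices may only be forwarded into the tunnel, never to the WAN.
-A FORWARD -i $lan -o $tun -j ACCEPT
-A FORWARD -i $tun -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $tun -j MASQUERADE
COMMIT
EOF
}

# IPv6 is dropped outright so it cannot bypass the IPv4-only tunnel rules.
failclosed_v6() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Constructed sample values; 203.0.113.10 is a documentation address.
failclosed_v4 eth0 eth1 tun0 203.0.113.10 udp 1194
```

Review the output before loading it with `iptables-restore`, and load the `failclosed_v6` output with `ip6tables-restore`. Forwarding for LAN devices also requires `net.ipv4.ip_forward=1`.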