Sunday, 15 May 2016

Paranoid Ramblings One : ISP Monitoring

Working in Information Security opens your eyes to some of the questionable activities that are undertaken by a range of threat actors. The most difficult thing is to not become a nervous wreck as a result.

This is the first in a (probably) ongoing series of thought experiments to rationalise some of these threats and what they mean for me, and maybe also for you.

To understand the techniques that malicious entities might try to use against me, my employer, or people that I know, I inevitably like to try these things out for myself sometimes. This includes playing with tools such as nmap, zmap, nping, recon-ng, the social engineering toolkit, metasploit, Mana, Karma, BDFProxy, WiFite, Tor, SQLMap, etc. etc. etc. the list is simply too long. Most recently, thanks to my MSc final year project, I have been increasingly experimenting with Tor, scapy, and MITMProxy.

All of this toying and experimenting has never resulted in a complaint, although it has always occurred to me that my ISP might find some of the traffic emanating from my location increasingly questionable. I have read stories online of people's internet being disconnected due to using nmap too aggressively, for example, and so the possibility that this could happen to me has always been at the back of my mind. I do make use of Tor and various VPN's when testing out certain tools, but I have never made an all-encompassing effort to go completely "dark".

Two weeks ago, my internet connection slowed right down. It's never been that amazing, typically achieving between 8-14Mbps down and 2Mbps up. Around 2 weeks ago it slowed down to around 3Mbps down. I didn't have the time or energy to take this up with my ISP. Around a week ago, my download speed dropped again to around 1Mbps. Today I thought enough was enough so I called them. They were incredibly helpful and ran a number of line tests, and stated that they had found a fault on the line, which would require an engineer to visit somewhere (not my house) later in the week to correct the problem.

Immediately, my line speed increased to 3Mbps.

So, with my tin-foil hat lying somewhere else in the house, my paranoia metre begins to register some activity.

I suppose it is possible that my IP address has been flagged as sending suspicious packets for a long enough time now that I have ended up on some kind of "high risk" list. And perhaps the ISP process is to, rather than just disconnect their users, throttle their connection until the customer gets in touch to report a problem, thus getting confirmation that they have the correct customer. Maybe they occasionally take the step of sending an engineer to physically separate the high risk users from the main customer base to make their monitoring easier and reduce noise from lower risk customers. Perhaps, nah, surely not... perhaps they alert suspicious activity to higher authorities so that they can have their agents patch high risk users through to other monitoring systems for closer inspection, with minimal noise.

Perhaps it was just a fault on the line.

This certainly isn't the only thing that I wonder about. Trying to guess what other people's intentions are (mostly at work) takes up an increasing amount of my thought time these days, which can be exhausting. I wonder, do all Information Security professionals have this same level of paranoia?

In any case, I have spent enough time pondering this now. Any excuse for a distraction from wrestling with shadow-tor, python, graphml generation, and pcap inspection! I'm sure I have enough evidence that I'm a researcher and not a criminal in case I ever get a knock on the door.

Back to work!

No comments:

Post a Comment