Saturday, October 19, 2013

Evading the NSA TCP/IP Traffic Analysis Program
The NSA TCP/IP traffic analysis program primarily focuses on traffic analysis of WAN ATM (Asynchronous Transfer Mode) cell header and payload data at IXPs (Internet Exchange Points) globally that employ Cisco Systems routing equipment.

Concerned persons should implement the following:

  1. If possible, ensure that your network routing equipment's ATM switched virtual connections and permanent virtual connections are disabled; AND
  2. Tunnel your TCP/IP connections over a new SSH2 session for each and every new WAN TCP/IP routed connection (for EVERY transmission to any WAN address); AND
  3. Create transmission latency for each of your new WAN SSH2-enabled TCP/IP routed connections through a modified SSH login command such as:

ssh -N -L 6000:localhost:4000 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4 
-l User 1.2.3.4 -l User 1.2.3.4 -l User 1.2.3.4

Note that the local listener is on port 6000 and the remote web host proxy is on port 4000; the username is User (if using SSH user authentication); the remote SSH server IP is 1.2.3.4; and the transmission latency is created with multiple repetitions of -l User 1.2.3.4.

More to follow on creating transmission latency when using remote port forwarding through OpenVPN.

If your server traffic is a specific collection target of the NSA/Level 3 Communications Regional Security Center (NSA/CSS Georgia) at Fort Gordon, Georgia, USA, or of one of NSA's non-US affiliates, flagging of sniffed IXP traffic for subsequent analysis can only be triggered by your server's SECOND or subsequent routing connection to one or more WAN addresses.

Perhaps surprisingly, if your server's traffic is a collection target, your users' use of the above SSH transmission latency will also increase users' upload and download speeds during SSH2 sessions.

http://jollyblog.squarespace.com/updates/2008/9/30/evading-the-nsa-tcpip-traffic-analysis-program.html