i2pir's Issues

Build A Framework

https://www.sans.org/media/score/504-incident-response-cycle.pdf

PICERL

Preparation - have a framework, response plan ready
Identification - find where, how, and why I2P is blocked
Containment - what measures can I2P take to stop this
Eradication - how can I2P take these measures and stop them
Recovery - verify you are / aren't blocked or restricted, inform users
Lessons Learned - self-explanatory

Wikipedia

It was reported that an I2P user was blocked from editing a wiki on Wikipedia.
The user reported that they were not using any outproxy - they were simply running an I2P router.
https://www.reddit.com/r/i2p/comments/tc3bhs/is_anybody_else_blocked_from_wikipediawikimedia/

In the future it will be helpful to users and to community stewards to be able to proceed through a process that helps the project understand more about why and how its users may be blocked or be restricted from performing certain actions.
It is important to frame the incident correctly. If we use the above as an example, the user is not blocked from Wikipedia; they are restricted from editing.

Where possible we should move this to an issue where we can proceed with a discovery process.
That process would include finding out other information about what the user is running on their local network. It would also include finding out their router / network status.
We can also investigate the environment and processes used that have flagged a user for restricted access or blocking.

The team can then attempt to reproduce the result and test other variables (for instance, a firewalled or non-firewalled router).

We can then take the results from the issue, discovery process and testing, and present them where there is an appeal process.

Detecting and Blocking I2P / P2P Traffic

Protocol analysis. Source, dest, port, what the handshake looks like. Some will probe the points to see what is responding if you do a proxy or TLS connection to a port. Some use metadata analysis too.

How to Block I2P traffic using App Control Advanced
https://www.sonicwall.com/support/knowledge-base/how-to-block-i2p-traffic-using-app-control-advanced/170505344249270/

Identify P2P Traffic by Inspecting Data Transfer Behaviour
https://home.ie.cuhk.edu.hk/~dmchiu/mjye.pdf

A Survey On Routing in Anonymous Communication
A_Survey_on_Routing_in_Anonymous_Communication_Pro.pdf

I2P Usage Characterization
I2Ps_Usage_Characterization.pdf

A Dive into the Dark Web: Hierarchical Traffic Classification of Anonymity Tools
TNSE_final.pdf

How to block I2P and Freenet to my network?
https://security.stackexchange.com/questions/119011/how-to-block-i2p-and-freenet-to-my-network

Detecting SSH tunnels
https://www.trisul.org/blog/detecting-ssh-tunnels/

Discovery Process

In one reported case, a user indicated that they had I2P running and that they could not edit a Wikipedia article. It is not clear if they may have had other applications running as well.

When we are approached with a report of blocking / restricted access by the I2P community, we need to learn more about the environment of the user.

If a person is using I2P, they may be using other privacy-enhancing / obfuscating tools. We know that VPNs and Tor traffic are many times detected and blocked. Although I2P does have outproxy ability, accessing the clearnet is not its intended purpose.

  • Are you using an I2P outproxy?
  • Are you using Tor Browser?
  • Are you using a VPN?
