Obfuscating Torrent Traffic

by Filip Kälebo (a.k.a., flipchan)

In Sweden we have a company called Spridningskollen, which represents a number of media companies.  From what I understand, they run some kind of closed-source mass torrent scanner.  Anyhow, these guys are real assholes.  They collect torrent swarm data and then send out threatening letters demanding 2000 kr (around $234 U.S.) for what they see as "stolen art."  So if they see a Swedish IP downloading a torrent containing any file that the companies they represent have created or hold the copyright to, they contact the ISP for that IP, get the address of the person behind it, and send that person a letter demanding 2000 Swedish crowns.  If the person doesn't pay, Spridningskollen threatens to report them and take them to court.  This is basically DMCA-style bad guys blackmailing regular people into paying to avoid a court case.  Anyhow, I have found a way around this using my latest project, LayerProx: github.com/flipchan/LayerProx

So the problem is basically that we need to secure the torrent traffic.  I think they are connecting to torrent "swarms" and just collecting IPs, but if that were to end up in court, they would need proof from the ISP that the person had been sending BitTorrent packets at that time to make the legal case.

The way I solved this is that I wrote a SOCKS5 module for LayerProx that supports UDP, so I can proxy BitTorrent traffic.  I then bought a VPS and set it up as a Tor relay.  I have removed client IP logging from the LayerProx server, so you can't really tell whether packets leaving the server came from someone simply using Tor or from someone downloading a torrent.  So if Spridningskollen were to see the IP of my Tor relay, they couldn't trace it back to the client.  They could, of course, trace it back to me, because I have my nick on the server: atlas.torproject.org/#details/AB8EE34C5CF3B6802DD1F4021FF015A463DF4572
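To make the SOCKS5-over-UDP part concrete, here is an added example (not LayerProx's own code) of the framing a SOCKS5 client needs for BitTorrent datagrams, following RFC 1928: the UDP ASSOCIATE request on the TCP control channel, the reply that tells the client where the relay listens, and the per-datagram header that every relayed UDP packet carries.  The sample payload is a constructed DHT "ping" query, and the relay address 203.0.113.7:40000 is a made-up documentation address, not anything from the article.

```python
"""SOCKS5 UDP ASSOCIATE framing (RFC 1928) for relaying BitTorrent datagrams.

Added example, not LayerProx code. It builds the control-channel request a
client sends to ask the proxy for a UDP relay, parses the reply that tells the
client where to send datagrams, and wraps/unwraps the per-datagram header that
every relayed UDP packet carries. The sample payload is a constructed
BitTorrent DHT 'ping' query (BEP 5), not captured traffic.
"""
import ipaddress
import socket
import struct

SOCKS_VERSION = 0x05
CMD_UDP_ASSOCIATE = 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def _encode_address(host: str) -> bytes:
    """Encode DST.ADDR as ATYP + address bytes (IPv4, IPv6 or domain name)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("domain name too long for SOCKS5")
        return bytes([ATYP_DOMAIN, len(raw)]) + raw
    if ip.version == 4:
        return bytes([ATYP_IPV4]) + ip.packed
    return bytes([ATYP_IPV6]) + ip.packed


def _decode_address(buf: bytes, offset: int):
    """Decode ATYP + address starting at offset; return (host, new_offset)."""
    atyp = buf[offset]
    if atyp == ATYP_IPV4:
        return str(ipaddress.IPv4Address(buf[offset + 1:offset + 5])), offset + 5
    if atyp == ATYP_IPV6:
        return str(ipaddress.IPv6Address(buf[offset + 1:offset + 17])), offset + 17
    if atyp == ATYP_DOMAIN:
        n = buf[offset + 1]
        return buf[offset + 2:offset + 2 + n].decode("idna"), offset + 2 + n
    raise ValueError(f"unknown ATYP {atyp:#x}")


def build_udp_associate_request(client_host: str = "0.0.0.0", client_port: int = 0) -> bytes:
    """Ask the proxy for a UDP relay. All-zero host/port means 'client address not known yet'."""
    return (bytes([SOCKS_VERSION, CMD_UDP_ASSOCIATE, 0x00])
            + _encode_address(client_host) + struct.pack("!H", client_port))


def parse_udp_associate_reply(reply: bytes):
    """Return (relay_host, relay_port): where the client must send its datagrams."""
    if len(reply) < 4 or reply[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if reply[1] != 0x00:
        raise ValueError(f"UDP ASSOCIATE refused, REP={reply[1]:#x}")
    host, off = _decode_address(reply, 3)
    (port,) = struct.unpack("!H", reply[off:off + 2])
    return host, port


def wrap_udp_datagram(dst_host: str, dst_port: int, payload: bytes) -> bytes:
    """Prepend the SOCKS5 UDP header: RSV(2) FRAG(1) ATYP DST.ADDR DST.PORT."""
    return b"\x00\x00\x00" + _encode_address(dst_host) + struct.pack("!H", dst_port) + payload


def unwrap_udp_datagram(packet: bytes):
    """Strip the UDP header from a relayed datagram; return (host, port, payload)."""
    if packet[:2] != b"\x00\x00":
        raise ValueError("bad RSV")
    if packet[2] != 0:
        raise ValueError("fragmented datagrams not supported")
    host, off = _decode_address(packet, 3)
    (port,) = struct.unpack("!H", packet[off:off + 2])
    return host, port, packet[off + 2:]


# Constructed sample: a bencoded DHT ping query (BEP 5), not captured traffic.
DHT_PING = b"d1:ad2:id20:" + b"\x11" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"

if __name__ == "__main__":
    req = build_udp_associate_request()
    # Reply a proxy would send if it opened a relay on 203.0.113.7:40000 (made-up address).
    reply = bytes([5, 0, 0, 1]) + socket.inet_aton("203.0.113.7") + struct.pack("!H", 40000)
    relay = parse_udp_associate_reply(reply)
    wrapped = wrap_udp_datagram("router.bittorrent.com", 6881, DHT_PING)
    print(req.hex(), relay, unwrap_udp_datagram(wrapped)[:2])
```

Two things to keep in mind when wiring this into a torrent client: the TCP control connection must stay open for as long as the relay is in use (the proxy tears the relay down when it closes), and a client that does not support FRAG must drop fragmented datagrams rather than try to reassemble them, which is why the unwrap above refuses anything with a non-zero FRAG byte.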

But this would probably not be enough to bring a case against someone in court, because with no IP logging there is no proof that only that person was using it.

The packets going from the LayerProx client to the LayerProx server are obfuscated to look like regular HTTP packets.

For example, I have implemented an eBay format, so it appears as if someone is just browsing products on eBay.  The packets are encrypted first and then obfuscated to look like regular HTTP browsing data.  The traffic looks completely innocent, as if a person were simply using a shopping or social media site.

Why obfuscate and encrypt torrent traffic?  If this gets big, there is a chance that ISPs will block, or at least record, all BitTorrent traffic.  And torrents are used by a lot of legitimate companies to distribute news and media of all kinds.  So the worst-case scenario is that the ISPs block all torrent traffic.

So encrypt like it's 1984!

Special thanks to: Kevin P. Dyer, 2600 swedish, and the global infosec hacking community.
