What does your ISP know about you?
Stories about ISP employees who monitor customer traffic out of boredom or for profit are easy to find online. But is that really so? Let's work out what the provider actually knows about you.
How Big Brother watches you
ISPs in Russia are required to analyze user traffic for compliance with Russian legislation. In particular, paragraph 1.1 of Federal Law No. 126-FZ of 07.07.2003 (as amended on 05.12.2017) “On Communications” states:
Operators are required to provide the authorized state bodies engaged in investigative activities or in ensuring the security of the Russian Federation with information about users of communication services and about the communication services rendered to them, as well as other information required for these bodies to carry out their tasks, in the cases established by Federal laws.
The provider does not, of course, store the traffic itself. However, it does process and classify it. The results are recorded in log files.
Analysis of the basic information is automatic. Usually the selected user's traffic is mirrored to SORM servers (means of operational-investigative measures), which are controlled by the Interior Ministry, the FSB, etc., and the analysis is done there.
An integral part of the modern SORM-2 system is a circular data-storage buffer. It must hold the traffic passing through the provider for the last 12 hours. SORM-3 has been introduced since 2014. Its main difference is additional storage that holds a three-year archive of all billing records and all connection logs.
How traffic is read with DPI
[Figure: a sample diagram from VAS Expert]
DPI (Deep Packet Inspection) can be used as part of SORM or separately. These are systems (usually hardware-software complexes: hardware with special software) that operate at all levels of the OSI network model except the first (physical, bit) level.
In the simplest case, ISPs use DPI to control access to resources (in particular, to pages on the Roskomnadzor blacklist under Federal Law No. 139 amending the law “On the protection of children from information harmful to their health and development”, or to torrents). But generally speaking, the same solution can also be used to read your traffic.
Opponents of DPI argue that the right to privacy of correspondence is enshrined in the Constitution, and that the technology also violates network neutrality. But this does not prevent the technology from being used in practice.
DPI has no trouble examining content that is transmitted over unencrypted protocols such as HTTP and FTP.
Some systems also use heuristics: indirect signs that help identify a service. These are, for example, the timing and numerical characteristics of the traffic, as well as special byte sequences.
HTTPS is more complicated. However, in TLS, starting with version 1.1, which is now often used for encryption in HTTPS, the domain name of the website is transmitted in the clear. Thus, the provider will be able to learn which domain you visited. But what you did there, it can never find out without the private key.
In any case, providers do not check everyone
It’s too expensive. But in theory they can monitor someone’s traffic on request.
What the system (or the major) has flagged is usually examined manually. But most often the provider (especially a small one) has no SORM at all. Everything is looked up by ordinary employees in a database of logs.
How torrents are tracked
A torrent client and the tracker typically communicate via HTTP. It is an open protocol, so see above: viewing user traffic through a MITM attack, analysis, decryption, blocking with DPI. The provider can examine a lot of data: when a download started or completed, when seeding started, and how much traffic was distributed.
Seeders are harder to find. Most often in such cases the specialists themselves become peers. Knowing the seeder's IP address, a peer can send the provider a notification with the name of the torrent, its address, the time seeding started, the seeder's IP address itself, etc.
In Russia this is safe for now: all the laws restrict the administrators of trackers and other distributors of pirated content, but not ordinary users. However, in some European countries the use of torrents is fraught with heavy fines. So if you are traveling abroad, don't get caught.
What happens when you visit a site
The provider sees the URL you have opened if it analyzes the contents of the packets that reach you. This can be done, for example, with a MITM (“man-in-the-middle”) attack.
From the contents of the packets, it is possible to obtain your search history, analyze your query history, and even read correspondence and logins with passwords. That is, of course, if the site uses an unencrypted HTTP connection for authorization. Fortunately, this is increasingly rare.
If the website works over HTTPS, the ISP sees only the server's IP address and domain name, the time of the connection and the volume of traffic. The rest of the data is encrypted, and it is impossible to decrypt it without the private key.
What about MAC addresses
The ISP sees your MAC address in any case. More precisely, it sees the MAC address of the device that connects to its network (and that may be not a computer but, for example, a router). The point is that many providers authorize by login, password and MAC address.
But on many routers the MAC address can be changed manually. The MAC address of a computer's network adapter can be set manually too. So if you do this before the first authorization (or change it later and ask to have the account rebound to the new MAC address), the ISP will not see the true MAC address.
What happens if you have a VPN enabled
If you use a VPN, the ISP sees that encrypted traffic (with high entropy) is being sent to a specific IP address. In addition, it can find out that IP addresses from this range are sold to VPN services.
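The “special byte sequences” heuristic from the DPI section and the high-entropy observation above can be shown together. The Python code below is an added example, not part of the original article and not any vendor's classifier: it labels a payload by byte signature first and falls back to Shannon entropy. The threshold, the labels and all sample payloads are assumptions constructed for the illustration.

```python
import hashlib
import math
from collections import Counter

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
BT_HANDSHAKE = b"\x13BitTorrent protocol"  # start of a BitTorrent peer handshake

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def classify(payload: bytes, threshold: float = 7.2) -> str:
    """Label a payload by byte signature first, then by entropy.
    The 7.2 bits/byte threshold and 256-byte minimum are assumptions of this example."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls-handshake"
    if len(payload) >= 256 and shannon_entropy(payload) >= threshold:
        return "opaque-high-entropy"  # what an encrypted tunnel looks like on the wire
    return "unknown"

def constructed_opaque(n: int = 1024) -> bytes:
    """Constructed stand-in for ciphertext: deterministic SHA-256 counter stream."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return (b"\xf3" + b"".join(blocks))[:n]  # fixed first byte: matches no signature

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "tracker announce": b"GET /announce?info_hash=%12%34&port=6881&event=started HTTP/1.1\r\n",
    "peer handshake": BT_HANDSHAKE + bytes(8) + bytes(40),
    "tls client hello": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
    "tunnel packet": constructed_opaque(),
    "padding": b"A" * 512,
}

def classify_samples() -> dict:
    return {name: classify(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:18} -> {label}")
```

The entropy label says only that the bytes look random; it is the destination address range, as described above, that ties such traffic to a VPN service.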
Where the traffic goes after the VPN service, the provider cannot track automatically. But if the subscriber's traffic is compared with the traffic of some server by timestamps, further tracing is possible. It just requires more complex and expensive technical solutions. Nobody is going to develop and use such a thing out of boredom.
It happens that a VPN suddenly “drops”: this can happen at any time and in any operating system. After the VPN stops working, traffic automatically starts going in the clear, and the provider can analyze it.
Importantly, even if traffic analysis shows that too many packets are constantly going to an IP address that could potentially belong to a VPN, you are not breaking anything. Using a VPN in Russia is not forbidden; what is forbidden is providing such services to bypass the blocking of sites on the Roskomnadzor “blacklist”.
What happens when you turn on Tor
When you connect through Tor, the ISP also sees encrypted traffic. And it cannot decipher what you are doing online at the moment.
Unlike a VPN, where traffic is usually routed to the same server for a long period of time, Tor automatically changes IP addresses. Accordingly, the provider may determine from the encrypted traffic and the frequent changes of address that you were probably using Tor, and then record this in the logs. But by law nothing will happen to you for this either.
At the same time, someone else can use your IP address in the Tor network only if you have configured an Exit Node in the settings.
What about “incognito” mode
This mode will not help hide your traffic from your ISP. It is needed to make it look as if you did not use the browser.
In “incognito” mode, cookies, website data and browsing history are not saved. However, your actions are visible to the provider, the system administrator and the websites you visit.
But there is good news
The provider knows a lot about you, if not everything. However, the budgets of smaller companies do not allow them to buy DPI equipment, install SORM or set up an effective monitoring system.
If you carry out legal activities on the Internet openly, and for activities that require privacy use a VPN, Tor or other means of anonymity, the chance of being “taken note of” by the provider and the special services is minimal.
But a 100% guarantee is given only by 100% legal actions!
All information provided is for informational purposes only and does not call on you to take actions that violate the law!
ORIGINAL PAGE – https://vk.com/@rucorenet-chto-vash-internet-provaider-znaet-pro-vas