Splitter
SPLITTER is a TOR-based load-balancing approach created to make correlation, traffic-analysis and statistical attacks inside the TOR network more difficult.
DcLabs SPLITTER
=== INTRODUCTION ===
To exploit the common weakness of TOR-related de-anonymization techniques and to make traffic-analysis, correlation and statistical attacks on the TOR network more difficult [1, 2, 3, 4, 5, 6, 10, 20, 23, 28], I developed a free open-source TOR network based shell script called SPLITTER. This script configures and applies a systematic chain of free open-source solutions that work together to make TOR-related de-anonymization techniques more difficult and to ensure better performance on the TOR network. The result is a better TOR user experience and a more secure approach to TOR network connections. The SPLITTER is licensed under the BSD License and was created with an initial academic purpose.[41] The user accepts total responsibility for his acts while using this tool.
For the best effectiveness of the theoretical approach behind the SPLITTER solution, a chain of low-cost private VPS and VPN networks should be considered. The idea behind this globally distributed network infrastructure is to make more specific traffic-analysis attacks difficult and to prevent a direct association between the TOR network and the user. This network approach will be called “SPLITTER NETWORK” and comprises a few VPS machines under the control of the user, running the SPLITTER script but using a public VPN service to connect to the TOR network.
The bundle of Linux open-source tools that make up the SPLITTER tool is:
1) HAPROXY Community Edition: “HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones. Over the years it has become the de-facto standard opensource load balancer, is now shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms. Since it does not advertise itself, we only know it's used when the admins report it.” [33]
2) PRIVOXY: “Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes. It has application for both stand-alone systems and multi-user networks.”[34]
3) TOR (standalone): The TOR network client.[35]
=== DEPENDENCIES ===
- 1. tor --> version 0.3.3.6 or earlier - https://www.torproject.org/
- 2. privoxy --> version 3.0.26 or earlier - http://www.privoxy.org/
- 3. haproxy --> version 1.7.5-2 or earlier - https://www.haproxy.org/
- 4. proxychains --> version 3.1 or earlier - https://sourceforge.net/projects/proxychains/
- 5. expect --> version 5.45 or earlier - https://sourceforge.net/projects/expect/
=== SPLITTER overview ===
Each SPLITTER-related tool is applied in a systematic sequence, driving the TCP packets from the user's browser or application first to HAPROXY, then to PRIVOXY, and finally to the TOR standalone client, which provides the connection to the TOR network. After being routed through the currently active TOR circuit[8], the packet reaches its final destination. The answer to this TCP packet follows the reverse path.

The SPLITTER creates and handles many TOR network connections. In this paper, a single TOR standalone network connection is also called a “TOR INSTANCE” and comprises a single and unique execution of TOR standalone, running and administering its own TOR network circuits.[8, 16, 21, 22, 24, 25, 26, 27] The SPLITTER gives the user the opportunity to configure every single parameter related to the execution of HAPROXY, PRIVOXY, and TOR standalone. [27, 36, 37] However, the most important aspect of this tool is the geolocation approach and how it selects the countries that will be enforced to compose the TOR circuit.[8, 16, 21, 22, 24, 26, 27, 29] The user should define how many TOR instances per country and how many countries the SPLITTER can use. It’s possible, for example, to create a number “X” of instances using the same country as ENTRY NODE or EXIT NODE.
TOR instances load balance overview:

Considering a single TOR instance, by default the SPLITTER will never use the same country as TOR ENTRY NODE and TOR EXIT NODE. This rule forces the same adversary to compromise TOR nodes in different countries in order to capture and correlate the user data transmitted over the currently active and selected TOR circuit.
Default “Anti-Correlation” rules:
- Always select a random country from the list of countries that the user accepts as TOR ENTRY node or TOR EXIT node, depending on which TOR node the user decides to enforce. This means that all random TOR circuits created by this manipulated TOR instance have a great chance of having a unique geolocation-oriented combination of TOR ENTRY NODE and TOR EXIT NODE. By default, this feature can make correlation more difficult for many de-anonymization techniques, based on:
A) The absence of the adversary’s compromised TOR nodes or compromised network-related equipment in both randomly selected countries.[1, 2, 3, 4, 5, 6, 10, 20, 23, 28]
B) The deliberate disturbance created by SPLITTER in the natural global network path for packets in transit between the user machine and the destination server. [1, 2, 3, 4, 5, 6, 10, 20, 23, 28]
- Given the natural random country selection of the TOR algorithm[8], which in the SPLITTER-manipulated context composes the beginning or the end of the TOR circuit depending on which node/relay the user decides to enforce[8], there is a probability that future TOR circuits[8] created by this TOR instance will once again select the same combination of TOR ENTRY node and TOR EXIT node used by this TOR instance in the past. To reduce this risk, the SPLITTER also controls the life cycle of the TOR instance, giving the user control over how long a TOR INSTANCE can remain alive while enforced to use a specific country as ENTRY NODE or EXIT NODE.
As a result:
A) This rule affects the random geolocation[29] oriented combination of TOR ENTRY NODE and TOR EXIT NODE.
B) This rule disturbs the lifetime of TCP streams, interrupting the TCP streams associated with this TOR instance when they last longer than “X” minutes. The premature interruption of an established TCP stream can affect the ability of the adversary to transmit the pattern, depending on the de-anonymization technique. [1, 2, 3, 4, 5, 6, 10, 20, 23, 28]
The life cycle of a single TOR INSTANCE inside the SPLITTER context comprises:
1. After selecting a random new country, the SPLITTER writes the TOR configuration file based on the TOR options[27] defined by the user. By default, the first SPLITTER rule will always be respected. However, there are two exceptions to the first default rule:
A) When the user decides to work with the SPLITTER SPEED MODE described later in this paper. In this context, the first SPLITTER rule approach is modified but is still observed.
B) When the TOR option “StrictNodes” is disabled and the TOR algorithm is not able to find a route and generate a TOR circuit using the current random combination of ENTRY NODE, MIDDLE NODE, and EXIT NODE.[27] Under this circumstance, the TOR algorithm can select a TOR node from the TOR “ExcludeNodes”[27] to compose the circuit and provide a valid route to the destination.
2. The SPLITTER starts the new TOR INSTANCE. This instance creates TOR circuits that always observe the first SPLITTER rule, according to the RELAY ENFORCE MODE selected and other specific TOR options.[27]
3. The SPLITTER creates a random disturbance in the interval of TOR circuit creation, aiming to avoid a natural time pattern in the systematic loop of creating and using TOR circuits.
4. When the instance lifetime reaches the time limit specified by the user, the SPLITTER kills the running process related to this TOR instance, deletes the temporary files and all configuration files related to it, and restarts the life cycle.

The total amount of simultaneous active TOR instances is calculated using:
(X * Y) = Total amount of simultaneous active TOR instances.
Where “X” is the number of countries and “Y” the number of desired instances inside the same country.
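The default rule and the instance count above, sketched as an added shell example (not SPLITTER's own code): it plans X * Y instances, picks for each a random second country that differs from the enforced one, and renders a per-instance torrc. The function names, the base port 9050, the data directory argument and the exact torrc option set are assumptions.

```shell
#!/bin/sh
# Added illustration, not SPLITTER's own code. Names, port and paths are hypothetical.
BASE_SOCKS_PORT=9050   # assumed first local SOCKS port; one port per TOR instance

# Random integer in [0, $1), read from /dev/urandom.
rand_below() {
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    echo $(( n % $1 ))
}

# pick_other_country ENFORCED CC... -> random CC that differs from ENFORCED.
pick_other_country() {
    enforced=$1; shift
    candidates=""; count=0
    for cc in "$@"; do
        [ "$cc" = "$enforced" ] && continue
        candidates="$candidates $cc"; count=$((count + 1))
    done
    [ "$count" -gt 0 ] || return 1   # a one-country list cannot satisfy the rule
    idx=$(rand_below "$count")
    set -- $candidates               # word-split the candidate list
    shift "$idx"
    echo "$1"
}

# plan_instances MODE Y CC... -> X*Y lines "<id> <entry> <exit> <socks_port>".
# MODE is "entry" (default enforcing mode) or "exit".
plan_instances() {
    mode=$1; per_country=$2; shift 2; id=0
    for enforced_cc in "$@"; do
        i=0
        while [ "$i" -lt "$per_country" ]; do
            other=$(pick_other_country "$enforced_cc" "$@") || return 1
            port=$((BASE_SOCKS_PORT + id))
            if [ "$mode" = exit ]; then echo "$id $other $enforced_cc $port"
            else echo "$id $enforced_cc $other $port"; fi
            id=$((id + 1)); i=$((i + 1))
        done
    done
}

# render_torrc ENTRY EXIT SOCKS_PORT DATADIR -> torrc text for one instance.
render_torrc() {
    printf 'SocksPort 127.0.0.1:%s\nDataDirectory %s\n' "$3" "$4"
    printf 'EntryNodes {%s}\nExitNodes {%s}\nStrictNodes 1\n' "$1" "$2"
}

# Demo: 3 countries x 2 instances = 6 instances in ENTRY enforcing mode.
plan_instances entry 2 de nl se
```

A list with a single country makes `plan_instances` fail, because no second country exists that could satisfy the entry/exit separation rule.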
How the SPLITTER "controls" the TOR NODE/RELAY:
The options for the TOR NODE/RELAY enforcing are:
- ENTRY: Sets a specific country as ENTRY NODE and uses a different country as EXIT relay. This mode provides the best security for the user and is considered the default enforcing mode in the context of the SPLITTER solution.[27]
The load balancing algorithm for HAPROXY in this mode is Round Robin.[36] Considering a specific country is enforced for TOR ENTRY node, the SPLITTER will select another random country from the list of countries defined by the user as TOR EXIT node, but never the same country already defined to be used as TOR ENTRY node.
By enforcing this rule, the SPLITTER is controlling the TOR algorithm and its free random selection of countries which will compose the TOR circuit. [8, 27]
- EXIT: Sets a specific country as EXIT NODE and will use a different country as ENTRY relay. This option gives the user the control of the EXIT relays and could be used to bypass GeoIP protections.[29] For example, this option is very suitable when you need to ma
