Flattr this!

Our little problem today – anonymously host your site on the Internet. There are not many technologies that we in this business can help. But one of the most technological solutions, which provides anonymous hosting virtually eliminating the possibility of determining where in fact the server is File is I2P.

I2P vs Tor

So, what is I2P? Technology is best understood as an additional network layer, which runs on top of the usual IP protocol and provides opportunities for anonymous data transfer. In I2P uses various types of cryptography for secure communications and numerous pear-to-pear tunnels, which is provided on the basis of anonymity and resilience system. We have already mentioned in the pages of I2P, but never stopped its operation in detail. And few people had with it. Where great prominence in the field was the development of anonymization Tor. Therefore, talking about how running I2P, we will carry out some comparisons these two technologies.

Both systems, I2P and Tor, using multi-level cryptography to mediators could not decrypt the contents of transmitted packets through them. The only thing we know for each node – this is the next link in the chain data. While Tor more focused on preserving the incognito client while surfing the Internet, the challenge is to create an I2P anonymous network of users connected. And although the possibility of anonymous surfing still there (with special locks, which have access to “outside”, as you can read the sidebar), its main appointment – this is an anonymous hosting services.

It is primarily on the deployment of a network of Web sites that I2P terminology called eepsites. This is somewhat similar to the concept of Hidden Services, available to users of Tor, but anonymous hosting in I2P works much faster. This is not a pathetic attempt, but really works technology for hosting, reliable and stable.

In I2P no central servers and not the usual DNS-servers, but uses a distributed hash table DHT (Distributed Hash Table), built on Kademlia. This approach eliminates a major point system failure. We all remember the story when in 2007, China was the firewall blocked access to the main directory service Tor. The fact that relies on I2P peering technology to exchange information on routing, avoiding such problems. The system, through which users receive I2P information about each other, called NetDB. Each participant is network router, which is passed through the transit traffic, therefore, generally speaking, system does not have any noticeable difference between a server and an ordinary customer.

Addressing in I2P

To access other routers and services are not used IP’shniki, Addressing is carried out using a special cryptographic ID, by which are designated as routers and end services. For example, the identifier www.i2p2.i2p (the main project site within Network I2P) is as follows:

-KR6qyfPWXoN ~ F3UzzYSMIsaRy4udcRkHu2Dx9syXSz
[… cut …] e9NYkIqvrKvUAt1i55we0Nkt6xlEdhBqg6xXOyIAAAA

Thus, to the point of destination uses 516 bytes in Base64. Obviously, that such an identifier is hardly convenient. In addition, it will not be work with some protocols (including HTTP). Therefore I2P offering more one way for identifiers – it’s called “Base 32 Names” and quite similar to the rules of drawing names. onion network Tor. Primordial 516-byte identifier is decoded (with the substitution of certain characters) source raw-form. The resulting value is hashed using SHA256 and thereafter encoded in Base32. In the end the result is added. B32.i2p. That obtained as a result? It is quite suitable for use sequence characters. If you do this for the original ID www.i2p2.i2p, we get the following:


With this form of work is much easier. In I2P is not some sort of official DNS-server counterpart, who would rezolving names (that is installed correspondence between domain <somename>. i2p and ID), as it was would be a serious point of failure throughout the system. Each node has its own set I2P text files, which is made for mapping services. These files are very similar to the familiar configuration we HOSTS. However, the user can synchronize their base “binding” via a special server in the subscription I2P. However, he only trusts the owner of such a service, assuming that that gives him the “right” identifiers.

Defense mechanisms

In I2P provides several interesting technologies to eliminate the possibility interception and spoofing traffic. While in use Tor for a chain perform communications, I2P is based on the concept of incoming (“in”) and outgoing (“Out”) tunnel. Thus, queries and answers do not always go on the same way. During transmission, the message being multi-level Encryption (through, tunneling and transport layer), and leaf nodes designated kriptovat identifiers. Moreover, the tunnels themselves rebuilt every ten minutes.

In addition, the I2P uses the “garlic routing” (Garlic routing). In fact, this multi-layered encryption, which allows a single message (So-called “garlic”) contain a set of “teeth” – is completely malformed messages with instructions to deliver them. In a “garlic” in moment of its formation is laid before sending the set of “teeth” non-encrypted messages like our site and others – transit. Is that a “clove” in the “garlic” or a message to our alien transit message that passes through us, knows only one who created the “Garlic”. No one else get this information can not.

Such a complex approach provides a high level of data protection, but does not limit the possibilities of using I2P. The network may be deployed most different services: IRC, BitTorrent, eDonkey, Email. In addition, the developers of I2P provide an API to create new applications that work across secure network, but does not require the user to further establish and I2P-configure the client.

Interesting internal resources I2P

  • inproxy.tino.i2p/status.php – a continuously updated index eepsite, displaying information about the availability of a other services;
  • tracker2.postman.i2p and exotrack.i2p – the biggest BitTorrent-tracker;
  • hashparty.i2p – service to crack hashes (LM, MD5, MYSQLSHA1, NTLM, SHA1, and so on);
  • redzara.i2p

Client Installation

If we are talking about client installation, then move on to the practical part our material. I2P is written in Java, but because you can run the application on virtually any operating system – as long as the system was installed Java-machine. Upgrade to the customer is provided with a convenient installer that does it for you. After the installation, go to the directory with the application and run it a demon. Everything is managed through a web-shell, which is available at / index.jsp. With it, we will continue to work. To have opportunity to attend I2P resources and external resources the Internet (for anonymous conditions), it is better to register in your browser HTTP-Proxy: That’s the entire installation. Nothing to add.

Anonymous Web site hosting

So, as one of the main destinations I2P – creating the conditions for completely anonymous hosting services, it is reasonable to begin our practice from that moment. The site, located within the I2P, called eepsite. Yes, it will not be publicly available via the Internet, but it will always be able to I2P users seek and desire to make a mirror of the resource in the global Network. In this theory (and is a matter for separate discussion, which We will return later in the article) to identify your real IP-address will be extremely difficult. I suggest you lower step-by-step instructions for the placement of a site through I2P.

1. If you Will you come to a page, you’ll see the site-cap. It billet eepsite, which we will use. All that is needed – it edit or replace the files in ~ / .i2p/eepsite/docroot / (Linux) and% APPDATA% \ I2P \ eepsite \ docroot \ (Windows). This is a standard folder for the Web daemon Jetty, which was installed with I2P: it is he now accepts connections on port 7658. Here we have understand that at this point is just the local site. To make it available users online I2P for him to create the appropriate tunnel.

2. Fortunately, we also have a billet for the tunnel. If you go to the admin panel for control tunnel ( / i2ptunnel), then in the section “Server I2P-tunnels, “you will see the entry” I2P webserver “- this is just what you need. Now the tunnel is switched off. We go in its settings. The first thing you should pay note that the “local address destination” (local destination) and its value that represents something like “F94tTd-vSO7C0v ~ 4wudVsaYV [.. cut …] AAAA “. This is a very long string to Base64 is the key, which used to address within the I2P-network. Something like IP-address. For convenience, it can be copied anywhere – we still need it. By the same time to translate it into a readable Base32-form (meaning of this operation we have described above) using simple Python-script (look for it on the disk). Specifying the original identifier as a key output from the script we get the kind of key “Zeky7b4hp3hscdwovgb2vtdbvltsvpf24ushype5uoigu42p3v5q.b32.i2p”. If the tunnel now been launched, other users could connect to it, using this address. But to activate the tunnel soon, we must also take care of to our site had the opportunity to apply for the domain name.

3. DNS system in I2P as such is not, however, is its substitute. Therefore, we can register for our eepsite domain name (something.i2p). Check, whether it is not used by someone else easily through A special service: / susidns / addressbook.jsp? book = router & filter = none. Convinced of the uniqueness, we go into the settings of our tunnel, and replace it standard value “mysite.i2p” selected name (for example, xa31337xa.i2p). Not over here will enable the “Auto” to our service automatically started with I2P.

4. The minimum configuration is complete! Now we can turn our tunnel. To do this, go to the admin panel for our eepsite click “Start” button. In column “Status” star, which reflects the current status, first turns yellow, and then green. If you go to the admin home page, then in the left pane Category “Local tunnels” will be a new record with our eepsite. From this since anonymous hosting and running! Can be shared with anyone id Base32-in format, and a man without a problem starting our site in your browser.

5. Now we must finish the cases relating to domain name. First thing record of the selected domain to be added to your own address book, Using the web interface / susidns / addressbook.jsp? book = master. You can then try to go to the site from the local machine, using domain, and make sure everything works.

6. Information about our eepsite be made to address the distributed store like stats.i2p. If you go to this resource, you quickly find the form to add a new record. Here again, we need to specify the domain name and local destination address (516 bytes in Base64). Do not forget to click “Submit”. What is the meaning of this venture? Many of our clients periodically update their local address books, getting fresh entries from this site. Therefore, after a time (from several hours to several days) in each of these users will write about our xa31337xa.i2p. Obtained even if the brake, but the analog DNS-server. User, however, can go directly to it via Base32-mail or by reference in the following format: stats.i2p/cgi-bin/jump.cgi? a = xa31337xa.i2p. If the site is a public interest, it can be added to the wiki ugha.i2p/eepsiteIndex and make an announcement on the official forum forum.i2p.

7. That’s because we just set up a server where the site is spinning, which is extremely difficult track. Practically impossible to limit access to it. In conclusion, should say that the resource is not necessarily even have to physically reside on the local computer, it can be anywhere: in a local network or even in the internet. Nothing prevents us from forwarding tunnel is not on, and, say, (ip-it shnik xakep.ru).

Anonymous Surfing

Let the possibility of anonymous surfing and is the basis for I2P, but it is still implemented. All that is needed – to register in your browser proxy: But the question of how such a safe surfing, you should decide for himself. To access Internet resources using special gateways (So-called outproxy). Accordingly, there is a potential risk that someone found it and sniffer monitors all traffic. In short, I2P is not for this. If you want to go to the ‘Net through anonymous and encrypted channel, then use the VPN / Tor / SSH-Tunnel. I2P – this is, above all, anonymous hosting.

Accommodating SSH-server

In addition to direct hosting web servers via I2P quite a run and many other services. As an example, options for creating SSH-tunnel, which can be helpful at least to manage your eepsite. Then there are nuances.

1. To begin with, that in the familiar create a new admin I2P tunnel. Specify the address and port of our SSH-server. Let this be a daemon running somewhere in our network: for example, a router or access point (for more specifics – Next, we need to address local destination, which generated the admin panel. Translate into long identifier reduced (Base32) form – we need it to connect.

2. It may seem that now all that remains of the client, is to indicate ID service in its SSH-client (eg, PuTTY). But no. Others I2P users will not apply to such service directly. Will have use SOCKS, and this, in turn, create a special tunnel. So, on the machine that will be used for connection must be opened admin I2P, go to the section for administration of the tunnel section to find “Custom I2P-tunnels” and create a tunnel “SOCKS 4/4a/5”. In fact, the only option you want to specify – this port (for specificity we take 5454).

3. Now check to see how everything works. Open PuTTY, indicate as server identifier obtained in paragraph one. Jump to the setting “Connection .. Proxy “and in the” Proxy proxyname “put this address on which we have just SOCKS-created tunnel – Options “DNS name lookup” must be exposed to the value of “Yes” or “Auto”.

4. That’s it. It remains only to join the server and make sure that over a secure I2P works fine SSH. Thus, we can not host the only Web servers, but many other demons.

Is it safe?

A cautious reader might ask: “And really can I2P provide 100% owner of anonymity eepsite? “. Short answer: no. Despite that the system itself is very nice thought, to let the owner of the service can themselves services that are hosted in I2P. A simple example – a vulnerability in the Web-based application. If it be able to proeskpluatirovat possibility of teams, that is more likely to reveal the real IP-address of the computer. It not the only danger. If you are interested in this topic, I recommend the report Irongeek‘And the discovery of hidden services in such networks, which he recently presented a hacker BlackHat Conference 2011 DC.


How to access the site from I2P-online? You can use special Proxy: https://www.awxcnx.de/cgi-bin/proxy2/nphproxy.cgi/000000A/http/ <address Server>