What information do ISPs usually log?

Discussion in 'privacy problems' started by user405, Feb 24, 2013.

Thread Status:
Not open for further replies.
  1. user405

    user405 Registered Member

    Joined:
    Feb 23, 2013
    Posts:
    7
    Location:
    You don't want to know
    I am curious if anybody can share any information on what an ISP could possibly log or could be traced back to users.

    It's obvious there is a timestamp on your internet activity and usage of an IP address but what else is there?
     
  2. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Well, for starters, if you use your ISP's DNS servers (rather than a neutral alternative like OpenDNS servers), then your ISP gets to log where you visit on the Internet.

    If your ISP uses Deep Packet Inspection (DPI), then if you are using Tor, even though it is encrypted, they can eventually identify where you visit on the Internet if they have the interest, time, money and storage to investigate your use of Tor or assist the authorities at their request.
     
  3. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    Do you have any link about this kind of attack on TOR that involves only entry nodes? Or were you referring to the ISP as one of the links in an attack chain? Thanks!
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    This seems implausible. Traffic to your entry guard, which specifies (among other things) the next router in your circuit, is encrypted with the entry guard's key. Just seeing payloads with DPI wouldn't help. They'd just see encrypted data. In order to identify the next router in your circuit, they'd need to get your entry guard's private key, or break the encryption. Neither seems very likely.

    Even if your attacker accomplished that, they'd need to do the same for the next router in your circuit. And then, they'd need to do it again for the third. That seems altogether implausible.

    Alternatively, they'd need to collect data from enough of the Tor network to perform traffic analysis. Even with lots of data, traffic analysis is nontrivial for users. If you're operating a hidden service, they can send distinctive sequences of requests. It's also possible for hidden services to probe their users, but it's harder.

    Have I missed your point?
     
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    As I mentioned, it was purely an ISP thing to employ DPI to assist authorities at their request which should imply that there are more resources being employed behind the curtain (think Wizard of OZ)! Identification depends on the total collection of information which at that point would include traffic analysis (which would mean someone with the resources to do so).
     
  6. Expect everything, and I do mean EVERYTHING is being logged, saved, and shipped off to the nation's intelligence agencies.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Indeed! But make that nations' ;)
     
  8. user405

    user405 Registered Member

    Joined:
    Feb 23, 2013
    Posts:
    7
    Location:
    You don't want to know
    I know that saying: You are never paranoid enough about your Internet privacy but what I was looking for was: what sort of information does an ISP log on a daily basis so to speak...

    From the responses above I deduce one could be DNS requests (Never thought about that). What else? :rolleyes:

    BTW I'm not a big fan of conspiracies (the government watching every move) so that Expect everything doesn't really work for me :D Sorry.:shifty:
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    They probably log all network conversations, at least. Likely variables:

    account ID
    start date and time
    end date and time
    local IP aka your assigned IP address
    remote IP aka server you connect to
    packets transmitted
    packets received
    bytes transmitted
    bytes received
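
The per-conversation fields listed in the post above, shown as an added example that is not part of the original thread: a sketch of how per-packet observations collapse into records with exactly those fields, without any payload being kept. The packet tuple layout, the 60-second idle timeout, the account ID and the sample addresses are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 60  # seconds of silence that ends a conversation (assumed value)

@dataclass
class FlowRecord:
    account_id: str
    start: int
    end: int
    local_ip: str
    remote_ip: str
    packets_tx: int = 0
    packets_rx: int = 0
    bytes_tx: int = 0
    bytes_rx: int = 0

def aggregate(packets, idle_timeout=IDLE_TIMEOUT):
    """Collapse per-packet observations into per-conversation records.

    Each packet is (timestamp, account_id, local_ip, remote_ip, direction, size);
    payload is never looked at, only addresses, times and sizes.
    """
    open_flows, finished = {}, []
    for ts, account, local, remote, direction, size in sorted(packets):
        key = (account, local, remote)
        flow = open_flows.get(key)
        # A long enough gap closes the old conversation and starts a new one.
        if flow is not None and ts - flow.end > idle_timeout:
            finished.append(open_flows.pop(key))
            flow = None
        if flow is None:
            flow = open_flows[key] = FlowRecord(account, ts, ts, local, remote)
        flow.end = ts
        if direction == "tx":
            flow.packets_tx += 1
            flow.bytes_tx += size
        else:
            flow.packets_rx += 1
            flow.bytes_rx += size
    finished.extend(open_flows.values())
    return sorted(finished, key=lambda f: (f.start, f.remote_ip))

# Constructed sample: one subscriber, two remote servers (documentation IP ranges).
SAMPLE_PACKETS = [
    (1000, "acct-0001", "198.51.100.7", "203.0.113.10", "tx", 120),
    (1001, "acct-0001", "198.51.100.7", "203.0.113.10", "rx", 1400),
    (1002, "acct-0001", "198.51.100.7", "203.0.113.10", "rx", 1400),
    (1005, "acct-0001", "198.51.100.7", "192.0.2.53", "tx", 80),
    (1200, "acct-0001", "198.51.100.7", "203.0.113.10", "tx", 90),
]
```

Five packets become three records: the gap before the last packet exceeds the timeout, so the same remote address appears as two separate conversations.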
     
  10. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    This is not the case if the circuit is encrypted end to end. The payload of the packet data is protected.

    Not true from an ISP standpoint, it takes a lot of overhead and money to "log everything". Anyone here who has ever been blessed (sarcasm) with the pleasure of log aggregation will tell you. Even for a small cluster of nodes and a medium client base, you are talking multi-millions easily and if you are talking full PCAP for any reasonable legal time frame? You are talking petabytes. Then there is the storage server capacity, not to mention the arrays and maintenance, failure rates of hard drives/repair costs...yuck. Now if you are using Google as your ISP, well their pockets are a little deeper than most, I'd expect them to tie more together to create a deeper profile of their client base.

    Regular ISPs will do the bare minimum to follow the laws (e.g. log IP address to account uniqueID per date). Unless they can turn a profit from it, I do not see them dishing out such complex deployments anytime soon.
     
  11. OK I admit I'm a little paranoid, but I suspect there is logging going on. They have to for gathering data about usage for plans that are capped.

    Maybe not EVERYTHING, but they still do log a bit. I think o_O o_O o_O
     
  12. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Oh no you are correct, there is indeed logging going on. At most mirimir hit the nail on the head with what would be logged (however I'd expect that level of detail with ISPs residing in countries with strict data retention laws).

    Which is why VPNs do come in handy if you are trying to give yourself an additional layer of privacy. ;)
     
  13. EncryptedBytes do you think Tor traffic is logged? I think it is.
     
  14. user405

    user405 Registered Member

    Joined:
    Feb 23, 2013
    Posts:
    7
    Location:
    You don't want to know
    EncryptedBytes & mirimir thanks for clearing this up for me. :cool:

    Maybe in states like Iran, Syria, North Korea etc. But in western countries unless you have been flagged I don't think there is reason to do so.
     
  15. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    I assume many US folks saw the recent reports about the "Copyright Alert System" going live. Perhaps I'm not the only one who thinks logging may have been increased in order to support that.
     
  16. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    I don't think that TOR traffic is logged more than other types of traffic. :)
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I'm not sure about that. It's become clear that ISPs will merely be enforcers. IP industry consultants will still be joining torrent swarms to compile lists of "illegal downloaders". Their clients will provide lists of suspects to ISPs, and the ISPs will warn the suspect account holders. It does not appear that ISPs themselves will be snooping more on their customers, doing deep packet inspection, or whatever.
     
  18. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    There even Internet does not exist, being used just by government's agencies.
    And even if you go there for business, your pc gets confiscated upon arrival (together with all your electronic devices) and returned upon departure.
    I have a friend who went there a few months ago. He told me unbelievable things.
     
  19. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Depends on the country in question honestly. I can see some ISPs in say Iran, China blocking known Tor ports, however logging the payload traffic of a user would again be futile unless you are talking about exit nodes.
     