I2P is one of the most technologically advanced solutions for anonymous hosting. I2P makes tracking very hard, practically ruling out any attempt to determine where the server holding the files is located.
Tor and I2P
So, what is I2P? It is an additional network layer that runs on top of the IP protocol and makes it possible to transfer data anonymously. I2P uses several kinds of cryptography for secure message transmission, as well as numerous peer-to-peer tunnels that provide anonymity and fault tolerance for the system.
The Tor Project has become extremely popular in the field of anonymization. Therefore, while talking about how I2P works, let us compare these two technologies.
Both systems, Tor and I2P, use multi-layered cryptography to prevent third parties from decrypting the contents of transmitted packets. Each node knows only the next link in the data transmission chain. While Tor is more focused on keeping the client anonymous while surfing the Internet, I2P's aim is to create an anonymous network of connected users. The possibility of anonymous surfing is still present, however.
I2P is primarily about hosting websites (called eepSites) inside the network. This is somewhat similar to the concept of hidden (.onion) services available to Tor users. However, anonymous hosting using I2P is significantly faster.
I2P has no central servers, and no conventional DNS servers either. It uses a distributed hash table (DHT) built on Kademlia. This approach eliminates the single point of failure. Experts know how the Great Firewall of China blocks Tor; because I2P relies on peer-to-peer exchange of routing information, it avoids such problems.
The system by which I2P users get information about each other is called netDb. Each member of the network represents a router through which traffic is transmitted. Generally speaking, there is no noticeable difference between a server and a regular client.
IP addresses are not used to reach other routers and services. Addressing is carried out with a unique cryptographic identifier, which designates both routers and end services.
The identifier of a destination takes up 516 bytes in Base64. Obviously, such an identifier is not very convenient, and it will not work with some protocols. Therefore, I2P offers another approach called Base32 names. It is similar to the scheme used for naming .onion sites on the Tor network. The original 516-byte Base64 identifier is decoded (after a few I2P-specific characters are replaced) back into its raw binary form. The resulting bytes are hashed with SHA256, and the hash is Base32 encoded. The result is a usable sequence of characters that is much easier to work with.
In I2P, there is no official analog of a DNS server that would perform name resolution, that is, map a "somename.i2p" domain to an identifier, since this would be a severe privacy and security issue. Instead, each I2P node has its own set of text files in which the mapping for services is kept. These files are very similar to HOSTS. The user can, however, synchronize his set of "bindings" through a special server inside I2P. In doing so, he must trust the owner of that service, believing that the latter provides him with the correct identifiers.
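The two paragraphs above describe the Base64-to-Base32 derivation and the HOSTS-like address book. The following Python is an added example, not code from the original article or from the I2P project. It assumes the standard I2P conventions: the Base64 alphabet swaps '+' and '/' for '-' and '~', a destination with a null certificate serialises to 387 bytes (hence the 516-character Base64 form), and the Base32 name is the lowercase Base32 of the SHA-256 hash followed by ".b32.i2p". The destinations and the hosts file are constructed for the example and do not point at any real service.

```python
import base64
import hashlib
import re
from typing import Dict, List, Tuple

# I2P's Base64 alphabet replaces '+' and '/' of standard Base64 with '-' and '~'.
I2P_B64_TO_STD = str.maketrans("-~", "+/")
STD_B64_TO_I2P = str.maketrans("+/", "-~")

# A Destination with a null certificate is 256-byte encryption key + 128-byte
# signing key + 3-byte certificate = 387 bytes, i.e. 516 Base64 characters.
NULL_CERT_DEST_LEN = 387


def decode_destination(dest_b64: str) -> bytes:
    """Turn an I2P-alphabet Base64 destination back into its raw serialized bytes."""
    std = dest_b64.strip().translate(I2P_B64_TO_STD)
    try:
        raw = base64.b64decode(std, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError(f"destination is not valid Base64: {exc}") from exc
    if len(raw) < NULL_CERT_DEST_LEN:
        raise ValueError(f"destination too short: {len(raw)} bytes")
    return raw


def b32_address(dest_b64: str) -> str:
    """SHA-256 over the whole serialized Destination, Base32, lowercase, no '=' padding."""
    digest = hashlib.sha256(decode_destination(dest_b64)).digest()
    b32 = base64.b32encode(digest).decode("ascii").lower().rstrip("=")
    return f"{b32}.b32.i2p"


def make_test_destination(seed: bytes) -> str:
    """Constructed destination for the example: deterministic pseudo-random key
    material plus a null certificate (type 0, length 0). Not a real I2P key pair."""
    stream = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(12))
    raw = stream[:256] + stream[256:384] + b"\x00\x00\x00"
    return base64.b64encode(raw).decode("ascii").translate(STD_B64_TO_I2P)


# One entry per line, 'name.i2p=<Base64 destination>', as in a hosts.txt address book.
HOSTS_LINE = re.compile(r"^([a-z0-9.-]+\.i2p)=(\S+)$")


def parse_hosts(text: str) -> Tuple[Dict[str, str], List[Tuple[int, str]]]:
    """Parse an address book and derive the Base32 name for every entry.
    Returns (name -> b32 address, [(line number, error)]) so bad entries are visible
    instead of silently dropped: a subscribed address book is only as trustworthy
    as whoever publishes it."""
    mapping: Dict[str, str] = {}
    errors: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = HOSTS_LINE.match(line)
        if not match:
            errors.append((lineno, "malformed line"))
            continue
        name, dest = match.groups()
        try:
            mapping[name] = b32_address(dest)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return mapping, errors


# Constructed address book: two well-formed entries, one undecodable, one malformed.
SAMPLE_HOSTS = (
    "# constructed address book, not real I2P services\n"
    f"example.i2p={make_test_destination(b'example')}\n"
    f"mirror.i2p={make_test_destination(b'mirror')}\n"
    "broken.i2p=not*valid*base64\n"
    "nodest.i2p\n"
)

if __name__ == "__main__":
    names, problems = parse_hosts(SAMPLE_HOSTS)
    for name, addr in names.items():
        print(f"{name:14} -> {addr}")
    for lineno, err in problems:
        print(f"line {lineno}: {err}")
```

The derived `.b32.i2p` name depends only on the destination bytes, so two address books that disagree about a name can be compared by hashing rather than trusting either publisher's label.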
I2P implements several interesting techniques to rule out traffic interception and spoofing. While Tor uses a single circuit for communication, I2P relies on the concept of separate inbound and outbound tunnels, so requests and responses do not necessarily follow the same path. In transit, a message is subjected to multi-level encryption (end-to-end, tunnel, and transport layers), and the end nodes are identified by cryptographic identifiers. Moreover, the tunnels themselves are rebuilt every several minutes.
In addition, I2P uses garlic routing. In essence, it is multi-layer encryption that allows a single message (called a "garlic") to contain many "cloves": fully formed messages with instructions for their delivery. When a "garlic" is assembled, before it is sent, many "cloves" are packed into it. These "cloves" are encrypted messages from our own node as well as from other nodes, i.e. transit messages. Only the node that built the "garlic" knows whether a given "clove" is its own message or someone else's transit message passing through it.
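To make the garlic structure concrete, here is an added Python example that is not part of the original article and does not use I2P's real cryptography (I2P uses ElGamal/AES with session tags or ECIES-X25519-AEAD-Ratchet; this uses a toy SHA-256 keystream with an HMAC tag purely to keep the example self-contained). It shows what the paragraph states: a transit router can split a garlic into cloves and forward them, but cannot read any clove or tell the builder's own clove from a relayed one. All keys and messages are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256(key || nonce || counter), NOT a real cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]


def seal_clove(key: bytes, instructions: bytes, payload: bytes, nonce: bytes = b"") -> bytes:
    """Encrypt one clove (delivery instructions + message) to the holder of `key`.
    Layout: nonce || ciphertext(len(instr) || instr || payload) || HMAC tag."""
    nonce = nonce or os.urandom(NONCE_LEN)
    plain = struct.pack(">H", len(instructions)) + instructions + payload
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + body + tag


def open_clove(key: bytes, blob: bytes) -> Tuple[bytes, bytes]:
    """Decrypt a clove; raises ValueError if the key is wrong or the clove was altered."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered clove")
    plain = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    (n,) = struct.unpack(">H", plain[:2])
    return plain[2:2 + n], plain[2 + n:]


def build_garlic(cloves: List[bytes]) -> bytes:
    """Bundle already-sealed cloves: one count byte, then (4-byte length, clove) pairs."""
    out = struct.pack(">B", len(cloves))
    for clove in cloves:
        out += struct.pack(">I", len(clove)) + clove
    return out


def split_garlic(garlic: bytes) -> List[bytes]:
    """Everything a transit router can do with a garlic: separate the opaque cloves."""
    count = garlic[0]
    pos, cloves = 1, []
    for _ in range(count):
        (n,) = struct.unpack(">I", garlic[pos:pos + 4])
        pos += 4
        cloves.append(garlic[pos:pos + n])
        pos += n
    if pos != len(garlic):
        raise ValueError("trailing bytes in garlic")
    return cloves


def demo() -> Dict[str, object]:
    """Our node packs its own clove for Bob next to a transit clove for Dave that
    arrived already sealed; the next hop holds only its own key."""
    k_bob, k_dave, k_hop = (hashlib.sha256(b"key-" + n).digest() for n in (b"bob", b"dave", b"hop"))
    own = seal_clove(k_bob, b"deliver:bob", b"hello from our node")
    transit = seal_clove(k_dave, b"deliver:dave", b"message just passing")  # constructed
    garlic = build_garlic([own, transit])
    cloves = split_garlic(garlic)
    opened_by_hop = 0
    for clove in cloves:
        try:
            open_clove(k_hop, clove)
            opened_by_hop += 1
        except ValueError:
            pass
    instr, msg = open_clove(k_bob, cloves[0])
    return {"clove_count": len(cloves), "hop_can_read": opened_by_hop,
            "bob_instructions": instr, "bob_message": msg}


if __name__ == "__main__":
    print(demo())
```

The lengths of the two sealed cloves depend only on their plaintext sizes, so nothing in the garlic marks which clove originated at the builder; in real I2P the same property comes from the per-recipient encryption, not from this toy construction.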
This sophisticated approach provides a high level of data protection without limiting how I2P can be used. The network can host a variety of services: IRC, BitTorrent, email. In addition, the I2P developers provide APIs for new applications that work over the secure network without requiring the user to additionally install and configure an I2P client.
I2P is written in Java, so the application runs on almost any OS. The client distribution comes with a convenient installer that does everything for you. After the installation is complete, go to the application directory and launch it. All control is carried out through a web console, which is available at 127.0.0.1:7657/index.jsp. To be able to visit I2P resources and external Internet resources (anonymously), it is best to configure the HTTP proxy in your browser right away: 127.0.0.1:4444.
Anonymous website hosting
Your eepSite will not be reachable by the general public via the Internet, but I2P users can always visit it and, if they wish, mirror your site on the global network. At the same time, in theory, it will be extremely difficult to identify your real IP address. Below is a step-by-step guide for hosting a site using I2P.
So, you have just learned the basic steps for setting up a site that is extremely difficult to track and almost impossible to block. Your site does not have to be physically located on the local computer; it can be anywhere: on the local network or even on the Internet.
Although anonymous surfing is not the main feature of I2P, it is still possible. All you need to do is configure the proxy: 127.0.0.1:4444. Access to Internet resources goes through special gateways (so-called outproxies). However, there is a real risk that someone installs a sniffer there and monitors all traffic. In short, I2P is not for 100% anonymous surfing. If you want to access the Internet through an anonymous and encrypted channel, use a combination of VPN, Tor, and secure browsers.
In addition to hosting web servers, I2P works well for many other services. Below are instructions on how to create an SSH tunnel, which can be useful at least in order to administer your eepSite.
Is I2P safe?
A security-conscious reader may ask: "Can I2P provide 100% anonymity to the owner of an eepSite?" The short answer is no. Even though the core system is very well thought out, the services hosted on I2P can pose privacy and security risks. A simple example is a vulnerability in a web application. If an attacker manages to exploit it and execute commands, there is a high probability of identifying the real IP address of the computer.
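The point above is that the eepSite itself, not the I2P layer, is usually what gives the host away. The following Python is an added example, not code from the original article or from the I2P project: a small pre-publication check that an eepSite operator can run over their own server configuration and a sample response. The listen address, response headers and HTML body are constructed for the example; the hostnames and the 203.0.113.10 address are documentation placeholders, not real sites. The finding codes and the rule that the web server should listen only on 127.0.0.1 behind the I2P server tunnel are this example's own conventions.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of an eepSite deployment. Not a real site.
SAMPLE_CONFIG = {"listen": "0.0.0.0:8080"}  # bound to every interface, including the clearnet one
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html",
}
SAMPLE_BODY = """<html><body>
<a href="http://mysite.i2p/about">about</a>
<img src="http://203.0.113.10/logo.png">
<a href="https://www.example.com/me">my clearnet blog</a>
<script src="https://cdn.example.org/app.js"></script>
</body></html>"""

# href/src attributes with an absolute http(s) URL; group 1 = URL, group 2 = host.
URL_RE = re.compile(r"""(?:href|src)=["'](https?://([^/"'\s:]+)[^"'\s]*)["']""")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

Finding = Tuple[str, str]


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def audit_eepsite(config: Dict[str, str], headers: Dict[str, str], body: str) -> List[Finding]:
    """Return (code, detail) findings for the three leak classes the text warns about:
    a reachable clearnet listener, fingerprintable software versions, and content that
    makes visitors (or the site) touch clearnet hosts."""
    findings: List[Finding] = []

    # 1. The web server must only be reachable through the I2P server tunnel.
    listen = config.get("listen", "")
    host = listen.rpartition(":")[0].strip("[]") if ":" in listen else listen
    if host not in LOOPBACK:
        findings.append(("bind-all-interfaces",
                         f"web server listens on {listen!r}; bind to 127.0.0.1 so only the I2P tunnel reaches it"))

    # 2. Version strings narrow down the host and the exploitable software on it.
    for name in ("Server", "X-Powered-By"):
        value = headers.get(name)
        if value and re.search(r"\d+\.\d+", value):
            findings.append(("software-version-leak", f"{name}: {value}"))

    # 3. Absolute links to non-.i2p hosts: a visitor's browser fetches them over the
    #    clearnet, and an IP literal may simply be the server's own address.
    for url, link_host in URL_RE.findall(body):
        if is_ip_literal(link_host):
            findings.append(("ip-literal", url))
        elif not link_host.lower().endswith(".i2p"):
            findings.append(("clearnet-reference", url))
    return findings


if __name__ == "__main__":
    for code, detail in audit_eepsite(SAMPLE_CONFIG, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"[{code}] {detail}")
```

The check is deliberately static; it does not touch the network, so it can be run before the site is ever exposed through the tunnel. A passing result says nothing about application-level bugs such as the command execution the paragraph mentions, which need the usual code review and patching of the web application itself.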