
Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections



  1. Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections
     Intermediate Talk
     Julien Schmidt
     May 30, 2016
     Chair for Network Architectures and Services, Department of Informatics, Technical University of Munich (TUM)

  2. Problem
       Deep Packet Inspection
       Active Probing
     Existing Solutions
     Motivation
     Approach
       Architecture
       Active Probing Resistance
       Deep Packet Inspection Resistance
     Schedule

  3. Problem
     ◮ Network environments with active or passive detection and blocking
     ◮ Current tunneling solutions not designed with detectability in mind
     [Figure labels: IP Blacklist, DNS Blacklist, VPN Client, VPN Server, (Unrestricted) Internet, Restricted Network]

  4. Problem: Deep Packet Inspection
     ◮ Censor can inspect traffic within controlled network
     ◮ Destination port, packet size, timing, encryption type ...
     [Figure labels: Deep Packet Inspection, VPN Client, VPN Server, (Unrestricted) Internet, Restricted Network]

  5. Deep Packet Inspection Example
     OpenVPN:
     1. Censor observes plaintext TLS handshake
     2. Detection by cipher list in ClientHello
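The cipher-list check on slide 5 works because the ClientHello is sent in plaintext. The following is an added example, not code from the talk: it reads the ordered cipher suite list out of a ClientHello record and compares it with a fingerprint. The function names and both suite lists are constructed for illustration and are not the cipher list of any real product.

```python
# Added illustration: what a passive observer can read from a plaintext ClientHello.
# The suite lists below are constructed samples, not any real product's cipher list.

def client_hello_cipher_suites(record: bytes) -> list:
    """Return the ordered cipher suite IDs from one TLS record holding a ClientHello."""
    if len(record) < 9 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(body) < 4 or body[0] != 0x01:              # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                      # skip client_version + random
    if len(hello) <= pos:
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]                             # skip session_id
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    suites = hello[pos + 2:pos + 2 + cs_len]
    if cs_len == 0 or cs_len % 2 or len(suites) != cs_len:
        raise ValueError("truncated or malformed cipher_suites")
    return [int.from_bytes(suites[i:i + 2], "big") for i in range(0, cs_len, 2)]

def matches_fingerprint(record: bytes, fingerprint: list) -> bool:
    """True if the offered suites equal the fingerprint, order included."""
    try:
        return client_hello_cipher_suites(record) == fingerprint
    except ValueError:
        return False

def build_client_hello(suites: list) -> bytes:
    """Build a minimal ClientHello record (no extensions) as constructed sample input."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

TOOL_SUITES = [0xC030, 0xC02C, 0x0039]              # constructed "tunnel client" list
BROWSER_SUITES = [0xC02B, 0xC02F, 0x009E, 0x002F]   # constructed "browser" list

if __name__ == "__main__":
    for name, suites in (("tool", TOOL_SUITES), ("browser", BROWSER_SUITES)):
        rec = build_client_hello(suites)
        print(name, [hex(s) for s in client_hello_cipher_suites(rec)],
              "flagged:", matches_fingerprint(rec, TOOL_SUITES))
```

A client whose offered list and ordering are the same as a common browser's gives this check nothing to separate it from ordinary HTTPS traffic.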

  6. Problem: Active Probing
     1. Censor connects directly to the source
     2. Censor acts like a user, implements target protocol
     3. Server gets blocked if it replies with target protocol
     [Figure labels: Censor controlled Clients, Active Probing, VPN Client, VPN Server, (Unrestricted) Internet, Restricted Network]

  7. Active Probing Example
     Detection of MS-SSTP:
     SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1
     ◮ Should respond with error, if not MS-SSTP

  8. Existing Solutions
     ◮ Existing HTTPS-VPN protocols, e.g. MS-SSTP
     ◮ Meek
     ◮ Domain-Fronting
     ◮ Different TLS SNI and HTTP Host
     ◮ Relies on 3rd-party Cloud / CDN providers
     ◮ Cooperate or blocked

  9. Motivation
     ◮ Design with detectability in mind
     ◮ HTTPS has become an integral part of the Internet
     ◮ Available in the most restrictive network environments
     ◮ Often only ports 80 and 443 can be reached
     ◮ No general blocking for practical and economic reasons
     ◮ No reliance on 3rd-party infrastructure

  10. Approach
      ◮ General idea: Make connection look like between a regular web browser and web server
      ◮ Design and implement a tunneling solution leveraging existing HTTPS infrastructure
      ◮ Inherit safety and stability from well-tested software
      ◮ Simplicity
      ◮ Maintainability
      ◮ Works well with proxies
      ◮ Trend to offer services via Web API

  11. Approach: Architecture
      [Figure labels: webtun client, webtun server, SOCKS5, TUN, TAP, BoringSSL, Nginx, WTP, WTP over HTTPS]

  12. Approach: Active Probing Resistance
      1. Connections established to regular web server
      2. Web server delegates connections to tunneling server
      ◮ Only after pre-shared secret was exchanged (e.g. Request Path, HTTP Auth, Cookie, ...)
      ◮ Approach makes Active Probing useless
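The delegation rule on slide 12, applied to the MS-SSTP probe from slide 7, as an added example that is not code from the talk or from webtun: a front-end decision function hands a request to the tunneling server only when it carries the pre-shared secret, and treats everything else as ordinary web traffic. The cookie name, the secret value and the function names are assumptions made for this sketch.

```python
import hmac

# Constructed placeholder values. The slides name request path, HTTP auth or a
# cookie as possible carriers of the pre-shared secret; this sketch uses a cookie.
SECRET = b"3f9c1e-constructed-pre-shared-secret"
COOKIE_NAME = "sid"   # hypothetical cookie name

def parse_head(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, target, headers)."""
    lines = raw.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)   # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            break                                        # blank line ends the head
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def cookie_value(header: str, name: str) -> bytes:
    """Return the value of cookie `name` from a Cookie header, or b'' if absent."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value.encode("latin-1")
    return b""

def route(raw: bytes) -> str:
    """Return 'tunnel' only for a request carrying the secret; everything else,
    probes included, goes to the regular web server ('web')."""
    try:
        _method, _target, headers = parse_head(raw)
    except ValueError:
        return "web"
    presented = cookie_value(headers.get("cookie", ""), COOKIE_NAME)
    # Constant-time comparison so response timing does not leak a partial match.
    return "tunnel" if hmac.compare_digest(presented, SECRET) else "web"

# Constructed sample requests; the first uses the MS-SSTP request line from slide 7.
PROBE = (b"SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1\r\n"
         b"Host: example.org\r\n\r\n")
BROWSER = b"GET / HTTP/1.1\r\nHost: example.org\r\nCookie: theme=dark\r\n\r\n"
CLIENT = (b"GET / HTTP/1.1\r\nHost: example.org\r\nCookie: theme=dark; sid="
          + SECRET + b"\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("probe", PROBE), ("browser", BROWSER), ("client", CLIENT)):
        print(name, "->", route(req))
```

Because the probe is answered by the same web server that answers any other visitor, its response carries no sign that a tunneling server sits behind it.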

  13. Approach: Deep Packet Inspection Resistance
      ◮ Goal: Greatly increase rate of false-positives
      ◮ Assumption: Censor uses blacklisting instead of whitelisting
      ◮ Avoid detectable patterns
      ◮ Traffic-Shaping
      ◮ Behave like Browsers (e.g. Keep-Alive timeouts)

  14. Schedule
      [Gantt chart, March to July 2016. Tasks: TLS tunnel prototype, Nginx integration, HTTPS protocol, Basic obfuscation, Evaluation, Thesis writing]

