Chair for Network Architectures and Services Technical University of Munich (TUM)

Active Probing and detection resistant tunneling through HTTPS connections

Intermediate Talk

Julien Schmidt

May 30, 2016

Chair for Network Architectures and Services Department of Informatics Technical University of Munich (TUM)

Problem
  - Deep Packet Inspection
  - Active Probing

Existing Solutions

Motivation

Approach
  - Architecture
  - Active Probing Resistance
  - Deep Packet Inspection Resistance

Schedule

Problem

- Network environments with active or passive detection and blocking
- Current tunneling solutions not designed with detectability in mind

[Figure: VPN Client, VPN Server, (Unrestricted) Internet, Restricted Network; labels: IP Blacklist, DNS Blacklist]

Problem: Deep Packet Inspection

- Censor can inspect traffic within controlled network
  - Destination port, packet size, timing, type, ...

[Figure: Deep Packet Inspection; VPN Client, VPN Server, (Unrestricted) Internet, Restricted Network]

Deep Packet Inspection Example

OpenVPN:
1. Censor observes plaintext TLS handshake
2. Detection by cipher list in ClientHello
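The cipher-list check named above, as an added example that is not part of the original slides: it parses the cipher-suite list out of a plaintext ClientHello and matches it against an exact-list blacklist. The ClientHello bytes and both cipher lists are constructed for illustration and are not real OpenVPN or browser fingerprints.

```python
import struct

def build_client_hello(suites):
    """Constructed sample input: minimal TLS ClientHello record without extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00"            # client_version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))           # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def cipher_suites(record):
    """Return the ordered cipher-suite IDs of a ClientHello, or None if unparsable."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                      # not a handshake record / ClientHello
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:5 + rec_len][:hs_len]
    pos = 2 + 32                                         # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                 # skip session_id
    if pos + 2 > len(body):
        return None
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if n % 2 or pos + n > len(body):
        return None
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]

# Constructed blacklist: exact, ordered cipher lists mapped to a label (not real fingerprints).
BLACKLIST = {(0x009E, 0x0039, 0x0035): "vpn-client"}

def classify(record, blacklist=BLACKLIST):
    """Label a record the way a cipher-list blacklist would; None means no match."""
    suites = cipher_suites(record)
    return None if suites is None else blacklist.get(tuple(suites))

if __name__ == "__main__":
    vpn = build_client_hello([0x009E, 0x0039, 0x0035])
    web = build_client_hello([0xC02F, 0xC030, 0x009E, 0x0039, 0x0035])
    print(classify(vpn), classify(web))
```

A client whose cipher list equals that of a common browser cannot be singled out by this check without also flagging the browser.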

Problem: Active Probing

1. Censor connects directly to the source
2. Censor acts like a user, implements target protocol
3. Server gets blocked if it replies with target protocol

[Figure: Censor controlled Clients, Active Probing; VPN Client, VPN Server, (Unrestricted) Internet, Restricted Network]

Active Probing Example

Detection of MS-SSTP:

SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1

- Should respond with error, if not MS-SSTP

Existing Solutions

- Existing HTTPS-VPN protocols, e.g. MS-SSTP
- Meek
  - Domain-Fronting
  - Different TLS SNI and HTTP Host
  - Relies on 3rd-party Cloud / CDN providers
  - Cooperate or blocked

Motivation

- Design with detectability in mind
- HTTPS has become an integral part of the Internet
  - Available in the most restrictive network environments
  - Often only ports 80 and 443 can be reached
  - No general blocking for practical and economic reasons
- No reliance on 3rd-party infrastructure

Approach

- General idea: Make the connection look like one between a regular web browser and a web server
- Design and implement a tunneling solution leveraging existing HTTPS infrastructure
  - Inherit safety and stability from well-tested software
  - Simplicity
  - Maintainability
  - Works well with proxies
  - Trend to offer services via Web API

Approach: Architecture

[Figure: architecture diagram. Labels: webtun client (SOCKS5, TUN, TAP; BoringSSL), WTP over HTTPS, Nginx, WTP, webtun server (SOCKS5, TUN, TAP)]

Approach: Active Probing Resistance

1. Connections established to regular web server
2. Web server delegates connections to tunneling server
   - Only after pre-shared secret was exchanged (e.g. Request Path, HTTP Auth, Cookie, ...)

- Approach makes Active Probing useless
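One way to make the delegation decision described above, as an added example that is not the webtun or Nginx code: a request is handed to the tunnel only when it carries the pre-shared secret, and every other request, including the MS-SSTP probe from the earlier slide, gets exactly what the regular web site would answer. The cookie name `session`, the secret value, the stand-in site and its status codes are assumptions made for the sketch.

```python
import hmac

# Assumptions for this sketch (none are from the talk): secret carried in a
# cookie named "session", a stand-in site that only serves "/", sample statuses.
SECRET = b"constructed-pre-shared-secret"
COOKIE = "session"
KNOWN_METHODS = {"GET", "HEAD", "POST"}

def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, path, headers) or None."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def cookie_value(headers, name):
    """Return the value of cookie `name`, or '' when it is absent."""
    for item in headers.get("cookie", "").split(";"):
        key, _, value = item.strip().partition("=")
        if key == name:
            return value
    return ""

def web_response(method, path):
    """Status the ordinary web site gives; probes must see exactly this."""
    if method not in KNOWN_METHODS:
        return 405
    return 200 if path == "/" else 404

def dispatch(raw):
    """Return ('tunnel', None) for the secret holder, otherwise ('web', status)."""
    req = parse_request(raw)
    if req is None:
        return ("web", 400)
    method, path, headers = req
    token = cookie_value(headers, COOKIE).encode("latin-1")
    # Constant-time comparison; a wrong or missing secret falls through to the site.
    if method in KNOWN_METHODS and hmac.compare_digest(token, SECRET):
        return ("tunnel", None)
    return ("web", web_response(method, path))
```

A request with a wrong secret and a request with no secret take the same code path and receive the same answer, so a prober learns nothing about whether a tunnel exists.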

Approach: Deep Packet Inspection Resistance

- Goal: Greatly increase rate of false-positives
  - Assumption: Censor uses blacklisting instead of whitelisting
  - Avoid detectable patterns
    - Traffic-Shaping
    - Behave like Browsers (e.g. Keep-Alive timeouts)

Schedule

[Figure: timeline for 2016, March to July. Tasks: TLS tunnel prototype, Nginx integration, HTTPS protocol, Basic Evaluation, Thesis writing]
