Chair for Network Architectures and Services Technical University of Munich (TUM)
Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections Intermediate Talk
Julien Schmidt
May 30, 2016
Chair for Network Architectures and Services Department of Informatics Technical University of Munich (TUM)

- Problem
  - Deep Packet Inspection
  - Active Probing
- Existing Solutions
- Motivation
- Approach
  - Architecture
  - Active Probing Resistance
  - Deep Packet Inspection Resistance
- Schedule

Problem

- Network environments with active or passive detection and blocking
- Current tunneling solutions not designed with detectability in mind

[Figure: VPN Client, Restricted Network, VPN Server, (Unrestricted) Internet; labels: IP Blacklist, DNS Blacklist]

Problem: Deep Packet Inspection

- Censor can inspect traffic within controlled network
- Destination port, packet size, timing, encryption type, ...

[Figure: VPN Client, Restricted Network, VPN Server, (Unrestricted) Internet; label: Deep Packet Inspection]

Deep Packet Inspection Example

OpenVPN:
1. Censor observes plaintext TLS handshake
2. Detection by cipher list in ClientHello
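
Added example (not from the talk or from OpenVPN): because the ClientHello is sent before encryption starts, an on-path observer can read the offered cipher suites at fixed offsets, as this sketch shows. The two cipher lists and the helper build_client_hello are constructed for illustration and are not the real list of any client.

```python
import struct

def client_hello_cipher_suites(record: bytes):
    """Return the cipher suite IDs a TLS ClientHello record offers, else None."""
    if len(record) < 5 or record[0] != 0x16:        # 0x16: handshake record
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                # 0x01: ClientHello
        return None
    pos = 4 + 2 + 32        # handshake header, client_version, random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]      # skip session_id (1 length byte + value)
    if pos + 2 > len(hs):
        return None
    (cs_len,) = struct.unpack("!H", hs[pos:pos + 2])
    raw = hs[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        return None
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]

def matches_fingerprint(record: bytes, fingerprint) -> bool:
    """True if the offered list equals the fingerprint, order included."""
    return client_hello_cipher_suites(record) == list(fingerprint)

def build_client_hello(suites) -> bytes:
    """Constructed sample input: a minimal ClientHello without extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, no session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")  # null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed lists for illustration; not the real list of any client.
TUNNEL_LIKE = [0x009E, 0x002F]           # DHE-RSA-AES128-GCM, RSA-AES128-CBC
BROWSER_LIKE = [0xC02B, 0xC02F, 0x009E, 0x002F]

if __name__ == "__main__":
    for name, suites in (("tunnel", TUNNEL_LIKE), ("browser", BROWSER_LIKE)):
        rec = build_client_hello(suites)
        print(name, [hex(s) for s in client_hello_cipher_suites(rec)],
              matches_fingerprint(rec, TUNNEL_LIKE))
```

A client whose list is identical to a common browser's gives the observer nothing to separate on this field, which is the reason the approach later in the talk aims to behave like a browser.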

Problem: Active Probing

1. Censor connects directly to the source
2. Censor acts like a user, implements target protocol
3. Server gets blocked if it replies with target protocol

[Figure: VPN Client, Restricted Network, VPN Server, (Unrestricted) Internet; labels: Censor controlled Clients, Active Probing]

Active Probing Example

Detection of MS-SSTP:
SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1

- Should respond with error, if not MS-SSTP

Existing Solutions

- Existing HTTPS-VPN protocols, e.g. MS-SSTP
- Meek
  - Domain-Fronting
  - Different TLS SNI and HTTP Host
  - Relies on 3rd-party Cloud / CDN providers
  - Cooperate or blocked

Motivation

- Design with detectability in mind
- HTTPS has become an integral part of the Internet
  - Available in the most restrictive network environments
  - Often only ports 80 and 443 can be reached
  - No general blocking for practical and economic reasons
- No reliance on 3rd-party infrastructure

Approach

- General idea: Make the connection look like one between a regular web browser and a web server
- Design and implement a tunneling solution leveraging existing HTTPS infrastructure
  - Inherit safety and stability from well-tested software
  - Simplicity
  - Maintainability
  - Works well with proxies
  - Trend to offer services via Web API

Approach: Architecture

[Figure: webtun client and webtun server, each with SOCKS5, TUN and TAP; labels: WTP over HTTPS, WTP, BoringSSL, Nginx]

Approach: Active Probing Resistance

1. Connections established to regular web server
2. Web server delegates connections to tunneling server
   - Only after pre-shared secret was exchanged (e.g. Request Path, HTTP Auth, Cookie, ...)

- Approach makes Active Probing useless
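
Added example (not webtun's or Nginx's own code): the delegation decision from steps 1 and 2, with the pre-shared secret carried in a cookie. The cookie name sid, the secret and the host name are assumptions; a request without the secret, including the MS-SSTP probe from the earlier slide, is left to the regular web server.

```python
import hmac

SECRET_COOKIE = "sid"   # assumed cookie name, chosen for this example

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, path, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def select_backend(raw: bytes, shared_secret: str) -> str:
    """Return 'tunnel' only for requests carrying the pre-shared secret.

    Anything else, malformed input and probes for other protocols included,
    stays with the regular web server ('web') and gets its normal response.
    """
    parsed = parse_request(raw)
    if parsed is None or not shared_secret:
        return "web"
    cookies = {}
    for item in parsed[2].get("cookie", "").split(";"):
        name, sep, value = item.strip().partition("=")
        if sep:
            cookies[name] = value
    presented = cookies.get(SECRET_COOKIE, "")
    # Constant-time compare: timing must not reveal a partially correct guess.
    ok = hmac.compare_digest(presented.encode(), shared_secret.encode())
    return "tunnel" if ok else "web"

# Constructed sample requests; host name and secret are placeholders.
SECRET = "example-pre-shared-secret"
BROWSER = b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
PROBE = (b"SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1\r\n"
         b"Host: www.example.org\r\n\r\n")
CLIENT = (b"GET /api HTTP/1.1\r\nHost: www.example.org\r\n"
          b"Cookie: lang=en; sid=example-pre-shared-secret\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("browser", BROWSER), ("probe", PROBE), ("client", CLIENT)):
        print(name, "->", select_backend(req, SECRET))
```

The property that matters is that the "web" branch is the unmodified web server, so a prober sees exactly what it would see from a host that runs no tunnel at all.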

Approach: Deep Packet Inspection Resistance

- Goal: Greatly increase rate of false-positives
  - Assumption: Censor uses blacklisting instead of whitelisting
- Avoid detectable patterns
  - Traffic-Shaping
  - Behave like Browsers (e.g. Keep-Alive timeouts)

Schedule

[Gantt chart, March to July 2016: TLS tunnel prototype, Nginx integration, HTTPS protocol, Basic obfuscation, Evaluation, Thesis writing]