Active Probing and Deep Packet Inspection Detection Resistant Tunneling Through HTTPS Connections Intermediate Talk

Chair for Network Architectures and Services
Technical University of Munich (TUM)

Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections
Intermediate Talk

Julien Schmidt
May 30, 2016
Chair for Network Architectures and Services
Department of Informatics
Technical University of Munich (TUM)

Outline
  • Problem
  • Deep Packet Inspection
  • Active Probing
  • Existing Solutions
  • Motivation
  • Approach
  • Architecture
  • Active Probing Resistance
  • Deep Packet Inspection Resistance
  • Schedule

Problem
  • Network environments with active or passive detection and blocking
  • Current tunneling solutions not designed with detectability in mind
[Figure labels: VPN Client, Restricted Network, (Unrestricted) Internet, VPN Server, IP Blacklist, DNS Blacklist]

Problem: Deep Packet Inspection
  • Censor can inspect traffic within controlled network
  • Destination port, packet size, timing, encryption type.
[Figure labels: Deep Packet Inspection, VPN Client, Restricted Network, (Unrestricted) Internet, VPN Server]

Deep Packet Inspection Example
OpenVPN:
  1. Censor observes plaintext TLS handshake
  2. Detection by cipher list in ClientHello

Problem: Active Probing
  1. Censor connects directly to the source
  2. Censor acts like a user, implements target protocol
  3. Server gets blocked if it replies with target protocol
[Figure labels: Censor controlled Clients, Active Probing, VPN Client, Restricted Network, (Unrestricted) Internet, VPN Server]

Active Probing Example
Detection of MS-SSTP:
    SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1
  • Should respond with error, if not MS-SSTP

Existing Solutions
  • Existing HTTPS-VPN protocols, e.g. MS-SSTP
  • Meek
  • Domain-Fronting
  • Different TLS SNI and HTTP Host
  • Relies on 3rd-party Cloud / CDN providers
  • Cooperate or blocked

Motivation
  • Design with detectability in mind
  • HTTPS has become an integral part of the Internet
  • Available in the most restrictive network environments
  • Often only ports 80 and 443 can be reached
  • No general blocking for practical and economic reasons
  • No reliance on 3rd-party infrastructure

Approach
  • General idea: Make connection look like between a regular web browser and web server
  • Design and implement a tunneling solution leveraging existing HTTPS infrastructure
  • Inherit safety and stability from well-tested software
  • Simplicity
  • Maintainability
  • Works well with proxies
  • Trend to offer services via Web API

Approach: Architecture
[Figure: architecture diagram. Labels: webtun client, webtun server, SOCKS5 (x2), TUN (x2), TAP (x2), BoringSSL, Nginx, WTP over HTTPS, WTP]

Approach: Active Probing Resistance
  1. Connections established to regular web server
  2. Web server delegates connections to tunneling server
     • Only after pre-shared secret was exchanged (e.g. Request Path, HTTP Auth, Cookie, ...)
  • Approach makes Active Probing useless

Approach: Deep Packet Inspection Resistance
  • Goal: Greatly increase rate of false-positives
  • Assumption: Censor uses blacklisting instead of whitelisting
  • Avoid detectable patterns
  • Traffic-Shaping
  • Behave like Browsers (e.g. Keep-Alive timeouts)

Schedule
[Figure: 2016 timeline, March to July. Tasks: TLS tunnel prototype, Nginx integration, HTTPS protocol, Basic obfuscation, Evaluation, Thesis writing]
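The "Deep Packet Inspection Example" slide names detection by the cipher list in the plaintext ClientHello; the following added example (not code from the talk) parses that list from a TLS record and matches it against a blacklist, the censor model the talk assumes. The record builder, the `BLACKLIST` entry and its label are constructed for illustration and are not measured fingerprints of any product.

```python
import struct

def build_client_hello(suites):
    """Build a minimal ClientHello record (constructed sample, no extensions)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session_id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00")                           # compression: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_cipher_suites(record):
    """Return the ordered cipher-suite IDs of a ClientHello record, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                  # not a handshake / ClientHello
    rec_len = struct.unpack("!H", record[3:5])[0]
    end = 9 + int.from_bytes(record[6:9], "big")     # end of the ClientHello body
    if 5 + rec_len > len(record) or end > 5 + rec_len:
        return None                                  # truncated or fragmented
    pos = 9 + 2 + 32                                 # skip client_version and random
    if pos >= end:
        return None
    pos += 1 + record[pos]                           # skip session_id
    if pos + 2 > end:
        return None
    n = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    if n % 2 or pos + n > end:
        return None
    return list(struct.unpack("!%dH" % (n // 2), record[pos:pos + n]))

# Constructed blacklist entry: an illustrative suite order, not a measured fingerprint.
BLACKLIST = {(0x009E, 0x0039, 0x0033, 0x0035, 0x002F): "vpn-client (constructed)"}

def classify(record, blacklist=BLACKLIST):
    """Blacklisting DPI: flag only exact matches of a known cipher-suite order."""
    suites = parse_cipher_suites(record)
    return blacklist.get(tuple(suites)) if suites is not None else None
```

A ClientHello whose suite order is not on the list returns `None`, which is why the design puts a browser TLS stack (BoringSSL) on the client side: blocking it would also block ordinary browsers.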
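The "Active Probing Resistance" slide has the web server delegate a connection to the tunneling server only after a pre-shared secret was presented; this added sketch (not the webtun or Nginx implementation) shows that routing decision for the three carriers the slide lists. The cookie name `wt`, the function names and the sample secret are hypothetical.

```python
import base64
import hmac

def presented_secrets(raw_request: bytes):
    """Yield candidate secrets from the request path, Cookie and Basic auth headers."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = head[0].split(b" ")
    if len(parts) == 3:
        yield parts[1].lstrip(b"/")                 # request path
    for line in head[1:]:
        name, _, value = line.partition(b":")
        name, value = name.strip().lower(), value.strip()
        if name == b"cookie":
            for item in value.split(b";"):
                key, _, val = item.strip().partition(b"=")
                if key == b"wt":                    # hypothetical cookie name
                    yield val
        elif name == b"authorization" and value[:6].lower() == b"basic ":
            try:
                yield base64.b64decode(value[6:], validate=True).partition(b":")[2]
            except ValueError:
                pass                                # malformed header: ignore it

def route(raw_request: bytes, secret: bytes) -> str:
    """Return 'tunnel' only if the pre-shared secret was presented, else 'site'."""
    ok = False
    for candidate in presented_secrets(raw_request):
        ok |= hmac.compare_digest(candidate, secret)   # constant-time comparison
    return "tunnel" if ok else "site"

# Constructed sample: the MS-SSTP probe from the slide, sent to this server.
SSTP_PROBE = (b"SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ "
              b"HTTP/1.1\r\nHost: www.example.org\r\n\r\n")
```

Every request routed to `site`, the probe included, is answered by the regular web server, so a prober sees nothing that differs from an ordinary site.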
