Gabatarwar
Tsarukan tace abun ciki na zamani daga shahararrun masana'antun kamar Cisco, BlueCoat, FireEye suna da alaƙa da takwarorinsu masu ƙarfi - tsarin DPI, waɗanda ake aiwatar da su sosai a matakin ƙasa. Ma'anar aikin duka biyun shine bincika zirga-zirgar Intanet mai shigowa da mai fita kuma, dangane da jerin baƙi / fari, yanke shawarar hana haɗin Intanet. Kuma da yake su biyun sun dogara da ka'idoji iri ɗaya a cikin tushen aikinsu, hanyoyin da za a bi da su kuma za su kasance da yawa iri ɗaya.
Ɗaya daga cikin fasahohin da ke ba ku damar ƙetare duka DPI da tsarin kamfanoni shine fasahar gaba-gaba. Mahimmancinsa shine mu je wurin da aka toshe, muna fakewa da wani, yanki na jama'a tare da kyakkyawan suna, wanda babu shakka ba za a toshe shi ta kowane tsari ba, misali google.com.
An riga an rubuta labarai da yawa game da wannan fasaha kuma an ba da misalai da yawa. Koyaya, sanannen kuma kwanan nan an tattauna akan DNS-over-HTTPS da fasahar SNI da aka ɓoye, da kuma sabon sigar ƙa'idar TLS 1.3, yana ba da damar yin la'akari da wani zaɓi don gaban yanki.
Fahimtar fasaha
Da farko, bari mu ayyana ƴan asali ra'ayoyi domin kowa da kowa ya fahimci wanene kuma me yasa ake buƙatar wannan duka. Mun ambaci tsarin eSNI, wanda za a ci gaba da tattauna aikin. Tsarin eSNI (Rufaffen Sunan Sunan uwar garken) ingantaccen sigar SNI ce, akwai kawai don ƙa'idar TLS 1.3. Babban ra'ayi shine rufaffen, a tsakanin wasu abubuwa, bayanai game da wane yanki ne aka aika da bukatar.
Yanzu bari mu kalli yadda tsarin eSNI ke aiki a aikace.
Bari mu ce muna da albarkatun Intanet wanda aka toshe ta hanyar tsarin DPI na zamani (bari mu ɗauki, alal misali, sanannen torrent tracker rutracker.nl). Lokacin da muka yi ƙoƙarin shiga gidan yanar gizon mai bin diddigin torrent, muna ganin ƙayyadaddun ƙayyadaddun mai samarwa yana nuna cewa an toshe albarkatun:
A kan gidan yanar gizon RKN wannan yanki an jera shi a cikin jerin tasha:
Lokacin da kake tambaya whois, za ka iya ganin cewa yankin da kansa yana "boye" a bayan mai ba da girgije Cloudflare.
Amma ba kamar "ƙwararrun masana" daga RKN ba, ƙarin ma'aikatan fasaha na fasaha daga Beeline (ko koyaswar ƙwarewar mashahuran mu mai kula da mu) ba su hana shafin ta hanyar adireshin IP ba, amma sun ƙara sunan yankin zuwa jerin tasha. Kuna iya tabbatar da hakan cikin sauƙi idan kun kalli abin da wasu yankuna ke ɓoye a bayan adireshin IP iri ɗaya, ziyarci ɗayansu kuma ku ga cewa ba a toshe damar shiga:
Ta yaya hakan ke faruwa? Ta yaya DPI mai ba da sabis ta san wane yanki ne mai bincikena yake, tunda duk hanyoyin sadarwa suna faruwa ta hanyar ka'idar https, kuma har yanzu ba mu lura da sauya takaddun takaddun https daga Beeline ba? Shin shi clairvoyant ne ko ana bina?
Bari muyi kokarin amsa wannan tambayar ta hanyar duba zirga-zirga ta hanyar wayashark
Hoton hoton yana nuna cewa da farko mai binciken yana samun adireshin IP na uwar garken ta hanyar DNS, sannan daidaitaccen musafida TCP yana faruwa tare da uwar garken inda aka nufa, sannan mai binciken yana ƙoƙarin kafa haɗin SSL tare da sabar. Don yin wannan, yana aika fakitin Sannu Abokin Ciniki na SSL, wanda ya ƙunshi sunan yankin tushen a bayyanannen rubutu. Ana buƙatar wannan filin ta uwar garken gaban gaban Cloudflare don daidaita hanyar haɗin kai daidai. Wannan shine inda mai bada DPI ya kama mu, yana karya haɗin gwiwarmu. A lokaci guda, ba mu sami wani taurin kai daga mai bayarwa ba, kuma muna ganin daidaitaccen kuskuren burauzar kamar an kashe rukunin yanar gizon ko kuma kawai baya aiki:
Yanzu bari mu kunna tsarin eSNI a cikin burauzar, kamar yadda aka rubuta a cikin umarnin don :
Don yin wannan muna buɗe shafin daidaitawar Firefox game da: saiti kuma kunna saitunan masu zuwa:
network.trr.mode = 2;
network.trr.uri = https://mozilla.cloudflare-dns.com/dns-query
network.security.esni.enabled = true
Bayan wannan, za mu bincika cewa saitunan suna aiki daidai akan gidan yanar gizon Cloudflare. kuma bari mu sake gwada dabara tare da torrent tracker.
Voila. An buɗe fitaccen tracker ɗinmu ba tare da wani VPN ko sabar wakili ba. Bari yanzu mu kalli jujjuyar zirga-zirgar ababen hawa a cikin wayashark don ganin abin da ya faru.
A wannan karon, kunshin hello abokin ciniki na ssl ba ya ƙunshi yankin da aka nufa, amma a maimakon haka, sabon filin ya bayyana a cikin kunshin - encrypted_server_name - anan ne ke ƙunshe da ƙimar rutracker.nl, kuma uwar garken gaba na Cloudflare ne kawai zai iya warware wannan. filin. Kuma idan haka ne, to DPI mai ba da sabis ba shi da wani zaɓi sai dai ya wanke hannayensa kuma ya ƙyale irin wannan zirga-zirga. Babu wasu zaɓuɓɓuka tare da ɓoyewa.
Don haka, mun kalli yadda fasahar ke aiki a cikin mai binciken. Yanzu bari mu yi ƙoƙari mu yi amfani da shi zuwa ƙarin takamaiman abubuwa masu ban sha'awa. Kuma da farko, za mu koyar da curl iri ɗaya don amfani da eSNI don yin aiki tare da TLS 1.3, kuma a lokaci guda za mu ga yadda yankin tushen eSNI gaba da kansa yake aiki.
Gaban yanki tare da eSNI
Saboda gaskiyar cewa curl yana amfani da daidaitaccen ɗakin karatu openssl don haɗawa ta hanyar ka'idar https, da farko muna buƙatar samar da tallafin eSNI a can. Babu wani tallafi na eSNI a cikin manyan rassan openssl tukuna, don haka muna buƙatar zazzage reshe na openssl na musamman, tattara kuma shigar da shi.
Muna rufe ma'ajin daga GitHub kuma muna tattara kamar yadda aka saba:
$ git clone https://github.com/sftcd/openssl
$ cd openssl
$ ./config
$ make
$ cd esnistuff
$ make
Bayan haka, muna rufe ma'ajiyar tare da curl kuma mu saita tantanin halitta ta amfani da haɗewar laburaren openssl:
$ cd $HOME/code
$ git clone https://github.com/niallor/curl.git curl-esni
$ cd curl-esni
$ export LD_LIBRARY_PATH=/opt/openssl
$ ./buildconf
$ LDFLAGS="-L/opt/openssl" ./configure --with-ssl=/opt/openssl --enable-esni --enable-debug
Anan yana da mahimmanci a ƙayyade duk kundayen adireshi daidai inda openssl yake (a cikin yanayinmu, wannan shine /opt/openssl/) kuma tabbatar da cewa tsarin daidaitawa ya wuce ba tare da kurakurai ba.
Idan tsarin ya yi nasara, za mu ga layin:
GARGAƊI: esni ESNI an kunna amma alamar GWAJI. Yi amfani da hankali!
$ makeBayan nasarar gina fakitin, za mu yi amfani da fayil ɗin bash na musamman daga openssl don daidaitawa da gudanar da curl. Bari mu kwafa shi zuwa kundin adireshi tare da curl don dacewa:
cp /opt/openssl/esnistuff/curl-esni da yin gwajin buƙatun https zuwa uwar garken Cloudflare, yayin yin rikodin fakitin DNS da TLS a lokaci guda a cikin Wireshark.
$ ESNI_COVER="www.hello-rkn.ru" ./curl-esni https://cloudflare.com/A cikin martanin uwar garken, ban da yawancin bayanan gyarawa daga openssl da curl, za mu sami martanin HTTP tare da lambar 301 daga Cloudflare.
HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 13:12:55 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Sun, 03 Nov 2019 14:12:55 GMT
< Location: https://www.cloudflare.com/
wanda ke nuni da cewa an samu nasarar isar da bukatar mu zuwa uwar garken inda muka nufa, an ji kuma an sarrafa ta.
Yanzu bari mu dubi jujjuyawar zirga-zirga a cikin wayashark, watau. abin da mai bada DPI ya gani a wannan yanayin.
Ana iya ganin cewa curl ya fara juya zuwa uwar garken DNS don maɓallin eSNI na jama'a don sabar Cloudflare - buƙatun DNS na TXT zuwa _esni.cloudflare.com (kunshi na 13). Sannan, ta amfani da ɗakin karatu na openssl, curl ya aika buƙatar TLS 1.3 zuwa uwar garken Cloudflare wanda a cikinsa aka ɓoye filin SNI tare da maɓallin jama'a da aka samu a matakin da ya gabata (fakiti #22). Amma, ban da filin eSNI, fakitin SSL-hello kuma ya haɗa da filin da aka saba - bude SNI, wanda za mu iya ƙayyade ta kowane tsari (a cikin wannan yanayin - ).
Ba a yi la'akari da wannan buɗaɗɗen filin SNI ta kowace hanya ba lokacin sarrafa sabar Cloudflare kuma kawai yayi aiki azaman abin rufe fuska ga DPI mai bayarwa. Sabar Cloudflare ta karɓi fakitinmu na ssl-hello, ta ɓoye eSNI, cire ainihin SNI daga can kuma ta sarrafa ta kamar ba abin da ya faru (ya yi komai daidai yadda aka tsara lokacin haɓaka eSNI).
Abinda kawai za'a iya kamawa a cikin wannan yanayin daga ra'ayi na DPI shine buƙatun DNS na farko zuwa _esni.cloudflare.com. Amma mun buɗe buƙatar DNS kawai don nuna yadda wannan tsarin ke aiki daga ciki.
Don ƙarshe cire ruggin daga ƙarƙashin DPI, muna amfani da tsarin DNS-over-HTTPS da aka ambata. Ƙananan bayani - DOH yarjejeniya ce da ke ba ku damar kariya daga harin mutum-a-tsakiyar ta hanyar aika buƙatar DNS akan HTTPS.
Bari mu sake aiwatar da buƙatar, amma wannan lokacin za mu karɓi maɓallan eSNI na jama'a ta hanyar ka'idar https, ba DNS:
ESNI_COVER="www.hello-rkn.ru" DOH_URL=https://mozilla.cloudflare-dns.com/dns-query ./curl-esni https://cloudflare.com/Ana nuna jujjuwar zirga-zirgar zirga-zirga a cikin hoton da ke ƙasa:
Ana iya ganin cewa curl ya fara shiga sabar mozilla.cloudflare-dns.com ta hanyar ka'idar DoH (haɗin haɗin yanar gizo zuwa uwar garken 104.16.249.249) don samun ƙimar maɓallan jama'a don ɓoyewar SNI daga gare su, sannan zuwa wurin da aka nufa. uwar garken, yana ɓoye a bayan yankin .
Baya ga abin da ke sama DoH solver mozilla.cloudflare-dns.com, za mu iya amfani da wasu shahararrun sabis na DoH, misali, daga shahararren mugun kamfani.
Bari mu gudanar da tambaya mai zuwa:
ESNI_COVER="www.kremlin.ru" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/Kuma muna samun amsar:
< HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 14:10:22 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=da0144d982437e77b0b37af7d00438b1a1572790222; expires=Mon, 02-Nov-20 14:10:22 GMT; path=/; domain=.rutracker.nl; HttpOnly; Secure
< Location: https://rutracker.nl/forum/index.php
< CF-Cache-Status: DYNAMIC
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 52feee696f42d891-CPH
A wannan yanayin, mun juya zuwa uwar garken rutracker.nl da aka katange, ta yin amfani da DoH resolver dns.google (babu buga rubutu a nan, yanzu shahararriyar kamfani tana da nata yanki na matakin farko) kuma mun rufe kanmu da wani yanki, wanda ke da tsayi sosai. an haramta shi ga duk DPI su toshe ƙarƙashin zafin mutuwa. Dangane da martanin da aka samu, zaku iya fahimtar cewa an sami nasarar aiwatar da buƙatarmu.
A matsayin ƙarin duba cewa DPI na mai bayarwa yana amsawa ga buɗe SNI, wanda muke watsawa azaman murfin, za mu iya yin buƙatu zuwa rutracker.nl a ƙarƙashin sunan wasu albarkatun da aka haramta, misali, wani “mai kyau” torrent tracker:
$ ESNI_COVER="rutor.info" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/Ba za mu sami amsa daga uwar garken ba, saboda... tsarin DPI zai toshe bukatar mu.
A takaice dai karshen kashi na farko
Don haka, mun sami damar nuna ayyukan eSNI ta amfani da openssl da curl da gwada aikin gaba da yanki bisa eSNI. Hakazalika, za mu iya daidaita kayan aikin da muka fi so waɗanda ke amfani da ɗakin karatu na openssl don yin aiki "ƙarƙashin ɓoye" na wasu yankuna. Ƙarin bayani game da wannan a cikin labaranmu na gaba.
source: www.habr.com