Domain fronting based on TLS 1.3

Introduction

Modern enterprise content-filtering systems from well-known vendors such as Cisco, BlueCoat and FireEye have a great deal in common with their more powerful relatives, the DPI systems now being deployed at the state level. Both inspect incoming and outgoing Internet traffic and, based on black and white lists, decide whether to block a connection. And since both rely on the same underlying principles, the methods for getting around them also have a lot in common.

One technique that lets you effectively bypass both DPI and corporate filtering is domain fronting. The idea is to reach a blocked resource while hiding behind a different, public domain with a good reputation, one that obviously will not be blocked by any system, for example google.com.

Many articles have been written about this technique and plenty of examples have been given. However, the popular and much-discussed DNS-over-HTTPS and encrypted SNI technologies, together with the new version of the TLS protocol, TLS 1.3, make it possible to consider another variant of domain fronting.

Understanding the technique

First, let's define a few basic concepts so that everyone understands what is being discussed and why it is needed. We have already mentioned the eSNI mechanism, and it will come up repeatedly below. eSNI (encrypted Server Name Indication) is a protected form of SNI that is only available with TLS 1.3. Its main idea is to encrypt, among other things, the information about which domain the request is addressed to. (The eSNI draft that Cloudflare and Firefox implemented in 2019 has since been superseded by Encrypted Client Hello, ECH, which encrypts the whole ClientHello rather than just the server name; the fronting idea below carries over, but the extension code points, DNS records and browser settings are different.)

Now let's see how the eSNI mechanism works in practice.

Suppose we have an Internet resource that is blocked by a modern DPI solution (take, for example, the well-known torrent tracker rutracker.nl). When we try to open the tracker's site, we see the provider's standard stub page saying that the resource is blocked:


On the RKN (Roskomnadzor) website this domain is indeed present in the block lists:


A whois query shows that the domain itself is "hidden" behind the CDN provider Cloudflare.


But unlike the "specialists" at RKN, the more technically literate staff at Beeline (taught by bitter experience with our famous regulator) did not blindly block the site by IP address, but added the domain name to the block list. It is easy to verify this: look up which other domains sit behind the same IP address, open one of them, and see that access to it is not blocked:


How does this work? How does the provider's DPI know which domain my browser is going to, if all communication goes over HTTPS and we have not seen Beeline substituting HTTPS certificates? Is it clairvoyant, or am I being followed?

Let's try to answer this question by looking at the traffic in Wireshark.


The screenshot shows that the browser first resolves the server's IP address via DNS, then performs a normal TCP handshake with the target server, and then tries to establish a TLS session with it. To do so, it sends a ClientHello message, which carries the name of the requested domain in plain text in the SNI (server_name) extension. The Cloudflare frontend server needs this field to route the connection to the right backend. And this is exactly where the provider's DPI catches us and breaks the connection. We do not get the provider's stub page in this case; instead, we see the standard browser error, as if the site were down or simply not working:


Now let's enable the eSNI mechanism in the browser, following the instructions for Firefox:
To do this, open Firefox's about:config page and set the following preferences (these are the preferences of the 2019 Firefox builds; Firefox 85 removed eSNI support in favor of ECH, so they no longer exist in current versions):

network.trr.mode = 2
network.trr.uri = https://mozilla.cloudflare-dns.com/dns-query
network.security.esni.enabled = true

network.trr.mode = 2 means "DoH first, fall back to the system resolver"; mode 3 disables the fallback, so that no plaintext DNS query can leak if the DoH resolver is unreachable. After that, we verify on Cloudflare's check page that the settings work, and try the trick again with our torrent tracker.


Voila. Our favorite tracker opens without any VPN servers or proxies. Let's look at the traffic dump in Wireshark to see what happened.


Now the ClientHello no longer states in the clear where it is going; instead, a new field has appeared in the packet, encrypted_server_name, which carries the value rutracker.nl, and only the Cloudflare frontend server can decrypt it. If so, the provider's DPI has no choice but to wash its hands of it and let the traffic through. Short of banning encryption altogether (or, more precisely, of dropping every ClientHello that carries the encrypted_server_name extension, which is the crude counter-measure a DPI operator is left with), there is no other option.

So, we have seen how the technology works in the browser. Now let's try to apply it to more specific and interesting things. First we will teach curl to use eSNI with TLS 1.3, and along the way we will see how eSNI-based domain fronting itself works.

Domain fronting with eSNI

Since curl uses the standard OpenSSL library for HTTPS connections, we first need to add eSNI support there. The mainline OpenSSL branches have no eSNI support, so we have to download a special OpenSSL fork, build it and install it.

We clone the repository from GitHub and build it in the usual way:

$ git clone https://github.com/sftcd/openssl
$ cd openssl
$ ./config

$ make
$ cd esnistuff
$ make

Then we clone the curl repository and configure its build against the OpenSSL library we just built:

$ cd $HOME/code
$ git clone https://github.com/niallor/curl.git curl-esni
$ cd curl-esni

$ export LD_LIBRARY_PATH=/opt/openssl
$ ./buildconf
$ LDFLAGS="-L/opt/openssl" ./configure --with-ssl=/opt/openssl --enable-esni --enable-debug

The important thing here is to point correctly at all the directories where OpenSSL lives (in our case /opt/openssl/) and to make sure that configure completes without errors. Note that the OpenSSL build steps above do not install anything: the paths here assume the built OpenSSL tree is located in /opt/openssl, so either build it there or adjust the paths to wherever yours is.

If configure succeeds, we will see the line:

WARNING: esni ESNI enabled but marked EXPERIMENTAL. Use with caution!

$ make

After the build finishes, we use a special bash script from the OpenSSL fork to set up the environment and run curl. Copy it into the curl directory for convenience:

cp /opt/openssl/esnistuff/curl-esni 

and make a test HTTPS request to a Cloudflare server, capturing the DNS and TLS packets in Wireshark at the same time.

$ ESNI_COVER="www.hello-rkn.ru" ./curl-esni https://cloudflare.com/

In the server's reply, besides a large amount of debug output from OpenSSL and curl, we get an HTTP response with status code 301 from Cloudflare:

< HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 13:12:55 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Sun, 03 Nov 2019 14:12:55 GMT
< Location: https://www.cloudflare.com/

which shows that our request was delivered to the target server, understood and processed.

Now let's look at the traffic dump in Wireshark, that is, at what the provider's DPI saw in this case.


We can see that curl first queried the DNS server for Cloudflare's public eSNI key: a DNS TXT query for _esni.cloudflare.com (packet #13). Then, using the OpenSSL library, curl sent a TLS 1.3 ClientHello to the Cloudflare server in which the SNI field is encrypted with the public key obtained in the first step (packet #22). But besides the eSNI field, the ClientHello also contains the usual plaintext SNI field, which we can set to any value we like (here, www.hello-rkn.ru).

This plaintext SNI field is not taken into account at all when the Cloudflare servers process the connection; it serves only as a mask for the provider's DPI. The Cloudflare server received our ClientHello, decrypted the eSNI, extracted the real SNI from it, and handled the request as if nothing unusual had happened (exactly as the eSNI designers intended).

The only thing a DPI could catch in this case is the initial DNS query for _esni.cloudflare.com. But we deliberately left that DNS query in the clear to show how the mechanism works from the inside.

To pull the rug out from under the DPI completely, we use the DNS-over-HTTPS mechanism mentioned earlier. Briefly: DoH is a protocol that carries DNS queries inside HTTPS, so an on-path observer such as the provider's DPI can neither read nor tamper with them; that is what protects the lookup from a man-in-the-middle.

We run the request again, but this time obtain the public eSNI keys over HTTPS rather than plain DNS:

ESNI_COVER="www.hello-rkn.ru" DOH_URL=https://mozilla.cloudflare-dns.com/dns-query ./curl-esni https://cloudflare.com/

The traffic dump is shown in the screenshot below.


We can see that curl first connects over DoH to the resolver mozilla.cloudflare-dns.com (an HTTPS connection to 104.16.249.249) to obtain the public key for SNI encryption, and only then to the target server, hiding behind the domain www.hello-rkn.ru.
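The DoH step in the exchange above, as an added Python example (it is not code from the article or from curl-esni): it builds the wire-format DNS TXT query for _esni.cloudflare.com, wraps it into the RFC 8484 GET URL that a DoH client sends to the resolver, and parses a response message constructed right here (the TXT value is a placeholder, not a real ESNIKeys record). No network is used; feeding the URL to an HTTPS client is the only step left out.

```python
"""
Constructed example of the DoH lookup curl-esni performs: fetch the TXT record
_esni.<domain> over DNS-over-HTTPS (RFC 8484) instead of plain UDP DNS, so the
lookup is invisible to a provider's DPI.  The response parsed at the end is
fabricated here; its TXT value is a dummy, not a real ESNIKeys blob.
"""
import base64
import struct
from typing import List

QTYPE_TXT = 16
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_txt_query(name: str) -> bytes:
    """Standard query for TXT <name>.  ID is 0 and RD=1, as RFC 8484 recommends
    for the GET form so that resolver and HTTP caches can reuse identical queries."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: ?dns=<base64url of the DNS message, padding stripped>."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (resolver_url, b64)


def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_txt_response(msg: bytes) -> List[str]:
    """Return the joined TXT strings of every TXT answer in a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0x000F))
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4                 # skip QTYPE + QCLASS
    texts = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata, pos = msg[pos:pos + rdlen], pos + rdlen
        if rtype != QTYPE_TXT:
            continue
        # RDATA is a sequence of <len><bytes> character-strings (max 255 each);
        # a long ESNIKeys value is split across several, so join them back.
        i, parts = 0, []
        while i < len(rdata):
            n = rdata[i]
            parts.append(rdata[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        texts.append("".join(parts))
    return texts


def constructed_doh_response(query: bytes, txt_value: str) -> bytes:
    """Fabricate the response a resolver would return for `query` (test data only)."""
    question = query[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, RCODE=0
    raw = txt_value.encode("ascii")
    rdata = b"".join(bytes([len(raw[i:i + 255])]) + raw[i:i + 255]
                     for i in range(0, len(raw), 255))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    q = build_txt_query("_esni.cloudflare.com")
    print(doh_get_url("https://mozilla.cloudflare-dns.com/dns-query", q))
    resp = constructed_doh_response(q, "DUMMY-ESNIKEYS-BLOB")
    print(parse_txt_response(resp))
```

Because the query travels as an opaque HTTPS request body or URL parameter, the DPI sees only a TLS connection to the resolver's IP; the _esni label that gave the game away in the plain-DNS capture never appears on the wire.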

Besides the DoH resolver mozilla.cloudflare-dns.com, we can use other well-known DoH services, for example the one from the famous "evil corporation".
Let's run this query:

ESNI_COVER="www.kremlin.ru" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/

And we get the response:

< HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 14:10:22 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=da0144d982437e77b0b37af7d00438b1a1572790222; expires=Mon, 02-Nov-20 14:10:22 GMT; path=/; domain=.rutracker.nl; HttpOnly; Secure
< Location: https://rutracker.nl/forum/index.php
< CF-Cache-Status: DYNAMIC
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 52feee696f42d891-CPH


This time we reached the blocked server rutracker.nl using the DoH resolver dns.google (no typo here: the well-known corporation now has its own top-level domain) and covered ourselves with a domain that no DPI in the country would dare to block. The response we received shows that our request was processed successfully.

As an additional check that the provider's DPI reacts precisely to the plaintext SNI we send as the cover, we can request rutracker.nl under the guise of another blocked resource, for example another "good" tracker:

$ ESNI_COVER="rutor.info" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/

We get no response from the server at all, because our request is blocked by the DPI system.
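To make concrete what the provider's DPI actually sees in the captures above (the plaintext server_name it matched in the first Wireshark dump, the encrypted_server_name extension that Firefox and curl-esni add, and the cover-domain test just run), here is an added Python example; it is not code from the article or from the OpenSSL and curl forks. It builds minimal TLS 1.3 ClientHello records the way a client would and parses them the way an SNI-matching filter does. Assumptions: the extension code point 0xffce is the one from draft-ietf-tls-esni-02 that the 2019 implementations used, the ESNI payload is a dummy blob (the real one is an encrypted structure the DPI cannot read either way), and BLOCKLIST is a constructed stand-in for the provider's list.

```python
"""
Constructed example: what an SNI-matching DPI box sees in a TLS ClientHello.

build_client_hello() produces a minimal TLS 1.3 ClientHello record; the cover
name goes into the plaintext server_name extension and an (optional) dummy
blob into the draft-02 encrypted_server_name extension (0xffce).
parse_client_hello() is the DPI side: it can only read the plaintext fields.
"""
import os
import struct
from typing import Optional, Set

EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE   # draft-ietf-tls-esni-02 code point (assumed here)


def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body


def _sni_ext(hostname: str) -> bytes:
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    return _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def build_client_hello(cover_sni: str, esni_payload: Optional[bytes] = None) -> bytes:
    """Return a TLS record carrying a ClientHello.  cover_sni is sent in the clear;
    esni_payload, if given, is placed in encrypted_server_name, as curl-esni does."""
    exts = _sni_ext(cover_sni)
    exts += _ext(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")      # list of one: TLS 1.3
    if esni_payload is not None:
        exts += _ext(EXT_ENCRYPTED_SERVER_NAME, esni_payload)
    body = (
        b"\x03\x03" + os.urandom(32)              # legacy_version, random
        + b"\x00"                                 # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                             # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """DPI-side view: plaintext SNI, whether an ESNI extension is present, and
    whether TLS 1.3 is offered.  Raises ValueError for anything else."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # skip version + random
    pos += 1 + body[pos]                                    # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher suites
    pos += 1 + body[pos]                                    # compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    result = {"sni": None, "esni": False, "tls13": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            # server_name_list: 2-byte list length, then type(1) + length(2) + name
            name_len = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode("ascii")
        elif etype == EXT_ENCRYPTED_SERVER_NAME:
            result["esni"] = True                           # content is opaque to us
        elif etype == EXT_SUPPORTED_VERSIONS:
            versions = [data[i:i + 2] for i in range(1, 1 + data[0], 2)]
            result["tls13"] = b"\x03\x04" in versions
    return result


def dpi_verdict(record: bytes, blocklist: Set[str]) -> str:
    """Model of the provider's filter: it can only act on the plaintext name."""
    return "BLOCK" if parse_client_hello(record)["sni"] in blocklist else "ALLOW"


BLOCKLIST = {"rutracker.nl", "rutor.info"}   # constructed stand-in for the provider's list

if __name__ == "__main__":
    cases = {
        "plain":     build_client_hello("rutracker.nl"),
        "fronted":   build_client_hello("www.hello-rkn.ru", esni_payload=b"\xaa" * 64),
        "bad_cover": build_client_hello("rutor.info", esni_payload=b"\xaa" * 64),
    }
    for label, rec in cases.items():
        print(label, parse_client_hello(rec), dpi_verdict(rec, BLOCKLIST))
```

The three cases reproduce the article's observations: the plain ClientHello for rutracker.nl is blocked, the fronted one with www.hello-rkn.ru as cover passes even though the ESNI extension is visible, and a cover that is itself on the list (rutor.info) is blocked regardless of what the encrypted name says. A DPI that wanted to defeat the technique would have to key on the esni flag instead of the name.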

A short conclusion for part one

So we were able to demonstrate eSNI in action using OpenSSL and curl, and to test eSNI-based domain fronting. In the same way, we can adapt our favorite tools that use the OpenSSL library to work "under the guise" of other domains. More about that in our next articles.

Source: www.habr.com
