Domain fronting based on TLS 1.3

Introduction

Modern corporate content-filtering systems from well-known vendors such as Cisco, BlueCoat and FireEye have a lot in common with their bigger brothers, the DPI systems deployed at the national level. The job of both is to inspect Internet traffic and, based on blacklists and whitelists, decide whether a connection should be blocked. And since both rely on similar principles, the methods of bypassing them also have much in common.

One technique that lets you bypass both DPI and corporate filters quite effectively is domain fronting. The idea is that we reach a blocked resource while hiding behind another, public domain with a good reputation, one that obviously will not be blocked by any system, google.com for example.

Quite a lot has already been written about this technique and plenty of examples have been given. However, the recently popular and much-discussed DNS-over-HTTPS and encrypted SNI technologies, together with the new version of the TLS protocol, TLS 1.3, make it possible to consider yet another variant of domain fronting.

Understanding the technology

First, let's define a few terms so that everyone understands who is who and why all of this is needed. We mentioned the eSNI mechanism, and its operation will be discussed further below. eSNI (encrypted Server Name Indication) is a secure version of SNI that is available only with TLS 1.3. The main idea is to encrypt, among other things, the information about which domain the request is addressed to. (The eSNI draft was later superseded by Encrypted Client Hello, ECH; the browser preferences and patched libraries used in this article reflect the state of things in late 2019.)

Now let's see how the eSNI mechanism works in practice.

Suppose we have an Internet resource that is blocked by a modern DPI solution (let's take, for example, the well-known torrent tracker rutracker.nl). When we try to open the tracker's website, we see the provider's standard stub page saying that the resource is blocked:

[screenshot]

On the RKN (Roskomnadzor) website this domain is indeed listed in the register of blocked resources:

[screenshot]

A whois query shows that the domain itself is "hidden" behind the cloud provider Cloudflare.

[screenshot]

But unlike the "specialists" at RKN, the more savvy engineers at Beeline (or ones taught by the bitter experience of our famous regulator) did not crudely block the site by IP address, but added the domain name to the blocklist. This is easy to verify: look up which other domains sit behind the same IP address, open one of them, and see that access is not blocked:

[screenshot]

How does this happen? How does the provider's DPI know which domain my browser is requesting, given that all communication happens over HTTPS and we have seen no sign of Beeline substituting the HTTPS certificate? Is it clairvoyant, or is someone watching me?

Let's try to answer this question by looking at the traffic in Wireshark:

[screenshot]

The screenshot shows that the browser first obtains the server's IP address via DNS, then performs a standard TCP handshake with the server we need, and then tries to establish a TLS connection with it. To do so it sends a TLS Client Hello, which carries the name of the requested domain in plaintext in the SNI extension. The Cloudflare frontend needs this field to route the connection to the right customer. This is exactly where the provider's DPI catches us and tears down the connection. Note that we do not get any stub page from the provider in this case; we see the standard browser error, as if the site were down or simply not working:

[screenshot]

Now let's enable the eSNI mechanism in the browser, as described in the instructions for Firefox:
To do this, open the Firefox settings page about:config and set the following preferences:

network.trr.mode = 2
network.trr.uri = https://mozilla.cloudflare-dns.com/dns-query
network.security.esni.enabled = true

(network.trr.mode = 2 makes Firefox resolve names over DNS-over-HTTPS through the resolver given in network.trr.uri, falling back to the system resolver on failure. eSNI needs DoH because the server's eSNI public key is fetched from a DNS TXT record, and fetching it in the clear would leave the DPI something to block.)

After that, we check on Cloudflare's website that the settings are correct, and then try our torrent tracker again.

[screenshot]

Voila. Our favorite tracker opens without any VPN or proxy server. Now let's look at the traffic dump in Wireshark to see what happened.

[screenshot]

This time the TLS Client Hello no longer carries the target domain in the clear; instead a new extension has appeared in the packet, encrypted_server_name. This is where the value rutracker.nl is, and only the Cloudflare frontend server can decrypt it. If so, the provider's DPI has no choice but to wash its hands of it and let the traffic through. Short of blocking such connections outright, there is nothing else it can do against encryption.
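To make concrete what the DPI box sees in the two captures above, here is an added example (not code from the original article) that builds minimal TLS Client Hello records and extracts from them exactly the two things an on-path filter can read: the plaintext server_name and whether an encrypted_server_name extension is present. The Client Hello bytes are constructed in the code; the 0xffce extension code point is assumed to be the one used by the eSNI draft deployed at the time, and the encrypted payload is an opaque placeholder since the DPI cannot read it either way. dpi_verdict reproduces the SNI-blocklist behaviour described above, including the observation made later in the article that a forbidden cover domain gets the connection blocked even though the real destination is encrypted.

```python
import struct
from typing import Optional

# TLS extension code points
TLS_EXT_SERVER_NAME = 0x0000
TLS_EXT_ENCRYPTED_SERVER_NAME = 0xFFCE  # encrypted_server_name (eSNI draft code point, assumed)


def build_client_hello(sni: Optional[str], esni_blob: Optional[bytes] = None) -> bytes:
    """Build a minimal TLS record carrying a ClientHello.

    Constructed sample for illustration, not a real capture: only the fields a
    DPI engine cares about (plaintext server_name and the presence of
    encrypted_server_name) are realistic; random, cipher suites and the eSNI
    payload are placeholders.
    """
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        # ServerNameList entry: name_type(1)=0 host_name | name_len(2) | name
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        ext_data = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", TLS_EXT_SERVER_NAME, len(ext_data)) + ext_data
    if esni_blob is not None:
        # The real payload is the inner SNI encrypted to the server's published key;
        # the DPI cannot read it either way, so an opaque placeholder is enough here.
        extensions += struct.pack("!HH", TLS_EXT_ENCRYPTED_SERVER_NAME, len(esni_blob)) + esni_blob

    body = (
        b"\x03\x03"                   # legacy_version = TLS 1.2 (1.3 is negotiated via supported_versions)
        + bytes(32)                   # random (placeholder)
        + b"\x00"                     # legacy_session_id: empty
        + b"\x00\x02" + b"\x13\x01"   # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                 # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # client_hello, uint24 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def inspect_client_hello(record: bytes) -> dict:
    """Return what an on-path DPI box can read from the first TLS record: the
    plaintext SNI (if any) and whether an encrypted_server_name extension is present."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")

    pos = 4 + 2 + 32                      # skip handshake header, legacy_version, random
    pos += 1 + hs[pos]                    # legacy_session_id
    (cs_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2 + cs_len                     # cipher_suites
    pos += 1 + hs[pos]                    # compression_methods
    (ext_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2
    end = pos + ext_len

    info = {"sni": None, "esni": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        edata = hs[pos:pos + elen]
        pos += elen
        if etype == TLS_EXT_SERVER_NAME and len(edata) >= 5:
            (name_len,) = struct.unpack("!H", edata[3:5])  # skip list_len(2) and name_type(1)
            info["sni"] = edata[5:5 + name_len].decode("ascii", "replace")
        elif etype == TLS_EXT_ENCRYPTED_SERVER_NAME:
            info["esni"] = True
    return info


def dpi_verdict(record: bytes, blocked_domains: set) -> str:
    """SNI-based blocking as the article describes it: the box only matches the
    plaintext server_name against its blocklist; it cannot act on the eSNI payload."""
    return "block" if inspect_client_hello(record)["sni"] in blocked_domains else "allow"


if __name__ == "__main__":
    blocklist = {"rutracker.nl", "rutor.info"}
    for label, rec in [
        ("plain SNI rutracker.nl", build_client_hello("rutracker.nl")),
        ("cover www.hello-rkn.ru + eSNI", build_client_hello("www.hello-rkn.ru", bytes(48))),
        ("cover rutor.info + eSNI", build_client_hello("rutor.info", bytes(48))),
    ]:
        print(label, inspect_client_hello(rec), dpi_verdict(rec, blocklist))
```

Running it shows the three situations from the article side by side: the record for rutracker.nl without eSNI is blocked, the one with cover www.hello-rkn.ru plus an eSNI extension is allowed, and a cover of rutor.info is blocked no matter what the eSNI payload hides.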

So, we have seen how the technology works in a browser. Now let's try to use it for more specific and interesting things. First we will teach good old curl to use eSNI with TLS 1.3, and along the way we will see how eSNI-based domain fronting itself works.

Domain fronting with eSNI

Since curl uses the standard OpenSSL library for HTTPS connections, first of all we need eSNI support there. There is no eSNI support in the OpenSSL master branch yet, so we need to fetch a special OpenSSL fork, build it and install it.

We clone the repository from GitHub and build it in the usual way (the steps below assume the checkout ends up in /opt/openssl):

$ git clone https://github.com/sftcd/openssl
$ cd openssl
$ ./config
$ make
$ cd esnistuff
$ make

Next, we clone the curl repository and configure its build to use the OpenSSL library we just compiled:

$ cd $HOME/code
$ git clone https://github.com/niallor/curl.git curl-esni
$ cd curl-esni

$ export LD_LIBRARY_PATH=/opt/openssl
$ ./buildconf
$ LDFLAGS="-L/opt/openssl" ./configure --with-ssl=/opt/openssl --enable-esni --enable-debug

Here it is important to give the full path to the directory where OpenSSL lives (in our case /opt/openssl/) and to make sure the configure step finishes without errors.

If configuration succeeds, we will see the line:

WARNING: esni ESNI enabled but marked EXPERIMENTAL. Use with caution!

$ make

After the build completes, we will use a special bash script from the OpenSSL fork to configure and run curl. Let's copy it into the curl directory for convenience:

$ cp /opt/openssl/esnistuff/curl-esni .

and make a test HTTPS request to the Cloudflare server while capturing DNS and TLS packets in Wireshark.

$ ESNI_COVER="www.hello-rkn.ru" ./curl-esni https://cloudflare.com/

In the server response, in addition to a lot of debugging output from OpenSSL and curl, we get an HTTP response with code 301 from Cloudflare:

< HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 13:12:55 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Sun, 03 Nov 2019 14:12:55 GMT
< Location: https://www.cloudflare.com/

which indicates that our request reached the destination server and was heard and processed.

Now let's look at the traffic dump in Wireshark, that is, at what the provider's DPI sees in this case.

[screenshot]

It can be seen that curl first turns to the DNS server for Cloudflare's public eSNI key: a TXT query for _esni.cloudflare.com (packet No. 13). Then, using the OpenSSL library, curl sends a TLS 1.3 Client Hello to the Cloudflare server in which the SNI is encrypted with the public key obtained in the previous step (packet No. 22). But besides the eSNI extension, the Client Hello also contains the regular, cleartext SNI extension, whose value we can set to anything we like (here www.hello-rkn.ru).

This cleartext SNI is not taken into account in any way by Cloudflare's servers and serves only as a mask for the provider's DPI. The Cloudflare server received our Client Hello, decrypted the eSNI, extracted the real SNI from it and processed the request as if nothing had happened (which is exactly what eSNI was designed to do).

The only thing the DPI could catch in this case is the initial DNS query for _esni.cloudflare.com. But we made that DNS query in the clear only to show how the mechanism works from the inside.

To finally pull the rug out from under the DPI, we use the DNS-over-HTTPS mechanism already mentioned. Briefly, DoH is a protocol that protects DNS queries from on-path observation and tampering (man-in-the-middle) by carrying them over HTTPS.

Let's repeat the request, but this time we will obtain the public eSNI key over HTTPS rather than plain DNS:

$ ESNI_COVER="www.hello-rkn.ru" DOH_URL=https://mozilla.cloudflare-dns.com/dns-query ./curl-esni https://cloudflare.com/

The traffic dump of this request is shown in the screenshot below:

[screenshot]

It can be seen that curl first connects to the mozilla.cloudflare-dns.com server over DoH (an HTTPS connection to 104.16.249.249) to get the public key for SNI encryption from its response, and then goes to the target server hiding behind the domain www.hello-rkn.ru.
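The difference between the two curl runs above is only where the ESNIKeys TXT record comes from: a cleartext DNS query the DPI can see, or a DoH request that looks like any other HTTPS connection to the resolver. The following added example (not from the article, and not the curl-esni script's own code) shows that exchange at the wire level: it builds the TXT query for _esni.cloudflare.com, encodes it into the RFC 8484 GET form, parses a DNS response to pull out the TXT strings and reads the ESNIKeys version. The response is hand-constructed in the code with zero-filled key material rather than real Cloudflare keys; the version value 0xff01 is assumed to be the draft-02 code point that was deployed in 2019.

```python
import base64
import struct
from typing import List

DNS_TYPE_TXT = 16
DNS_CLASS_IN = 1
ESNI_KEYS_VERSION_DRAFT02 = 0xFF01   # first uint16 of ESNIKeys in draft-ietf-tls-esni-02 (assumed)


def build_dns_query(qname: str, qtype: int = DNS_TYPE_TXT, qid: int = 0) -> bytes:
    """Wire-format DNS query (RFC 1035). qid 0 is conventional for DoH GET so identical queries cache."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # flags: RD set; one question
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, DNS_CLASS_IN)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the query travels in ?dns= as unpadded base64url.
    On the wire the DPI sees only an HTTPS connection to the resolver."""
    return resolver_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length


def extract_txt_records(msg: bytes) -> List[bytes]:
    """Pull TXT RDATA out of a DNS response (the parsing a DoH client does on the HTTP body)."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4   # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == DNS_TYPE_TXT:
            # TXT RDATA is one or more <len><chars> strings; join them into one blob
            text, i = b"", 0
            while i < len(rdata):
                n = rdata[i]
                text += rdata[i + 1:i + 1 + n]
                i += 1 + n
            records.append(text)
    return records


def esni_keys_version(txt: bytes) -> int:
    """The TXT value is base64(ESNIKeys); the first uint16 is the draft version."""
    blob = base64.b64decode(txt)
    return struct.unpack("!H", blob[:2])[0]


def constructed_response(qname: str = "_esni.cloudflare.com") -> bytes:
    """A hand-built reply, NOT real Cloudflare key material: everything after the
    version field is zero-filled, so only the version check is meaningful."""
    query = build_dns_query(qname)
    fake_keys = base64.b64encode(struct.pack("!H", ESNI_KEYS_VERSION_DRAFT02) + bytes(40))
    rdata = bytes([len(fake_keys)]) + fake_keys
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)     # response, RD+RA, 1 question, 1 answer
    question = query[12:]
    answer = b"\xC0\x0C" + struct.pack("!HHIH", DNS_TYPE_TXT, DNS_CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    q = build_dns_query("_esni.cloudflare.com")
    print("cleartext query bytes:", q.hex())
    print("same query over DoH:", doh_get_url("https://mozilla.cloudflare-dns.com/dns-query", q))
    for txt in extract_txt_records(constructed_response()):
        print("ESNIKeys version: 0x%04x" % esni_keys_version(txt))
```

The cleartext query bytes are what packet No. 13 in the earlier capture carries over UDP port 53, with the name _esni.cloudflare.com readable by anyone on the path; the DoH URL is the same question wrapped in an HTTPS GET to the resolver, which is all the DPI gets to see in the second run.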

Besides the DoH resolver mentioned above, mozilla.cloudflare-dns.com, we can use other popular DoH services, for example the one from the well-known evil corporation.
Let's run the following query:

$ ESNI_COVER="www.kremlin.ru" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/

And we get the response:

< HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 14:10:22 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=da0144d982437e77b0b37af7d00438b1a1572790222; expires=Mon, 02-Nov-20 14:10:22 GMT; path=/; domain=.rutracker.nl; HttpOnly; Secure
< Location: https://rutracker.nl/forum/index.php
< CF-Cache-Status: DYNAMIC
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 52feee696f42d891-CPH

[screenshot]

In this case we reached the blocked rutracker.nl server using the DoH resolver dns.google (no typo here: the well-known company now has its own top-level domain) and covered ourselves with another domain, one which every DPI is strictly forbidden to block on pain of death. The response we received shows that our request completed successfully.

As an additional check that the provider's DPI reacts to the cleartext SNI we send as a mask, we can make a request to rutracker.nl under the guise of another forbidden resource, for example another "good" torrent tracker:

$ ESNI_COVER="rutor.info" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/

We get no response from the server, because our request is blocked by the DPI system on the basis of the cover domain alone.

A short summary of part one

So, we were able to demonstrate how eSNI works using OpenSSL and curl and to test domain fronting based on eSNI. In the same way we can adapt our favorite tools that use the OpenSSL library to work "under the guise" of other domains. More about that in our next articles.

Source: www.hab.com
