Domain fronting based on TLS 1.3

Introduction

Modern corporate content filtering systems from well-known vendors such as Cisco, BlueCoat and FireEye are very similar to their more powerful relatives: the DPI systems that are being actively deployed at the national level. The essence of both is to inspect incoming and outgoing Internet traffic and, based on black/white lists, decide whether to block the connection. And since both rely on the same principles in the fundamentals of their work, the methods for bypassing them also have much in common.

One of the technologies that lets you bypass both DPI and corporate systems is domain fronting. Its essence is to reach a blocked resource while hiding behind another, public domain with a good reputation that no system would ever block, for example google.com.

Quite a few articles have been written about this technique and many examples have been given. However, the popular and recently much-discussed DNS-over-HTTPS and encrypted-SNI technologies, together with the new version of the TLS protocol, TLS 1.3, make it possible to consider yet another variant of domain fronting.

Understanding the technology

First, let's define a few basic concepts so that everyone understands what all this is for. We mentioned the eSNI mechanism, and its operation will be discussed further. The eSNI (Encrypted Server Name Indication) mechanism is a secure version of SNI, available only with the TLS 1.3 protocol. The main idea is to encrypt, among other things, the information about which domain the request is being sent to.

Now let's look at how the eSNI mechanism works in practice.

Suppose we have an Internet resource that is blocked by a modern DPI solution (take, for example, the well-known torrent tracker rutracker.nl). When we try to reach the tracker's website, we see the provider's standard stub page stating that the resource is blocked.


On the RKN website this domain appears in the block lists.


If you run a whois query, you can see that the domain is "hidden" behind the cloud provider Cloudflare.


But unlike the "specialists" from RKN, the more technically savvy staff at Beeline (or perhaps taught by the bitter experience of our famous regulator) did not foolishly block the site by IP address, but added the domain name to the block list. You can easily verify this by checking which other domains hide behind the same IP address, visiting one of them and seeing that access to it is not blocked.


How does this happen? How does the provider's DPI know which domain my browser is going to, given that all communication goes over https and we have seen no https certificate substitution from Beeline? Is it cheating, or am I being watched?

Let's try to answer this question by looking at the traffic with wireshark.


The screenshot shows that the browser first obtains the server's IP address via DNS, then a standard TCP handshake takes place with the target server, and then the browser tries to establish an SSL connection to it. To do this it sends an SSL Client Hello packet, which contains the name of the original domain in plaintext. This field is needed by the cloudflare front server to route the connection correctly. This is exactly where the provider's DPI catches it and breaks our connection. At the same time we get no stub page from the provider; we see the standard browser error, as if the site were blocked or simply not working.


Now let's enable the eSNI mechanism in the browser, following the instructions for Firefox.
To do this, open the Firefox configuration page about:config and enable the following settings:

    network.trr.mode = 2
    network.trr.uri = https://mozilla.cloudflare-dns.com/dns-query
    network.security.esni.enabled = true

After this, we check that the settings work correctly on the cloudflare check page, and try our luck again with our torrent tracker.


Voila. Our favorite tracker opened without any VPN or proxy server. Now let's look at the traffic dump in wireshark to see what happened.


This time the ssl client hello packet does not contain the target domain. Instead, a new field appears in the packet, encrypted_server_name, and that is where the value rutracker.nl is carried; only the cloudflare front server can decrypt this field. And if so, the provider's DPI has no choice but to wash its hands of it and let such traffic through. With encryption there are simply no other options.

So, we have seen how the technology works in the browser. Now let's try to apply it to something more specific and interesting. First, we'll teach plain curl to use eSNI with TLS 1.3, and along the way we'll see how eSNI-based domain fronting works.

Domain fronting with eSNI

Since curl uses the standard openssl library to connect over https, first of all we need to add eSNI support to it. There is no eSNI support in the main openssl branches yet, so we need to download a special openssl branch, compile it and install it.

We clone the repository from GitHub and compile it as usual:

$ git clone https://github.com/sftcd/openssl
$ cd openssl
$ ./config

$ make
$ cd esnistuff
$ make

Next, we clone the curl repository and configure its build to use our freshly compiled openssl library:

$ cd $HOME/code
$ git clone https://github.com/niallor/curl.git curl-esni
$ cd curl-esni

$ export LD_LIBRARY_PATH=/opt/openssl
$ ./buildconf
$ LDFLAGS="-L/opt/openssl" ./configure --with-ssl=/opt/openssl --enable-esni --enable-debug

Here it is important to specify correctly all the directories where openssl is located (in our case, /opt/openssl/) and to make sure the configure process completes without errors.

If the configuration succeeds, we'll see the line:

WARNING: esni ESNI enabled but marked EXPERIMENTAL. Use with caution!

$ make

After the package builds successfully, we use a special bash script shipped with openssl to configure and run curl. For convenience, copy it into the curl directory:

cp /opt/openssl/esnistuff/curl-esni 

and send a test https request to the cloudflare server, while capturing DNS and TLS packets in Wireshark.

$ ESNI_COVER="www.hello-rkn.ru" ./curl-esni https://cloudflare.com/

In the server's reply, besides a lot of debug output from openssl and curl, we receive an HTTP response with code 301 from cloudflare.

< HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 13:12:55 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Sun, 03 Nov 2019 14:12:55 GMT
< Location: https://www.cloudflare.com/

which indicates that our request was successfully delivered to the target server, received and processed.

Now let's look at the traffic dump in wireshark, i.e. at what the provider's DPI saw in this case.


It can be seen that curl first asked the DNS server for the public eSNI key of the cloudflare server: a DNS TXT request to _esni.cloudflare.com (packet No. 13). Then, using the openssl library, curl sent a TLS 1.3 request to the cloudflare server in which the SNI field was encrypted with the public key obtained in the previous step (packet #22). But besides the eSNI field, the SSL-hello packet also contains a field with the old, open SNI, which we can set to anything we like (in this case, www.hello-rkn.ru).

This open SNI field was not taken into account in any way when cloudflare's servers processed the request; it served only as a mask for the provider's DPI. The cloudflare server received our ssl-hello packet, decrypted the eSNI, extracted the real SNI from it and processed it as if nothing had happened (it did everything exactly as planned when eSNI was designed).

The only thing that can be caught in this case from the DPI's point of view is the initial DNS request to _esni.cloudflare.com. But we made the DNS request in the open only to show how it works from the inside.

To pull the rug completely out from under the DPI, we use the DNS-over-HTTPS mechanism already mentioned. A brief explanation: DoH is a protocol that protects against man-in-the-middle attacks by sending DNS queries over HTTPS.

Let's run the request again, but this time we'll fetch the public eSNI keys over https rather than DNS:

ESNI_COVER="www.hello-rkn.ru" DOH_URL=https://mozilla.cloudflare-dns.com/dns-query ./curl-esni https://cloudflare.com/

The traffic dump of the request is shown in the screenshot below.


It can be seen that curl first contacts the mozilla.cloudflare-dns.com server over the DoH protocol (an https connection to server 104.16.249.249) to obtain the public key values for SNI encryption, and then goes to the target server, hiding behind the domain www.hello-rkn.ru.

Besides the DoH resolver mozilla.cloudflare-dns.com used above, we can use other popular DoH services, for example the one from the well-known evil corporation.
Let's run the following query:

ESNI_COVER="www.kremlin.ru" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/

And we get the response:

< HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 14:10:22 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=da0144d982437e77b0b37af7d00438b1a1572790222; expires=Mon, 02-Nov-20 14:10:22 GMT; path=/; domain=.rutracker.nl; HttpOnly; Secure
< Location: https://rutracker.nl/forum/index.php
< CF-Cache-Status: DYNAMIC
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 52feee696f42d891-CPH


In this case we went to the blocked server rutracker.nl using the DoH resolver dns.google (no mistake here, the well-known corporation now has its own top-level domain) and covered ourselves with another domain, one that every DPI is strictly forbidden to block on pain of death. From the response received, you can see that our request completed successfully.

As an additional check of how the provider's DPI reacts to the open SNI we send as cover, we can send a request to rutracker.nl disguised as some other prohibited resource, for example another "good" torrent tracker:

$ ESNI_COVER="rutor.info" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/

We get no response from the server at all, because our request is blocked by the DPI system.

A short summary of the first part

So, we were able to demonstrate how eSNI works using openssl and curl, and to test eSNI-based domain fronting in practice. In the same way, we can adapt our favorite tools that use the openssl library to work "under the guise" of other domains. More about this in our next articles.

Source: will.com
