Domain fronting based on TLS 1.3

Introduction

Modern corporate filtering solutions from well-known vendors such as Cisco, BlueCoat and FireEye have a great deal in common with their heavier cousins, the DPI systems that are now being rolled out at national scale. The core job of both is to inspect inbound and outbound traffic and, based on blacklists and whitelists, decide whether to block a connection. And because both rely on the same principles at the heart of their operation, the techniques for evading them are also very much alike.

One technique that lets you bypass both DPI and corporate filters fairly reliably is domain fronting. Its essence is that we reach a blocked resource while hiding behind another, reputable public resource that obviously no system will block, for example google.com. Classic fronting of this kind relies on a CDN not checking that the TLS SNI matches the HTTP Host header, and the large CDNs (Google and Amazon among them) closed that gap in 2018, which is part of why the variant described below is interesting.

Much has already been written about this technique and plenty of examples have been given. However, the widely discussed DNS-over-HTTPS and encrypted SNI technologies, together with the new TLS 1.3 protocol version, make it worth looking at another variant of fronting.

Understanding the technology

First, let us define a few key terms so that everyone understands who needs all this and why. We mentioned eSNI, a mechanism we will return to. eSNI (encrypted Server Name Indication) is an encrypted form of SNI that exists only in TLS 1.3. Its main idea is to hide, among other things, the domain a request is being sent to. At the time of writing (late 2019) eSNI was an IETF draft (draft-ietf-tls-esni) with experimental deployments, not a finished standard; it was later reworked into Encrypted Client Hello (ECH).

Now let us see how eSNI works in practice.

Suppose we have a resource blocked by a modern DPI system (take, for example, the popular torrent tracker rutracker.nl). When we try to open the tracker's site, we see a page indicating that the resource is blocked.


On the RKN (Roskomnadzor, the Russian regulator) website this domain is listed in the block list.


A whois lookup shows that the domain itself is "hidden" behind Cloudflare.


But unlike the "experts" at RKN, the engineers at the provider Beeline (or people trained by the painful experience of our famous regulator) did not bluntly block the site by IP address; they added the domain name to a stop list. This is easy to verify: look up which other domains sit behind the same IP address, open one of them, and see that access is not blocked.


How does this happen? How does the provider's DPI know which domain my browser is going to, given that the whole exchange runs over HTTPS and we have seen no certificate substitution by Beeline? Is it clairvoyant, or am I being followed?

Let's try to answer this question by looking at the traffic in Wireshark.


The capture shows that the browser first obtains the server's IP address via DNS, then a standard TCP handshake takes place with the destination server, and then the browser attempts to set up a TLS connection with it. To do so it sends a TLS Client Hello packet, which carries the name of the requested resource in cleartext (the server_name extension). The Cloudflare front-end server needs this field to route the connection correctly. This is exactly where the provider's DPI catches us and tears down the connection. At the same time we do not get a block page from the provider; the browser simply shows an error as if the site were down or not working.


Now let's enable eSNI in the browser, as described in Mozilla's instructions for Firefox. To do this, open the Firefox configuration page about:config and set the following preferences:

network.trr.mode = 2
network.trr.uri = https://mozilla.cloudflare-dns.com/dns-query
network.security.esni.enabled = true

A note on the first setting: mode 2 tells Firefox to prefer DNS-over-HTTPS but to fall back to the system resolver if the DoH request fails, and that fallback would send the _esni lookup and the hostname back out in cleartext DNS. Setting network.trr.mode to 3 makes DoH mandatory, which is the safer choice when the whole point is to keep the name away from the provider.

After that we confirm on Cloudflare's ESNI check page that the settings are working, and try our luck with the torrent tracker again.


Voilà. Our favourite tracker opens without any VPN or proxy servers. Now let's look at the traffic capture in Wireshark to see what happened.


This time the TLS Client Hello no longer carries the destination domain; instead a new extension, encrypted_server_name, appears in the packet. That is where the value rutracker.nl now lives, and only the Cloudflare front-end server can decrypt this field. If so, the provider's DPI has no choice but to wash its hands of it and let the traffic through. With the name encrypted, it has no other option.

So we have seen how the technology works in the browser. Now let's try to apply it to something real and interesting. First we will teach plain curl to use eSNI over TLS 1.3, and along the way see how eSNI-based domain fronting works.

Domain fronting with eSNI

Because curl uses the standard openssl library for HTTPS connections, we first have to add eSNI support there. There is no eSNI support in the openssl master branch at the moment, so we need to fetch a special openssl branch (Stephen Farrell's experimental fork), build it and install it.

We clone the repository from GitHub and build it in the usual way (in this write-up the checkout lives in /opt/openssl, which the paths used further down assume):

$ git clone https://github.com/sftcd/openssl
$ cd openssl
$ ./config

$ make
$ cd esnistuff
$ make

Next we clone the curl fork and prepare to build it against our openssl library:

$ cd $HOME/code
$ git clone https://github.com/niallor/curl.git curl-esni
$ cd curl-esni

$ export LD_LIBRARY_PATH=/opt/openssl
$ ./buildconf
$ LDFLAGS="-L/opt/openssl" ./configure --with-ssl=/opt/openssl --enable-esni --enable-debug

Here it is important to give the correct path to where openssl is installed (/opt/openssl/ in our case) and to make sure configure finishes without errors.

If configure succeeds we will see this line:

WARNING: esni ESNI enabled but marked EXPERIMENTAL. Use with caution!

$ make

After building the package we will use a special bash script from the openssl fork to set up and run curl. Let's copy it into the curl directory for convenience:

cp /opt/openssl/esnistuff/curl-esni 

and try a test HTTPS request to the Cloudflare server, capturing DNS and TLS packets in Wireshark.

$ ESNI_COVER="www.hello-rkn.ru" ./curl-esni https://cloudflare.com/

In the server's response, in addition to a lot of debugging output from openssl and curl, we get an HTTP response with code 301 from Cloudflare:

< HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 13:12:55 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Sun, 03 Nov 2019 14:12:55 GMT
< Location: https://www.cloudflare.com/

which shows that our request was successfully delivered to the destination server, understood and processed.

Now let's look at the traffic capture in Wireshark, i.e. at what the DPI saw in this case.


We can see that curl first went to the DNS server for the Cloudflare server's public eSNI key: a TXT query for _esni.cloudflare.com (packet no. 13). Then, using the openssl library, curl sent a TLS 1.3 Client Hello to the Cloudflare server in which the real server name was encrypted with the public key obtained in the previous step (packet no. 22). But besides the eSNI extension, the Client Hello also contained the ordinary cleartext SNI, which we can set to anything we like (here www.hello-rkn.ru).

The cleartext SNI field is not considered at all when Cloudflare's servers process the handshake; it serves purely as a mask for the provider's DPI. The Cloudflare server received our Client Hello, decrypted the eSNI, extracted the real server name from it and processed the request as if nothing had happened (which is exactly what eSNI was designed to do).

The only thing that could be caught from the DPI's point of view in this case is the very first DNS query to _esni.cloudflare.com (the destination IP address is still visible, of course, but it is a shared Cloudflare address). We deliberately left that DNS query in cleartext only to show how the mechanism works from the inside.
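What that TXT query for _esni.cloudflare.com actually fetches is an ESNIKeys structure, base64-encoded. The following Python is an added example written for this article, not code from the original post, curl or openssl: it serialises and parses the draft-ietf-tls-esni-02 layout (version 0xff01, the version Firefox and Cloudflare spoke at the time), including the 4-byte checksum and the not_before/not_after validity window a client checks before it trusts the key. The key bytes, timestamps and padded_length below are constructed values, not a real Cloudflare record; function names are this example's own.

```python
"""ESNIKeys (draft-ietf-tls-esni-02) as carried in the _esni.<name> TXT record.
Added example for this article; the record built here is constructed, not a
real Cloudflare key. Layout assumed:
  uint16 version; uint8 checksum[4]; KeyShareEntry keys<2-byte len>;
  CipherSuite cipher_suites<2-byte len>; uint16 padded_length;
  uint64 not_before; uint64 not_after; Extension extensions<2-byte len>
"""
import base64
import hashlib
import struct
import time

ESNI_VERSION_DRAFT02 = 0xFF01
X25519 = 0x001D
TLS_AES_128_GCM_SHA256 = 0x1301


def _vec(data: bytes, width: int) -> bytes:
    """TLS length-prefixed vector."""
    return len(data).to_bytes(width, "big") + data


def build_esnikeys(pubkey: bytes, not_before: int, not_after: int,
                   padded_length: int = 260) -> bytes:
    """Serialise an ESNIKeys record and fill in its checksum, which is the
    first 4 bytes of SHA-256 over the record with the checksum field zeroed."""
    keys = _vec(struct.pack(">H", X25519) + _vec(pubkey, 2), 2)   # one KeyShareEntry
    suites = _vec(struct.pack(">H", TLS_AES_128_GCM_SHA256), 2)
    tail = (keys + suites + struct.pack(">H", padded_length)
            + struct.pack(">QQ", not_before, not_after) + _vec(b"", 2))
    unchecked = struct.pack(">H", ESNI_VERSION_DRAFT02) + b"\x00" * 4 + tail
    checksum = hashlib.sha256(unchecked).digest()[:4]
    return unchecked[:2] + checksum + tail


def txt_value(record: bytes) -> str:
    """The form the record takes in the DNS TXT answer."""
    return base64.b64encode(record).decode()


def parse_esnikeys(txt: str, now=None) -> dict:
    """Decode the TXT value and return the fields a client checks before it
    encrypts a server name with this key. Raises on an unknown version."""
    raw = base64.b64decode(txt)
    version, checksum = struct.unpack(">H4s", raw[:6])
    if version != ESNI_VERSION_DRAFT02:
        raise ValueError(f"unsupported ESNIKeys version {version:#06x}")
    expected = hashlib.sha256(raw[:2] + b"\x00" * 4 + raw[6:]).digest()[:4]
    p = 6
    keys_len = int.from_bytes(raw[p:p + 2], "big"); p += 2
    keys_end = p + keys_len
    shares = []
    while p < keys_end:                                  # KeyShareEntry list
        group = int.from_bytes(raw[p:p + 2], "big"); p += 2
        klen = int.from_bytes(raw[p:p + 2], "big"); p += 2
        shares.append((group, raw[p:p + klen])); p += klen
    cs_len = int.from_bytes(raw[p:p + 2], "big"); p += 2
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(p, p + cs_len, 2)]
    p += cs_len
    padded_length, not_before, not_after = struct.unpack(">HQQ", raw[p:p + 18]); p += 18
    ext_len = int.from_bytes(raw[p:p + 2], "big")
    now = int(time.time()) if now is None else now
    checksum_ok = checksum == expected
    return {
        "version": version,
        "checksum_ok": checksum_ok,
        "key_shares": shares,
        "cipher_suites": suites,
        "padded_length": padded_length,       # ServerNameList is padded to this before encryption
        "valid_now": checksum_ok and not_before <= now <= not_after,
        "extensions_len": ext_len,
    }


if __name__ == "__main__":
    # Constructed key and a one-day window starting 2019-11-03 00:00 UTC.
    record = build_esnikeys(bytes(range(32)), 1572739200, 1572825600)
    print(txt_value(record))
    print(parse_esnikeys(txt_value(record), now=1572780000))
```

A client that skips the checksum or the validity window will happily encrypt to a stale or corrupted key and fall back to a cleartext handshake, which is exactly the failure an on-path attacker who can tamper with plain DNS would aim for; that is the practical reason the key fetch belongs inside DoH as well.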

To pull the rug out from under the DPI entirely, we use the DNS-over-HTTPS method already mentioned. Briefly: DoH is a protocol that protects DNS from man-in-the-middle attacks by sending the DNS query inside an HTTPS connection, so an on-path observer can neither read nor tamper with it.

Let's repeat the request, but this time fetch the public eSNI keys over HTTPS rather than plain DNS:

$ ESNI_COVER="www.hello-rkn.ru" DOH_URL=https://mozilla.cloudflare-dns.com/dns-query ./curl-esni https://cloudflare.com/

The capture of this request's traffic shows the following.


We can see that curl first goes to the mozilla.cloudflare-dns.com server over DoH (an HTTPS connection to 104.16.249.249) to obtain the SNI encryption keys from it, and only then to the destination server, hiding behind the domain www.hello-rkn.ru.

Besides the DoH resolver mozilla.cloudflare-dns.com mentioned above, we can use other popular DoH services, for example the one from a certain well-known corporation with a reputation for evil. Let's run the following request:

$ ESNI_COVER="www.kremlin.ru" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/

And we get the response:

< HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 14:10:22 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=da0144d982437e77b0b37af7d00438b1a1572790222; expires=Mon, 02-Nov-20 14:10:22 GMT; path=/; domain=.rutracker.nl; HttpOnly; Secure
< Location: https://rutracker.nl/forum/index.php
< CF-Cache-Status: DYNAMIC
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 52feee696f42d891-CPH


In this case we went to the blocked server rutracker.nl through the DoH resolver dns.google (no typo here: the well-known corporation now has its own top-level domain) and disguised ourselves with another domain, one that every DPI system is strictly forbidden to block on pain of death. From the response we received, we can see that our request was routed successfully.

As an additional check that the provider's DPI really does react to the cleartext SNI we send as cover, we can make the same request to rutracker.nl while hiding behind another blocked resource, for example another "good" torrent tracker:

$ ESNI_COVER="rutor.info" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/

We will not get a response from the server, because our request is blocked by the DPI system.
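To make the DPI's view concrete, here is a small Python script that builds minimal TLS ClientHello records and inspects them the way a name-based filter does: it extracts the cleartext server_name extension and notes whether an encrypted_server_name extension (draft-02 code point 0xffce) is present, then applies a block list to the cleartext name only. It reproduces the three situations from this article: the plain browser request to rutracker.nl that gets cut, the fronted request with www.hello-rkn.ru as cover that passes, and the fronted request with rutor.info as cover that is blocked on the cover name alone. This is an added example written for this article, not code from curl, openssl or the original post; the ClientHello bytes, the block list and the opaque stand-in for the encrypted name are all constructed here.

```python
"""DPI-style inspection of a TLS ClientHello: what an on-path filter sees with
and without encrypted SNI. Added example for this article, not curl/openssl
code; every input is constructed by build_client_hello()."""
import struct

EXT_SERVER_NAME = 0x0000
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE       # draft-ietf-tls-esni-02 extension type
# Constructed stand-in for the provider's stop list.
BLOCKLIST = {"rutracker.nl", "rutor.info"}


def _vec(data: bytes, width: int) -> bytes:
    """TLS length-prefixed vector."""
    return len(data).to_bytes(width, "big") + data


def build_client_hello(sni: str, esni_blob: bytes = b"") -> bytes:
    """Return a TLS record holding a minimal TLS 1.3-style ClientHello.
    `sni` goes into the cleartext server_name extension (the cover name when
    fronting). `esni_blob`, if non-empty, is placed as an opaque
    encrypted_server_name extension; a real client would put the real name,
    encrypted to the server's ESNIKeys, there."""
    name = sni.encode()
    sni_list = _vec(b"\x00" + _vec(name, 2), 2)            # ServerNameList, host_name(0)
    exts = struct.pack(">HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    if esni_blob:
        exts += struct.pack(">HH", EXT_ENCRYPTED_SERVER_NAME, len(esni_blob)) + esni_blob
    body = (b"\x03\x03" + b"\x11" * 32                     # legacy_version, random (fixed here)
            + _vec(b"", 1)                                 # legacy_session_id
            + _vec(b"\x13\x01", 2)                         # cipher_suites: TLS_AES_128_GCM_SHA256
            + _vec(b"\x00", 1)                             # legacy_compression_methods: null
            + _vec(exts, 2))
    handshake = b"\x01" + _vec(body, 3)                    # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _vec(handshake, 2)            # TLSPlaintext handshake record


def inspect_client_hello(record: bytes) -> dict:
    """Parse only what a DPI box can read: the cleartext SNI and whether an
    encrypted_server_name extension is present. The encrypted name itself is
    opaque to it, so it is never returned."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                                  # type + 3-byte length
    p += 2 + 32                                            # legacy_version + random
    p += 1 + hs[p]                                         # legacy_session_id
    p += 2 + int.from_bytes(hs[p:p + 2], "big")            # cipher_suites
    p += 1 + hs[p]                                         # compression methods
    ext_len = int.from_bytes(hs[p:p + 2], "big"); p += 2
    end = p + ext_len
    info = {"sni": None, "esni": False}
    while p < end:
        etype, elen = struct.unpack(">HH", hs[p:p + 4]); p += 4
        edata = hs[p:p + elen]; p += elen
        if etype == EXT_SERVER_NAME:
            # ServerNameList: 2-byte list length, 1-byte name type, 2-byte length, name
            nlen = int.from_bytes(edata[3:5], "big")
            info["sni"] = edata[5:5 + nlen].decode()
        elif etype == EXT_ENCRYPTED_SERVER_NAME:
            info["esni"] = True
    return info


def dpi_verdict(record: bytes) -> str:
    """Name-based blocking as the provider does it: only the cleartext SNI
    can be matched, so with eSNI the cover name decides the outcome."""
    return "BLOCK" if inspect_client_hello(record)["sni"] in BLOCKLIST else "PASS"


if __name__ == "__main__":
    fake_ciphertext = bytes(16)      # constructed stand-in for the encrypted real name
    cases = {
        "plain request, real SNI":       build_client_hello("rutracker.nl"),
        "eSNI, cover www.hello-rkn.ru":  build_client_hello("www.hello-rkn.ru", fake_ciphertext),
        "eSNI, cover rutor.info":        build_client_hello("rutor.info", fake_ciphertext),
    }
    for label, rec in cases.items():
        print(f"{label:32} {inspect_client_hello(rec)} -> {dpi_verdict(rec)}")
```

Running it gives PASS only for the second case, which is the whole trick: the filter has a name to match on, it is just not the real one. The same parser also shows what a detection engineer can still key on: an encrypted_server_name extension in a ClientHello is itself a visible signal, as is the _esni TXT lookup when it is not sent over DoH.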

Brief conclusions for part one

So we have demonstrated eSNI working with openssl and curl, and tested domain fronting based on eSNI. In the same way we can adapt our favourite tools that use the openssl library to work "as if" from other domains. More about that in our next articles.

Source: www.habr.com
