Domain fronting based on TLS 1.3

Introduction

Modern corporate content-filtering systems from well-known vendors such as Cisco, BlueCoat and FireEye have a lot in common with their more powerful counterparts, the DPI systems that are being actively deployed at the national level. The essence of both is to inspect incoming and outgoing Internet traffic and, based on black/white lists, decide whether to block the Internet connection. Since both rely on similar principles in the basics of their operation, the methods of circumventing them also have a lot in common.

One of the technologies that lets you bypass both DPI and corporate systems quite effectively is domain fronting. Its essence is that we go to a blocked resource while hiding behind another, public domain with a good reputation that obviously will not be blocked by any system, for example google.com.

Many articles have already been written about this technology and many examples have been given. However, the popular and recently discussed DNS-over-HTTPS and encrypted-SNI technologies, together with the new version of the TLS 1.3 protocol, make it possible to consider another variant of domain fronting.

Understanding the technology

First, let's define a few basic concepts so that everyone understands who is who and why all this is needed. We mentioned the eSNI mechanism, whose operation is discussed below. The eSNI (encrypted Server Name Indication) mechanism is a secure version of SNI, available only for the TLS 1.3 protocol. The main idea is to encrypt, among other things, the information about which domain the request is sent to.

Now let's look at how the eSNI mechanism works in practice.

Say we have an Internet resource that is blocked by a modern DPI solution (take, for example, the well-known torrent tracker rutracker.nl). When we try to open the torrent tracker's website, we see the provider's stub page stating that the resource is blocked:

On the RKN website this domain is listed in the stop lists:

A whois query shows that the domain itself is "hidden" behind the provider Cloudflare.

But unlike the "specialists" from RKN, the more knowledgeable employees at Beeline (or ones taught by the bitter experience of our famous regulator) did not ban the site by IP address, but added the domain name to the stop list. You can easily verify this by looking at which other domains are hidden behind the same IP address, visiting one of them and seeing that access is not blocked:

How does this happen? How does the provider's DPI know which domain my browser is going to, since all communication happens over the https protocol and we have not yet seen Beeline substituting https certificates? Is it clairvoyant, or am I being followed?

Let's try to answer this question by looking at the traffic in Wireshark.

The screenshot shows that the browser first obtains the server's IP address via DNS, then a standard TCP handshake takes place with the destination server, and then the browser tries to establish an SSL connection with the server. To do this, it sends an SSL Client Hello packet, which contains the name of the source domain in clear text. This field is required by the Cloudflare frontend server in order to route the connection correctly. This is where the provider's DPI catches us, breaking our connection. At the same time, we do not receive any stub from the provider, and we see the standard browser error, as if the site were switched off or simply not working:

Now let's enable the eSNI mechanism in the browser, as described in the instructions for Firefox. To do this, we open the Firefox configuration page about:config and apply the following settings:

network.trr.mode = 2;
network.trr.uri = https://mozilla.cloudflare-dns.com/dns-query
network.security.esni.enabled = true

After that, we check on the Cloudflare website that the settings work correctly and try the trick with our torrent tracker again.

Voila. Our favourite tracker opened without any VPN or proxy servers. Now let's look at the traffic dump in Wireshark to see what happened.

This time the SSL Client Hello packet does not contain the destination domain in clear text. Instead, a new field has appeared in the packet, encrypted_server_name. This is where the value rutracker.nl is carried, and only the Cloudflare frontend server can decrypt this field. And if so, the provider's DPI has no choice but to wash its hands and allow such traffic. There are no other options with encryption.

So, we have looked at how the technology works in the browser. Now let's try to apply it to more specific and interesting things. To begin with, we will teach curl to use eSNI to work with TLS 1.3, and at the same time we will see how eSNI-based domain fronting itself works.

Domain fronting with eSNI

Because curl uses the standard openssl library to connect over the https protocol, first of all we need to provide eSNI support there. There is no eSNI support in the openssl master branches at the moment, so we need to download a special openssl branch, compile it and install it.

We clone the repository from GitHub and build as usual:

$ git clone https://github.com/sftcd/openssl
$ cd openssl
$ ./config

$ make
$ cd esnistuff
$ make

Next, we clone the curl repository and configure its build to use our compiled openssl library:

$ cd $HOME/code
$ git clone https://github.com/niallor/curl.git curl-esni
$ cd curl-esni

$ export LD_LIBRARY_PATH=/opt/openssl
$ ./buildconf
$ LDFLAGS="-L/opt/openssl" ./configure --with-ssl=/opt/openssl --enable-esni --enable-debug

Here it is important to specify correctly all the directories where openssl is located (in our case this is /opt/openssl/) and to make sure that the configuration process completes without errors.

If the configuration succeeds, we will see the line:

WARNING: esni ESNI enabled but marked EXPERIMENTAL. Use with caution!

$ make

After successfully building the package, we will use a special bash file from openssl to configure and run curl. Let's copy it to the directory with curl for convenience:

$ cp /opt/openssl/esnistuff/curl-esni .

and make a test https request to the Cloudflare server, while recording the DNS and TLS packets in Wireshark.

$ ESNI_COVER="www.hello-rkn.ru" ./curl-esni https://cloudflare.com/

In the server's response, in addition to a lot of debugging information from openssl and curl, we receive an HTTP response with code 301 from Cloudflare.

HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 13:12:55 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Sun, 03 Nov 2019 14:12:55 GMT
< Location: https://www.cloudflare.com/

which indicates that our request was successfully delivered to the destination server, heard and processed.

Now let's look at the traffic dump in Wireshark, i.e. what the provider's DPI saw in this case.

It can be seen that curl first turned to the DNS server for the public eSNI key of the Cloudflare server: a TXT DNS request to _esni.cloudflare.com (packet No. 13). Then, using the openssl library, curl sent a TLS 1.3 request to the Cloudflare server in which the SNI field was encrypted with the public key obtained in the previous step (packet No. 22). But in addition to the eSNI field, the SSL Hello packet also included a field with the usual, open SNI, which we can set to anything we like (in this case www.hello-rkn.ru).

This open SNI field was not taken into account in any way when processed by the Cloudflare servers and served only as a mask for the provider's DPI. The Cloudflare server received our SSL Hello packet, decrypted the eSNI, extracted the original SNI from it and processed it as if nothing had happened (it did everything exactly as planned when eSNI was designed).

The only thing that can be caught in this case from the DPI's point of view is the initial DNS request to _esni.cloudflare.com. But we made the DNS request in the open only to show how this mechanism works from the inside.

To finally pull the rug out from under the DPI, we use the already mentioned DNS-over-HTTPS mechanism. A short explanation: DoH is a protocol that lets you protect against a man-in-the-middle attack by sending the DNS request over HTTPS.

Let's make the request again, but this time we will receive the public eSNI keys via the https protocol, not DNS:

ESNI_COVER="www.hello-rkn.ru" DOH_URL=https://mozilla.cloudflare-dns.com/dns-query ./curl-esni https://cloudflare.com/

The traffic dump of the request is shown in the screenshot below:

It can be seen that curl first accesses the mozilla.cloudflare-dns.com server via the DoH protocol (an https connection to server 104.16.249.249) to obtain from it the values of the public keys for SNI encryption, and then goes to the destination server, hiding behind the domain www.hello-rkn.ru.

Besides the DoH resolver mozilla.cloudflare-dns.com mentioned above, we can use other popular DoH services, for example from the well-known evil corporation. Let's run the following query:

ESNI_COVER="www.kremlin.ru" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/

And we get the answer:

< HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 14:10:22 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=da0144d982437e77b0b37af7d00438b1a1572790222; expires=Mon, 02-Nov-20 14:10:22 GMT; path=/; domain=.rutracker.nl; HttpOnly; Secure
< Location: https://rutracker.nl/forum/index.php
< CF-Cache-Status: DYNAMIC
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 52feee696f42d891-CPH

In this case, we turned to the blocked rutracker.nl server using the DoH resolver dns.google (there is no typo here, the well-known corporation now has its own top-level domain) and covered ourselves with another domain, which all DPIs are strictly forbidden to block on pain of death. From the response received, you can see that our request was processed successfully.

As an additional check that the provider's DPI reacts to the open SNI, which we send as a cover, we can make a request to rutracker.nl under the guise of some other banned resource, for example another "good" torrent tracker:

$ ESNI_COVER="rutor.info" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/

We will not receive a response from the server, because our request will be blocked by the DPI system.

A short conclusion to the first part

So, we were able to demonstrate how eSNI works using openssl and curl and to test the operation of domain fronting based on eSNI. In the same way, we can adapt our favourite tools that use the openssl library to work "under the cover" of other domains. More details on this in our next articles.

Source: www.habr.com
