Domain horudhac ku salaysan TLS 1.3

Introduction

Content-filtering systems in modern enterprises from well-known vendors such as Cisco, BlueCoat and FireEye have a great deal in common with their more powerful relatives, the DPI systems that are actively deployed at the national level. The core task of both is to inspect inbound and outbound Internet traffic and, based on blacklists and whitelists, decide whether to block a connection. And since both rely on the same basic principles of operation, the methods for bypassing them also have a lot in common.

One technique that lets you bypass both DPI and corporate filtering fairly effectively is domain fronting. The idea is to reach a blocked resource while hiding behind another public domain with a good reputation, one that clearly no system will block, for example google.com. In classic fronting the plaintext TLS SNI names the cover domain and the real host is named only inside the encrypted HTTP request, so the trick depends on the CDN in front of both sites routing on the inner name rather than on the SNI.

Much has already been written about this technique and plenty of examples have been published. However, the recently much-discussed technologies DNS-over-HTTPS and encrypted SNI, together with the new version of the TLS protocol, TLS 1.3, make it possible to consider yet another fronting option.

Understanding the mechanism

First, let's define a few basic concepts so that everyone understands what all of this is for and why. We mentioned the eSNI mechanism, whose operation will be discussed in more detail below. eSNI (Encrypted Server Name Indication) is an encrypted variant of SNI, available only with the TLS 1.3 protocol. The main idea is to encrypt, among other things, the information about which domain the request is addressed to. (The eSNI discussed here is the experimental IETF draft that browsers and Cloudflare deployed in 2018-2019; it was later superseded by Encrypted Client Hello (ECH), which encrypts the entire ClientHello rather than just the name, so the specific extension and DNS record formats below are historical.)

Now let's look at how the eSNI mechanism works.

Suppose we have an Internet resource that a modern DPI solution has blocked (let's take, for example, the popular torrent tracker rutracker.nl). When we try to open the tracker's website we see the provider's stub page saying the resource is blocked:

[screenshot]

On the RKN (Roskomnadzor) website this page is listed in the block registry:

[screenshot]

A whois query shows that the domain itself is "hidden" behind the cloud provider Cloudflare:

[screenshot]

But unlike the "experts" at RKN, the many technically literate staff at Beeline (or perhaps the bitter experience of our well-known regulator taught them) did not crudely block the site by IP address but added the domain name to the block list. This is easy to verify: look at which other sites hide behind the same IP address, visit one of them, and see that access is not blocked:

[screenshot]

How does this happen? How does the provider's DPI know which site my browser is visiting, given that all communication goes over HTTPS and we have not yet noticed Beeline substituting HTTPS certificates? Is it clairvoyant, or am I being followed?

Let's try to answer this question by looking at the traffic passing through Wireshark:

[screenshot]

The capture shows that the browser first obtains the server's IP address via DNS, then performs a normal TCP handshake with the site's server, and then tries to set up a TLS connection to it. To do so it sends a TLS ClientHello packet that carries the name of the target site in plaintext, in the server_name (SNI) extension. Cloudflare's front-end server needs this field to route the connection to the right site. This is exactly where the provider's DPI catches us and breaks the connection. At the same time we get no stub page from the provider; we see the browser's usual error, as if the site were down or simply not working:

[screenshot]

Now let's enable eSNI in the browser, as described in Mozilla's instructions for Firefox. To do this, open the Firefox configuration page about:config and set the following preferences:

network.trr.mode = 2
network.trr.uri = https://mozilla.cloudflare-dns.com/dns-query
network.security.esni.enabled = true

Here network.trr.mode = 2 makes Firefox resolve names over DoH (the "trusted recursive resolver") first and fall back to the system resolver if that fails; the eSNI keys are fetched through the same DoH channel. Note that these preferences apply to the Firefox builds of that period: later versions dropped the ESNI draft in favour of ECH, and the network.security.esni.enabled preference no longer exists.

After that we check on Cloudflare's test page that the settings actually work, and try our torrent-tracker trick once more:

[screenshot]

Voilà. Our favourite tracker opened without any VPN or proxy servers. Now let's look at the traffic dump in Wireshark to see what happened:

[screenshot]

This time the TLS ClientHello packet does not contain the destination site directly; instead a new field appears in the packet, encrypted_server_name, and that is where the value rutracker.nl sits, in a form that only Cloudflare's front-end server can decrypt. If so, the provider's DPI has no choice but to throw up its hands and let this traffic through; with encryption in place it has no other options, short of dropping every ClientHello that carries the extension at all.
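To make the difference concrete, here is an added example (not part of the original article) that builds minimal TLS 1.3 ClientHello records and parses them the way an SNI-based DPI would. The server_name extension (type 0) and the draft encrypted_server_name extension (type 0xffce in the ESNI draft Cloudflare deployed) are real codepoints; the ESNI payload, the random bytes and the blocklist are constructed placeholders, and the parser only reports whether the extension is present, since the DPI cannot decrypt it. The third case, a cover name that is itself on the list, matches what the article shows later with rutor.info.

```python
import struct

EXT_SERVER_NAME = 0x0000
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE   # draft-ietf-tls-esni-02 codepoint (experimental)


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def sni_extension(hostname: str) -> bytes:
    """server_name extension: ServerNameList with one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + _u16(len(name)) + name            # name_type host_name(0)
    body = _u16(len(entry)) + entry                       # ServerNameList length prefix
    return _u16(EXT_SERVER_NAME) + _u16(len(body)) + body


def esni_extension(opaque_payload: bytes) -> bytes:
    """encrypted_server_name extension. Real ESNI carries a cipher suite, a key
    share, a record digest and the encrypted name; to the DPI it is an opaque
    blob, which is all this placeholder models."""
    return _u16(EXT_ENCRYPTED_SERVER_NAME) + _u16(len(opaque_payload)) + opaque_payload


def client_hello(extensions: bytes) -> bytes:
    """Wrap extensions in a minimal ClientHello handshake inside a TLS record."""
    random = b"\x11" * 32                 # constructed, fixed so the example is deterministic
    session_id = b""
    cipher_suites = b"\x13\x01\x13\x02"   # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    compression = b"\x00"
    body = (b"\x03\x03" + random + bytes([len(session_id)]) + session_id
            + _u16(len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression
            + _u16(len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake    # TLSPlaintext record header


def parse_client_hello(record: bytes) -> dict:
    """Return what a DPI can learn from a ClientHello: the plaintext SNI (if any)
    and whether an encrypted_server_name extension is present."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                           # legacy_version + random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    comp_len = body[pos]; pos += 1 + comp_len
    result = {"sni": None, "esni": False}
    if pos + 2 > len(body):
        return result                                      # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == EXT_SERVER_NAME:
            p = 2                                          # skip ServerNameList length
            while p + 3 <= len(data):
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    result["sni"] = data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        elif etype == EXT_ENCRYPTED_SERVER_NAME:
            result["esni"] = True                          # present, but undecryptable here
    return result


def dpi_verdict(record: bytes, blocklist) -> str:
    """SNI-based policy like the provider's: block only when the plaintext SNI
    is listed. With ESNI plus a clean cover name it never fires."""
    return "BLOCK" if parse_client_hello(record)["sni"] in blocklist else "ALLOW"


BLOCKLIST = {"rutracker.nl", "rutor.info"}           # constructed sample list

# Case 1: ordinary TLS, real name in plaintext SNI -> DPI blocks.
plain = client_hello(sni_extension("rutracker.nl"))
# Case 2: ESNI with a harmless cover name in plaintext SNI -> DPI allows.
fronted = client_hello(sni_extension("www.hello-rkn.ru") + esni_extension(b"\xaa" * 48))
# Case 3: ESNI, but the cover name itself is blocked -> DPI still blocks.
bad_cover = client_hello(sni_extension("rutor.info") + esni_extension(b"\xaa" * 48))

if __name__ == "__main__":
    for label, rec in (("plain", plain), ("fronted", fronted), ("bad_cover", bad_cover)):
        print(label, parse_client_hello(rec), dpi_verdict(rec, BLOCKLIST))
```

The parser deliberately stops at "extension present": a DPI that wanted to be stricter could block on that fact alone, which is the trade-off the rest of the article skirts by also hiding the key lookup.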

So, we have seen how the technology works in the browser. Now let's try to apply it to something more interesting. First we will teach plain old curl to use eSNI with TLS 1.3, and along the way we will see how eSNI-based domain fronting itself works.

Domain fronting with eSNI

Because curl uses the standard openssl library for HTTPS, we first need to add eSNI support there. There is no eSNI support in the openssl master branch yet, so we need to fetch a special openssl branch, build it and install it.

We clone the repository from GitHub and build it in the usual way:

$ git clone https://github.com/sftcd/openssl
$ cd openssl
$ ./config

$ make
$ cd esnistuff
$ make

Next we clone the curl repository and configure its build against our freshly built openssl library:

$ cd $HOME/code
$ git clone https://github.com/niallor/curl.git curl-esni
$ cd curl-esni

$ export LD_LIBRARY_PATH=/opt/openssl
$ ./buildconf
$ LDFLAGS="-L/opt/openssl" ./configure --with-ssl=/opt/openssl --enable-esni --enable-debug

Here it is important to specify correctly all the directories where openssl is installed (in our case /opt/openssl/) and to make sure the configure step completes without errors.

If configuration succeeds, we will see the line:

WARNING: esni ESNI is enabled but marked EXPERIMENTAL. Use with caution!

$ make

After the package builds successfully, we will use the special bash script that ships with the openssl branch to set up and run curl. Let's copy it into the curl directory for convenience:

$ cp /opt/openssl/esnistuff/curl-esni .

and make a test HTTPS request to a Cloudflare server, capturing the DNS and TLS packets in Wireshark at the same time:

$ ESNI_COVER="www.hello-rkn.ru" ./curl-esni https://cloudflare.com/

In the server's response, in addition to a lot of debug output from openssl and curl, we get an HTTP response with code 301 from Cloudflare:

< HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 13:12:55 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Sun, 03 Nov 2019 14:12:55 GMT
< Location: https://www.cloudflare.com/

which means our request was successfully delivered to the destination server, received and processed.

Now let's look at the traffic dump in Wireshark, i.e. at what the DPI saw in this case:

[screenshot]

We can see that curl first asked the DNS server for the Cloudflare server's eSNI key, a DNS TXT query for _esni.cloudflare.com (packet 13). Then, using the openssl library, curl sent a TLS 1.3 ClientHello to the Cloudflare server in which the SNI was encrypted with the public key obtained in the previous step (packet #22). But besides the eSNI field, the ClientHello also carries a plaintext SNI field, which we can set to anything we like (here www.hello-rkn.ru).

This plaintext SNI field was ignored entirely when Cloudflare's servers processed the request and served only as a mask for the provider's DPI. The Cloudflare server received our ClientHello, decrypted the eSNI, extracted the original SNI and processed it as if nothing had happened (it did everything exactly as intended when eSNI was designed).

The only thing the DPI can latch onto in this case is the plaintext DNS query for _esni.cloudflare.com. But we made that DNS query in the clear only to show how the mechanism works internally.

To pull the rug out from under the DPI completely, we use the DNS-over-HTTPS mentioned earlier. A short explanation: DoH is a protocol that sends DNS queries inside an HTTPS connection, so an on-path observer such as the provider's DPI can neither read nor tamper with them; this is what protects the key lookup from a man-in-the-middle.

Let's run the request again, but this time obtain the public eSNI keys over HTTPS rather than plain DNS:

ESNI_COVER="www.hello-rkn.ru" DOH_URL=https://mozilla.cloudflare-dns.com/dns-query ./curl-esni https://cloudflare.com/

The traffic dump for this request is shown in the screenshot below:

[screenshot]

We can see that curl first contacts the mozilla.cloudflare-dns.com server over DoH (an HTTPS connection to 104.16.249.249) to obtain the public key values for encrypting the SNI, and only then the destination server, hiding behind the domain www.hello-rkn.ru.
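The DoH step can be shown at the wire level. The following added example (not from the article or from the curl/openssl branch) builds the DNS TXT query for _esni.cloudflare.com, encodes it as an RFC 8484 GET URL for a resolver such as https://mozilla.cloudflare-dns.com/dns-query, and parses a constructed response to pull out the TXT value, which in the ESNI draft is the base64-encoded ESNIKeys blob. The response bytes and the key blob are made up for the example; no network request is made.

```python
import base64
import struct

QTYPE_TXT = 16
QCLASS_IN = 1


def build_txt_query(name: str, txid: int = 0) -> bytes:
    """DNS wire-format query for a TXT record: the body of a DoH POST, or the
    bytes that get base64url-encoded into the ?dns= parameter of a DoH GET."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url without padding. A transaction id of 0 keeps
    the URL identical across clients, so HTTP caches can serve it."""
    return resolver_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def _read_name(msg: bytes, pos: int):
    """Decode a (possibly compressed) DNS name; return (name, position after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                           # compression pointer
            ptr = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if not jumped:
                end = pos + 2
            jumped, pos = True, ptr
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if jumped else pos)


def parse_txt_answers(msg: bytes) -> list:
    """Return the TXT strings from a DNS response, one joined string per record."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("DNS RCODE %d" % (flags & 0x000F))
    pos = 12
    for _ in range(qd):                                     # skip the echoed question(s)
        _, pos = _read_name(msg, pos)
        pos += 4
    out = []
    for _ in range(an):
        _, pos = _read_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == QTYPE_TXT:
            chunks, p = [], 0
            while p < len(rdata):                           # TXT RDATA is a list of <len><bytes>
                n = rdata[p]
                chunks.append(rdata[p + 1:p + 1 + n].decode("ascii"))
                p += 1 + n
            out.append("".join(chunks))
    return out


def esni_keys_from_response(msg: bytes) -> bytes:
    """The ESNI draft publishes base64(ESNIKeys) in a TXT record at _esni.<host>."""
    txts = parse_txt_answers(msg)
    if not txts:
        raise ValueError("no TXT answer: the host does not publish ESNI keys")
    return base64.b64decode(txts[0])


# Constructed sample: the shape of a resolver's answer for _esni.cloudflare.com.
# FAKE_ESNI_KEYS is a placeholder blob, NOT real Cloudflare key material.
FAKE_ESNI_KEYS = bytes(range(40))
SAMPLE_TXT = base64.b64encode(FAKE_ESNI_KEYS)
SAMPLE_QUERY = build_txt_query("_esni.cloudflare.com")
SAMPLE_ANSWER = (b"\xc0\x0c"                               # pointer to the question name at offset 12
                 + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 3600, len(SAMPLE_TXT) + 1)
                 + bytes([len(SAMPLE_TXT)]) + SAMPLE_TXT)
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; NOERROR
                   + SAMPLE_QUERY[12:] + SAMPLE_ANSWER)

if __name__ == "__main__":
    print(doh_get_url("https://mozilla.cloudflare-dns.com/dns-query", SAMPLE_QUERY))
    print(esni_keys_from_response(SAMPLE_RESPONSE).hex())
```

Sending the same bytes as a POST with Content-Type application/dns-message is the other RFC 8484 form; either way the query and answer travel inside the TLS session to the resolver, which is the point of the curl-esni DOH_URL option above.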

Besides the DoH resolver mozilla.cloudflare-dns.com used above, we can use other popular DoH services, for example the one run by a certain well-known "evil corporation". Let's run the following query:

ESNI_COVER="www.kremlin.ru" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/

And we get the response:

< HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 14:10:22 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=da0144d982437e77b0b37af7d00438b1a1572790222; expires=Mon, 02-Nov-20 14:10:22 GMT; path=/; domain=.rutracker.nl; HttpOnly; Secure
< Location: https://rutracker.nl/forum/index.php
< CF-Cache-Status: DYNAMIC
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 52feee696f42d891-CPH

[screenshot]

In this case we reached the blocked rutracker.nl server using Google's DoH resolver dns.google (no typo here: the well-known company now has its own top-level domain) and covered ourselves with a different domain, one that every DPI in the country is strictly forbidden to block on pain of death. From the response we received it is clear that our request was processed successfully.

As an additional check that the provider's DPI really reacts to the plaintext SNI that we send as the cover, we can request rutracker.nl using another banned resource as the cover, for example the other "good" torrent tracker:

$ ESNI_COVER="rutor.info" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/

We will get no response from the server, because our request is blocked by the DPI system on the strength of the cover name alone.

A brief conclusion to part one

So, we have been able to demonstrate eSNI in action using openssl and curl, and to test eSNI-based domain fronting. In the same way we can adapt our favourite tools that use the openssl library so that they work "under cover" of other domains. More details on this in our next articles.

Source: www.habr.com
