Domain fronting based on TLS 1.3

Introduction

Modern corporate content-filtering systems from well-known vendors such as Cisco, BlueCoat and FireEye have a lot in common with their more powerful counterparts, DPI systems, which are being actively deployed at the national level. The essence of both is to inspect incoming and outgoing Internet traffic and, based on black/white lists, decide whether to block an Internet connection. And since both rely on similar principles in the basics of their operation, the methods for circumventing them also have a lot in common.

One of the technologies that lets you bypass both DPI and corporate systems quite effectively is domain fronting. Its essence is that we reach a blocked resource while hiding behind another, public domain with a good reputation, one that obviously will not be blocked by any system, for example google.com.

Many articles have already been written about this technology and many examples have been given. However, the popular and recently discussed DNS-over-HTTPS and encrypted-SNI technologies, together with the new version of the TLS 1.3 protocol, make it possible to consider another variant of domain fronting.

Understanding the technology

First, let's define the basic concepts so that everyone understands who is who and why all of this is needed. We mentioned the eSNI mechanism, whose operation will be discussed further. The eSNI (Encrypted Server Name Indication) mechanism is a secure version of SNI, available only for the TLS 1.3 protocol. The main idea is to encrypt, among other things, the information about which domain the request is sent to.

Now let's look at how the eSNI mechanism works in practice.

Suppose we have an Internet resource that is blocked by a modern DPI solution (take, for example, the well-known torrent tracker rutracker.nl). When we try to reach the torrent tracker's website, we see the provider's standard stub indicating that the resource is blocked:


On the RKN website this domain is indeed listed in the stop lists:


When you query whois, you can see that the domain itself is "hidden" behind the cloud provider Cloudflare.


But unlike the "specialists" from RKN, the more technically savvy employees at Beeline (or those taught by the bitter experience of our famous regulator) did not block the site by IP address, but added the domain name to the stop list. You can easily verify this by looking at which other domains are hidden behind the same IP address, visiting one of them and seeing that access is not blocked:


How does this happen? How does the provider's DPI know which domain my browser is visiting, given that all communication goes over the https protocol and we have not yet noticed any substitution of https certificates by Beeline? Is it clairvoyant, or am I being followed?

Let's try to answer this question by looking at the traffic in Wireshark.


The screenshot shows that the browser first obtains the server's IP address via DNS, then a standard TCP handshake takes place with the destination server, and then the browser tries to establish an SSL connection with the server. To do this, it sends an SSL Client Hello packet, which contains the name of the source domain in clear text. The Cloudflare frontend server needs this field in order to route the connection correctly. This is where the provider's DPI catches us, breaking our connection. At the same time, we do not receive any stub from the provider, and we see a standard browser error as if the site were disabled or simply not working:


Now let's enable the eSNI mechanism in the browser, as described in the instructions for Firefox. To do this, we open the Firefox configuration page about:config and set the following settings:

network.trr.mode = 2;
network.trr.uri = https://mozilla.cloudflare-dns.com/dns-query
network.security.esni.enabled = true

After that, we check that the settings work correctly on the Cloudflare website and try the trick with our torrent tracker again.


Voila. Our favorite tracker opened without any VPN or proxy servers. Now let's look at the traffic dump in Wireshark to see what happened.


This time, the SSL Client Hello packet does not explicitly contain the destination domain; instead, a new field has appeared in the packet: encrypted_server_name. This is where the value rutracker.nl is carried, and only the Cloudflare frontend server can decrypt this field. And if so, the provider's DPI has no choice but to wash its hands and allow such traffic. With encryption there are no other options.

So, we have looked at how the technology works in the browser. Now let's try to apply it to more specific and interesting things. First, we will teach curl to use eSNI with TLS 1.3, and at the same time we will see how eSNI-based domain fronting itself works.

Domain fronting with eSNI

Because curl uses the standard openssl library to connect over the https protocol, we first need to provide eSNI support there. There is no eSNI support in the openssl master branches yet, so we need to download a special openssl branch, compile it and install it.

We clone the repository from GitHub and build as usual:

$ git clone https://github.com/sftcd/openssl
$ cd openssl
$ ./config

$ make
$ cd esnistuff
$ make

Next, we clone the repository with curl and configure its build using our compiled openssl library:

$ cd $HOME/code
$ git clone https://github.com/niallor/curl.git curl-esni
$ cd curl-esni

$ export LD_LIBRARY_PATH=/opt/openssl
$ ./buildconf
$ LDFLAGS="-L/opt/openssl" ./configure --with-ssl=/opt/openssl --enable-esni --enable-debug

Here it is important to correctly specify all the directories where openssl is located (in our case, this is /opt/openssl/) and to make sure that the configuration process completes without errors.

If the configuration is successful, we will see the line:

WARNING: esni ESNI enabled but marked EXPERIMENTAL. Use with caution!

$ make

After successfully building the package, we will use a special bash file from openssl to configure and run curl. Let's copy it to the directory with curl for convenience:

cp /opt/openssl/esnistuff/curl-esni 

and make a test https request to the Cloudflare server, while recording the DNS and TLS packets in Wireshark.

$ ESNI_COVER="www.hello-rkn.ru" ./curl-esni https://cloudflare.com/

In the server response, apart from a lot of debugging information from openssl and curl, we will receive an HTTP response with code 301 from Cloudflare.

HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 13:12:55 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Sun, 03 Nov 2019 14:12:55 GMT
< Location: https://www.cloudflare.com/

which indicates that our request was successfully delivered to the destination server, heard and processed.

Now let's look at the traffic dump in Wireshark, i.e. what the provider's DPI saw in this case.


It can be seen that curl first turned to the DNS server for the public eSNI key of the Cloudflare server: a TXT DNS request to _esni.cloudflare.com (packet No. 13). Then, using the openssl library, curl sent a TLS 1.3 request to the Cloudflare server in which the SNI field was encrypted with the public key obtained in the previous step (packet #22). But, in addition to the eSNI field, the SSL-hello packet also included a field with the usual, open SNI, which we can set arbitrarily (in this case, www.hello-rkn.ru).

This open SNI field was not taken into account in any way when processed by the Cloudflare servers and served only as a mask for the provider's DPI. The Cloudflare server received our ssl-hello packet, decrypted the eSNI, extracted the original SNI from it and processed it as if nothing had happened (it did everything exactly as planned when eSNI was developed).
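What a passive observer can read from the ClientHello described above, as an added example (not code from the original article or from the openssl/curl forks it uses): a minimal parser that extracts the cleartext SNI and flags the draft encrypted_server_name extension. It assumes the draft ESNI extension type 0xffce and a ClientHello that fits in a single TLS record; the sample packet is constructed, with placeholder bytes standing in for real ESNI data.

```python
import struct

EXT_SERVER_NAME = 0x0000
EXT_ESNI_DRAFT = 0xFFCE  # assumed: encrypted_server_name type used by the ESNI drafts

def _vec(buf, off, len_bytes):
    """Read a length-prefixed vector; return (body, new_offset)."""
    n = int.from_bytes(buf[off:off + len_bytes], "big")
    end = off + len_bytes + n
    if end > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[off + len_bytes:end], end

def inspect_client_hello(record):
    """Return what a passive monitor can read from one TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body, _ = _vec(record, 6, 3)           # handshake body (24-bit length)
    off = 2 + 32                           # legacy_version + random
    _, off = _vec(body, off, 1)            # session_id
    _, off = _vec(body, off, 2)            # cipher_suites
    _, off = _vec(body, off, 1)            # compression_methods
    exts, _ = _vec(body, off, 2)
    result = {"cleartext_sni": None, "esni_present": False}
    pos = 0
    while pos + 4 <= len(exts):
        ext_type = int.from_bytes(exts[pos:pos + 2], "big")
        data, pos = _vec(exts, pos + 2, 2)
        if ext_type == EXT_SERVER_NAME:
            names, _ = _vec(data, 0, 2)    # server_name_list
            if names and names[0] == 0:    # name_type host_name
                host, _ = _vec(names, 1, 2)
                result["cleartext_sni"] = host.decode("ascii", "replace")
        elif ext_type == EXT_ESNI_DRAFT:
            result["esni_present"] = True
    return result

def build_sample(cover, esni_blob=b""):
    """Constructed ClientHello for the demo (opaque bytes stand in for ESNI data)."""
    host = cover.encode()
    sni = b"\x00" + struct.pack("!H", len(host)) + host
    sni = struct.pack("!H", len(sni)) + sni
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    if esni_blob:
        exts += struct.pack("!HH", EXT_ESNI_DRAFT, len(esni_blob)) + esni_blob
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

For monitoring, a result with esni_present set means the cleartext name is only a cover value and should not be recorded as the connection's real destination.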

The only thing that can be caught in this case from the DPI's point of view is the primary DNS request to _esni.cloudflare.com. But we made the DNS request open only to show how this mechanism works from the inside.

To finally pull the rug out from under the DPI, we use the already mentioned DNS-over-HTTPS mechanism. A short explanation: DoH is a protocol that lets you protect against a man-in-the-middle attack by sending a DNS request over HTTPS.

Let's run the request again, but this time we will obtain the public eSNI keys over the https protocol, not DNS:

ESNI_COVER="www.hello-rkn.ru" DOH_URL=https://mozilla.cloudflare-dns.com/dns-query ./curl-esni https://cloudflare.com/

The traffic dump of the request is shown in the screenshot below:


It can be seen that curl first accesses the mozilla.cloudflare-dns.com server via the DoH protocol (an https connection to server 104.16.249.249) to obtain from it the values of the public keys for SNI encryption, and then goes to the destination server, hiding behind the domain www.hello-rkn.ru.

In addition to the DoH resolver mozilla.cloudflare-dns.com above, we can use other popular DoH services, for example, from the well-known evil corporation.
Let's run the following query:

ESNI_COVER="www.kremlin.ru" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/

And we get the answer:

< HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 14:10:22 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=da0144d982437e77b0b37af7d00438b1a1572790222; expires=Mon, 02-Nov-20 14:10:22 GMT; path=/; domain=.rutracker.nl; HttpOnly; Secure
< Location: https://rutracker.nl/forum/index.php
< CF-Cache-Status: DYNAMIC
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 52feee696f42d891-CPH


In this case, we turned to the blocked rutracker.nl server using the DoH resolver dns.google (there is no typo here; the famous corporation now has its own top-level domain) and covered ourselves with another domain, which all DPIs are strictly forbidden to block on pain of death. From the response received, you can see that our request was processed successfully.

As an additional check that the provider's DPI reacts to the open SNI, which we pass as a cover, we can make a request to rutracker.nl under the guise of some other blocked resource, for example, another "good" torrent tracker:

$ ESNI_COVER="rutor.info" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/

We will not receive a response from the server, because our request will be blocked by the DPI system.

A short conclusion to the first part

So, we were able to demonstrate how eSNI works using openssl and curl and to test eSNI-based domain fronting. In the same way, we can adapt our favorite tools that use the openssl library to work "under the guise" of other domains. More details about this in our next articles.

Source: www.habr.com
