Domain fronting based on TLS 1.3

Introduction

Today's corporate content-filtering systems from well-known vendors such as Cisco, BlueCoat and FireEye have a great deal in common with their more powerful counterparts, DPI systems, which are actively deployed at the national level. The core of both is to inspect inbound and outbound Internet traffic and, based on black and white lists, decide whether to block an Internet connection. And since both rely on the same principles as the foundation of their operation, the methods of bypassing them will also be very similar.

One technology that lets you bypass both DPI and corporate systems quite effectively is domain fronting. Its essence is that we go to a blocked resource while hiding behind another, public domain with a good reputation that clearly will not be blocked by any system, for example google.com.

Many articles have already been written about this technology and many examples given. However, the popular and recently discussed DNS-over-HTTPS and encrypted SNI technologies, together with the new version of the TLS protocol, TLS 1.3, make it worth considering another option for domain fronting.

Understanding the technology

First, let us define a few basic concepts so that everyone understands who needs all this and why. We mentioned the eSNI mechanism; how it works will be discussed further on. eSNI (Encrypted Server Name Indication) is a secure version of SNI, available only in the TLS 1.3 protocol. The main idea is to hide, among other things, the information about which domain the request is being sent to.

Now let's look at how the eSNI mechanism works in practice.

Suppose we have an Internet resource blocked by a modern DPI solution (take, for example, the well-known torrent tracker rutracker.nl). When we try to access the torrent tracker's website, we see the provider's standard stub page indicating that the resource is blocked:

[screenshot]

On the RKN website this domain is listed in the stop list:

[screenshot]

By running whois you can see that the domain itself is "hidden" behind the cloud provider Cloudflare.

[screenshot]

But unlike the "specialists" from RKN, the more skilled Beeline staff (or those taught by the bitter experience of our famous regulator) did not mindlessly block the site by IP address, but added the domain name to the stop list. You can easily verify this by checking which other domains are hidden behind the same IP address, visiting one of them and seeing that access is not blocked:

[screenshot]

How does this happen? How does the provider's DPI know which domain my browser is going to, given that all communication happens over the https protocol, and we have not noticed any substitution of https certificates by Beeline? Is it clairvoyant, or am I being followed?

Let's try to answer this question by looking at the traffic in wireshark.

[screenshot]

The screenshot shows that first the browser gets the server's IP address via DNS, then a normal TCP handshake takes place with the target server, and then the browser tries to establish an SSL connection with the server. To do this, it sends an SSL Client Hello packet containing the resource's domain name in clear text. This field is needed by the cloudflare frontend server to route the connection correctly. It is here that the provider's DPI catches us and breaks our connection. At the same time, we do not get any stub page from the provider; we see an ordinary browser error as if the site were blocked or not working:

[screenshot]

Now let's enable the eSNI mechanism in the browser, as described in the Firefox instructions.
To do this, open the Firefox configuration page about:config and enable the following settings:

network.trr.mode = 2;
network.trr.uri = https://mozilla.cloudflare-dns.com/dns-query
network.security.esni.enabled = true

After that, we check on the cloudflare website that the settings work correctly, and try the trick with our torrent tracker again.

[screenshot]

Voila. Our favourite tracker opens without any VPN or proxy servers. Now let's look at the traffic dump in wireshark to see what happened.

[screenshot]

This time the ssl client hello packet does not contain the destination in clear text; instead, a new field has appeared in the packet, encrypted_server_name, which is where the value rutracker.nl is carried, and only the cloudflare frontend server can decrypt this field. And if so, the provider's DPI has no option but to wash its hands of it and let such traffic through. There are no other options with the encrypted version.

So, we have looked at how the technology works in the browser. Now let's try to apply it to more specific and interesting things. First, we'll teach the same curl to use eSNI together with TLS 1.3, and at the same time we'll see how eSNI-based domain fronting itself works.

Domain fronting with eSNI

Because curl uses the standard openssl library to connect over the https protocol, first we need to provide eSNI support there. There is no eSNI support in the openssl master branch yet, so we need to download a special openssl branch, compile it and install it.

We clone the repository from GitHub and compile it as usual:

$ git clone https://github.com/sftcd/openssl
$ cd openssl
$ ./config

$ make
$ cd esnistuff
$ make

Then we clone the repository with curl and configure its build to use our compiled openssl library:

$ cd $HOME/code
$ git clone https://github.com/niallor/curl.git curl-esni
$ cd curl-esni

$ export LD_LIBRARY_PATH=/opt/openssl
$ ./buildconf
$ LDFLAGS="-L/opt/openssl" ./configure --with-ssl=/opt/openssl --enable-esni --enable-debug

Here it is important to specify correctly all the directories where openssl is located (in our case /opt/openssl/) and make sure the configuration process runs without errors.

If the configuration succeeds, we will see the line:

WARNING: esni ESNI enabled but marked EXPERIMENTAL. Use with caution!

$ make

After the package builds successfully, we'll use a special bash script from openssl to configure and run curl. Let's copy it to the curl directory for convenience:

cp /opt/openssl/esnistuff/curl-esni 

and make a test https request to the cloud server, while at the same time capturing the DNS and TLS packets in Wireshark.

$ ESNI_COVER="www.hello-rkn.ru" ./curl-esni https://cloudflare.com/

In the server's response, in addition to a lot of debugging information from openssl and curl, we get an HTTP response with code 301 from cloudflare.

< HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 13:12:55 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Sun, 03 Nov 2019 14:12:55 GMT
< Location: https://www.cloudflare.com/

which indicates that our request was successfully delivered to the target server, received and processed.

Now let's look at the traffic dump in wireshark, i.e. at what the provider's DPI saw in this case.

[screenshot]

It can be seen that curl first turned to the DNS server for the cloudflare server's public eSNI key: a DNS TXT request for _esni.cloudflare.com (packet No. 13). Then, using the openssl library, curl sent a TLS 1.3 request to the cloudflare server in which the SNI field is encrypted with the public key obtained in the previous step (packet No. 22). But, in addition to the eSNI field, the SSL hello packet also includes the usual, open SNI field, which we can set to anything we like (in this case, www.hello-rkn.ru).

This open SNI field is not taken into account at all when cloudflare's servers process the packet; it serves only as a mask for the provider's DPI. The cloudflare server received our ssl hello packet, decrypted the eSNI, extracted the original SNI from it and carried on as if nothing had happened (doing everything exactly as planned when eSNI was designed).
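As an added example (not from the original article and not code from the openssl or curl branches it uses), the following Python builds a minimal TLS ClientHello record and then parses it the way an SNI-inspecting middlebox would: it reads the plaintext server_name, checks supported_versions for TLS 1.3, and notes whether an encrypted_server_name extension is present. The extension code point 0xffce is the draft-ESNI value (assumption: the one the sftcd openssl branch negotiates); the ClientHello bytes, the random field and the stop list are constructed for this test, not captured traffic. It shows that a stop list keyed on the visible SNI sees only the cover name, and that the presence of the ESNI extension is itself an observable a defender can log.

```python
import struct

EXT_SERVER_NAME = 0
EXT_SUPPORTED_VERSIONS = 43
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE  # draft-ESNI code point (assumption, see lead-in)

def build_client_hello(sni, esni_blob=None, versions=(0x0304, 0x0303)):
    """Constructed TLS ClientHello record with an open SNI and, optionally, an ESNI blob."""
    name = sni.encode()
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name      # host_name type = 0
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    exts = struct.pack(">HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    vers = b"".join(struct.pack(">H", v) for v in versions)
    sv = bytes([len(vers)]) + vers
    exts += struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    if esni_blob is not None:                                       # opaque ciphertext stand-in
        exts += struct.pack(">HH", EXT_ENCRYPTED_SERVER_NAME, len(esni_blob)) + esni_blob
    body = (b"\x03\x03" + b"\x00" * 32            # legacy_version, random (zeros: test input)
            + b"\x00"                               # empty legacy_session_id
            + struct.pack(">H", 2) + b"\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                           # compression_methods: null only
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return what a passive SNI-inspecting box can read from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                    # skip legacy_version and random
    pos += 1 + body[pos]                            # legacy_session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                            # compression_methods
    ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    info = {"sni": None, "esni": False, "tls13": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            # ServerNameList: 2-byte list length, name type (1), 2-byte length, host name
            name_len = struct.unpack(">H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode()
        elif etype == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            offered = [struct.unpack(">H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
            info["tls13"] = 0x0304 in offered
        elif etype == EXT_ENCRYPTED_SERVER_NAME:
            info["esni"] = True                     # present, but the real name is ciphertext
    return info

# Constructed stop list standing in for the provider's; not the real one.
BLOCKLIST = {"rutracker.nl", "rutor.info"}

def sni_filter_verdict(record):
    """Mimic an SNI-based DPI decision: it can only key on the name it can read."""
    return "block" if parse_client_hello(record)["sni"] in BLOCKLIST else "allow"

if __name__ == "__main__":
    for rec in (build_client_hello("rutracker.nl"),
                build_client_hello("www.hello-rkn.ru", esni_blob=b"\x00" * 40)):
        print(parse_client_hello(rec), sni_filter_verdict(rec))
```

The parser deliberately does not attempt anything with the ESNI blob: from the middlebox's position it is opaque, which is the whole point of the extension. What the box can still record is that the extension was offered at all, together with the cover name and the TLS 1.3 version offer, which is enough to count how much ESNI traffic crosses a network edge.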

The only thing that can be caught in this case from the DPI's point of view is the initial DNS request for _esni.cloudflare.com. But we made that DNS request in the open only to show how this mechanism works from the inside.

To finally pull the rug out from under the DPI, we use the already mentioned DNS-over-HTTPS mechanism. A short explanation: DoH is a protocol that protects against a man-in-the-middle by sending the DNS request over HTTPS.

Let's run the request again, but this time we'll fetch the public eSNI keys over the https protocol rather than plain DNS:

ESNI_COVER="www.hello-rkn.ru" DOH_URL=https://mozilla.cloudflare-dns.com/dns-query ./curl-esni https://cloudflare.com/

The traffic dump of the request is shown in the screenshot below:

[screenshot]

It can be seen that curl first contacts the mozilla.cloudflare-dns.com server over the DoH protocol (an https connection to server 104.16.249.249) to get the public key values for SNI encryption from it, and then goes to the target server, hiding behind the www.hello-rkn.ru domain.
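As an added example (not part of the article and not curl's code), here is the DNS-over-HTTPS key lookup described above at the wire level in Python: building the TXT query for _esni.cloudflare.com, encoding it for the RFC 8484 GET form that dns-query endpoints accept, and parsing the TXT answer out of a response message. No network call is made; the response bytes are constructed locally so the script runs offline, and the TXT payload is a labelled placeholder, not a real ESNIKeys record.

```python
import base64
import struct

QTYPE_TXT = 16
CLASS_IN = 1

def encode_name(name):
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def build_txt_query(name, txid=0x1234):
    """Standard query, RD=1, one question of type TXT (what curl sends for _esni.<domain>)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_TXT, CLASS_IN)

def doh_get_url(resolver_url, query):
    """RFC 8484 GET form: the wire message, base64url-encoded without padding, in dns=."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode()
    return f"{resolver_url}?dns={b64}"

def skip_name(msg, pos):
    """Advance past a name, handling the two-byte compression pointer form."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length

def parse_txt_answers(msg):
    """Collect the TXT strings from the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4               # QTYPE + QCLASS
    txts = []
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == QTYPE_TXT:
            # RDATA is a sequence of <length><chars> strings; join them
            i, text = 0, b""
            while i < rdlen:
                n = rdata[i]
                text += rdata[i + 1:i + 1 + n]
                i += 1 + n
            txts.append(text.decode())
    return txts

def build_txt_response(query, txt):
    """Constructed resolver reply to `query` (test fixture, not a captured response)."""
    txid = query[:2]
    question = query[12:skip_name(query, 12) + 4]
    rdata = bytes([len(txt)]) + txt.encode()        # one character-string (<= 255 bytes)
    answer = (b"\xc0\x0c"                           # pointer to the QNAME at offset 12
              + struct.pack(">HHIH", QTYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata)
    header = txid + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    return header + question + answer

if __name__ == "__main__":
    q = build_txt_query("_esni.cloudflare.com")
    print(doh_get_url("https://mozilla.cloudflare-dns.com/dns-query", q))
    print(parse_txt_answers(build_txt_response(q, "constructed-esnikeys-placeholder")))
```

From the network's viewpoint the whole lookup is one HTTPS request to the resolver, so the query name never appears in clear; a DoH resolver that is itself on a block list is the remaining observable, which is why the article later switches between resolvers.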

Besides the DoH resolver mozilla.cloudflare-dns.com mentioned above, we can use other popular DoH services, for example the one from the well-known evil corporation.
Let's run the following query:

ESNI_COVER="www.kremlin.ru" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/

And we get the response:

< HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 14:10:22 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=da0144d982437e77b0b37af7d00438b1a1572790222; expires=Mon, 02-Nov-20 14:10:22 GMT; path=/; domain=.rutracker.nl; HttpOnly; Secure
< Location: https://rutracker.nl/forum/index.php
< CF-Cache-Status: DYNAMIC
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 52feee696f42d891-CPH

[screenshot]

In this case, we went to the blocked server rutracker.nl using the DoH resolver dns.google (no typo here, the well-known corporation now has its own top-level domain) and covered ourselves with another domain, one that every DPI is strictly forbidden, on pain of death, to block. From the response received you can see that our request was processed successfully.

As an additional check that the provider's DPI reacts to the open SNI we send as cover, we can make a request to rutracker.nl under the cover of another forbidden resource, for example another "good" torrent tracker:

$ ESNI_COVER="rutor.info" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/

We will not get a response from the server, because our request will be blocked by the DPI system.

Brief conclusion to the first part

So, we managed to demonstrate eSNI in operation using openssl and curl, and to test eSNI-based domain fronting. In the same way we can adapt our favourite tools that use the openssl library to work "under cover" of other domains. More details on this in our next articles.

Source: www.habr.com
