A group of researchers from the University of Michigan has published the results of a study on the possibility of identifying connections to OpenVPN-based servers (VPN fingerprinting) while monitoring transit traffic. As a result, three methods were identified for recognising the OpenVPN protocol among other network packets; they can be used in traffic inspection systems to block OpenVPN-based virtual networks.
Testing of the proposed methods on the network of the Internet provider Merit, which has more than a million users, showed the ability to identify 85% of OpenVPN sessions with a low false-positive rate. For the test, a tool was built that first identified OpenVPN traffic passively and on the fly, and then verified the correctness of the result by actively probing the server. A traffic stream of 20 Gbps was mirrored to the analyzer built by the researchers.

During the experiment, the analyzer successfully identified 1718 of 2000 test OpenVPN connections established by a dummy client, which used 40 different OpenVPN configurations (the method worked for 39 of the 40 configurations). In addition, over the eight days of the experiment, 3638 OpenVPN sessions were detected in transit traffic, of which 3245 sessions were confirmed. It is noted that the upper bound on false positives for the proposed method is three times lower than for previously proposed methods based on machine learning.
The effectiveness of the traffic-tracking protections used by commercial OpenVPN services was evaluated separately: of 41 tested VPN services that use methods to hide OpenVPN traffic, the traffic was identified in 34 cases. The services that could not be detected used additional layers on top of OpenVPN to hide the traffic (for example, forwarding OpenVPN traffic through an additional encrypted tunnel). Most of the successfully detected services used traffic distortion with the XOR operation, additional obfuscation layers without proper traffic padding, or had unobfuscated OpenVPN services on the same server.
The identification methods rely on OpenVPN-specific patterns in unencrypted packet headers, on the sizes of ACK packets, and on server responses. In the first case, the "opcode" field in the packet header can serve as an identifying feature during the connection negotiation stage: it takes a fixed range of values and changes in a defined way depending on the stage of connection setup. Identification comes down to detecting a certain sequence of opcode changes in the first N packets of the stream.
The second method is based on the fact that OpenVPN uses ACK packets only at the connection negotiation stage and that they have a specific size. Identification relies on ACK packets of a given size occurring only in certain parts of the session (for example, with OpenVPN the first ACK packet is usually the third data packet sent in the session).

The third method is an active check and relies on the fact that, in response to a connection reset request, the OpenVPN server sends a specific RST packet (the check does not work when "tls-auth" mode is used, because the OpenVPN server then ignores requests from clients that are not authenticated via TLS).
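The opcode and ACK-position signals from the first two methods can be checked against a capture of your own deployment to see whether its obfuscation still exposes them. The sketch below is an added example, not the researchers' tool: it assumes UDP transport and flows already split into (direction, payload) pairs, and the matching rule, helper names and sample flows are constructed for illustration.

```python
# Added illustration, not the researchers' tool. Opcode numbers are OpenVPN's
# packet opcodes; the matching rule and both sample flows are constructed.
CLIENT_RESET = {1, 7, 10}   # P_CONTROL_HARD_RESET_CLIENT_V1 / V2 / V3
SERVER_RESET = {2, 8}       # P_CONTROL_HARD_RESET_SERVER_V1 / V2
P_CONTROL_V1, P_ACK_V1 = 4, 5


def parse(flow):
    """Map [(direction, udp_payload)] to [(direction, opcode, key_id)].

    Byte 0 of an OpenVPN packet holds the opcode in its high 5 bits and the
    key_id in its low 3 bits; it is sent in the clear.
    """
    return [(d, p[0] >> 3, p[0] & 0x07) if p else (d, None, None) for d, p in flow]


def classify(flow, n=6):
    """Return (looks_like_openvpn, index_of_first_ack) for the first n packets."""
    pkts = parse(flow[:n])
    if len(pkts) < 3:
        return False, None           # too short to show the opcode progression
    server_reset_seen = False
    for i, (d, op, key_id) in enumerate(pkts):
        if i == 0:                   # a session opens with a client hard reset
            ok = d == "c" and op in CLIENT_RESET and key_id == 0
        elif not server_reset_seen:  # until the server answers: resets only
            server_reset_seen = d == "s" and op in SERVER_RESET
            ok = server_reset_seen or (d == "c" and op in CLIENT_RESET)
        else:                        # afterwards: control and ACK packets only
            ok = op in (P_CONTROL_V1, P_ACK_V1)
        if not ok:
            return False, None
    if not server_reset_seen:
        return False, None
    first_ack = next((i for i, p in enumerate(pkts) if p[1] == P_ACK_V1), None)
    return True, first_ack


def pkt(direction, op):
    """Build a constructed payload: opcode byte followed by filler bytes."""
    return direction, bytes([op << 3]) + b"\x00" * 13


OPENVPN_FLOW = [pkt("c", 7), pkt("s", 8), pkt("c", 5), pkt("c", 4), pkt("s", 5), pkt("s", 4)]
OTHER_FLOW = [("c", b"\xc3" + b"\x11" * 20), ("s", b"\xc3" + b"\x22" * 20), ("c", b"\x45" * 12)]

if __name__ == "__main__":
    print(classify(OPENVPN_FLOW))  # (True, 2)
    print(classify(OTHER_FLOW))    # (False, None)
```

In the constructed OpenVPN flow the first ACK is at index 2, that is, the third packet of the session, which matches the position the second method looks for.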

Source: opennet.ru
