A group of researchers from the University of Michigan has published the results of a study on the possibility of identifying connections to OpenVPN-based servers (VPN fingerprinting) when monitoring transit traffic. As a result, three methods were found for identifying the OpenVPN protocol among other network packets; these can be used in traffic inspection systems to block OpenVPN-based virtual networks.
Testing of the proposed methods on the network of the Internet provider Merit, which has more than a million users, showed the ability to identify 85% of OpenVPN sessions with a low rate of false positives. For the test, a toolkit was prepared that first detected OpenVPN traffic on the fly in passive mode and then verified the correctness of the result with an active check of the server. A traffic flow of approximately 20 Gbps was mirrored to the analyzer built by the researchers.

During the experiment, the analyzer successfully identified 1718 out of 2000 test OpenVPN connections established by a decoy client, which used 40 different typical OpenVPN configurations (the method worked for 39 out of 40 configurations). In addition, over the eight days of the experiment, 3638 OpenVPN sessions were identified in transit traffic, of which 3245 sessions were confirmed. It is noted that the upper bound on false positives for the proposed method is three orders of magnitude lower than for previously proposed methods based on machine learning.
The effectiveness of the protections that commercial services use against OpenVPN traffic tracking was assessed separately: of 41 tested VPN services that use OpenVPN traffic obfuscation methods, traffic was identified in 34 cases. The services that could not be detected used additional layers to hide traffic on top of OpenVPN (for example, forwarding OpenVPN traffic through an additional encrypted tunnel). Most of the successfully identified services used traffic distortion with the XOR operation, additional obfuscation layers without proper padding of the traffic, or ran non-obfuscated OpenVPN services on the same server.
The identification methods involved are based on OpenVPN-specific patterns in unencrypted packet headers, ACK packets, and server responses. In the first case, the "opcode" field in the packet header can be used as the identifying feature at the connection negotiation stage: it takes a fixed range of values and changes in a specific way depending on the connection setup stage. Identification boils down to recognizing a certain sequence of opcode changes in the first N packets of the flow.
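As an added example (not from the study or the original article), here is a simplified check an operator could run over the first packets of their own tunnel to see whether the opcode pattern described above is visible. It assumes OpenVPN over UDP with the opcode in the high 5 bits of the first payload byte; the function names, matching rules and sample flows are constructed for illustration.

```python
# Added illustration. Opcode numbers follow the OpenVPN wire format; the
# matching rules are a simplified assumption, not the researchers' classifier.
HARD_RESET_CLIENT = {1, 7, 10}  # P_CONTROL_HARD_RESET_CLIENT_V1/V2/V3
HARD_RESET_SERVER = {2, 8}      # P_CONTROL_HARD_RESET_SERVER_V1/V2
HANDSHAKE = {4, 5}              # P_CONTROL_V1, P_ACK_V1
DATA = {6, 9}                   # P_DATA_V1, P_DATA_V2


def opcode(payload: bytes) -> int:
    """High 5 bits of the first UDP payload byte; the low 3 bits are the key id."""
    return payload[0] >> 3


def opcode_trace(flow):
    """flow is a list of (direction, payload); direction is 'c' or 's'."""
    return [(d, opcode(p)) for d, p in flow if p]


def exposes_openvpn_handshake(flow, n=8):
    """True if the first n packets look like reset, reset, then control/ACK/data."""
    trace = opcode_trace(flow)[:n]
    if not trace or trace[0][0] != "c":
        return False
    first, rest = {}, []
    for direction, op in trace:
        if direction in first:
            rest.append(op)
        else:
            first[direction] = op  # first opcode seen in each direction
    if first["c"] not in HARD_RESET_CLIENT or first.get("s") not in HARD_RESET_SERVER:
        return False
    # After the two resets: only control, ACK or data, with at least one control/ACK.
    return all(op in HANDSHAKE | DATA for op in rest) and any(op in HANDSHAKE for op in rest)


def pkt(first_byte, size=14):
    """Constructed payload: only the first byte matters to this check."""
    return bytes([first_byte]) + bytes(size - 1)


# Constructed sample flows (not captured traffic).
OPENVPN_FLOW = [("c", pkt(0x38)), ("s", pkt(0x40)), ("c", pkt(0x28)),
                ("c", pkt(0x20, 100)), ("s", pkt(0x28)), ("s", pkt(0x20, 100))]
WRAPPED_FLOW = [("c", pkt(0x16, 200)), ("s", pkt(0x16, 200)), ("c", pkt(0x17, 90))]

if __name__ == "__main__":
    print(opcode_trace(OPENVPN_FLOW), exposes_openvpn_handshake(OPENVPN_FLOW))
    print(opcode_trace(WRAPPED_FLOW), exposes_openvpn_handshake(WRAPPED_FLOW))
```

The check compares literal opcode values, so it only tells you whether an unmodified OpenVPN header is visible on the wire.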
The second method is based on the fact that ACK packets are used in OpenVPN only at the connection negotiation stage and, at the same time, have a specific size. Identification relies on ACK packets of a given size occurring only in certain parts of the session (for example, when using OpenVPN, the first ACK packet is usually the third data packet sent in the session).

The third method is an active check and relies on the fact that, in response to a connection reset request, the OpenVPN server sends a specific RST packet (the check does not work when the "tls-auth" mode is used, since the OpenVPN server then ignores requests from clients that are not authenticated via TLS).

Source: opennet.ru
