Iimpawu zoseto lweDPI

Eli nqaku alifaki uhlengahlengiso olupheleleyo lwe-DPI kunye nayo yonke into edibeneyo kunye, kwaye ixabiso lezesayensi lombhalo lincinci. Kodwa ichaza indlela elula yokudlula i-DPI, apho iinkampani ezininzi azizange zithathele ingqalelo.

I-Disclaimer #1: Eli nqaku lelohlobo lophando kwaye alikhuthazi nabani na ukuba enze okanye asebenzise nantoni na. Ingcamango isekelwe kumava obuqu, kwaye nakuphi na ukufana akunakwenzeka.

Предупреждение №2: в статье не раскрываются тайны Атлантиды, поиска Святого Грааля и иные загадки вселенной, весь материал находится в свободном доступе и возможно не раз был описан на Хабе. (я не нашел, за ссылку буду признателен)

Kwabo bafunde izilumkiso, masiqale.

Yintoni iDPI?

I-DPI okanye i-Deep Packet Inspection iteknoloji yokuqokelela idatha yezibalo, ukujonga kunye nokucoca iipakethi zenethiwekhi ngokuhlalutya kungekuphela nje iintloko zeepakethe, kodwa kunye nomxholo ogcweleyo we-traffic kumanqanaba omzekelo we-OSI ukusuka kweyesibini nangaphezulu, ekuvumela ukuba ufumane kwaye iintsholongwane ezithintelayo, ulwazi lokucoca olungafikeleliyo kwiikhrayitheriya ezichaziweyo.

Kukho iintlobo ezimbini zoqhagamshelwano lweDPI, ezichazwe ValdikSS kwi github:

I-DPI ye-Passive

I-DPI eqhagamshelwe kuthungelwano lomnikezeli ngokunxuseneyo (kungekhona kwinqumlo) nokuba kunge-passive optical splitter, okanye usebenzisa isipili setrafikhi esisuka kubasebenzisi. Olu xhulumaniso alucothi isantya sothungelwano lomnikezeli kwimeko yokusebenza kweDPI eyaneleyo, yingakho isetyenziswe ngababoneleli abakhulu. I-DPI enolu hlobo loqhagamshelwano inokubona kuphela umzamo wokucela umxholo owalelweyo, kodwa ungawuyeki. Ukugqitha esi sithintelo kunye nokuthintela ukufikelela kwisiza esithintelweyo, i-DPI ithumela umsebenzisi ukuba acele i-URL evaliweyo ipakethi yeHTTP eyenziwe ngokukhethekileyo kunye nokuhanjiswa kwiphepha le stub somboneleli, ngokungathi loo mpendulo ithunyelwe nguvimba oceliweyo ngokwawo (iIP yomthumeli). idilesi kunye nolandelelwano lwe-TCP lwenziwe). Ngenxa yokuba i-DPI isondele ngokwenyama kumsebenzisi kunendawo eceliwe, impendulo ye-spoofed ifikelela kwisixhobo somsebenzisi ngokukhawuleza kunempendulo yokwenyani evela kwisayithi.

I-DPI esebenzayo

I-DPI esebenzayo-i-DPI eqhagamshelwe kwinethiwekhi yomnikezeli ngendlela eqhelekileyo, njengaso nasiphi na esinye isixhobo sothungelwano. Umnikezeli uqwalasela indlela ukuze i-DPI ifumane i-traffic kubasebenzisi ukuya kwiidilesi ze-IP ezivaliweyo okanye imimandla, kwaye i-DPI ithatha isigqibo sokuba ivumele okanye ivimbe i-traffic. I-DPI esebenzayo inokuhlola zombini i-traffic ephumayo kunye nengenayo, nangona kunjalo, ukuba umnikezeli usebenzisa i-DPI kuphela ukubhloka iisayithi ezivela kwirejista, ihlala iqwalaselwe ukuhlola i-traffic ephumayo kuphela.

Ayisiyiyo kuphela impumelelo yokuvalwa kwetrafikhi, kodwa nomthwalo kwi-DPI kuxhomekeke kuhlobo lonxibelelwano, ngoko ke kunokwenzeka ukuba ungaskena zonke iitrafikhi, kodwa ezithile kuphela:

"Eqhelekileyo" DPI

I-DPI "eqhelekileyo" yi-DPI ehluza uhlobo oluthile lwetrafikhi kuphela kwiichweba eziqhelekileyo zolo hlobo. Umzekelo, i-DPI "eqhelekileyo" ibona kwaye ivalele ukugcwala kwe-HTTP evaliweyo kuphela kwi-port 80, i-HTTPS yetrafikhi kwi-port 443. Olu hlobo lwe-DPI aluyi kulandelela umxholo owalelweyo ukuba uthumela isicelo nge-URL evaliweyo kwi-IP engavaliweyo okanye engeyiyo- izibuko elisemgangathweni.

"Igcwele" iDPI

Ngokungafaniyo ne-DPI "eqhelekileyo", olu hlobo lwe-DPI luhlula i-traffic kungakhathaliseki ukuba idilesi ye-IP kunye nechweba. Ngale ndlela, iisayithi ezivaliweyo aziyi kuvula nokuba usebenzisa iseva engummeli kwizibuko elahluke ngokupheleleyo kunye nedilesi ye-IP engavaliweyo.

Ukusebenzisa iDPI

Ukuze unganciphisi izinga lokudluliswa kwedatha, kufuneka usebenzise i-DPI "eqhelekileyo" ye-passive, evumela ukuba usebenze ngokufanelekileyo? vimba nayiphi na? izibonelelo, uqwalaselo olungagqibekanga lujongeka ngolu hlobo:

• Isihluzo se-HTTP kuphela kwizibuko lama-80
• I-HTTPS kuphela kwizibuko 443
• BitTorrent kuphela kumazibuko 6881-6889

Kodwa iingxaki ziqala ukuba umthombo uzakusebenzisa izibuko elahlukileyo ukuze ungalahlekelwa ngabasebenzisi, emva koko kuya kufuneka ujonge ipakethe nganye, umzekelo onokuthi unike:

• I-HTTP isebenza kwi-port 80 kunye ne-8080
• I-HTTPS kwi-port 443 kunye ne-8443
• BitTorrent nakweliphi na elinye iqela

Ngenxa yoku, kuya kufuneka ukuba utshintshele kwi-DPI "Esebenzayo" okanye usebenzise ukuthintela usebenzisa iseva ye-DNS eyongezelelweyo.

Ukuvala usebenzisa i-DNS

Enye indlela yokuthintela ukufikelela kwisixhobo kukuthintela isicelo se-DNS usebenzisa iseva ye-DNS yendawo kwaye ubuyisele umsebenzisi idilesi ye-IP "stub" kunomthombo ofunekayo. Kodwa oku akuniki siphumo siqinisekisiweyo, kuba kunokwenzeka ukukhusela idilesi ye-spoofing:

Ukhetho 1: Hlela ifayile yenginginya (yedesktop)

Ifayile yenginginya yinxalenye ebalulekileyo yayo nayiphi na inkqubo yokusebenza, ekuvumela ukuba uhlale uyisebenzisa. Ukufikelela kumthombo, umsebenzisi kufuneka:

1. Fumana idilesi ye-IP yomthombo ofunekayo
2. Vula ifayile yenginginya yokuhlelwa (amalungelo omlawuli ayafuneka), ebekwe apha:
   • Linux: /etc/hosts
   • IiWindows: %WinDir%System32driversechosts
3. Yongeza umgca kwifomathi: <igama lovimba>
4. Gcina Utshintsho

Inzuzo yale ndlela kubunzima bayo kunye nemfuno yamalungelo omlawuli.

Ukhetho lwesi-2: I-DoH (i-DNS phezu kwe-HTTPS) okanye i-DoT (i-DNS phezu kwe-TLS)

Ezi ndlela zikuvumela ukuba ukhusele isicelo sakho se-DNS kwi-spoofing usebenzisa i-encryption, kodwa ukuphunyezwa akuxhaswanga zizo zonke izicelo. Makhe sijonge ngokulula ukuseta i-DoH yeMozilla Firefox version 66 kwicala lomsebenzisi:

1. Yiya kwidilesi malunga: config kwiFirefox
2. Qinisekisa ukuba umsebenzisi uthatha yonke ingozi
3. Изменит значение параметра network.trr.mode kwi:
   • 0 - khubaza i-TRR
   • I-1 - ukhetho oluzenzekelayo
   • 2 - vula i-DoH ngokungagqibekanga
4. Guqula ipharamitha inethiwekhi.trr.uri ukhetha iseva ye-DNS
   • Cloudflare DNS: mozilla.cloudflare-dns.com/dns-query
   • I-Google DNS: dns.google.com/experimental
5. Guqula ipharamitha network.trr.boostrapAddress kwi:
   • Ukuba i-Cloudflare DNS ikhethiwe: 1.1.1.1
   • Ukuba iGoogle DNS ikhethiwe: 8.8.8.8
6. Изменит значение параметра network.security.esni.enabled phezu oyinyaniso
7. Khangela ukuba useto luchanekile xa usebenzisa Inkonzo yeCloudflare

Nangona le ndlela inzima kakhulu, ayifuni ukuba umsebenzisi abe namalungelo omlawuli, kwaye kukho ezinye iindlela ezininzi zokukhusela isicelo se-DNS esingachazwanga kweli nqaku.

Ukhetho 3 (lwezixhobo eziphathwayo):

Ukusebenzisa i-Cloudflare app ukuze Android и iOS.

Ukuvavanywa

Ukujonga ukungabikho kokufikelela kwizixhobo, isizinda esivaliweyo kwiRussian Federation sathengwa okwethutyana:

• Itshekhi ye-HTTP + izibuko 80
• Itshekhi ye-HTTP + izibuko 8080
• HTTPS khangela + izibuko 443
• HTTPS khangela + izibuko 8443

isiphelo

Ndiyathemba ukuba eli nqaku liya kuba luncedo kwaye liya kukhuthaza abalawuli kuphela ukuba baqonde isihloko ngokubanzi, kodwa baya kunika ukuqonda ukuba izixhobo ziya kuhlala zikwicala lomsebenzisi, kwaye ukukhangela izisombululo ezitsha kufuneka kube yinxalenye ebalulekileyo kubo.

amakhonkco aluncedo

• Ukusebenzisa umgangatho we-Encrypted SNI kwiFirefox
• Ngaphandle kwe-intanethi ye-DPI yokudlula

Ukongezwa ngaphandle kwenqakuUvavanyo lwe-Cloudflare alukwazi ukugqitywa kwinethiwekhi ye-Tele2 yomsebenzisi, kwaye i-DPI elungiselelwe ngokuchanekileyo ivimbela ukufikelela kwindawo yokuvavanya.
PS Ukuza kuthi ga ngoku lo ngumboneleli wokuqala ovimba ngokuchanekileyo izixhobo.

umthombo: www.habr.com