Isingeniso
Izinhlelo zesimanje zokuhlunga okuqukethwe kwezinkampani ezivela kubakhiqizi abadumile njengeCisco, BlueCoat, FireEye zinokuningi okufanayo nozakwabo abanamandla kakhulu - izinhlelo ze-DPI, ezisetshenziswa ngenkuthalo ezingeni likazwelonke. Ingqikithi yomsebenzi wabo bobabili ukuhlola ithrafikhi ye-inthanethi engenayo naphumayo futhi, ngokusekelwe ezinhlwini ezimnyama/ezimhlophe, wenze isinqumo sokuvimba uxhumano lwe-inthanethi. Futhi njengoba bobabili bethembele ezimisweni ezifanayo ezisekelweni zomsebenzi wabo, izindlela zokuzigwema nazo zizofana kakhulu.
Obunye bobuchwepheshe obukuvumela ukuthi udlule ngokuphumelelayo kokubili i-DPI kanye nezinhlelo zezinkampani ubuchwepheshe bokubheka phambili kwesizinda. Ingqikithi yayo iwukuthi siya esisetshenziswa esivinjiwe, sicasha ngemva kwesinye, isizinda esisesidlangalaleni esinegama elihle, okusobala ukuthi ngeke sivinjwe yinoma iyiphi isistimu, isibonelo i-google.com.
Ziningi kakhulu izindatshana esezibhaliwe mayelana nalobu buchwepheshe futhi izibonelo eziningi zinikiwe. Kodwa-ke, ubuchwepheshe obudumile futhi obusanda kuxoxwa nge-DNS-over-HTTPS kanye ne-encrypted-SNI, kanye nenguqulo entsha yephrothokholi ye-TLS 1.3, kwenza kube nokwenzeka ukucabangela enye inketho yesizinda sangaphambili.
Ukuqonda ubuchwepheshe
Okokuqala, ake sichaze imiqondo emincane eyisisekelo ukuze wonke umuntu aqonde ukuthi ubani futhi kungani konke lokhu kudingeka. Sikhulume ngomshini we-eSNI, okuzoxoxwa ngawo ngokuqhubekayo. I-eSNI (encrypted Server Name Indication) iyinguqulo evikelekile ye-SNI, etholakala kuphela ngephrothokholi ye-TLS 1.3. Umqondo oyinhloko uwukubethela, phakathi kwezinye izinto, ulwazi mayelana nokuthi isicelo sithunyelwa kusiphi isizinda.
Manje ake sibheke ukuthi indlela ye-eSNI isebenza kanjani ekusebenzeni.
Ake sithi sinensiza ye-inthanethi evinjwe isisombululo sesimanje se-DPI (ake sithathe, isibonelo, i-torrent tracker edumile rutracker.nl). Uma sizama ukufinyelela iwebhusayithi ye-torrent tracker, sibona isitembu esijwayelekile somhlinzeki esibonisa ukuthi insiza ivinjiwe:
Kuwebhusayithi ye-RKN lesi sizinda empeleni sisohlwini lwezitobhi:
Uma ubuza ukuthi ngubani, ungabona ukuthi isizinda ngokwaso "sifihliwe" ngemuva komhlinzeki wefu Cloudflare.
Kodwa ngokungafani βnochwephesheβ abavela kwa-RKN, abasebenzi abanolwazi olunzulu ngobuchwepheshe be-Beeline (noma abafundiswe isipiliyoni esibuhlungu somlawuli wethu odumile) abazange bavimbele ngobuwula isayithi ngekheli le-IP, kodwa bangeze igama lesizinda ohlwini lokumisa. Ungakuqinisekisa lokhu kalula uma ubheka ukuthi yiziphi ezinye izizinda ezifihlwe ngemuva kwekheli le-IP elifanayo, vakashela elinye lawo futhi ubone ukuthi ukufinyelela akuvinjiwe:
Kwenzeka kanjani lokhu? Yazi kanjani i-DPI yomhlinzeki ukuthi yisiphi isizinda isiphequluli sami esikuso, njengoba konke ukuxhumana kwenzeka ngephrothokholi ye-https, futhi asikakaqapheli ukushintshwa kwezitifiketi ze-https ezivela ku-Beeline? Ingabe u-clairvoyant noma ngiyalandelwa?
Ake sizame ukuphendula lo mbuzo ngokubheka ithrafikhi nge-wireshark
Isithombe-skrini sibonisa ukuthi okokuqala isiphequluli sithola ikheli le-IP leseva nge-DNS, bese kuba ukuxhawula okujwayelekile kwe-TCP neseva yendawo, bese isiphequluli sizama ukusungula uxhumano lwe-SSL neseva. Ukwenza lokhu, ithumela iphakethe le-SSL Client Hello, eliqukethe igama lesizinda somthombo embhalweni ocacile. Le nkambu idingwa iseva ye-frontend ye-cloudflare ukuze uhambise ngendlela efanele uxhumano. Lapha yilapho umhlinzeki we-DPI esibamba khona, ephula uxhumano lwethu. Ngesikhathi esifanayo, asitholi noma iyiphi i-stub evela kumhlinzeki, futhi sibona iphutha lesiphequluli elijwayelekile sengathi isayithi livaliwe noma alisebenzi:
Manje ake sivumele indlela ye-eSNI esipheqululini, njengoba kubhaliwe emiyalweni ye :
Ukwenza lokhu sivula ikhasi lokucushwa kweFirefox mayelana: i-config futhi wenze kusebenze izilungiselelo ezilandelayo:
network.trr.mode = 2;
network.trr.uri = https://mozilla.cloudflare-dns.com/dns-query
network.security.esni.enabled = true
Ngemuva kwalokhu, sizohlola ukuthi izilungiselelo zisebenza kahle kuwebhusayithi ye-cloudflare. futhi ake sizame iqhinga nge-torrent tracker yethu futhi.
Voila. I-tracker yethu esiyintandokazi ivuleke ngaphandle kwe-VPN noma amaseva wommeleli. Manje ake sibheke indawo yokulahla izimoto ku-wireshark ukuze sibone ukuthi kwenzekeni.
Ngalesi sikhathi, iphakheji ye-hello yeklayenti le-ssl ayiqukethe ngokusobala isizinda okuyiwa kuso, kodwa esikhundleni salokho, kuvele inkambu entsha kuphakheji - encrypted_server_name - kulapho inani le-rutracker.nl liqukethwe khona, futhi yiseva ye-cloudflare frontend kuphela engasusa ukubhala lokhu. inkambu. Futhi uma kunjalo, i-DPI yomhlinzeki ayinakho ukukhetha ngaphandle kokugeza izandla zayo futhi ivumele ithrafikhi enjalo. Azikho ezinye izinketho ezinokubethela.
Ngakho-ke, sibheke ukuthi ubuchwepheshe busebenza kanjani esipheqululini. Manje ake sizame ukukusebenzisa ezintweni eziqondile nezithokozisayo. Futhi okokuqala, sizofundisa i-curl efanayo ukusebenzisa i-eSNI ukuze isebenze ne-TLS 1.3, futhi ngesikhathi esifanayo sizobona ukuthi i-eSNI-based domain fronting ngokwayo isebenza kanjani.
Isizinda esingaphambili nge-eSNI
Ngenxa yokuthi i-curl isebenzisa umtapo wezincwadi ojwayelekile we-openssl ukuxhuma ngephrothokholi ye-https, okokuqala sidinga ukuhlinzeka ngosekelo lwe-eSNI lapho. Akukho ukusekelwa kwe-eSNI emagatsheni e-openssl master okwamanje, ngakho-ke sidinga ukulanda igatsha elikhethekile le-openssl, silihlanganise futhi silifake.
Sihlanganisa indawo yokugcina kusuka ku-GitHub futhi sihlanganise njengokujwayelekile:
$ git clone https://github.com/sftcd/openssl
$ cd openssl
$ ./config
$ make
$ cd esnistuff
$ make
Okulandelayo, sihlanganisa indawo yokugcina nge-curl futhi silungiselele ukuhlanganiswa kwayo sisebenzisa umtapo wethu wezincwadi we-openssl ohlanganisiwe:
$ cd $HOME/code
$ git clone https://github.com/niallor/curl.git curl-esni
$ cd curl-esni
$ export LD_LIBRARY_PATH=/opt/openssl
$ ./buildconf
$ LDFLAGS="-L/opt/openssl" ./configure --with-ssl=/opt/openssl --enable-esni --enable-debug
Lapha kubalulekile ukucacisa kahle zonke izikhombisi lapho i-openssl itholakala khona (kithi, lokhu /opt/openssl/) futhi uqinisekise ukuthi inqubo yokumisa idlula ngaphandle kwamaphutha.
Uma ukucushwa kuphumelele, sizobona umugqa:
ISEXWAYISO: i-esni ESNI inikwe amandla kodwa imakwe ngokuthi EXPERIMENTAL. Sebenzisa ngokuqapha!
$ makeNgemuva kokwakha ngempumelelo iphakheji, sizosebenzisa ifayela elikhethekile le-bash kusuka ku-openssl ukuze silungiselele futhi sisebenzise i-curl. Masiyikopishele kumkhombandlela nge-curl ukuze kube lula:
cp /opt/openssl/esnistuff/curl-esni futhi wenze isicelo sokuhlola se-https kuseva ye-cloudflare, ngenkathi uqopha kanyekanye amaphakethe e-DNS nawe-TLS ku-Wireshark.
$ ESNI_COVER="www.hello-rkn.ru" ./curl-esni https://cloudflare.com/Empendulweni yeseva, ngaphezu kolwazi oluningi lokususa iphutha kusuka ku-openssl ne-curl, sizothola impendulo ye-HTTP enekhodi 301 evela ku-cloudflare.
HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 13:12:55 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Sun, 03 Nov 2019 14:12:55 GMT
< Location: https://www.cloudflare.com/
okubonisa ukuthi isicelo sethu sithunyelwe ngempumelelo kuseva yendawo, sizwiwe futhi sacutshungulwa.
Manje ake sibheke ukulahlwa kwethrafikhi ku-wireshark, i.e. lokho okwabonwa umhlinzeki we-DPI kuleli cala.
Kungabonakala ukuthi i-curl iqale yaphendukela kuseva ye-DNS ukuze uthole ukhiye we-eSNI womphakathi weseva ye-cloudflare - isicelo se-TXT DNS ku-_esni.cloudflare.com (iphakheji No. 13). Bese, usebenzisa umtapo wezincwadi we-openssl, i-curl ithumele isicelo se-TLS 1.3 kuseva ye-cloudflare lapho inkambu ye-SNI ibethelwe ngokhiye womphakathi otholwe esinyathelweni sangaphambilini (iphakethe #22). Kodwa, ngaphezu kwenkambu ye-eSNI, iphakethe le-SSL-hello liphinde lafaka inkambu ene-SNI evamile - evulekile, esingayicacisa nganoma iyiphi i-oda (kulokhu - ).
Le nkambu evulekile ye-SNI ayizange inakwe nganoma iyiphi indlela lapho icutshungulwa amaseva e-cloudflare futhi isetshenziswa kuphela njengemaski ye-DPI yomhlinzeki. Iseva ye-cloudflare ithole iphakethe lethu elithi ssl-hello, yasusa ukubethela kwe-eSNI, yakhipha i-SNI yasekuqaleni lapho futhi yayicubungula sengathi akwenzekanga lutho (yenze yonke into njengoba yayihleliwe ngenkathi ithuthukisa i-eSNI).
Okuwukuphela kwento engabanjwa kuleli cala ngokubuka kwe-DPI yisicelo esiyinhloko se-DNS ku-_esni.cloudflare.com. Kodwa senze isicelo se-DNS sivuleke kuphela ukuze sibonise ukuthi lo mshini usebenza kanjani ngaphakathi.
Ukuze ekugcineni sikhiphe umalabhu ngaphansi kwe-DPI, sisebenzisa indlela esivele ishiwo ngayo i-DNS-over-HTTPS. Incazelo encane - I-DOH iyiphrothokholi ekuvumela ukuthi uvikele ekuhlaselweni komuntu ophakathi nendawo ngokuthumela isicelo se-DNS nge-HTTPS.
Masiphinde sisebenzise isicelo, kodwa kulokhu sizothola okhiye basesidlangalaleni be-eSNI ngephrothokholi ye-https, hhayi i-DNS:
ESNI_COVER="www.hello-rkn.ru" DOH_URL=https://mozilla.cloudflare-dns.com/dns-query ./curl-esni https://cloudflare.com/Ukulahlwa kwethrafikhi yesicelo kuboniswa esithombeni ngezansi:
Kuyabonakala ukuthi i-curl iqala ifinyelela iseva ye-mozilla.cloudflare-dns.com ngephrothokholi ye-DoH (uxhumano lwe-https kuseva 104.16.249.249) ukuze uthole kubo amanani okhiye basesidlangalaleni bokubethela kwe-SNI, bese kuya endaweni okuyiwa kuyo. iseva, icashe ngemuva kwesizinda .
Ngokungeziwe kulokhu okungenhla kwe-DoH solver mozilla.cloudflare-dns.com, singasebenzisa ezinye izinsiza ezidumile ze-DoH, isibonelo, ezivela enhlanganweni yobubi edumile.
Masiqalise lo mbuzo olandelayo:
ESNI_COVER="www.kremlin.ru" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/Futhi sithola impendulo:
< HTTP/1.1 301 Moved Permanently
< Date: Sun, 03 Nov 2019 14:10:22 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=da0144d982437e77b0b37af7d00438b1a1572790222; expires=Mon, 02-Nov-20 14:10:22 GMT; path=/; domain=.rutracker.nl; HttpOnly; Secure
< Location: https://rutracker.nl/forum/index.php
< CF-Cache-Status: DYNAMIC
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 52feee696f42d891-CPH
Kulokhu, siphendukele kuseva evinjiwe ye-rutracker.nl, sisebenzisa i-DoH solver dns.google (akukho typo lapha, manje inkampani edumile inesizinda sayo sezinga lokuqala) futhi sazimboza ngesinye isizinda, esiqinile. kunqatshelwe ukuthi wonke ama-DPI avimbe ngaphansi kobuhlungu bokufa. Ngokusekelwe empendulweni oyitholile, ungaqonda ukuthi isicelo sethu sicutshungulwe ngempumelelo.
Njengesheke elengeziwe lokuthi i-DPI yomhlinzeki iphendula i-SNI evulekile, esiyidlulisela njengekhava, singenza isicelo ku-rutracker.nl ngokucasha kwesinye isisetshenziswa esinqatshelwe, isibonelo, enye βenhleβ i-torrent tracker:
$ ESNI_COVER="rutor.info" DOH_URL=https://dns.google/dns-query ./curl-esni https://rutracker.nl/Ngeke sithole impendulo evela kuseva, ngoba... isicelo sethu sizovinjwa uhlelo lwe-DPI.
Isiphetho esifushane sengxenye yokuqala
Ngakho-ke, sikwazile ukukhombisa ukusebenza kwe-eSNI sisebenzisa i-openssl ne-curl futhi sihlole ukusebenza kwesizinda sangaphambili esisekelwe ku-eSNI. Ngendlela efanayo, singakwazi ukuzivumelanisa namathuluzi esiwathandayo asebenzisa umtapo wezincwadi we-openssl ukuze asebenze βngaphansi kokucashaβ kwezinye izizinda. Imininingwane eyengeziwe ngalokhu ezihlokweni zethu ezilandelayo.
Source: www.habr.com