Izici zezilungiselelo ze-DPI

Lesi sihloko asifaki ukulungiswa okugcwele kwe-DPI nakho konke okuxhunywe ndawonye, ​​futhi inani lesayensi lombhalo lincane. Kodwa ichaza indlela elula yokudlula i-DPI, izinkampani eziningi ezingazange ziyicabangele.

Umshwana wokuzihlangula #1: Le ndatshana ingeyocwaningo futhi ayikhuthazi muntu ukuthi enze noma asebenzise noma yini. Umbono usekelwe kokuhlangenwe nakho komuntu siqu, futhi noma yikuphi ukufana akuhleliwe.

Isixwayiso No. 2: i-athikili ayivezi izimfihlo ze-Atlantis, ukusesha kwe-Holy Grail nezinye izimfihlakalo zendawo yonke; zonke izinto ezibonakalayo zitholakala mahhala futhi kungenzeka ukuthi zichazwe izikhathi ezingaphezu kwesisodwa ku-Habré. (Angizange ngiyithole, ngingabonga ngesixhumanisi)

Kulabo abafunde izixwayiso, ake siqale.

Yini i-DPI?

I-DPI noma i-Deep Packet Inspection ubuchwepheshe bokuqongelela idatha yezibalo, ukuhlola nokuhlunga amaphakethe enethiwekhi ngokuhlaziya hhayi kuphela izihloko zephakethe, kodwa futhi nokuqukethwe okugcwele kwethrafikhi emazingeni emodeli ye-OSI kusukela kwesibili nangaphezulu, okukuvumela ukuthi uthole futhi vimba amagciwane, ulwazi lokuhlunga olungahlangabezani nemibandela eshiwo .

Kunezinhlobo ezimbili zokuxhuma kwe-DPI, ezichazwe I-ValdikSS ku github:

I-Passive DPI

I-DPI ixhumeke kunethiwekhi yomhlinzeki ngokuhambisana (hhayi ekusikeni) kungaba ngesihlukanisi sokubona okwenziwayo, noma kusetshenziswa isibuko sethrafikhi esivela kubasebenzisi. Lokhu kuxhumana akubambezeli isivinini senethiwekhi yomhlinzeki uma kwenzeka ukusebenza kwe-DPI enganele, yingakho kusetshenziswa abahlinzeki abakhulu. I-DPI enalolu hlobo lokuxhumana ingathola kuphela umzamo wokucela okuqukethwe okunqatshelwe, kodwa ingakuyeki. Ukuze weqe lo mkhawulo futhi uvimbele ukufinyelela kusayithi elingavunyelwe, i-DPI ithumela umsebenzisi ukuthi acele i-URL evinjiwe iphakethe le-HTTP elakhiwe ngokukhethekile eliqondiswe kabusha ekhasini le-stub lomhlinzeki, njengokungathi impendulo enjalo ithunyelwe yinsiza eceliwe ngokwayo (i-IP yomthumeli). ikheli kanye nokulandelana kwe-TCP kwenziwa ngomgunyathi). Ngenxa yokuthi i-DPI iseduze kakhulu nomsebenzisi kunesayithi eliceliwe, impendulo eyinkohliso ifinyelela kudivayisi yomsebenzisi ngokushesha kunempendulo yangempela evela kusayithi.

I-DPI esebenzayo

I-DPI esebenzayo - i-DPI ixhumeke kunethiwekhi yomhlinzeki ngendlela evamile, njenganoma iyiphi enye idivayisi yenethiwekhi. Umhlinzeki ulungiselela umzila ukuze i-DPI ithole ithrafikhi kusuka kubasebenzisi ukuya kumakheli e-IP avinjiwe noma izizinda, bese i-DPI inquma ukuthi iyavumela noma ivimbe ithrafikhi. I-DPI esebenzayo ingahlola kokubili ithrafikhi ephumayo nengenayo, nokho, uma umhlinzeki esebenzisa i-DPI kuphela ukuze avimbe amasayithi kusukela kurejista, ngokuvamile ilungiselelwa ukuhlola ithrafikhi ephumayo kuphela.

Akukhona nje kuphela ukusebenza kahle kokuvinjwa kwethrafikhi, kodwa futhi umthwalo ku-DPI uncike ohlotsheni lokuxhuma, ngakho-ke kungenzeka ukuthi ungaskena yonke ithrafikhi, kodwa ezithile kuphela:

I-DPI "Ejwayelekile".

I-DPI “evamile” i-DPI ehlunga uhlobo oluthile lwethrafikhi kuphela ezimbobeni ezivame kakhulu zalolo hlobo. Isibonelo, i-DPI “evamile” ithola futhi ivimbe ithrafikhi ye-HTTP enqatshelwe kuphela ku-port 80, ithrafikhi ye-HTTPS ku-port 443. Lolu hlobo lwe-DPI ngeke lulandelele okuqukethwe okungavunyelwe uma uthumela isicelo nge-URL evinjiwe ku-IP engavinjiwe noma okunga- imbobo ejwayelekile.

I-DPI "Egcwele".

Ngokungafani ne-DPI “evamile”, lolu hlobo lwe-DPI luhlukanisa ithrafikhi ngaphandle kwekheli le-IP kanye nembobo. Ngale ndlela, amasayithi avinjiwe ngeke avuleke ngisho noma usebenzisa iseva elibamba endaweni ehluke ngokuphelele kanye nekheli le-IP elivuliwe.

Ukusebenzisa i-DPI

Ukuze unganciphisi izinga lokudluliswa kwedatha, udinga ukusebenzisa i-DPI ethi “Normal” passive, ekuvumela ukuthi wenze ngempumelelo? vimba noma yini? izinsiza, ukucushwa okuzenzakalelayo kubukeka kanjena:

• Isihlungi se-HTTP kuphela ku-port 80
• I-HTTPS kuphela ku-port 443
• I-BitTorrent kuphela kumachweba 6881-6889

Kodwa izinkinga ziqala uma insiza izosebenzisa imbobo ehlukile ukuze ingalahlekelwa abasebenzisi, lapho-ke kuzodingeka uhlole iphakheji ngayinye, isibonelo ongayinikeza:

• I-HTTP isebenza ku-port 80 kanye ne-8080
• I-HTTPS ku-port 443 kanye ne-8443
• I-BitTorrent kunoma iyiphi enye ibhendi

Ngenxa yalokhu, kuzodingeka ukuthi ushintshele ku-DPI “Esebenzayo” noma usebenzise ukuvimba usebenzisa iseva ye-DNS eyengeziwe.

Ivimba usebenzisa i-DNS

Enye indlela yokuvimba ukufinyelela esisetshenziswa iwukuba ubambe isicelo se-DNS usebenzisa iseva yendawo ye-DNS bese ubuyisela umsebenzisi ikheli le-IP “le-stub” kunomthombo odingekayo. Kodwa lokhu akunikezi umphumela oqinisekisiwe, ngoba kungenzeka ukuvimbela ukukhwabanisa kwekheli:

Inketho 1: Ukuhlela ifayela labasingathi (ledeskithophu)

Ifayela labasingathi liyingxenye ebalulekile yanoma iyiphi isistimu yokusebenza, ekuvumela ukuthi uyisebenzise njalo. Ukuze ufinyelele insiza, umsebenzisi kufanele:

1. Thola ikheli le-IP lesisetshenziswa esidingekayo
2. Vula ifayela labasingathi ukuze lihlelwe (kudingeka amalungelo omphathi), atholakala ku:
   • I-Linux: /etc/hosts
   • IWindows: %WinDir%System32driversechosts
3. Engeza umugqa ngefomethi:
4. Gcina izinguquko

Inzuzo yale ndlela ukuba yinkimbinkimbi kwayo kanye nemfuneko yamalungelo omlawuli.

Inketho 2: I-DoH (DNS phezu kwe-HTTPS) noma i-DoT (i-DNS phezu kwe-TLS)

Lezi zindlela zikuvumela ukuthi uvikele isicelo sakho se-DNS ekukhohliseni usebenzisa ukubethela, kodwa ukuqaliswa akusekelwa yizo zonke izinhlelo zokusebenza. Ake sibheke ukuthi kulula kanjani ukusetha i-DoH yenguqulo 66 ye-Mozilla Firefox ohlangothini lomsebenzisi:

1. Iya ekhelini mayelana: i-config kuFirefox
2. Qinisekisa ukuthi umsebenzisi uthatha yonke ingozi
3. Shintsha inani lepharamitha network.trr.mode ku:
   • 0 - khubaza i-TRR
   • 1 - ukukhetha okuzenzakalelayo
   • 2 - vula i-DoH ngokuzenzakalelayo
4. Shintsha ipharamitha network.trr.uri ukukhetha iseva ye-DNS
   • Cloudflare DNS: mozilla.cloudflare-dns.com/dns-query
   • I-GoogleDNS: dns.google.com/experimental
5. Shintsha ipharamitha network.trr.boostrapAddress ku:
   • Uma i-Cloudflare DNS ikhethiwe: 1.1.1.1
   • Uma i-Google DNS ikhethiwe: 8.8.8.8
6. Shintsha inani lepharamitha network.security.esni.enabled on weqiniso
7. Hlola ukuthi izilungiselelo zilungile uma usebenzisa Isevisi ye-Cloudflare

Nakuba le ndlela iyinkimbinkimbi kakhulu, ayidingi ukuthi umsebenzisi abe namalungelo omlawuli, futhi ziningi ezinye izindlela zokuvikela isicelo se-DNS ezingachazwanga kulesi sihloko.

Inketho 3 (yamadivayisi eselula):

Ukusebenzisa uhlelo lokusebenza Cloudflare ukuze Android и iOS.

Ukuhlola

Ukuhlola ukuntuleka kokufinyelela ezinsizeni, isizinda esivinjiwe eRussian Federation sathengwa okwesikhashana:

• Isheke le-HTTP + imbobo engu-80
• Isheke le-HTTP + imbobo engu-8080
• Ukuhlola kwe-HTTPS + imbobo engu-443
• Ukuhlola kwe-HTTPS + imbobo engu-8443

isiphetho

Ngithemba ukuthi lesi sihloko sizoba usizo futhi ngeke sikhuthaze abaphathi kuphela ukuthi baqonde isihloko ngokuningiliziwe, kodwa futhi sizonikeza ukuqonda ukuthi izinsiza zizohlala zisohlangothini lwabasebenzisi, futhi ukucinga izixazululo ezintsha kufanele kube yingxenye ebalulekile kubo.

Izixhumanisi eziwusizo

• Ukusebenzisa i-Encrypted SNI indinganiso kuFirefox
• I-DPI Bypass engaxhunyiwe ku-inthanethi

Ukwengeza ngaphandle kwe-athikiliUkuhlolwa kwe-Cloudflare akukwazi ukuqedelwa kunethiwekhi ye-opharetha ye-Tele2, futhi i-DPI emiswe kahle ivimba ukufinyelela kusayithi lokuhlola.
P.S. Kuze kube manje lona ngumhlinzeki wokuqala wokuvimba izinsiza ngendlela efanele.

Source: www.habr.com