Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections



SLIDE 1

Chair for Network Architectures and Services Technical University of Munich (TUM)

Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections

Intermediate Talk Julien Schmidt

May 30, 2016 Chair for Network Architectures and Services Department of Informatics Technical University of Munich (TUM)

Julien Schmidt – Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections 1

SLIDE 2

Problem
  Deep Packet Inspection
  Active Probing
Existing Solutions
Motivation
Approach
  Architecture
  Active Probing Resistance
  Deep Packet Inspection Resistance
Schedule

SLIDE 3

Problem

◮ Network environments with active or passive detection and blocking
◮ Current tunneling solutions not designed with detectability in mind

[Figure labels: VPN Client, Restricted Network (IP Blacklist, DNS Blacklist), (Unrestricted) Internet, VPN Server]

SLIDE 4

Problem: Deep Packet Inspection

◮ Censor can inspect traffic within controlled network
  ◮ Destination port, packet size, timing, encryption type ...

[Figure labels: VPN Client, Restricted Network, Deep Packet Inspection, (Unrestricted) Internet, VPN Server]

SLIDE 5

Deep Packet Inspection Example

OpenVPN:

1. Censor observes plaintext TLS handshake
2. Detection by cipher list in ClientHello
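
The cipher-list check from the OpenVPN example, as an added illustration that is not part of the talk: the parser below pulls the ordered cipher suites out of a plaintext ClientHello record and applies a blacklist-style exact match. `TUNNEL_SIGNATURE` and both sample hellos are constructed for this example; the signature is not a real OpenVPN fingerprint.

```python
import struct

# Constructed signature: an ordered cipher list a censor might associate with
# one tunneling client build. Illustrative only, not a real OpenVPN fingerprint.
TUNNEL_SIGNATURE = (0xC030, 0xC02F, 0x009F, 0x009E, 0x0039, 0x0033, 0x00FF)


def cipher_suites(record: bytes) -> tuple:
    """Extract the ordered cipher suite IDs from a plaintext ClientHello record."""
    try:
        ctype, _ver, rec_len = struct.unpack_from("!BHH", record, 0)
        if ctype != 0x16 or len(record) < 5 + rec_len:
            raise ValueError("not a complete TLS handshake record")
        if record[5] != 0x01:
            raise ValueError("handshake message is not a ClientHello")
        pos = 5 + 4 + 2 + 32            # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]          # skip session_id (1-byte length prefix)
        (cs_len,) = struct.unpack_from("!H", record, pos)
        raw = record[pos + 2 : pos + 2 + cs_len]
        if cs_len % 2 or len(raw) != cs_len:
            raise ValueError("malformed cipher_suites vector")
        return struct.unpack("!%dH" % (cs_len // 2), raw)
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc


def classify(record: bytes) -> str:
    """Blacklist-style DPI decision: flag only an exact ordered match."""
    return "flag" if cipher_suites(record) == TUNNEL_SIGNATURE else "pass"


def build_client_hello(suites) -> bytes:
    """Build a minimal ClientHello record (constructed sample input)."""
    cs = struct.pack("!%dH" % len(suites), *suites)
    hello = b"\x03\x03" + bytes(32) + b"\x00"   # version, random, empty session_id
    hello += struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # suites, null compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: the signature list, and a different, browser-like list.
TUNNEL_HELLO = build_client_hello(TUNNEL_SIGNATURE)
BROWSER_LIKE_HELLO = build_client_hello(
    (0xC02B, 0xC02F, 0xC02C, 0xC030, 0x009E, 0x0033, 0x0039, 0x002F, 0x0035))

if __name__ == "__main__":
    print(classify(TUNNEL_HELLO), classify(BROWSER_LIKE_HELLO))
```

Because the match is on the exact ordered list, a hello that offers the same suites in another order is not flagged, which is why this kind of signature only works against clients with a fixed, distinctive list.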

SLIDE 6

Problem: Active Probing

1. Censor connects directly to the source
2. Censor acts like a user, implements target protocol
3. Server gets blocked if it replies with target protocol

[Figure labels: VPN Client, Restricted Network, Active Probing, Censor controlled Clients, (Unrestricted) Internet, VPN Server]

SLIDE 7

Active Probing Example

Detection of MS-SSTP:

SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1

◮ Should respond with error, if not MS-SSTP

SLIDE 8

Existing Solutions

◮ Existing HTTPS-VPN protocols, e.g. MS-SSTP
◮ Meek
  ◮ Domain-Fronting
  ◮ Different TLS SNI and HTTP Host
  ◮ Relies on 3rd-party Cloud / CDN providers
  ◮ Cooperate or blocked

SLIDE 9

Motivation

◮ Design with detectability in mind
◮ HTTPS has become an integral part of the Internet
  ◮ Available in the most restrictive network environments
  ◮ Often only ports 80 and 443 can be reached
  ◮ No general blocking for practical and economic reasons
◮ No reliance on 3rd-party infrastructure

SLIDE 10

Approach

◮ General idea: Make the connection look like one between a regular web browser and web server
◮ Design and implement a tunneling solution leveraging existing HTTPS infrastructure
  ◮ Inherit safety and stability from well-tested software
  ◮ Simplicity
  ◮ Maintainability
  ◮ Works well with proxies
  ◮ Trend to offer services via Web API

SLIDE 11

Approach: Architecture

[Architecture diagram labels: SOCKS5 / TUN / TAP, BoringSSL, Nginx, WTP over HTTPS, SOCKS5 / TUN / TAP, WTP, webtun client, webtun server]

SLIDE 12

Approach: Active Probing Resistance

1. Connections established to regular web server
2. Web server delegates connections to tunneling server
   ◮ Only after pre-shared secret was exchanged (e.g. Request Path, HTTP Auth, Cookie, ...)

◮ Approach makes Active Probing useless

SLIDE 13

Approach: Deep Packet Inspection Resistance

◮ Goal: Greatly increase rate of false-positives
◮ Assumption: Censor uses blacklisting instead of whitelisting
◮ Avoid detectable patterns
  ◮ Traffic-Shaping
  ◮ Behave like Browsers (e.g. Keep-Alive timeouts)

SLIDE 14

Schedule

[Gantt chart, 2016: March, April, May, June, July. Tasks in order: TLS tunnel prototype, Nginx integration, HTTPS protocol, Basic obfuscation, Evaluation, Thesis writing]
