Inyigisho nshya Yerekana Gufungura Urutoki rwa VPN, Kuzamura Ibanga

Imbonerahamwe

Ibisobanuro na 1 Intangiriro

2 Amavu n'amavuko Akazi

3 Imbogamizi Mubyukuri-VPN Kumenya

4 Icyitegererezo cy'abanzi no kohereza

5 Imyitwarire, ubuzima bwite, no gutangaza amakuru

6 Kumenya ibiranga urutoki na 6.1 Opcode ishingiye ku rutoki

6.2 Gucapa urutoki ACK

6.3

6.4 Kubaka Akayunguruzo n'Abashakashatsi

7 Kuringaniza neza kubyoherejwe hamwe na 7.1 ACK Urutoki

7.2 Guhitamo Indorerezi Idirishya N.

7.3 Ingaruka zo Gutakaza Amapaki

7.4 Serveri ya Churn yo Kubabaza Asinchronous

7.5 Probe UDP hamwe na seriveri ya OpenVPN

8 Igenamigambi-ryukuri ryoherejwe

9 Isuzuma & Ibisubizo na 9.1 Ibisubizo byo kugenzura imigendekere ya VPN

9.2 Ibisubizo kubitemba byose

10 Ikiganiro na Mitiweli

11 Umwanzuro

12 Gushimira hamwe

Umugereka

Ibisobanuro

Iyemezwa rya VPN ryagiye ryiyongera mu myaka icumi ishize kubera ko abaturage barushijeho kumenya ibanga ndetse n’iterabwoba. Mu gusubiza, guverinoma zimwe na zimwe ziragerageza kubuza VPN kubona uburyo bwo guhuza hakoreshejwe ikoranabuhanga rya DPI. Kugirango dukore iperereza kubishobora guhagarika VPN, dutezimbere uburyo bwo guhuza neza urutoki dukoresheje OpenVPN, protocole izwi cyane kuri serivisi z'ubucuruzi VPN. Tumenye ibikumwe bitatu dushingiye kumiterere ya protocole nkuburyo bwa byte, ingano yipaki, hamwe nigisubizo cya seriveri. Gukina uruhare rwigitero kiyobora umuyoboro, dushushanya ibyiciro bibiri bikora urutoki rworoshye kandi rukora iperereza mukurikirana. Turasuzuma urwego rwacu ku bufatanye na miriyoni ISP kandi dusanga tumenye hejuru ya 85% ya OpenVPN itemba ifite ibyiza gusa bitari byiza, byerekana ko serivisi zishingiye kuri OpenVPN zishobora guhagarikwa neza hamwe n’ibyangiritse bike. Nubwo VPN zimwe zubucuruzi zishyira mubikorwa ingamba zo kwirinda kugirango tumenye, urwego rwacu rwerekanye neza isano ihuza 34 kuri 41 kuri “VFuscated” iboneza rya VPN. Turaganira ku ngaruka ziterwa no gutunga urutoki VPN kubintu bitandukanye byugarije iterabwoba kandi tunasaba kwirwanaho mugihe gito. Mu gihe kirekire, turasaba abatanga ubucuruzi bwa VPN kurushaho gukorera mu mucyo ku bijyanye n’uburyo bwabo bwo kwifata no gufata ingamba nyinshi zo guhangana n’ibisubizo, nk’ibyakozwe mu bushakashatsi bwakozwe ku kugenzura.

1 Intangiriro

ISP, abamamaza, na guverinoma z'igihugu biragenda bihungabanya, gukoresha, no gukurikirana urujya n'uruza rwa interineti [16, 22, 27, 47, 69]. Kubera iyo mpamvu, imiyoboro yihariye y’abikorera (VPN) yagiye yiyongera cyane, atari mu barwanashyaka n’abanyamakuru bafite urugero rw’iterabwoba gusa ahubwo no mu bakoresha bakoresha, bakoresha VPN kubera impamvu ziva mu kurinda ubuzima bwite bwabo ku miyoboro itizewe kugeza kurenga ku kugenzura. Nkurugero ruheruka, hamwe n’itegeko rishya ry’umutekano ry’igihugu cya Hong Kong, abatanga serivisi za VPN babonye ko inshuro 120 zimaze gukururwa bitewe n’ubwoba bwo kongera ubugenzuzi n’ubugenzuzi [62].

Mu rwego rwo kurushaho kwamamara kwa VPNs, ISP na guverinoma nyinshi zirashaka gukurikirana cyangwa guhagarika traffic VPN mu rwego rwo gukomeza kugaragara no kugenzura ibinyabiziga biri mu bubasha bwabo. Binxing Fang, wapanze umushinga ukomeye wa Firewall w'Ubushinwa (GFW) yavuze ko hari “intambara y'iteka” hagati ya Firewall na VPNs, kandi igihugu cyategetse ISP gutanga raporo no guhagarika imikoreshereze ya VPN ku giti cye [60,61]. Vuba aha, Uburusiya n'Ubuhinde byasabye guhagarika serivisi za VPN mu bihugu byabo, byombi byita VPN ku rwego rw'igihugu kibangamira umutekano wa interineti [44, 59]. ISP z'ubucuruzi nazo zirashishikarizwa gukurikirana imiyoboro ya VPN. Kurugero, mu ntangiriro za 2021, ISP nini muri Afrika yepfo, Imvura, Ltd, yatangiye guhagarika imiyoboro ya VPN hejuru ya 90% kugirango hubahirizwe ireme rya serivisi muri gahunda zabo [64].

ISP hamwe nabagenzuzi bazwiho gukoresha uburyo butandukanye bworoshye bwo kurwanya VPN, nko gukurikirana imiyoboro ishingiye ku cyubahiro cya IP, guhagarika imbuga za VPN (utanga kuva aha), no gushyiraho amategeko cyangwa amategeko abuza gukoresha VPN [46,53, 60]. Nyamara, ubu buryo ntabwo bukomeye; abakoresha bashishikajwe no gushakisha uburyo bwo kugera kuri serivisi za VPN nubwo bwose. Nubwo bimeze bityo ariko, na ISP zidafite imbaraga nke hamwe nabashinzwe kugenzura ubu bafite uburyo bwikoranabuhanga nko kugenzura ibipimo byimbitse byabatwara (DPI) aho bashobora gushyira mubikorwa uburyo buhanitse bwo gutahura bishingiye kumasomo ya protocole [43, 48].

Muri iyi nyandiko, turasesengura ingaruka za DPI mugushakisha VPN no guhagarika twiga igikumwe cya OpenVPN (protocole izwi cyane kuri serivisi z'ubucuruzi VPN [6]) duhereye kuri ISP idahwitse. Turashaka gusubiza ibibazo bibiri byubushakashatsi: (1) ISP na leta birashobora kwerekana urujya n'uruza rwumuhanda nka OpenVPN ihuza mugihe nyacyo? kandi (2) barashobora kubikora kurwego rutarinze kwangiriza ingwate kubintu byiza? Gusubiza ibi bibazo bisaba ibirenze kumenya intege nke zo gutunga urutoki; nubwo bitoroshye, dukeneye kwerekana ibikorwa bifatika dukoresheje imbogamizi zukuntu ISP hamwe nabashinzwe kugenzura ibihugu byigihugu bakora kwisi.

Twubaka urwego rwo gutahura ruyobowe nubwubatsi bwa Firewall nini [1,11,71], igizwe na Filter na Prober. Akayunguruzo gashungura gushungura hejuru yumuhanda uhuza mugihe nyacyo, ukoresheje protocole yibibazo twabonye mugice cya OpenVPN. Nyuma yo gutemba byerekanwe na Akayunguruzo, aderesi yerekanwe

Kuri Prober ikora iperereza rikora nkukwemeza. Kohereza iperereza ryitondewe kugirango ritange imyitwarire yihariye ya protocole, Prober irashoboye kumenya seriveri ya OpenVPN ikoresheje imiyoboro yo kuruhande nubwo seriveri ituma OpenVPN yirwanaho itabishaka. Ibikorwa byacu byiciro bibiri birashobora gutunganya ISP-nini yimodoka kumurongo-umuvuduko hamwe nigipimo gito cyibinyoma cyiza.

Usibye ibyingenzi cyangwa "vanilla" OpenVPN, dushyiramo na serivisi za VPN zubucuruzi "obfuscated" muri ubu bushakashatsi. Mu rwego rwo kongera kwivanga kwa ISP hamwe n’abashinzwe kugenzura, serivisi za VPN zitemewe zatangiye gukurura, cyane cyane ku bakoresha mu bihugu bifite ubugenzuzi bukabije cyangwa amategeko abuza gukoresha VPN ku giti cye. Serivise za VPN zitemewe, abayikora bakunze kuyita "itagaragara" na "idahagarikwa" [5, 49, 54], mubisanzwe bakoresha OpenVPN hamwe nibindi byongeweho kugirango birinde kumenyekana [2, 66].

Gufatanya na Merit (hagati ya ISP yo hagati yo mu karere ikorera abaturage babarirwa muri miriyoni 1), twohereza urwego rwacu kuri seriveri ikurikirana igenzura Gbps 20 zo kwinjira hamwe na traffic egress zerekanwe kuva muri Merit point-ya-ahari. . Mu bizamini byacu, turashoboye kumenya 1718 kuri 2000 bitemba bituruka kumashini igenzura abakiriya iba murusobe, bihuye na 39 kuri 40 idasanzwe ya "vanilla" OpenVPN.

Igitangaje cyane, natwe tumenye neza hejuru ya bibiri bya kabiri bya OpenVPN bitemba. Umunani kuri 10 ba mbere batanga serivise zitagaragara, nyamara zose zashyizwe kumurongo na Akayunguruzo kacu. Nubwo abatanga ibyifuzo bisabwa bidashobora gukurikiranwa (nka "... ndetse nu mutanga wa interineti ntashobora kuvuga ko ukoresha VPN" [49]), dusanga gushyira mubikorwa byinshi bya serivise zisa na OpenVPN zipfundikijwe na XOR-Patch yoroshye [36], byoroshye gutunga urutoki. Kubura padi idasanzwe kurwego rwa obfuscation hamwe no gufatanya na seriveri ya vanilla OpenVPN nayo ituma serivisi zitemewe zishobora kwibasirwa.

Umunsi usanzwe, seriveri imwe imwe isesengura TB 15 yimodoka na miliyari 2 zitemba. Mu isuzuma ryiminsi umunani, urwego rwacu rwerekanye 3,638 rutemba nka OpenVPN ihuza. Muri ibyo, turashoboye kubona ibimenyetso bifasha ibisubizo byacu byo gutahura ibintu 3,245 bitemba, byerekana igipimo cyo hejuru cyibinyoma-cyiza cyateganijwe inshuro eshatu zubunini buri munsi yuburyo bwa ML bushingiye [3, 14, 26].

Twanzuye ko gukurikirana no guhagarika ikoreshwa rya OpenVPN, ndetse nuburyo bwinshi bwa obfuscation bugezweho, biroroshye kandi bigerwaho na ISP cyangwa umukoresha uwo ari we wese, kimwe nabanzi bigihugu. Bitandukanye nibikoresho byo kuzenguruka nka Tor cyangwa Refraction Networking [8, 74], ikoresha ingamba zihamye zo kwirinda gutahura, tekiniki zikomeye za obfuscation zabuze bigaragara muri OpenVPN hamwe n’ibinyabuzima bigari bya VPN. Ku bakoresha impuzandengo, ibi bivuze ko bashobora guhura noguhagarika cyangwa guterwa na ISP, ariko kubakoresha cyane, abakoresha ibyiyumvo, uku gutunga urutoki birashobora gutuma bakurikirana ibitero bigamije guhungabanya umutekano wumurongo wa OpenVPN [40, 51]. Turaburira abakoresha bafite urugero rwiterabwoba rudakwiye gutegereza ko imikoreshereze yabo ya VPN itazakurikiranwa, kabone niyo yaba ihujwe na serivisi zitemewe. Mugihe dusaba kwirwanaho mugihe gito kubikorwa byo gutunga urutoki byasobanuwe muriyi mpapuro, dufite ubwoba ko, mugihe kirekire, umukino winjangwe nimbeba umeze nkuwari hagati ya Firewall nini na Tor uri hafi muri ecosystem ya VPN nkuko neza. Turasaba abaterankunga ba VPN nababitanga kugirango batezimbere, basuzume, kandi bemeze ingamba zikomeye, zemejwe neza na obfuscation no kuzihuza nigihe iterabwoba ryatewe nabanzi rikomeje kwiyongera.