New Study Exposes OpenVPN Fingerprintability, Raising Privacy Concerns

by Virtual Machine Tech | 6m | 2025/01/12

Too Long; Didn't Read

This research describes methods for fingerprinting OpenVPN traffic, achieving 85% accuracy and raising concerns about VPN blocking and countermeasures.

Authors:

(1) Diwen Xue, University of Michigan;

(2) Reethika Ramesh, University of Michigan;

(3) Arham Jain, University of Michigan;

(4) Arham Jain, Merit Network, Inc.;

(5) J. Alex Halderman, University of Michigan;

(6) Jedidiah R. Crandall, Arizona State University/Breakpointing Bad;

(7) Roya Ensafi, University of Michigan.

Table of Links

Abstract and 1 Introduction

2 Background & Related Work

3 Challenges in Real-world VPN Detection

4 Adversary Model and Deployment

5 Ethics, Privacy, and Responsible Disclosure

6 Identifying Fingerprintable Features and 6.1 Opcode-based Fingerprinting

6.2 ACK-based Fingerprinting

6.3 Active Server Fingerprinting

6.4 Constructing Filters and Probers

7 Fine-tuning for Deployment and 7.1 ACK Fingerprint Thresholds

7.2 Choice of Observation Window N

7.3 Effects of Packet Loss

7.4 Server Churn for Asynchronous Probing

7.5 Probe UDP and Obfuscated OpenVPN Servers

8 Real-world Deployment Setup

9 Evaluation & Findings and 9.1 Results for control VPN flows

9.2 Results for all flows

10 Discussion and Mitigations

11 Conclusion

12 Acknowledgement and References

Appendix

Abstract

VPN adoption has seen steady growth over the past decade due to increased public awareness of privacy and surveillance threats. In response, certain governments are attempting to restrict VPN access by identifying connections using "dual use" DPI technology. To investigate the potential for VPN blocking, we develop mechanisms for accurately fingerprinting connections using OpenVPN, the most popular protocol for commercial VPN services. We identify three fingerprints based on protocol features such as byte pattern, packet size, and server response. Playing the role of an attacker who controls the network, we design a two-phase framework that performs passive fingerprinting and active probing in sequence. We evaluate our framework in partnership with a million-user ISP and find that we identify over 85% of OpenVPN flows with only negligible false positives, suggesting that OpenVPN-based services can be effectively blocked with little collateral damage. Although some commercial VPNs implement countermeasures to avoid detection, our framework successfully identified connections to 34 out of 41 "obfuscated" VPN configurations. We discuss the implications of VPN fingerprintability for different threat models and propose short-term defenses. In the longer term, we urge commercial VPN providers to be more transparent about their obfuscation approaches and to adopt more principled detection countermeasures, such as those developed in censorship circumvention research.

1 Introduction

ISPs, advertisers, and national governments are increasingly disrupting, manipulating, and monitoring Internet traffic [16, 22, 27, 47, 69]. As a result, virtual private network (VPN) adoption has been growing rapidly, not only among activists and journalists with heightened threat models but also among average users, who employ VPNs for reasons ranging from protecting their privacy on untrusted networks to circumventing censorship. As a recent example, with the passage of Hong Kong's new national security law, popular VPN providers observed a 120-fold surge in downloads due to fears of escalating surveillance and censorship [62].


In response to the growing popularity of VPNs, numerous ISPs and governments are now seeking to track or block VPN traffic in order to maintain visibility and control over the traffic within their jurisdictions. Binxing Fang, the designer of the Great Firewall of China (GFW), said there is an "eternal war" between the Firewall and VPNs, and the country has ordered ISPs to report and block personal VPN usage [60, 61]. More recently, Russia and India have proposed to block VPN services in their countries, both labeling VPNs a national cybersecurity threat [44, 59]. Commercial ISPs are also motivated to track VPN connections. For example, in early 2021, a large ISP in South Africa, Rain, Ltd., started to throttle VPN connections by over 90 percent in order to enforce quality-of-service restrictions in their data plans [64].


ISPs and censors are known to employ a variety of simple anti-VPN techniques, such as tracking connections based on IP reputation, blocking VPN provider (provider from here on) websites, and enacting laws or terms of service forbidding VPN usage [46, 53, 60]. Yet, these methods are not robust; motivated users find ways to access VPN services in spite of them. However, even less powerful ISPs and censors now have access to technologies such as carrier-grade deep packet inspection (DPI), with which they can implement more sophisticated modes of detection based on protocol semantics [43, 48].


In this paper, we explore the implications of DPI for VPN detection and blocking by studying the fingerprintability of OpenVPN (the most popular protocol for commercial VPN services [6]) from the perspective of an adversarial ISP. We seek to answer two research questions: (1) can ISPs and governments identify traffic flows as OpenVPN connections in real time? and (2) can they do so at scale without incurring significant collateral damage from false positives? Answering these questions requires more than just identifying fingerprinting vulnerabilities; although challenging, we need to demonstrate practical exploits under the constraints of how ISPs and nation-state censors operate in the real world.


We build a detection framework that is inspired by the architecture of the Great Firewall [1, 11, 71], consisting of Filter and Prober components. A Filter performs passive filtering over passing network traffic in real time, exploiting protocol quirks we identified in OpenVPN's handshake stage. After a flow is flagged by a Filter, the destination address is passed to a Prober that performs active probing as confirmation. By sending probes carefully designed to elicit protocol-specific behaviors, the Prober is able to identify an OpenVPN server using side channels even if the server enables OpenVPN's optional defense against active probing. Our two-phase framework is capable of processing ISP-scale traffic at line speed with an extremely low false-positive rate.


Figure 1: OpenVPN Session Establishment (TLS mode).


In addition to core or "vanilla" OpenVPN, we also include commercial "obfuscated" VPN services in this study. In response to increasing interference from ISPs and censors, obfuscated VPN services have started to gain traction, especially from users in countries with heavy censorship or laws against the personal usage of VPNs. Obfuscated VPN services, whose operators often tout them as "invisible" and "unblockable" [5, 49, 54], typically use OpenVPN with an additional obfuscation layer to avoid detection [2, 66].


Partnering with Merit (a mid-size regional ISP that serves a population of 1 million users), we deploy our framework at a monitor server that observes 20 Gbps of ingress and egress traffic mirrored from a Merit point-of-presence. (Refer to § 5 for ethical considerations.) We use PF_RING [38] in zero-copy mode for fast packet processing by parallelized Filters. In our tests, we are able to identify 1718 out of 2000 flows originating from a control client machine residing within the network, corresponding to 39 out of 40 unique "vanilla" OpenVPN configurations.


More strikingly, we also successfully identify over two-thirds of obfuscated OpenVPN flows. Eight out of the top 10 providers offer obfuscated services, yet all of them are flagged by our Filter. Despite providers' lofty unobservability claims (such as "... even your Internet provider can't tell that you're using a VPN" [49]), we find most implementations of obfuscated services resemble OpenVPN masked with the simple XOR-Patch [36], which is easily fingerprintable. Lack of random padding at the obfuscation layer and co-location with vanilla OpenVPN servers also make the obfuscated services more vulnerable to detection.
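Why a static XOR layer without random padding stays fingerprintable, shown as an added example that is not code from the paper or from this page. It models the obfuscation as a repeating-key XOR (a simplification of XOR-Patch); the helper names, key, packet sizes and padding scheme are constructed assumptions.

```python
import os
from itertools import cycle

def xor_mask(payload: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: a simplified model of a static XOR obfuscation layer."""
    return bytes(b ^ k for b, k in zip(payload, cycle(key)))

def pad_random(payload: bytes, max_pad: int = 64) -> bytes:
    """Hypothetical padding scheme: 1-byte pad length, then that many random bytes."""
    n = os.urandom(1)[0] % (max_pad + 1)
    return bytes([n]) + os.urandom(n) + payload

def first_byte_pattern(packets):
    """Label packets by the order in which each first-byte value first appears.
    Labels ignore the byte values, so a fixed byte substitution cannot change them."""
    seen = {}
    return [seen.setdefault(p[0], len(seen)) for p in packets]

def observable_profile(packets):
    """What an on-path observer sees without the key: sizes and first-byte pattern."""
    return [len(p) for p in packets], first_byte_pattern(packets)

def sample_flow():
    """Constructed flow: first byte is (opcode << 3) | key_id as in OpenVPN's header;
    opcode/size pairs and the random bodies are illustrative, not a capture."""
    shape = [(7, 14), (8, 26), (5, 22), (4, 300), (5, 22), (4, 180)]
    return [bytes([op << 3]) + os.urandom(size - 1) for op, size in shape]

if __name__ == "__main__":
    key = b"constructed-key"
    flow = sample_flow()
    masked = [xor_mask(p, key) for p in flow]
    padded = [xor_mask(pad_random(p), key) for p in flow]
    print("plain :", observable_profile(flow))
    print("xor   :", observable_profile(masked))   # same sizes, same pattern
    print("padded:", observable_profile(padded))   # sizes no longer match
```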


In a typical day, our single-server setup analyzes 15 TB of traffic and 2 billion flows. Over an eight-day evaluation, our framework flagged 3,638 flows as OpenVPN connections. Among these, we are able to find evidence that supports our detection results for 3,245 flows, suggesting an upper-bound false-positive rate three orders of magnitude lower than previous ML-based approaches [3, 14, 26].


We conclude that tracking and blocking the use of OpenVPN, even with current obfuscation methods, is straightforward and within the reach of any ISP or network operator, as well as nation-state adversaries. Unlike circumvention tools such as Tor or Refraction Networking [8, 74], which employ sophisticated strategies to avoid detection, robust obfuscation techniques have been conspicuously absent from OpenVPN and the broader VPN ecosystem. For average users, this means that they may face blocking or throttling from ISPs, but for high-profile, sensitive users, this fingerprintability may lead to follow-up attacks that aim to compromise the security of OpenVPN tunnels [40, 51]. We caution users with heightened threat models not to expect that their VPN usage will be unobservable, even when connected to obfuscated services. While we propose short-term defenses for the fingerprinting exploits described in this paper, we fear that, in the long term, a cat-and-mouse game similar to the one between the Great Firewall and Tor is imminent in the VPN ecosystem as well. We implore VPN developers and providers to develop, standardize, and adopt robust, well-validated obfuscation strategies and to adapt them as the threats posed by adversaries continue to evolve.


This paper is available on arxiv under the CC BY 4.0 DEED license.