在本周三伦敦举行的 ACM IMC 2017 会议上,加州大学河滨分校的研究人员发表了论文《Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship》(PDF),介绍了对防火长城干预TCP连接状态的最新研究,并提出了绕过防火长城的新策略,新策略的平均成功率在 90% 以上,最高达到 98%。
互联网审查和监视系统如 NSA 的 PRISM 和中国的 GFW 都能实时分析 TB 级的流量,明文协议如 HTTP、DNS、IMAP 在被监视的同时还可能遭到政府的纂改,加密协议如 SSH、TLS/SSL、PPTP/MPPE 和 Tor 则能通过流量指纹识别出来,然后在 IP 层屏蔽。审查系统背后的关键技术是深度包检测(DPI),GFW 使用的网络入侵检测系统据报道是部署在骨干网的旁路和边界路由器上。部署在旁路的审查系统通过镜像数据包然后对其进行深入分析,能处理极端高的吞吐量。为 了用 DPI 检查应用层内容,GFW 首先需要从数据包重组 TCP 数据流,然后转发到上层供进一步分析。GFW 能分析广泛的应用协议,能应用基于规则的探测引擎检测敏感应用内容。它常用的审查技术包括了 'TCP连接重置' 和 DNS 污染。由于旁路的属性,它不能丢弃终端和主机之间不想要的数据包,它采用的方法是注入伪造包,强行关闭连接,或中断建立连接,并维持中断约 90 秒钟。在此期间,任何 SYN 包都会触发伪造的 SYN/ACK 包,阻断合法的握手,其它数据包则会触发伪造的 RST 和 RST/ACK 包,关闭连接。研究人员对 GFW 测试了现有的规避策略,发现绝大多数不再有效,主要原因是 GFW 的升级。他们测量和分析了新的 GFW TCP状态机,提出了新的规避策略,发布了新的工具 INTANG(只支持 Linux桌面系统)。
来自http://www.solidot.org/story?sid=54363
--------------------------------
Introduction
INTANG is research project for circumventing the "TCP reset attack" from the Great Firewall of China (GFW) by disrupting/desynchronizing the TCP Control Block (TCB) on the censorship devices. INTANG runs as a client-side only tool in background to protect the TCP connections from being interfered (or even monitored) by the GFW. It works on TCP/IP layers instead of application layer, thus considered more general and can help all application layer protocols, e.g. HTTP, DNS over TCP, OpenVPN, Tor, evading censorship. It can also be run on a proxy to make the deployment easier for those who are incapable of running INTANG (using OSes other than Linux or doesn't have root privillige).
Platform
Linux (must has netfilter supported in kernel)
Tested with Ubuntu 12.04/14.04/16.04.
Dependencies
- libnetfilter-queue-dev
- libnfnetlink-dev
- redis-server
- libhiredis-dev
- libev-dev
- python-redis (optional)
- python-scapy (optional)
Compilation
- Install prerequisite packages:
sudo apt-get update
sudo apt-get install libnetfilter-queue-dev libnfnetlink-dev redis-server libhiredis-dev libev-dev python-redis python-scapy
or
./install_deps.sh
- Compile:
make
And the binary will be located under bin folder.
How to Run
- Use
run.sh
to start the daemon. Logs are by default written to /var/log/intangd.log. If you want to test a specific strategy, userun.sh <strategy ID>
. Strategy IDs can be checked withrun.sh -h
. - Use
stop.sh
to stop the daemon. It simply send SIGINT signal to the daemon.
The daemon needs root privilege to run. If you are using Virtual Machine, you'll need to configure the networks in Bridge Mode.
Source Code Organization
/
├── main.c Entry point and Main Thread
├── globals.h Global constants
├── protocol.h Definition of protocol(IP/TCP/UDP/DNS) headers
├── memcache.c In-memory cache
├── cache.c Cache Thread
├── order.c Shared in-memory queue between Main Thread and Cache Thread
├── redis.c Communication interfaces to Redis
├── dns.c DNS Thread
├── dnscli.c Functions for Main Thread to send requests to DNS Thread.
├── logging.c Logging functions
├── strategy.c Strategy registration and selection
├── discrepancy.c Implementation of low-level "insertion packets", such as wrong checksum
├── socket.c Socket related functions, sending crafted packets
├── feedback.c Log uploading functions
├── helper.c Shared global helper functions
├── ttl_probing.c Functions for TTL probing and maintaining
├── test.c Testing functions
├── run.sh/stop.sh Run/Stop INTANG
├── distgen.sh Generating distributable code tarball
├── strategies/
│ ├── dummy.c Dummy strategy (do nothing)
│ ├── rst_***.c TCB teardown strategies
│ ├── do_***.c Buffer prefilling(data overlapping) strategies
│ ├── reverse_tcb.c TCB reversal strategy
│ ├── multiple_syn.c Multiple SYN (Resync-Desync) strategy
│ ├── mixed_***.c Combined strategies.
│ ├── ...
├── tools/ Folder containing python scripts for data analysis
│ ├── dump_stats.py Show success rates of strategies by reading from Redis. (INTANG must be running)
│ ├── dump_stats_from_log.py Show success rates of strategies by reading from log.
│ ├── ...
Disclaimer
INTANG is a reasearch-oriented project. Anyone using it should be aware of the potential risks and responsible for his/her own actions against the censorship authority.
Contact
Any questions could be direct to intang.box@gmail.com
Paper Published
Zhongjie Wang, Yue Cao, Zhiyun Qian, Chengyu Song, and Srikanth V. Krishnamurthy. 2017. Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship. In Proceedings of IMC ’17. ACM, New York,NY, USA, 14 pages. https://doi.org/10.1145/3131365.3131374
FAQ
Please see FAQ page.
from https://github.com/seclab-ucr/INTANG
----
----
A pretty fresh project, from 2017, which has lots of useful DPI circumvention techniques.
INTANG is research project for circumventing the “TCP reset attack” from the Great Firewall of China (GFW) by disrupting/desynchronizing the TCP Control Block (TCB) on the censorship devices. INTANG runs as a client-side only tool in background to protect the TCP connections from being interfered (or even monitored) by the GFW. It works on TCP/IP layers instead of application layer, thus considered more general and can help all application layer protocols, e.g. HTTP, DNS over TCP, OpenVPN, Tor, evading censorship. It can also be run on a proxy to make the deployment easier for those who are incapable of running INTANG (using OSes other than Linux or doesn’t have root privillige).
No comments:
Post a Comment