Notes: Traffic Camouflage (Traffic Obfuscation)
This article was updated by AlvinCR on June 2, 2020
Article Guide
1. Traffic Camouflage (Traffic Obfuscation)
Traffic obfuscation is one of the techniques commonly used by today's censorship circumvention systems.
To improve the accuracy of network traffic identification and the ability to monitor it, techniques for identifying and tracing obfuscated traffic have also received much attention. Through an in-depth analysis of the three mainstream classes of traffic obfuscation techniques, randomization, mimicry and tunneling, the paper compares their technical frameworks, covertness, usability and application scenarios; it analyzes two classes of identification techniques, deep packet inspection and machine learning, and compares their identification accuracy; and it analyzes and compares two classes of traffic tracing techniques, passive correlation and active correlation. Finally, it gives development trends for traffic obfuscation, identification and tracing techniques.
Censorship circumvention systems use traffic obfuscation to hide abnormal traffic within normal traffic so that the two are hard to tell apart. They usually introduce obfuscation at the first hop into an anonymous communication network or before connecting to a VPN proxy node. The continual upgrading of obfuscation techniques has also strengthened the anti-censorship capability of circumvention systems. Taking the Tor anonymity network as an example, it integrates obfuscation into the Tor Browser in the form of pluggable transports, obfuscating HTTP messages before sending them out. A VPN obfuscates messages at the VPN client before sending them to the VPN proxy node. Early circumvention systems simply relied on encrypting message payloads to hide information, but censors could easily identify them using features such as IP addresses and service port numbers.
Original source: http://www.jos.org.cn/html/2018/10/5620.htm (Journal of Software)
2. Reasons and Purpose
2.1 Reasons
Summary:
Countries have strengthened censorship for a variety of reasons.
Original text:
Around the world, well-resourced governments seek to censor the Internet. Censorship is driven by governments' desires to control access to information deemed politically or socially sensitive, or to protect national economic interests. For example, in China, performing Internet searches for information on Tiananmen Square reveals no information about the events in 1989, and communication platforms run by companies outside China, such as Gmail and Twitter, are among those that are routinely blocked. Although China's "Great Firewall" is perhaps the best known example of Internet censorship by a nation-state, similar controls are enacted in Turkey, Iran, Malaysia, Syria, Belarus, and many other countries. (An excellent survey of the censorship policies by various governments around the world is provided by the OpenNet Initiative; opennet.net.)
In this article, we focus on the technical underpinnings of automated censorship and of the network traffic obfuscation tools aimed at circumventing it. By automated censorship, we mean government-deployed or -mandated network monitoring equipment typically installed at ISPs. These systems detect and disrupt the flow of censored information without any direct human involvement and are applied broadly to enforce government policies over all citizens. This differs from targeted approaches to taking down Internet content, such as the US government's takedown of the Silk Road, which was an Internet marketplace for illicit goods such as drugs and weapons.
Paper: Network Traffic Obfuscation and Automated Internet Censorship
2.2 Purpose
Although strict regulation helps protect security, some resources such as papers cannot be obtained from within the country; by disguising one's own access requests as other content, one can get past the filtering mechanism and reach information that is inaccessible locally.
3. Related Software
3.1 Tor Browser
The legendary Onion browser, which uses the Tor network.
The Tor network is designed to provide users with low-latency anonymous communication. Tor clients build circuits through publicly listed relays to reach their destinations anonymously. However, because the relays are publicly listed, a censoring adversary can easily block them. The Tor project therefore envisioned the possibility of unlisted entry points to the Tor network, commonly known as bridges.
Related paper: SkypeMorph: protocol obfuscation for Tor bridges
3.2 Trojan
Trojan is a relatively new piece of software whose design takes an approach better suited to local conditions. People generally assume that strong encryption and random obfuscation can fool filtering mechanisms. Trojan, however, implements the opposite of that idea: it imitates HTTPS, the most common protocol on the Internet, so closely that it is taken for HTTPS and thus not identified.
As shown in the figure, Trojan works on port 443 and handles HTTPS requests from the outside world. If a request is a legitimate Trojan request, it is served; otherwise the traffic is handed to the Nginx web server, which serves it. From this workflow it follows that Trojan behaves in every respect like Nginx and introduces no extra features, which is what makes it unidentifiable. Of course, to guard against malicious probing, we need to redirect all traffic on port 80 to port 443 and expose only ports 80 and 443 on the server, so that the server behaves like a common web server.
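To make the dispatch rule above concrete, here is an added example (my own illustrative re-implementation, not code from the Trojan project) that reads the first plaintext bytes of a terminated TLS stream in the layout the Trojan protocol uses, hex(SHA224(password)) + CRLF + request + CRLF + payload, and decides between serving the request and forwarding the bytes untouched to the fallback web server. The password and request bytes are constructed for the demo.

```python
import hashlib
import ipaddress

# Illustrative re-implementation of the Trojan server's dispatch decision described
# above; it is NOT the trojan project's own code. Assumes TLS has already been
# terminated and `data` holds the first plaintext bytes of the stream.

CRLF = b"\r\n"
CMDS = {0x01: "CONNECT", 0x03: "UDP ASSOCIATE"}


def password_hash(password: str) -> str:
    """Trojan identifies a client by hex(SHA224(password)), 56 ASCII characters."""
    return hashlib.sha224(password.encode()).hexdigest()


def parse_request(buf: bytes, pos: int):
    """Parse CMD | ATYP | DST.ADDR | DST.PORT at buf[pos:]; return (info, new_pos)."""
    cmd, atyp = buf[pos], buf[pos + 1]
    pos += 2
    if atyp == 0x01:                      # IPv4, 4 bytes
        host, pos = str(ipaddress.IPv4Address(buf[pos:pos + 4])), pos + 4
    elif atyp == 0x03:                    # domain name, length-prefixed
        n = buf[pos]
        host, pos = buf[pos + 1:pos + 1 + n].decode(), pos + 1 + n
    elif atyp == 0x04:                    # IPv6, 16 bytes
        host, pos = str(ipaddress.IPv6Address(buf[pos:pos + 16])), pos + 16
    else:
        raise ValueError("unknown ATYP")
    port = int.from_bytes(buf[pos:pos + 2], "big")
    return {"cmd": CMDS.get(cmd, "UNKNOWN"), "host": host, "port": port}, pos + 2


def classify_stream(data: bytes, known_hashes: set) -> dict:
    """Decide whether a Trojan server would serve `data` itself or hand it to Nginx."""
    # Only a stream that begins with a configured password hash followed by CRLF
    # is a Trojan request. Everything else (a browser's GET, an active probe,
    # a wrong password) is forwarded byte-for-byte to the real web server, so
    # the sender gets exactly the response an ordinary HTTPS site would give.
    if data[56:58] != CRLF or data[:56].decode("ascii", "replace") not in known_hashes:
        return {"kind": "fallback", "forward": data}
    try:
        info, pos = parse_request(data, 58)
    except (IndexError, ValueError):
        return {"kind": "fallback", "forward": data}
    if data[pos:pos + 2] != CRLF:
        return {"kind": "fallback", "forward": data}
    info.update(kind="trojan", payload=data[pos + 2:])
    return info
```

Note that this decision happens only after TLS termination; what a DPI box sees on the wire is the TLS handshake itself, so the TLS fingerprint (cipher suites, ALPN, certificate) is what actually has to match an ordinary web server.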
4. Camouflage Methods
Summary:
In recent years, many obfuscation systems have been developed to support censorship circumvention schemes, so that encrypted network traffic can pass inspection and filtering.
Original text:
Internet censors seek ways to identify and block internet access to information they deem objectionable. Increasingly, censors deploy advanced networking tools such as deep-packet inspection (DPI) to identify such connections. In response, activists and academic researchers have developed and deployed network traffic obfuscation mechanisms. These apply specialized cryptographic tools to attempt to hide from DPI the true nature and content of connections. This survey offers an overview of network traffic obfuscation and its role in circumventing Internet censorship.
Paper: Marionette: A Programmable Network Traffic Obfuscation System
The material above comes mainly from Google Scholar.