Adding support to detection: SNI Injection/SSL Tunnel/DNS Tunnel/Shadowsocks/V2Ray/Xray/Hysteria/ #2573
Comments
|
Can we discuss the way forward for adding this support.I can generate more PCAPs with specific protocol scenarios. |
|
Such services are often used to circumvent censorship, so it will be a two-edged sword. |
|
@0xA50C1A1 |
|
I personally don't have any plans on working on that topic in the short term. Of course, I'll review any PR
How is that useful from an implementation POV? We don't have access to the HTTP host header, do we? |
|
Thanks for the feedback, regarding HTTP host header only server side can see, like cloud or hosting provider --> "Requests where the host header in HTTP/HTTPS requests that doesn't match the original TLS SNI extension used during the TLS negotiation gets blocked." However I'm going to work with below approach for initially for detecting VPN/SNI injectors based on currently available nDPI features and infrastructure. 1.Capture sample PCAPS of same service with legitimate behavior and same service under VPN. Example suspected traffic analysis
|
Problem Description:
Most Internet users use Specific zero-rated fraud techniques, including HTTP Header Injection, Domain Fronting,
and DNS Spoofing to bypass DPI rules using zero-rated url or subscribed services.It's good to have improved detection such techniques.The simulation can be performed using HTTP-Injector mobile app.
some hints to detect such attempts
You can detect mismatches between the TLS Server Name Indication (SNI) and the HTTPS host header, and get a warning about domain fronting.
Sample Captures
Attached some pcap file with having initial handshake request such connection attempts
http-inject_28_Sep_12_35_57.zip
The text was updated successfully, but these errors were encountered: