This article does not cover a complete DPI deployment or how all the pieces fit together, and its scientific value is minimal. It does, however, describe the simplest way of bypassing DPI, one that many companies have not considered.
Warning 1: this article is research in nature; it does not encourage anyone to do or use anything. The idea is based on personal experience, and any coincidences are accidental.
Warning 2: the article does not reveal the secrets of Atlantis, the search for the Holy Grail or other riddles of the universe; all the material is in the public domain and has probably been described on Habré more than once. (I did not find it; I will be grateful for a link.)
For those who have read the warnings, let's begin.
What is DPI?
DPI, or Deep Packet Inspection, is a technology for collecting statistics on, inspecting and filtering network packets by analysing not only the packet headers but the full traffic content, from OSI layer 2 upwards. This makes it possible to detect and block malware and to filter information that does not meet specified criteria.
There are two types of DPI connection, as described by ValdikSS on GitHub:
Passive DPI
A DPI connected to the provider's network in parallel (not inline), either through a passive optical splitter or by mirroring user traffic to it. Such a connection does not slow the provider's network down if the DPI runs out of capacity, which is why large providers use it. A DPI connected this way can technically only detect an attempt to request prohibited content, not suppress it. To get around this limitation and still block access to a banned site, the DPI sends the user who requested a blocked URL a specially crafted HTTP packet redirecting to the provider's stub page, made to look as if the requested resource itself had sent it (the sender's IP address and TCP sequence number are spoofed). Because the DPI is physically closer to the user than the requested site, the forged response reaches the user's device before the real one.
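As an added example (not part of the article, and not ValdikSS's code), the check below finds the forged response in a packet capture of the exchange just described: the DPI spoofs the server's IP address and TCP sequence number and gets its packet in first, so the forged segment and the genuine one share the same source address, port and sequence number but carry different bytes. The Segment fields and the sample flow are constructed for the demonstration.

```python
"""Spot the forged redirect a passive DPI injects into an HTTP flow.

Added example; it is not from the article or from any DPI vendor. It works
on server->client TCP segments as a packet capture would show them; the
Segment fields and the sample flow below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str         # source IP as written in the IP header (spoofed by the DPI)
    sport: int       # source TCP port
    seq: int         # TCP sequence number
    payload: bytes   # TCP payload


def redirect_target(payload):
    """Location of an HTTP 3xx response carried in `payload`, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ")
    if len(status) < 2 or not status[0].startswith(b"HTTP/1.") or not status[1].startswith(b"3"):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"location":
            return value.strip().decode("latin-1")
    return None


def find_injected(segments):
    """Segments that won a same-sequence race against a later, different segment.

    A passive DPI spoofs the server's address and sequence number and sends
    its answer first, so the forged segment and the real one share
    (src, sport, seq) but differ in content. The host's TCP stack keeps the
    first and drops the second as a duplicate; a capture sees both.
    """
    first_seen = {}
    injected = []
    for seg in segments:
        key = (seg.src, seg.sport, seg.seq)
        earlier = first_seen.setdefault(key, seg)
        if earlier is not seg and earlier.payload != seg.payload and earlier not in injected:
            injected.append(earlier)
    return injected


def report(segments):
    """(seq, redirect target) for each injected segment; target is None if not a redirect."""
    return [(s.seq, redirect_target(s.payload)) for s in find_injected(segments)]


# Constructed flow: the forged 302 arrives first, the genuine 200 second, same seq.
FORGED = b"HTTP/1.1 302 Found\r\nLocation: http://stub.provider.example/\r\nConnection: close\r\n\r\n"
GENUINE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"
SAMPLE = [
    Segment("203.0.113.10", 80, 1000, FORGED),
    Segment("203.0.113.10", 80, 1000, GENUINE),
    Segment("203.0.113.10", 80, 1000 + len(GENUINE), b"<!-- next real segment -->"),
]

if __name__ == "__main__":
    for seq, target in report(SAMPLE):
        print(f"injected segment at seq {seq}, redirect to {target}")
```

Run it against a capture rather than the socket stream: the host's TCP stack keeps the first segment it receives and silently drops the genuine one as a duplicate, so only a packet-level view ever sees the race.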
Active DPI
Active DPI is a DPI connected to the provider's network in the usual way, like any other network device. The provider configures routing so that the DPI receives users' traffic to blocked IP addresses or domains, and the DPI itself decides whether to pass or block it. Active DPI can inspect both outgoing and incoming traffic; however, if a provider uses DPI only to block sites from the registry, it is most often configured to inspect outgoing traffic only.
The connection type affects not only how effective blocking is but also the load on the DPI, so a DPI may inspect only certain traffic rather than all of it:
"Normal" DPI
A "normal" DPI is one that filters a given type of traffic only on the ports most common for that type. For example, a "normal" DPI detects and blocks prohibited HTTP traffic only on port 80 and HTTPS traffic only on port 443. A DPI of this type will not notice forbidden content if the request with the blocked URL is sent to an unblocked IP address or a non-standard port.
"Full" DPI
Unlike a "normal" DPI, this type classifies traffic regardless of IP address and port. Blocked sites will therefore not open even through a proxy server on a completely different port and an unblocked IP address.
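To make the difference concrete, here is an added example (not from the article or from any DPI product) of the two classifiers side by side: the "normal" one only looks for HTTP on port 80 and TLS on port 443, while the "full" one extracts the HTTP Host header or the TLS SNI from whatever port the flow uses. The blocklist, the Packet shape and the sample traffic are constructed for the demonstration.

```python
"""Port-based ("normal") versus content-based ("full") DPI classification.

Added example, not code from the article or from any DPI product. The
blocklist, the Packet shape and the sample traffic are constructed here.
"""
import struct
from dataclasses import dataclass

BLOCKED = {"blocked.example"}          # assumed registry of blocked names
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass(frozen=True)
class Packet:
    dport: int       # destination TCP port
    payload: bytes   # first TCP payload of the flow (client -> server)


def http_host(payload):
    """Host header of a plaintext HTTP request, or None if it is not one."""
    if not payload.startswith(HTTP_METHODS):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("latin-1").split(":")[0].lower()
    return None


def tls_sni(payload):
    """server_name from a TLS ClientHello, or None if it is not one."""
    # Record header: type 22 = handshake; handshake header: type 1 = ClientHello.
    if len(payload) < 44 or payload[0] != 22 or payload[5] != 1:
        return None
    try:
        off = 9 + 2 + 32                                         # headers, version, random
        off += 1 + payload[off]                                  # session id
        off += 2 + struct.unpack("!H", payload[off:off + 2])[0]  # cipher suites
        off += 1 + payload[off]                                  # compression methods
        end = off + 2 + struct.unpack("!H", payload[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[off:off + 4])
            off += 4
            if etype == 0:   # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", payload[off + 3:off + 5])[0]
                return payload[off + 5:off + 5 + name_len].decode("ascii").lower()
            off += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def make_client_hello(host):
    """Minimal TLS 1.2 ClientHello with one SNI extension (constructed test input)."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
            + b"\x00\x02\x13\x01"                   # one cipher suite
            + b"\x01\x00"                           # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def normal_dpi_blocks(pkt):
    """"Normal" DPI: looks for HTTP only on 80 and TLS only on 443."""
    if pkt.dport == 80:
        return http_host(pkt.payload) in BLOCKED
    if pkt.dport == 443:
        return tls_sni(pkt.payload) in BLOCKED
    return False


def full_dpi_blocks(pkt):
    """"Full" DPI: classifies by content, whatever the port."""
    return (http_host(pkt.payload) or tls_sni(pkt.payload)) in BLOCKED


# Constructed sample: the same two requests on standard and non-standard ports.
GET = b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"
SAMPLE = [
    Packet(80, GET),
    Packet(8080, GET),
    Packet(443, make_client_hello("blocked.example")),
    Packet(8443, make_client_hello("blocked.example")),
    Packet(80, b"GET / HTTP/1.1\r\nHost: ok.example\r\n\r\n"),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.dport, "normal:", normal_dpi_blocks(pkt), "full:", full_dpi_blocks(pkt))
```

The port-based classifier lets the same request through on 8080 and 8443, which is exactly the "different port" case the next section describes; the content-based one does not care about the port at all.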
Use of DPI
So as not to reduce throughput, a provider will use a "normal" passive DPI, which lets it block resources cheaply. The default configuration is:
- HTTP filter on port 80 only
- HTTPS only on port 443
- BitTorrent only on ports 6881-6889
Problems begin when a resource starts using a different port so as not to lose users; then every packet has to be checked. For example, the resource may offer:
- HTTP works on port 80 and 8080
- HTTPS on port 443 and 8443
- BitTorrent on any other port range
Because of this, the provider has to either switch to an "active" DPI or add blocking at the DNS level with an additional DNS server.
DNS blocking
One way to block access to a resource is to intercept the DNS query with a local DNS server and return the IP address of the "stub" page to the user instead of the address of the requested resource. This does not give a guaranteed result, though, since the substitution can be prevented:
Option 1: editing the hosts file (desktop). The hosts file is part of every operating system, so it is always available. To reach a resource, the user needs to:
- Find out the IP address of the required resource
- Open for editing the hosts file (administrative rights are required) located in:
- Linux: /etc/hosts
- Windows: %WinDir%\System32\drivers\etc\hosts
- Add a line in the format: <ip-address> <resource name>
- Save changes
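A small script that performs the steps above in one go, added here and not taken from the article: the function that edits the file contents is pure, so it can be checked without touching the real file, and the new entry replaces any stale mapping of the same name instead of appending a duplicate. The sample addresses in the usage are placeholders.

```python
"""Pin a name to an address in the hosts file, idempotently.

Added example, not from the article. `with_hosts_entry` is pure so it can
be tested without touching the real file; `main` writes the platform file
and therefore needs administrator rights, as the article says.
"""
import ipaddress
import os
import sys
from pathlib import Path


def hosts_path():
    """Hosts file location on the platforms the article lists."""
    if sys.platform.startswith("win"):
        windir = os.environ.get("WinDir", r"C:\Windows")
        return Path(windir) / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


def with_hosts_entry(text, ip, name):
    """Return `text` with `name` mapped to `ip`.

    Any earlier mapping of `name` is removed (other names sharing that line
    are kept), so repeated runs do not pile up stale entries.
    """
    ipaddress.ip_address(ip)            # raises ValueError on a bad address
    name = name.lower()
    out, pinned = [], False
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in (h.lower() for h in fields[1:]):
            rest = [h for h in fields[1:] if h.lower() != name]
            if rest:
                out.append(f"{fields[0]} {' '.join(rest)}")
            if not pinned:
                out.append(f"{ip} {name}")
                pinned = True
            continue
        out.append(line)
    if not pinned:
        out.append(f"{ip} {name}")
    return "\n".join(out) + "\n"


def main(argv):
    if len(argv) != 3:
        sys.exit(f"usage: {argv[0]} <ip-address> <resource-name>")
    path = hosts_path()
    original = path.read_text(encoding="utf-8")
    path.write_text(with_hosts_entry(original, argv[1], argv[2]), encoding="utf-8")
    print(f"{argv[2]} -> {argv[1]} written to {path}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with administrator rights, for example `python hosts_pin.py 203.0.113.5 example.com` (both values are placeholders). The address has to be obtained out of band, since the provider's resolver is exactly what is being bypassed.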
The advantage of this method is its simplicity; the drawbacks are that it requires administrator rights and that it only defeats DNS substitution: the request itself still goes out in the clear, so a DPI that inspects the HTTP Host header or the TLS SNI will still see the blocked name.
Option 2: DoH (DNS over HTTPS) or DoT (DNS over TLS). These methods protect the DNS query from substitution by encrypting it, but not every application supports them. Consider how easily a user can set up DoH in Mozilla Firefox version 66:
- Go to about: config in Firefox
- Confirm that the user assumes all risk.
- Change the value of the network.trr.mode parameter to:
- 0 - TRR (DoH) disabled
- 1 - race: the system resolver and DoH are queried in parallel and the first answer wins, so the provider still sees every query in plain text
- 2 - DoH first, falling back to the system resolver if the DoH request fails
- 3 - DoH only, with no fallback; the choice to make if the provider must never see a plain-text query
- Change the network.trr.uri setting to the DoH URL of the chosen DNS server
- Change the network.trr.bootstrapAddress parameter (the IP address used to reach the DoH server, so that the server's own hostname is not resolved through the provider's DNS) to:
- If Cloudflare DNS is selected: 1.1.1.1
- If Google DNS is selected: 8.8.8.8
- Change the value of the network.security.esni.enabled parameter to true (encrypted SNI hides the server name in the TLS handshake from a DPI that reads the SNI)
- Verify the configuration with Cloudflare's test page (https://1.1.1.1/help)
Although this method is more complex, it does not require administrator rights. There are many other ways to protect a DNS query that are not described in this article.
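To show both sides of the DNS blocking described above and the DoH alternative, here is an added example (not the article's code): a minimal DNS wire-format encoder and parser, a constructed model of a provider resolver that hands back a stub address for names on its list, and a client that sends the same query as an application/dns-message POST straight to the DoH server's bootstrap address, so the DoH hostname itself never passes through the provider's resolver. The blocklist, stub address and upstream answers are constructed; doh_resolve assumes the server accepts POSTed DNS messages at /dns-query, as Cloudflare's 1.1.1.1 does.

```python
"""DNS substitution by a blocking resolver, and the DoH request that avoids it.

Added example, not from the article. The wire-format helpers are minimal
(A records only); `blocking_resolver` and `honest_resolver` are constructed
models of the provider's stub-returning DNS and of a normal resolver, and
`doh_resolve` assumes the DoH server at the bootstrap address accepts
POSTed application/dns-message, as Cloudflare's does.
"""
import ipaddress
import struct
import urllib.request


def build_query(name, qid=0):
    """Standard A query; id 0, as DoH clients use, keeps the message cacheable."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg, off):
    """Decode a (possibly compressed) name at `off`; return (name, next offset)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            end = end if end is not None else off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg):
    """IPv4 addresses in the answer section of a DNS response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                   # qtype, qclass
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs


def _answer(query, ip):
    """Response to `query` with a single A record `ip` (question copied)."""
    _, qend = _read_name(query, 12)
    qend += 4
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)   # QR, RD, RA
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return header + query[12:qend] + rr


def honest_resolver(query):
    """Constructed upstream: every name resolves to 203.0.113.10."""
    return _answer(query, "203.0.113.10")


def blocking_resolver(query, blocked, stub_ip, upstream=honest_resolver):
    """Model of the provider's DNS: blocked names get the stub, the rest go upstream."""
    qname, _ = _read_name(query, 12)
    if qname.lower() in blocked:
        return _answer(query, stub_ip)
    return upstream(query)


def doh_resolve(name, url="https://1.1.1.1/dns-query"):
    """Send the same query over HTTPS to the DoH server at the bootstrap address."""
    req = urllib.request.Request(url, data=build_query(name), method="POST",
                                 headers={"Content-Type": "application/dns-message",
                                          "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())


if __name__ == "__main__":
    q = build_query("blocked.example")
    print("provider DNS:", parse_a_records(blocking_resolver(q, {"blocked.example"}, "192.0.2.1")))
    print("DoH:", doh_resolve("example.com"))   # needs network access
```

The provider's resolver can only substitute what it can read; the DoH client sends the identical message inside TLS to an IP address it already knows, which is what the bootstrapAddress setting above achieves in Firefox.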
Option 3 (mobile devices): use Cloudflare's 1.1.1.1 app for Android and iOS.
Testing
To verify the loss of access, a domain that is blocked on the territory of the Russian Federation was temporarily purchased for the test.
Conclusion
I hope this article will be useful and will encourage not only administrators to look into the topic in more detail, but will also give an understanding that resources will always be on the user's side, and that the search for new solutions should be an integral part of their work.
Addendum after publication: the Cloudflare test cannot be passed on the Tele2 operator's network; a properly configured DPI blocks access to the test site.
P.S. So far this is the first provider to block resources correctly.