Hello guys, I was wondering if these obfuscated ways of tunneling would also be needed to make the job of sysadmins a nightmare to block the SafeNetwork nodes.
There are several projects that attempt to use it as a proof of concept for data exfiltration, but I think that it would be useful as an extra protocol to fall back on if everything else fails lol
Iodine: http://dev.kryo.se/iodine/
(and some others, but I think these are the main ones that are worth taking a look)
There is a VPN project in Japan that is offering VPN-over-ICMP and VPN-over-DNS features, and that is just the beginning: http://www.softether.org/
Look at all the crazy features they are providing, it is simply mindblowing: http://www.softether.org/3-spec
Some techniques are more exposed to statistical analysis of traffic and abnormal behavior; Heyoka seems to be more stealthy than the other DNS methods.
There is an interesting talk that addresses covert tunnels, and it may be interesting if these techniques can be tweaked and added to the Safe Network multiprotocol arsenal.
If you are in a network where TCP and UDP traffic is blocked, for all practical purposes your internet connection is blocked.
But sometimes they allow pinging other computers and DNS resolution; in those cases we can tunnel by encapsulating TCP in whatever location they allow storing data. IP datagrams allow storing data up to 65,535 bytes, and in DNS you can have data in the resource record.
This could be the last-recourse fallback mechanism when all other attempts at connection have failed, and I think it would make the SafeNetwork resilient as hell.
We are currently integrating uTP again, so TCP encapsulated in UDP datagrams. I think this will make a big difference. So we have the multi-protocol, multi-port network that is fully encrypted. Also keys passed from overlay networks down, i.e. no key negotiation, so MiTM resistant as well. We will get there, I am pretty sure.
Yes, but I was imagining it as a fallback option when there is, for example, Syria that blocked all Internet access to their citizens, or other Middle Eastern (Iraq, Libya) and African countries (Egypt, Uganda, Burundi, Ethiopia, Chad, Republic of Congo and Gabon) that basically "shut down" the internet for everyone to restrict the voice of their people and the access to knowledge in critical times.
UDP and TCP traffic were dropped nationally.
In such extreme cases, a fallback mechanism to esoteric methods wouldn't really be a bad idea.
If uTP fails, try ICMP; and if ICMP fails, try DNS.
It would be badass.
Are you sure it was not only DNS that was culled in these cases? I have seen some corporate networks ban uTP but allow TCP etc. (I believe Google used to do that). I would imagine cutting off the internet completely would be a physical disconnect, which would cripple a country, I would think.
Was that not an "air gap" cut off? Like Egypt too a while ago. They simply turned off the routers on links in/out of the country.
I'd say this will be of minimal benefit if a country wishes to isolate its people from the outside internet. They would simply turn off the access. Why waste time programming the routers to block uTP & TCP when turning them off is more secure.
I don't understand how it could be considered of "little benefit" when you can leverage OSI layer 3 in the case of having the whole layer 4 blocked. Also, having the option of tunneling through DNS when it is often neglected in firewall rules is a nice trick to have up the sleeve.
Having more options is always good in my book, especially when these options are not standard and can sneak through by cleverly hacking their original purpose.
Also setting a drop rule is easier than walking through every building and cutting the cables. It is literally two lines of commands.
Btw, FYI, ICMP packets were reachable in the Egyptian internet blackout during the Arab spring.
Little benefit when routers are turned OFF because a country wants to cut off its people from the rest of the world. This is what that statement was limited to.
For other situations such as firewalls in companies etc. then yes, maybe. But what of the throughput?
[quote="piluso, post:9, topic:12619"]
ICMP packets were reachable in the Egyptian internet blackout during the Arab spring.
[/quote]
Via sat internet that they forgot. Not only ICMP but full internet for some. That is how the video got out IIRC.
Censorship in the wild: Analyzing Internet filtering in Syria
Anatomy of Web Censorship in Pakistan
Internet Censorship in Iran: A first look
Inferring Mechanics of Web Censorship Around the World
The tl;dr version is that every country has its own favorite recipe of censorship. Only Pakistan applies a simplistic DNS-based filtering. The conflict in Egypt was more severe: 3500 BGP routes were withdrawn from the routing tables.
The rest of the world mixes a set of strategies, mainly to snoop on and censor specific content or traffic.
But I believe the main concern for the Safe Network is not tampering but connectivity, right?
Allowing connection to the network through layer 3 would be quite a nice trick to have up the sleeve imho.
The last paper is an eye opener, even in South Korea they are applying online censorship quite heavily.
@neo my understanding is that ICMP tunneling is quite fast, as fast as not using the tunnel at all, especially the "icmptunnel" version.
DNS tunnels are slower and less reliable, unless you create a direct connection between the server and the client. What I've read is that direct connections to the host in "iodine" are surprisingly fast.
I haven't tested them myself yet, but it sounds exciting.
Most routers allow an MTU up to about 1500 bytes; as long as you don't exceed that you should be pretty much okay.
The application could execute PMTUD to self-configure the maximum MTU allowed.
You could be extra sneaky by limiting each packet to a maximum of 64 bytes just to make it look like a normal-sized ping echo.