Playing cat and mouse with Deep Packet Inspection

From IFF Wiki
Presenter(s) vmon
Title(s) St.
Organization(s) ASL19
Project(s) Stegotorus
Country(ies) Internetz
Social media vmon@riseup.net
2017 theme Tools & Technology

In this session we give a background on various censorship techniques based on deep packet inspection (DPI). We go through a list of precedents of DPI-based censorship events around the world and simulate them using the NetFilter DPI tool. We then explain the concept of pluggable transports (PTs) and evaluate some of the usual PTs at evading and defeating the filters. We then experiment with the new generation of Stegotorus-based PTs and demonstrate their unique advantages in defeating DPIs. At the end we invite interested audience members to engage in a cat-and-mouse game by developing simple filters for NetFilter or PTs for Stegotorus to defeat each other.


Format Hackathon
Target Groups Developers, Activists
Length 1
Skill Level Intermediate
Language English

Session Slides

You can download the slides from here:

Playing Cat and Mouse with Deep Packet Inspection

Cat and Mouse Playbook

nDPI Installation as iptables filter

You need to install the prerequisites:

 build-essential
 libpcap-dev

The lead repository of nDPI can be found under ntop's GitHub account:

https://github.com/ntop/nDPI

However, this repo did not work for me (after modprobe xt_ndpi, the iptables rule based on ndpi never got invoked) for some reason, so I tried the following fork instead:

https://github.com/betolj/ndpi-netfilter

After following the instructions in the INSTALL file, one needs to copy the generated shared library manually to its appropriate place:

 sudo cp ipt/libxt_ndpi.so /usr/lib/iptables/

(The kernel module (.ko) itself, however, was placed in the correct location by the "make install" script:

 /usr/lib/modules/4.9.11-1-ARCH/extra/xt_ndpi.ko.gz

)

Now we can load the kernel module:

 modprobe xt_ndpi

Run your personal access point

To set up your own censored internet provider, you can use create_ap:

 sudo create_ap wlp4s0 wlp4s0 Republic_of_Wadiya 12345678

Simulating censorship methods

We need to apply filters to both the FORWARD chain (to censor the traffic of clients connected to our censored access point) and the OUTPUT chain (to censor the traffic of your own machine).

  • IP blacklisting (iptables resolves the hostname to its addresses once, when the rule is inserted):
 sudo iptables -t filter -I FORWARD -d wadiya.wikia.com -p tcp -j REJECT
 sudo iptables -t filter -I OUTPUT -d wadiya.wikia.com -p tcp -j REJECT
  • Keyword (string match) blocking; the match is case-sensitive unless --icase is added:
 sudo iptables -t filter -I FORWARD -d wadiya.wikia.com -m string --algo bm --string Wadiya -j REJECT
 sudo iptables -t filter -I OUTPUT -d wadiya.wikia.com -m string --algo bm --string Wadiya -j REJECT
  • Protocol (TLS) based blocking using ndpi (the LOG rule is inserted after the REJECT so that it ends up above it and matching packets are logged before being rejected):
 sudo iptables -I FORWARD -m ndpi --ssl -j REJECT
 sudo iptables -I FORWARD -m ndpi --ssl -j LOG
 sudo iptables -I OUTPUT -m ndpi --ssl -j REJECT
 sudo iptables -I OUTPUT -m ndpi --ssl -j LOG
  • Protocol (TLS) based throttling (the rate-limited ACCEPT is inserted last so that it sits above the REJECT; appending it with -A would leave it below the REJECT and block all TLS instead of throttling it):
 sudo iptables -I OUTPUT -m ndpi --ssl -j REJECT
 sudo iptables -I OUTPUT -m ndpi --ssl -j LOG
 sudo iptables -I OUTPUT -m limit --limit 5/s -m ndpi --ssl -j ACCEPT
  • Dropping all connections after 5 seconds, while allowing port 5001 and 22 traffic to simulate a bridge unknown to the censor. Each NEW connection records the client's source address in the recent list; ESTABLISHED packets are accepted only while that address was seen within the last 5 seconds and are logged and dropped afterwards. Replies to the client traverse FORWARD as well, so that chain needs the --sport 22 rule and a second check with --rdest (the reply's destination is the client); locally generated traffic in OUTPUT only flows outward, so the source check is enough there:
 sudo iptables -I FORWARD 1 -p tcp -m tcp --dport 5001 -j ACCEPT
 sudo iptables -I FORWARD 1 -p tcp -m tcp --sport 5001 -j ACCEPT
 sudo iptables -I FORWARD 1 -p tcp -m tcp --dport 22 -j ACCEPT
 sudo iptables -I FORWARD 1 -p tcp -m tcp --sport 22 -j ACCEPT
 sudo iptables -A FORWARD -p tcp -m state --state NEW -m recent --set
 sudo iptables -A FORWARD -p tcp -m state --state ESTABLISHED -m recent --rcheck --seconds 5 -j ACCEPT
 sudo iptables -A FORWARD -p tcp -m state --state ESTABLISHED -m recent --rcheck --seconds 5 --rdest -j ACCEPT
 sudo iptables -A FORWARD -p tcp -m state --state ESTABLISHED -j LOG
 sudo iptables -A FORWARD -p tcp -m state --state ESTABLISHED -j DROP
 sudo iptables -I OUTPUT 1 -p tcp -m tcp --dport 5001 -j ACCEPT
 sudo iptables -I OUTPUT 1 -p tcp -m tcp --sport 5001 -j ACCEPT
 sudo iptables -I OUTPUT 1 -p tcp -m tcp --dport 22 -j ACCEPT
 sudo iptables -A OUTPUT -p tcp -m state --state NEW -m recent --set
 sudo iptables -A OUTPUT -p tcp -m state --state ESTABLISHED -m recent --rcheck --seconds 5 -j ACCEPT
 sudo iptables -A OUTPUT -p tcp -m state --state ESTABLISHED -j LOG
 sudo iptables -A OUTPUT -p tcp -m state --state ESTABLISHED -j DROP
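
To see what the two DPI rules above actually key on, here is an added example (not part of the session material and not nDPI's code) that models them in userspace: a keyword match standing in for the -m string --string Wadiya rule, and a TLS ClientHello detector standing in for -m ndpi --ssl, which also pulls out the SNI a DPI box reads from the handshake in the clear. The hostname and keyword come from the playbook; the sample payloads are constructed, and the parser and verdict strings are my own assumptions.

```python
import struct

KEYWORD = b"Wadiya"  # the playbook's -m string --string Wadiya rule; case-sensitive, as iptables' string match is by default

def build_client_hello(sni: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record carrying one SNI entry (constructed test input)."""
    host = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(host)) + host                       # name_type 0 = host_name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry            # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"  # version, random, no session id, one suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body                   # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake      # record type 0x16 = handshake

def tls_sni(payload: bytes):
    """None if the payload is not a TLS ClientHello, else its SNI host ('' when there is no SNI extension)."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        p = 44 + payload[43]                                                     # past record/handshake headers, version, random, session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]                        # cipher suites
        p += 1 + payload[p]                                                      # compression methods
        if p + 2 > len(payload):
            return ""
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:                                                       # list len(2), name_type(1), name len(2), name
                name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
        return ""
    except (IndexError, struct.error):
        return None                                                              # truncated or malformed: not a parsable ClientHello

def censor_verdict(payload: bytes) -> str:  # the playbook's two DPI rules in chain order
    if KEYWORD in payload:
        return "REJECT:string"
    sni = tls_sni(payload)
    if sni is not None:                                                          # what -m ndpi --ssl keys on
        return "REJECT:tls sni=" + sni
    return "ACCEPT"

# Constructed sample flows: a plain HTTP request, a TLS handshake, and a stand-in for a pluggable transport's obfuscated bytes.
HTTP_GET = b"GET /wiki/Wadiya HTTP/1.1\r\nHost: wadiya.wikia.com\r\n\r\n"
TLS_HELLO = build_client_hello("wadiya.wikia.com")
PT_BLOB = bytes((i * 73 + 41) & 0xFF for i in range(200))  # deterministic, contains neither the keyword nor a TLS header
```

Note that the case-sensitive keyword rule does not fire on the lowercase SNI of the TLS flow, so only the protocol rule catches it, and the obfuscated stand-in matches neither; that is the gap the session's filter authors have to close with something beyond a keyword or a protocol signature.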


Session Outputs

Next Steps

Additional Notes

Relevant Resources

Contributors