ntop / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

Detecting Psiphon? #1099

Closed MDMCK10 closed 3 years ago

MDMCK10 commented 3 years ago

So recently I've had to deal with the issue of VPNs being used to bypass network restrictions. While I've had success detecting most VPNs using both nDPI and other solutions, I've come across one I can't quite figure out how to detect, and that is Psiphon.

While I did check that there was a previous issue regarding this specific VPN, it seems that the original issue didn't go anywhere.

So: How does one detect this "Psiphon" VPN using nDPI?

MDMCK10 commented 3 years ago

While I don't quite know how to make PCAPs of it properly, I used the "any.run" service to do network analysis of the application itself, and it seems that "any.run" provides PCAPs of the network traffic of the machine the application was run in. I've attached said "any.run" tasks below, along with the PCAPs generated by "any.run":

https://app.any.run/tasks/38ee0b69-18d2-4ed1-b778-4a3e6c74a71e/ (default configuration, machine has full network access)
https://drive.google.com/file/d/10aFlVlyquZCxrc3CPAUw3U6KPLf6jr0H/view?usp=sharing

https://app.any.run/tasks/9ff353c3-58e2-480a-8952-ef7f6b85261c/ ("Fake net" enabled, which makes all requests fail; in this one it shows more clearly that the application tries to use different methods to connect)
https://drive.google.com/file/d/1BeRUjEKZ-CFT9eFiarYuab50cciTlLv9/view?usp=sharing

MDMCK10 commented 3 years ago

Anyone have anything useful related to this?

lucaderi commented 3 years ago

I have analysed the two pcaps and I see a lot of junk connections like this. Not sure I can identify the few with the protocol you are mentioning.

1   UDP 192.168.100.23:52569 -> 194.36.108.26:554 [proto: 188/QUIC][cat: Web/5][16 pkts/19872 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][41.52 sec][ALPN: h3-24][TLS Supported Versions: TLSv1.3][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 2965/0 16094/0 5033/0][Pkt Len c2s/s2c min/avg/max/stddev: 1242/0 1242/0 1242/0 0/0][TLSv1.3][Client: paristeltel.org][JA3C: 19fc5c235882855f161c8e8ce2aa445a][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
2   UDP 192.168.100.23:65119 -> 213.108.105.184:554 [proto: 188/QUIC][cat: Web/5][16 pkts/19872 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][29.31 sec][ALPN: h3-24][TLS Supported Versions: TLSv1.3][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 2093/0 12800/0 3507/0][Pkt Len c2s/s2c min/avg/max/stddev: 1242/0 1242/0 1242/0 0/0][TLSv1.3][Client: nanopuzzle.net][JA3C: 19fc5c235882855f161c8e8ce2aa445a][PLAIN TEXT (ispJTS)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
3   UDP 192.168.100.23:65361 -> 88.208.230.106:443 [proto: 188/QUIC][cat: Web/5][16 pkts/19872 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][46.51 sec][ALPN: h3-24][TLS Supported Versions: TLSv1.3][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3322/0 21076/0 6026/0][Pkt Len c2s/s2c min/avg/max/stddev: 1242/0 1242/0 1242/0 0/0][TLSv1.3][Client: www.rayindianaarticle.net][JA3C: 19fc5c235882855f161c8e8ce2aa445a][PLAIN TEXT (02 Pwa)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
4   UDP 192.168.100.23:63712 -> 109.228.54.54:443 [proto: 188/QUIC][cat: Web/5][14 pkts/17388 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][23.48 sec][ALPN: h3-24][TLS Supported Versions: TLSv1.3][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1956/0 10839/0 3245/0][Pkt Len c2s/s2c min/avg/max/stddev: 1242/0 1242/0 1242/0 0/0][Risk: ** Suspicious DGA domain name **][TLSv1.3][Client: www.brasilfabulouspublicationspark.org][JA3C: 19fc5c235882855f161c8e8ce2aa445a][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
5   UDP 192.168.100.23:52230 -> 217.174.240.141:554 [proto: 188/QUIC][cat: Web/5][13 pkts/16146 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][12.61 sec][ALPN: h3-24][TLS Supported Versions: TLSv1.3][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1146/0 6399/0 1911/0][Pkt Len c2s/s2c min/avg/max/stddev: 1242/0 1242/0 1242/0 0/0][TLSv1.3][Client: vcuiempiredowntown.net][JA3C: 19fc5c235882855f161c8e8ce2aa445a][PLAIN TEXT (QqBmern)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
6   TCP 192.168.100.23:49901 <-> 151.101.1.194:443 [proto: 91/TLS][cat: Web/5][16 pkts/10064 bytes <-> 10 pkts/2985 bytes][Goodput ratio: 91/81][0.02 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.542 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1/2 7/5 2/2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 629/298 1514/1453 637/418][Risk: ** SNI TLS extension was missing **][TLSv1.3][JA3C: 19cc194917b610d58ad29129e7c3f1cf][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 13,0,6,0,0,0,0,13,0,0,0,0,0,0,0,6,13,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,34,0,0]
7   TCP 192.168.100.23:50611 <-> 193.148.19.242:443 [proto: 91/TLS][cat: Web/5][14 pkts/10059 bytes <-> 10 pkts/2985 bytes][Goodput ratio: 92/81][0.02 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.542 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1/2 7/6 2/2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 718/298 1514/1453 639/418][Risk: ** SNI TLS extension was missing **][TLSv1.3][JA3C: 8c23d614aa018ed7bc6c88b545ece240][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 13,0,6,0,0,0,0,13,0,0,0,0,0,0,0,0,13,0,0,0,6,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,34,0,0]
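As an added example (not nDPI code and not posted in this thread): a small Python triage script that parses ndpiReader flow lines like the ones above and groups the one-way QUIC flows (UDP, QUIC, zero packets back from the server) by JA3C, which is the pattern the posted output shows. The SAMPLE lines are constructed to mirror that output; destination addresses and SNIs are placeholders, and the JA3C values are the ones printed above.

```python
"""Triage helper for ndpiReader flow lines (added example, not nDPI code).

Parses the "[key: value]" fields ndpiReader prints per flow and groups the
one-way QUIC flows (UDP, QUIC, zero packets back) by JA3C, the pattern in
the posted output. SAMPLE is constructed; addresses and SNIs are placeholders.
"""
import re
from collections import defaultdict

HEAD_RE = re.compile(r"^\s*\d+\s+(TCP|UDP)\s+(\S+)\s+(<->|->)\s+(\S+)")
FIELD_RE = re.compile(r"\[([^\[\]:]+):\s*([^\[\]]*)\]")
PKTS_RE = re.compile(r"(\d+) pkts/\d+ bytes (?:<->|->) (\d+) pkts/\d+ bytes")

def parse_flow(line):
    """Return transport, endpoints, per-direction packet counts and fields."""
    head = HEAD_RE.match(line)
    if not head:
        return None
    flow = {"l4": head.group(1), "src": head.group(2), "dst": head.group(4)}
    for key, val in FIELD_RE.findall(line):   # e.g. [JA3C: ...], [Client: ...]
        flow[key.strip()] = val.strip()
    m = PKTS_RE.search(line)                   # "[16 pkts/19872 bytes -> 0 pkts/0 bytes]"
    if m:
        flow["c2s_pkts"], flow["s2c_pkts"] = int(m.group(1)), int(m.group(2))
    return flow

def is_oneway_quic(flow, min_c2s=5):
    """True for QUIC client hellos that never got a reply (as in flows 1-5 above)."""
    return (flow["l4"] == "UDP" and flow.get("proto", "").endswith("/QUIC")
            and flow.get("s2c_pkts") == 0 and flow.get("c2s_pkts", 0) >= min_c2s)

def triage(lines):
    """Map JA3C -> [(dst, SNI, risk)] for the one-way QUIC flows in lines."""
    groups = defaultdict(list)
    for line in lines:
        flow = parse_flow(line)
        if flow and is_oneway_quic(flow):
            groups[flow.get("JA3C", "?")].append(
                (flow["dst"], flow.get("Client", ""), flow.get("Risk", "")))
    return dict(groups)

SAMPLE = """\
1   UDP 192.168.100.23:52569 -> 203.0.113.10:554 [proto: 188/QUIC][cat: Web/5][16 pkts/19872 bytes -> 0 pkts/0 bytes][ALPN: h3-24][TLSv1.3][Client: example-a.invalid][JA3C: 19fc5c235882855f161c8e8ce2aa445a]
2   UDP 192.168.100.23:63712 -> 203.0.113.11:443 [proto: 188/QUIC][cat: Web/5][14 pkts/17388 bytes -> 0 pkts/0 bytes][Risk: ** Suspicious DGA domain name **][TLSv1.3][Client: example-b.invalid][JA3C: 19fc5c235882855f161c8e8ce2aa445a]
3   TCP 192.168.100.23:49901 <-> 203.0.113.12:443 [proto: 91/TLS][cat: Web/5][16 pkts/10064 bytes <-> 10 pkts/2985 bytes][TLSv1.3][JA3C: 19cc194917b610d58ad29129e7c3f1cf]
"""

if __name__ == "__main__":
    for ja3c, flows in triage(SAMPLE.splitlines()).items():
        print(ja3c, len(flows), "one-way QUIC flows:", flows)
```

Feed it `ndpiReader -i file.pcap -v 2` output to see which client fingerprints keep sending unanswered QUIC hellos to many destinations; that is a triage cue for a human, not a protocol dissector.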
MDMCK10 commented 3 years ago

@lucaderi well, the thing with Psiphon is that it's actually designed to be more of a censorship circumvention style VPN rather than just a normal one, meaning it tries its hardest to make blocking it pretty difficult (well, not surprising given how it can even bypass the GFW in China), although I do hope something can be done to detect it. If you need any more info like more PCAPs, specific tests involving the application, etc., do let me know.

MDMCK10 commented 3 years ago

@lucaderi Has there been any progress in regards to this?

lucaderi commented 3 years ago

No, I have no plan/time to implement this protocol, but you can submit a PR with the code for supporting it.