ntop / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

Adding support to detection: SNI Injection/SSL Tunnel/DNS Tunnel/Shadowsocks/V2Ray/Xray/Hysteria/ #2573

Open mmanoj opened 1 month ago

mmanoj commented 1 month ago

Problem Description: Most Internet users use specific zero-rated fraud techniques, including HTTP Header Injection, Domain Fronting, and DNS Spoofing, to bypass DPI rules using a zero-rated URL or subscribed services. It's good to have improved detection of such techniques. The simulation can be performed using the HTTP-Injector mobile app.

Some hints to detect such attempts: you can detect mismatches between the TLS Server Name Indication (SNI) and the HTTPS Host header, and get a warning about domain fronting.

Sample Captures: attached is a pcap file containing the initial handshake requests of such connection attempts: http-inject_28_Sep_12_35_57.zip

mmanoj commented 1 month ago

@IvanNardi

Can we discuss the way forward for adding this support? I can generate more PCAPs with specific protocol scenarios.

0xA50C1A1 commented 1 month ago

Such services are often used to circumvent censorship, so it will be a two-edged sword.

mmanoj commented 1 month ago

@0xA50C1A1 Thanks for the feedback, I totally agree with you. However, from a CSP perspective this is required to prevent/monitor ZERO-RATED FRAUD TECHNIQUES.

IvanNardi commented 1 month ago

I personally don't have any plans on working on that topic in the short term. Of course, I'll review any PR. Having said that, it is a very complex topic. For example:

Some hints to detect such attempts: you can detect mismatches between the TLS Server Name Indication (SNI) and the HTTPS Host header, and get a warning about domain fronting.

How is that useful from an implementation POV? We don't have access to the HTTP host header, do we?

mmanoj commented 1 month ago

@IvanNardi

Thanks for the feedback. Regarding the HTTP Host header, only the server side can see it, like a cloud or hosting provider --> "Requests where the host header in HTTP/HTTPS requests that doesn't match the original TLS SNI extension used during the TLS negotiation gets blocked."

However, I'm going to work with the approach below initially for detecting VPN/SNI injectors, based on currently available nDPI features and infrastructure.

1. Capture sample PCAPs of the same service with legitimate behavior and the same service under VPN.
2. Create an application signature/snapshot of the packet behavior based on flow features.
3. Use nDPI risk indicators and other packet features (number of flow packets, packet IAT, goodput ratio, etc.) to build a heuristic model.
4. Compare the suspected flow with the packet snapshot/application signature to check the flow behavior type.

[Image: example suspected traffic analysis]
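As an added illustration of steps 2 to 4 above (my own example, not nDPI code and not the issue author's), this builds a per-feature baseline snapshot from legitimate flows and z-scores a suspect flow against it. The packet timings and sizes are constructed for the example; in a real deployment they would come from nDPI's flow statistics, with its risk indicators added as further features.

```python
from statistics import mean, pstdev

# Constructed packet records: (timestamp_s, frame_len, payload_len) per packet.
# The values are made up for this illustration, not taken from the attached pcap.
def synth_flow(n, iat, frame_len, payload_len, start=0.0):
    return [(start + i * iat, frame_len, payload_len) for i in range(n)]

LEGIT_FLOWS = [            # same service, normal use: few large packets
    synth_flow(12, 0.020, 1400, 1330),
    synth_flow(10, 0.025, 1300, 1220),
    synth_flow(14, 0.018, 1450, 1390),
    synth_flow(11, 0.022, 1350, 1280),
]
SUSPECT_FLOW = synth_flow(60, 0.005, 120, 48)  # many small, chatty packets

def flow_features(packets):
    """Packet-level features per flow: count, IAT stats, goodput ratio, size."""
    ts = [p[0] for p in packets]
    iats = [b - a for a, b in zip(ts, ts[1:])]
    frame_bytes = sum(p[1] for p in packets)
    payload_bytes = sum(p[2] for p in packets)
    return {
        "n_packets": len(packets),
        "mean_iat": mean(iats) if iats else 0.0,
        "iat_jitter": pstdev(iats) if len(iats) > 1 else 0.0,
        "goodput_ratio": payload_bytes / frame_bytes if frame_bytes else 0.0,
        "mean_pkt_len": frame_bytes / len(packets) if packets else 0.0,
    }

def build_signature(flows):
    """Application snapshot: per-feature (mean, stddev) over legitimate flows."""
    feats = [flow_features(f) for f in flows]
    return {k: (mean([f[k] for f in feats]), pstdev([f[k] for f in feats]))
            for k in feats[0]}

def score_flow(packets, signature, z_limit=3.0, min_outliers=2):
    """Compare a flow with the snapshot; flag it when several features sit
    more than z_limit standard deviations away from the baseline."""
    feats = flow_features(packets)
    zscores = {}
    for key, (mu, sigma) in signature.items():
        sigma = max(sigma, 1e-6 * max(abs(mu), 1.0))  # avoid divide-by-zero
        zscores[key] = abs(feats[key] - mu) / sigma
    outliers = sorted(k for k, z in zscores.items() if z > z_limit)
    return {"features": feats, "zscores": zscores, "outliers": outliers,
            "suspect": len(outliers) >= min_outliers}

if __name__ == "__main__":
    print(score_flow(SUSPECT_FLOW, build_signature(LEGIT_FLOWS)))
```

The thresholds (z_limit, min_outliers) are assumptions to be tuned per service against the legitimate and VPN captures from step 1.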