ntop / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

Add nDPI support for detecting Secured Socket Tunneling Protocol (SSTP) port:443 #61

Closed Mile-Lile closed 9 years ago

Mile-Lile commented 9 years ago

Secure Socket Tunneling Protocol was introduced by Microsoft in Windows Vista SP1, and it is now available for Linux, RouterOS and SEIL. SSTP uses SSL v3, and therefore offers similar advantages to OpenVPN (such as the ability to use TCP port 443 to avoid NAT firewall issues), and because it is integrated into Windows it may be easier to use and more stable. The following header structure is common to all types of SSTP packets:

https://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol

here is pcap file https://drive.google.com/file/d/0B0SCwy1irn3qZE1kd2xPTWhOOGM/view?usp=sharing

lucaderi commented 9 years ago

We have looked at your trace and, like OpenVPN, it is just SSL; once decrypted we can see the real SSTP protocol. We could add a handler looking at the name of the server (xxx.freesstpvpn.com in your case), but as it is not too reliable and limited in scope, we prefer not to do that. Thanks for submitting your request.

Mile-Lile commented 9 years ago

Ok. Thx for clarifying. By googling I found this:

SSTP works in this way: First, a TCP connection on port 443 is established. Second, SSL Negotiation starts, server certificate is downloaded and validated. Third, SSTP control over HTTP is sent. Fourth, PPP connection and authentication. Fifth, authentication verified bind for IP traffic flow. Sixth, PPP over SSTP encapsulated traffic between hosts.

Now, the key is in the third step. This CONNECT request sent by the SSTP client has a custom HTTP header named "SSTPVERSION" with value "1.0". Can we add a layer-7 "rule" which inspects the CONNECT requests for this particular header? If this header is present, then it signifies that it is an SSTP connection request which is coming from within the managed network. You can choose to drop/block this request if you do not want users to establish SSTP connections from within your network, or to give it proper prioritization by tracking the connection. Obviously it's not as easy as blocking a port or protocol, but with a Layer-7 policy we can beat the "new, fantastic and unbeatable" VPN protocol.
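As an added example (not nDPI's dissector and not code posted in this thread), a C routine that applies the check proposed above: walk a plaintext HTTP request and flag it when the header block carries "SSTPVERSION: 1.0". The sample requests and their hostnames are constructed placeholders, and the routine assumes the plaintext is visible (for instance after TLS termination on a proxy), since, as the maintainer's reply notes, on the wire this request is wrapped in SSL/TLS and an unterminated TLS stream has nothing for it to match.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample requests; hostnames are placeholders, not from the pcap. */
static const char sample_sstp[] =
    "CONNECT sstp.example.invalid:443 HTTP/1.1\r\n"
    "Host: sstp.example.invalid\r\n"
    "SSTPVERSION: 1.0\r\n"
    "Content-Length: 0\r\n\r\n";
static const char sample_http[] =
    "GET / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n";

/* Case-insensitive comparison of n bytes (header names are case-insensitive). */
static int ieq(const unsigned char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Return 1 when buf[0..len) is a plaintext HTTP/1.x request whose header block
 * carries "SSTPVERSION: 1.0", else 0. No NUL terminator is needed; the scan
 * stops at the blank line that ends the headers, so the body is never read. */
int is_sstp_control_request(const unsigned char *buf, size_t len) {
    const unsigned char *end = buf + len, *p = buf;
    const unsigned char *nl = memchr(p, '\n', len);
    if (nl == NULL) return 0;                     /* not line-oriented (e.g. raw TLS) */
    size_t rl = (size_t)(nl - p);
    int versioned = 0;                            /* request line must carry " HTTP/1." */
    for (size_t i = 0; i + 8 <= rl; i++)
        if (memcmp(p + i, " HTTP/1.", 8) == 0) { versioned = 1; break; }
    if (!versioned) return 0;
    for (p = nl + 1; p < end; p = nl + 1) {
        nl = memchr(p, '\n', (size_t)(end - p));
        size_t ll = nl ? (size_t)(nl - p) : (size_t)(end - p);
        if (ll && p[ll - 1] == '\r') ll--;        /* tolerate CRLF and bare LF */
        if (ll == 0) return 0;                    /* blank line: headers over, no match */
        const unsigned char *colon = memchr(p, ':', ll);
        if (colon && colon - p == 11 && ieq(p, "SSTPVERSION", 11)) {
            const unsigned char *v = colon + 1, *ve = p + ll;
            while (v < ve && (*v == ' ' || *v == '\t')) v++;   /* trim value */
            while (ve > v && (ve[-1] == ' ' || ve[-1] == '\t')) ve--;
            return ve - v == 3 && memcmp(v, "1.0", 3) == 0;
        }
        if (nl == NULL) break;
    }
    return 0;
}

int main(void) {                                  /* prints "sstp=1 http=0" */
    printf("sstp=%d http=%d\n",
           is_sstp_control_request((const unsigned char *)sample_sstp, strlen(sample_sstp)),
           is_sstp_control_request((const unsigned char *)sample_http, strlen(sample_http)));
    return 0;
}
```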