wangyu- / udp2raw

A Tunnel which Turns UDP Traffic into Encrypted UDP/FakeTCP/ICMP Traffic by using Raw Socket, helps you Bypass UDP FireWalls (or Unstable UDP Environment)
MIT License

Does udp2raw support SPA? #506

Closed mxmkeep closed 6 months ago

mxmkeep commented 8 months ago

One of the purposes of using the UDP protocol is service hiding (avoiding port scanning), which uses the SPA (Single Packet Authorization) mechanism. So can udp2raw support SPA? For example, the client adds a special tcp option into the SYN packet, and the server checks it. If it does not match, do not reply SYN-ACK, just drop it to avoid the port being scanned.

wangyu- commented 7 months ago

No, in the current version there is no such mechanism in the SYN.

> For example, the client adds a special tcp option into the SYN packet, and the server checks it. If it does not match, do not reply SYN-ACK, just drop it to avoid the port being scanned.

Is there existing software that has implemented this feature? I wonder how practical it is.

Problems that might arise with this method:

  1. how is the compatibility of the special tcp option?
  2. even if this is implemented, how to prevent replay attacks of the SYN packet without a synchronized clock?

mxmkeep commented 7 months ago

> Is there existing software that has implemented this feature?

No, but there are similar ones, such as the TOA (tcp option address) feature, which originated from LVS full-NAT mode and is now commonly used to bypass the client's real IP for proxy projects. https://github.com/ucloud/ucloud-toa

> 1. how is the compatibility of the special tcp option?

Yes, the tcp option may be dropped or replaced by the cloud vendor, depending on the choice of option code.

> 2. even if this is implemented, how to prevent replay attacks of the SYN packet without a synchronized clock?

It just adds one more checking step when receiving a SYN packet; if this logic is bypassed, the original checking logic of the program is still in effect.
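The SYN-option gate discussed in this thread, as an added example that is neither udp2raw code nor written by either participant. The option kind (253, from the experimental range RFC 6994 reserves), the nonce-plus-HMAC layout, the key and the addresses are all assumptions; the server-side check accepts a SYN only when the tag verifies for that client IP and the nonce has not been seen before, which also makes the cost of the no-clock replay cache from item 2 visible.

```python
import hashlib
import hmac
import struct

# Assumed layout (not udp2raw's): experimental option kind 253 (RFC 6994),
# value = nonce(8) || tag(8), tag = HMAC-SHA256(key, nonce || client_ip)[:8].
SPA_KIND, NONCE_LEN, TAG_LEN = 253, 8, 8

def spa_tag(key: bytes, nonce: bytes, client_ip: bytes) -> bytes:
    return hmac.new(key, nonce + client_ip, hashlib.sha256).digest()[:TAG_LEN]

def parse_tcp_options(tcp_header: bytes) -> list:
    """Return [(kind, value)] from a raw TCP header; stops on malformed data."""
    opts, i, end = [], 20, min((tcp_header[12] >> 4) * 4, len(tcp_header))
    while i < end:
        kind = tcp_header[i]
        if kind == 0:                        # End of Option List
            break
        if kind == 1:                        # NOP: one byte, no length field
            i += 1
            continue
        ln = tcp_header[i + 1] if i + 1 < end else 0
        if ln < 2 or i + ln > end:           # truncated or bad length: stop
            break
        opts.append((kind, tcp_header[i + 2:i + ln]))
        i += ln
    return opts

class SynGate:
    """Server side: a SYN passes only with a valid tag whose nonce is new."""
    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()   # replay cache: without a clock nothing can expire

    def accept(self, client_ip: bytes, tcp_header: bytes) -> bool:
        for kind, value in parse_tcp_options(tcp_header):
            if kind != SPA_KIND or len(value) != NONCE_LEN + TAG_LEN:
                continue
            nonce, tag = value[:NONCE_LEN], value[NONCE_LEN:]
            if hmac.compare_digest(tag, spa_tag(self.key, nonce, client_ip)) and nonce not in self.seen:
                self.seen.add(nonce)
                return True
        return False                         # missing/invalid/replayed: drop, no SYN-ACK

def build_syn(key: bytes, client_ip: bytes, nonce: bytes, extra: bytes = b"") -> bytes:
    # Constructed SYN header (checksum left zero) carrying the option, for the demo only.
    opt = extra + bytes([SPA_KIND, 2 + NONCE_LEN + TAG_LEN]) + nonce + spa_tag(key, nonce, client_ip)
    opt += b"\x00" * (-len(opt) % 4)         # pad to a 32-bit boundary
    off = (20 + len(opt)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, off << 4, 0x02, 65535, 0, 0) + opt
```

A real deployment would need to bound `seen` (the thread's open question) and a client that can actually emit the option through the raw socket, which the snippet does not attempt.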