What would you reach for out of curiosity?
For me RTP+rateless erasure codes come to mind, but I’m feeling Rube Goldbergy today.
All boils down to the kind of DPI you're trying to work around, but generally the most common encrypted or otherwise difficult to process protocols strike me as the most preferable.
RTP isn't a bad choice, especially the WebRTC flavor of it:
- it's UDP; there's no need to worry about the TCP meltdown
- it's most commonly used for peer-to-peer and PBX communication; packets going in and out, from and to random IPs are expected
- high bandwidth RTP traffic is normal, so are high irregularities
- it most often carries video; huge room for steganography
- WebRTC makes encryption mandatory
I've come across corporate networks that do block non-intranet WebRTC, however this probably isn't feasible at the Internet scale.
Other good choices are QUIC and WebSockets (assuming your network doesn't do MitM), and SSH, which by default comes with strong protection against MitM and actually has SOCKS5 tunneling built into the most popular implementations (try `ssh -D`). SSH is what some of my friends successfully use to bypass the Great Firewall.
That being said, the shift of client-to-server SMTP from a common part of everyday internet traffic to something rather esoteric may have created some potential for firewall misconfigurations, and those might result in it being passed with minimal inspection. All depends on your particular firewall in the end.
I think HTTP web sockets would be an interesting tunneling protocol.
Tor has a transport using exactly that.
https://blog.torproject.org/introducing-webtunnel-evading-ce...
You don't need websockets, just Connection: Upgrade to anything you want. You can upgrade directly to ssh protocol and just pass on decrypted data from https socket to local port 22 from then on with no further processing.
Proper DPI can tell that wouldn't be acting like a typical HTTP stream, encrypted or not.
Hehe true, SSH traffic is so characteristically obvious that the packet size and timing can be used as a side channel to leak information about a session.
Tangential: but I recall reading about a similar technique used on SRTP packets to guess the phonemes being uttered without needing to decrypt the traffic.
I guess you would need to either mimic a protocol that always uses a fixed packet size/rate (like a MPEG-TS video stream or something), or artificially pad/delay your packets to throw off detection methods.
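The detection side of what this sub-thread describes, as an added example that is not part of any comment above: a small heuristic that looks at packet sizes and inter-arrival gaps, the two features the comments name, and separates an interactive-session shape (small, irregularly spaced packets) from a constant-rate media shape (fixed size, fixed cadence, the MPEG-TS case mentioned) and a bulk-transfer shape. The traces and the thresholds are constructed for illustration, not captured or tuned values; the names `shape_features` and `classify` are mine.

```python
"""Size/timing shape heuristics for an encrypted flow.

Added example (not from the thread). Each trace is a list of
(timestamp_seconds, payload_bytes) tuples, constructed by hand to
represent three flow shapes; nothing here is captured traffic.
"""
from statistics import mean, pstdev

# Interactive-session shape: small keystroke-sized packets at human pace,
# with a short bulk burst at the end (constructed).
INTERACTIVE_TRACE = [
    (0.000, 36), (0.210, 36), (0.245, 52), (0.900, 36), (0.930, 36),
    (1.800, 48), (1.830, 36), (1.845, 36), (3.100, 1200), (3.105, 1200),
]

# Constant-rate media shape: fixed-size packets every 20 ms (constructed).
CONSTANT_RATE_TRACE = [(i * 0.020, 1316) for i in range(40)]

# Bulk-transfer shape: full-size packets in irregular bursts (constructed).
BULK_TRACE = [(0.000, 1400), (0.001, 1400), (0.500, 1400),
              (0.502, 1400), (0.900, 1400), (0.901, 1400)]


def coefficient_of_variation(values):
    """Population std-dev divided by mean; 0.0 for degenerate inputs."""
    if len(values) < 2:
        return 0.0
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def shape_features(trace):
    """Summarise a trace by size spread, gap spread and share of tiny packets."""
    if not trace:
        return {"size_cv": 0.0, "gap_cv": 0.0, "small_fraction": 0.0}
    sizes = [size for _, size in trace]
    gaps = [later[0] - earlier[0] for earlier, later in zip(trace, trace[1:])]
    return {
        "size_cv": coefficient_of_variation(sizes),
        "gap_cv": coefficient_of_variation(gaps),
        "small_fraction": sum(1 for s in sizes if s < 100) / len(sizes),
    }


def classify(trace, size_cv_max=0.05, gap_cv_max=0.05, small_fraction_min=0.5):
    """Label a trace as constant-rate, interactive or bursty.

    Thresholds are illustrative assumptions, not calibrated values.
    """
    f = shape_features(trace)
    if f["size_cv"] <= size_cv_max and f["gap_cv"] <= gap_cv_max:
        return "constant-rate"
    if f["small_fraction"] >= small_fraction_min:
        return "interactive"
    return "bursty"


if __name__ == "__main__":
    for name, trace in [("interactive", INTERACTIVE_TRACE),
                        ("constant-rate", CONSTANT_RATE_TRACE),
                        ("bulk", BULK_TRACE)]:
        print(f"{name:14s} -> {classify(trace)}  {shape_features(trace)}")
```

The point the comment makes falls out directly: the heuristic keys on variation, so a flow that has been padded to a fixed size and paced to a fixed interval collapses to the constant-rate shape and carries no signal for it, which is why real classifiers lean on more than these two features.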
It would not be able to tell it from WebSocket uses.
I think most websockets do not sustain large amounts of bidirectional traffic for prolonged periods, so IMO this would immediately be suspicious.
My typical ssh session does not either.
IP over Avian Carriers
I love the fact that this is a thing.