[Masque] MASQUE detection through tracking trackers

Töma Gavrichenkov <ximaera@gmail.com> Tue, 05 November 2019 16:50 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/NRW2wg3-xg6JZ2MVwdGyJ1LF7XI>


A good friend of mine has been talking recently to a DPI vendor sales
folk.  Their appliance earned some good results in a testbed environment
involving weekly packet captures from an actual Internet access provider.
The particular brand is not important.

Basically their product works as follows.  First, it has a collection of IP
addresses and some behavioral patterns of an order of hundreds to thousands
of typical external resources Web sites use: CDNs, trackers (Google
Analytics, Newrelic, JQuery, Recaptcha, to name a few, but there are more),
etc.  The list is meant to be updated once every few days, if not hours.

Then, if a client establishes a number of active bandwidth-heavy
connections to remote servers but doesn't connect to a statistically
significant number of those trackers within some timeframe (the thresholds
are also being regularly updated I think), then it is assumed to be using a
VPN.  All the established sessions (no matter if it's TCP or UDP) are
dropped and the former endpoints (except some) are greylisted and reported,
and the subsequent HTTP[S] connection establishment attempts get a redirect
to a Web page which tells the user to switch off the VPN connection.

The story: test runs have shown that false positives account for much less
than 1% of the users, those mostly being the ones using self-hosted NASes
and/or NoScript-enabled browsers.  Evidently, NoScript is not only
unpopular but most of said browsers are run by people who connect through
VPNs anyway, therefore further limiting potential false positives.

The vendor claims they don't look into DNS payload and analyse TLS
parameters only marginally, and the solution is therefore fully DoH and ESNI
ready.  As far as I know, DoH- and ESNI-secured conversations were not
present in the test data set.  I haven't seen the box myself.

I wonder now how such a scenario would be considered in MASQUE and if
there's a way to work around this issue within the MASQUE deployment
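
The heuristic described in this message, sketched as an added example that is not part of the original post and is not the vendor's implementation. The thresholds, field names, verdict labels and addresses (documentation ranges) are all assumptions; the sample shows both the tunnel case and the script-blocking false positive the message mentions.

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    ts: float      # seconds since the start of the observation window
    client: str    # subscriber address
    dst: str       # remote endpoint address
    nbytes: int    # bytes carried by the flow

# Constructed stand-in for the appliance's list of tracker/CDN addresses.
TRACKER_IPS = {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"}

# Constructed flow records, not taken from any real capture.
SAMPLE_FLOWS = [
    Flow(1, "10.0.0.1", "198.51.100.5", 8_000_000),
    Flow(2, "10.0.0.1", "192.0.2.10", 40_000),
    Flow(3, "10.0.0.1", "192.0.2.11", 25_000),
    Flow(4, "10.0.0.1", "198.51.100.6", 9_000_000),
    Flow(5, "10.0.0.2", "203.0.113.7", 60_000_000),  # single tunnel endpoint
    Flow(6, "10.0.0.2", "203.0.113.7", 30_000_000),
    Flow(7, "10.0.0.3", "198.51.100.5", 7_000_000),  # scripts blocked: no tracker hits
    Flow(8, "10.0.0.3", "198.51.100.8", 6_000_000),
    Flow(9, "10.0.0.4", "192.0.2.12", 30_000),
]

def classify(flows, trackers=TRACKER_IPS, window=300.0,
             heavy_bytes=5_000_000, min_heavy=2, min_trackers=2):
    """Return {client: verdict}; every threshold here is an assumed value."""
    heavy = defaultdict(int)   # client -> count of bandwidth-heavy flows
    seen = defaultdict(set)    # client -> distinct tracker endpoints contacted
    for f in flows:
        if f.ts >= window:
            continue
        if f.dst in trackers:
            seen[f.client].add(f.dst)
        elif f.nbytes >= heavy_bytes:
            heavy[f.client] += 1
    verdicts = {}
    for client in set(heavy) | set(seen):
        if heavy[client] < min_heavy:
            verdicts[client] = "insufficient-traffic"
        elif len(seen[client]) >= min_trackers:
            verdicts[client] = "ordinary-browsing"
        else:
            verdicts[client] = "suspected-vpn"
    return verdicts

if __name__ == "__main__":
    print(classify(SAMPLE_FLOWS))
```

The classifier never inspects DNS or TLS contents, only destination addresses and byte counts, which is the property behind the vendor's "DoH and ESNI ready" claim.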