[Masque] MASQUE detection through tracking trackers
Töma Gavrichenkov <ximaera@gmail.com> Tue, 05 November 2019 16:50 UTC
From: Töma Gavrichenkov <ximaera@gmail.com>
Date: Tue, 05 Nov 2019 19:50:08 +0300
Message-ID: <CALZ3u+Yd3wu3G2o-AJErNw6SSgU97F-osJfJhYaiuu5Sb9sF6g@mail.gmail.com>
To: masque@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/NRW2wg3-xg6JZ2MVwdGyJ1LF7XI>
Subject: [Masque] MASQUE detection through tracking trackers
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
Peace,

A good friend of mine has been talking recently to a DPI vendor's sales folk. Their appliance earned some good results in a testbed environment involving weekly packet captures from an actual Internet access provider. The particular brand is not important.

Basically, their product works as follows. First, it has a collection of IP addresses and some behavioral patterns of, on the order of, hundreds to thousands of typical external resources Web sites use: CDNs, trackers (Google Analytics, Newrelic, JQuery, Recaptcha, to name a few, but there are more), etc. The list is meant to be updated once in a few days, if not hours.

Then, if a client establishes a number of active bandwidth-heavy connections to remote servers but doesn't connect to a statistically significant number of those trackers within some timeframe (the thresholds are also being regularly updated, I think), then it is assumed to be using a VPN. All the established sessions (no matter if it's TCP or UDP) are dropped and the former endpoints (except some) are greylisted and reported, and the subsequent HTTP[S] connection establishment attempts get a redirect to a Web page which tells the user to switch off the VPN connection.

The story: test runs have shown that false positives account for much less than 1% of the users, those mostly being the ones using self-hosted NASes and/or NoScript-enabled browsers. Evidently, NoScript is not only unpopular, but most of said browsers are run by people who connect through VPNs anyway, therefore further limiting potential false positives.

The vendor claims they don't look into DNS payload and analyse TLS parameters only marginally, and the solution is therefore fully DoH and ESNI ready. As far as I know, DoH- and ESNI-secured conversations were not present in the test data set. I haven't seen the box myself.

I wonder now how such a scenario would be considered in MASQUE and if there's a way to work around this issue within the MASQUE deployment guidelines.

--
Töma
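As an added illustration (this is not the vendor's code, and it is not part of the original message or of any MASQUE work), here is a toy version of the heuristic as the message describes it, run over constructed flow records: a client with several bandwidth-heavy connections that reaches too few known tracker/CDN endpoints within a window is labelled a VPN user. The tracker prefixes, the byte and count thresholds, the window length and every client and server address below are assumptions (documentation ranges), not anything the vendor published. The sample also reproduces the false-positive class the message mentions: a client pushing backups to a self-hosted NAS looks exactly like a VPN user under this rule.

```python
"""Toy "no trackers => VPN" heuristic over constructed flow records.

Added example; all prefixes, thresholds and addresses are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical stand-ins for the vendor's curated tracker/CDN list.
TRACKER_PREFIXES = [ip_network(p) for p in (
    "203.0.113.0/24",    # "analytics / tag manager" hosts (TEST-NET-3)
    "198.51.100.0/25",   # "script CDN / captcha" hosts (TEST-NET-2)
)]

HEAVY_BYTES = 5_000_000   # assumed: a "bandwidth-heavy" connection
MIN_HEAVY_CONNS = 2       # assumed: heavy connections before a client is judged
MIN_TRACKER_HITS = 2      # assumed: distinct tracker endpoints a browser would reach
WINDOW_SECONDS = 600      # assumed: observation window


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since epoch
    client: str    # subscriber address
    dst: str       # remote address
    dport: int
    proto: str     # "tcp" or "udp"; the rule ignores the transport
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow line: ts client dst dport proto bytes."""
    ts, client, dst, dport, proto, nbytes = line.split()
    return Flow(int(ts), client, dst, int(dport), proto, int(nbytes))


def is_tracker(dst: str) -> bool:
    addr = ip_address(dst)
    return any(addr in net for net in TRACKER_PREFIXES)


def classify(flows, now: int) -> dict:
    """Return {client: verdict}; verdict is 'ok', 'vpn_suspected' or 'insufficient'."""
    window_start = now - WINDOW_SECONDS
    heavy = defaultdict(int)        # client -> number of heavy connections
    trackers = defaultdict(set)     # client -> distinct tracker endpoints seen
    for f in flows:
        if not window_start <= f.ts <= now:
            continue
        if f.nbytes >= HEAVY_BYTES:
            heavy[f.client] += 1
        if is_tracker(f.dst):
            trackers[f.client].add(f.dst)
    verdict = {}
    for client in set(heavy) | set(trackers):
        if heavy[client] < MIN_HEAVY_CONNS:
            verdict[client] = "insufficient"      # not enough traffic to judge
        elif len(trackers[client]) < MIN_TRACKER_HITS:
            verdict[client] = "vpn_suspected"     # heavy traffic, no trackers
        else:
            verdict[client] = "ok"
    return verdict


# Constructed sample: four subscribers in one ten-minute window.
#   .10  ordinary browser: heavy CDN downloads plus several tracker hits
#   .20  VPN/proxy user: everything rides two UDP flows to one endpoint
#   .30  backs up to a self-hosted NAS: heavy, no trackers (false positive)
#   .40  a single large download; too little to judge
SAMPLE_FLOWS = """\
1000 192.0.2.10 198.51.100.7 443 tcp 6000000
1010 192.0.2.10 203.0.113.5 443 tcp 12000
1020 192.0.2.10 203.0.113.9 443 tcp 8000
1030 192.0.2.10 198.51.100.40 443 tcp 7000000
1000 192.0.2.20 192.0.2.200 443 udp 9000000
1100 192.0.2.20 192.0.2.200 443 udp 15000000
1000 192.0.2.30 192.0.2.250 22 tcp 9000000
1050 192.0.2.30 192.0.2.250 445 tcp 30000000
1000 192.0.2.40 192.0.2.210 443 tcp 6000000
"""


def run_sample() -> dict:
    flows = [parse_flow(l) for l in SAMPLE_FLOWS.splitlines() if l.strip()]
    return classify(flows, now=1200)


if __name__ == "__main__":
    for client, verdict in sorted(run_sample().items()):
        print(f"{client:12} {verdict}")
```

Running it prints `ok` for the browser, `vpn_suspected` for both the tunnel user and the NAS user, and `insufficient` for the single download; the rule has no signal with which to tell the last two apart, which is why a NoScript or NAS household shows up in the vendor's false-positive figure. The transport field is parsed but never consulted, matching the message's point that the box drops TCP and UDP sessions alike.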
- [Masque] MASQUE detection through tracking tracke… Töma Gavrichenkov
- Re: [Masque] MASQUE detection through tracking tr… Ted Hardie
- Re: [Masque] MASQUE detection through tracking tr… Töma Gavrichenkov
- Re: [Masque] MASQUE detection through tracking tr… Ted Hardie
- Re: [Masque] MASQUE detection through tracking tr… Töma Gavrichenkov
- Re: [Masque] MASQUE detection through tracking tr… Nick Harper
- Re: [Masque] MASQUE detection through tracking tr… Töma Gavrichenkov
- Re: [Masque] MASQUE detection through tracking tr… David Schinazi
- Re: [Masque] MASQUE detection through tracking tr… Ben Schwartz
- Re: [Masque] MASQUE detection through tracking tr… Töma Gavrichenkov
- Re: [Masque] MASQUE detection through tracking tr… Töma Gavrichenkov
- Re: [Masque] MASQUE detection through tracking tr… Lucas Pardue
- Re: [Masque] MASQUE detection through tracking tr… Töma Gavrichenkov
- Re: [Masque] MASQUE detection through tracking tr… Töma Gavrichenkov
- Re: [Masque] MASQUE detection through tracking tr… Christian Huitema
- Re: [Masque] MASQUE detection through tracking tr… Lucas Pardue
- Re: [Masque] MASQUE detection through tracking tr… Stephen Farrell
- Re: [Masque] MASQUE detection through tracking tr… Derek Fawcus