Traffic Obfuscation to escape Deep Packet Inspection
Posted: Tue Sep 11, 2012 10:14 am
Hi there,
Some companies, like T-Mobile and Kabel Deutschland, use Deep Packet Inspection to filter traffic and apply traffic shaping to certain types of traffic - thereby interfering even with traffic over a VPN and disturbing proper VPN operation for some sorts of traffic. So I thought it was time for some nice features for traffic obfuscation in OpenVPN.
Look at the following scenario: You have a VoIP connection through a VPN. You have constant and probably equal upload and download packet rates over the VPN connection, so the DPI identifies the connection as some kind of symmetric stream. We could escape this if OpenVPN provided some support to
a) add random junk payload to the packets or insert random junk packets (at the expense of more traffic though),
b) run the up- and download streams over two different TCP connections or over two different UDP ports (if in UDP mode).
c) use even more than two connections, and randomly distribute the traffic over these connections, thereby making sure that the data is not uniformly distributed.
I suppose, in case b), for the DPI, the two separate connections would not look like a symmetrical stream anymore (unless they assume this from the fact that they both end at the same peer address... But this could be normal traffic, like downloading from a webserver and uploading to an FTP server at the same host, so they would heavily interfere with users' internet access if they blocked or interfered with this.)
Of course, case c) would add some latency and jitter issues for use cases like VoIP. But tools like Skype can cope with this pretty well and might work quite well over such a connection.
Does anybody have an idea if such or similar features are already implemented, or where to start and integrate such features? I would first like to go for the independent up-/down-stream stuff (at two different ports), then for adding junk packets - if needed, and last for the multi-connection random distribution.
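The following simulation is an added example, not part of the original post and not OpenVPN code. It scores options a), b) and c) with a hypothetical symmetry heuristic (smaller direction count divided by the larger), once per connection and once aggregated per peer address, to show the caveat raised for case b). The peer name, packet counts and scoring function are constructed assumptions, not the behaviour of any real DPI product.

```python
import random
from collections import defaultdict

PEER = "vpn.example.net"   # constructed placeholder peer address
N = 500                    # constructed: packets per direction in a VoIP-like call

def symmetry(up, down):
    """min/max of the two direction counts: 1.0 = symmetric, 0.0 = one-way."""
    hi = max(up, down)
    return min(up, down) / hi if hi else 0.0

def score(packets, by):
    """Score (connection, peer, direction) records grouped by 'flow' or 'peer'."""
    counts = defaultdict(lambda: [0, 0])
    for flow, peer, direction in packets:
        key = flow if by == "flow" else peer
        counts[key][0 if direction == "up" else 1] += 1
    return {k: round(symmetry(u, d), 3) for k, (u, d) in counts.items()}

def baseline():
    """One connection carrying both directions at equal rates."""
    return [("c0", PEER, d) for d in ("up", "down") for _ in range(N)]

def junk_packets():
    """Option a: one junk upload packet inserted per two real ones."""
    return baseline() + [("c0", PEER, "up")] * (N // 2)

def split_directions():
    """Option b: upload and download on separate connections, same peer."""
    return [("c_up", PEER, "up")] * N + [("c_down", PEER, "down")] * N

def multi_connection(n=4, seed=1):
    """Option c: each packet goes to a connection drawn with non-uniform weights."""
    rng = random.Random(seed)
    flows = [f"c{i}" for i in range(n)]
    pkts = []
    for d in ("up", "down"):
        weights = [rng.random() for _ in flows]
        pkts += [(f, PEER, d) for f in rng.choices(flows, weights, k=N)]
    return pkts

if __name__ == "__main__":
    for name, fn in [("baseline", baseline), ("a", junk_packets),
                     ("b", split_directions), ("c", multi_connection)]:
        pkts = fn()
        print(name, "per-flow:", score(pkts, "flow"), "per-peer:", score(pkts, "peer"))
```

Per connection, option b) scores 0.0 on both flows, but grouping by peer address returns 1.0 for b) and c) alike; only the junk packets of option a) change the per-peer ratio.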