
Question About Evading SNI filter

Open Lanius-collaris opened this issue 2 years ago • 9 comments

I found an interesting tool. https://codeberg.org/Spilopelia-chinensis/TCB-Teardown-test When it finds a SYN+ACK packet ( not from ::1/128, fc::/7, 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 ), it will send an ACK packet and an RST+ACK packet with an IP TTL low enough to not make it to the receiver ( but high enough to be seen by the monitor ).

Is it possible to implement this feature without root on Android?

Lanius-collaris avatar Jun 01 '23 16:06 Lanius-collaris
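Packet construction for the trick described in the post above, as an added example (not the TCB-Teardown-test tool's code, which I have not read). It builds the two injected packets in pure Python from a sniffed SYN+ACK: an ACK and an RST+ACK, both carrying the same sequence/acknowledgement numbers the real handshake uses, with the RST+ACK given a small IP TTL so it expires before the server but after the in-path monitor. Assumptions: IPv4 only; the injected ACK is given the same low TTL as the RST (the post does not say, and the kernel already sends the real handshake ACK, so the injected one only has to reach the monitor); the post's "fc::/7" is read as the ULA range fc00::/7, which is the only form `ipaddress` accepts. Nothing is written to the wire; sending would need a raw socket, which is exactly the privilege problem the thread is about.

```python
import ipaddress
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Ranges the post excludes. "fc::/7" in the post is assumed to mean ULA fc00::/7.
EXCLUDED = [ipaddress.ip_network(n) for n in (
    "::1/128", "fc00::/7", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_excluded(ip: str) -> bool:
    """True if the SYN+ACK source is in a range the tool ignores (loopback/private)."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in EXCLUDED)


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when run over a correct header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src: str, dst: str, sport: int, dport: int,
              seq: int, ack: int, flags: int, window: int = 65535) -> bytes:
    """20-byte TCP header (no options, no payload) with a pseudo-header checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(hdr)))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_ipv4(src: str, dst: str, ttl: int, payload: bytes, ident: int = 0) -> bytes:
    """IPv4 header (DF set, no options) in front of a TCP segment. ttl is the knob the trick turns."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000, ttl, 6, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull the fields the tool needs out of a captured IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    sport, dport, seq, ack, _off, flags, _win = struct.unpack("!HHIIBBH", tcp[:16])
    return dict(src=str(ipaddress.IPv4Address(pkt[12:16])), dst=str(ipaddress.IPv4Address(pkt[16:20])),
                ttl=pkt[8], sport=sport, dport=dport, seq=seq, ack=ack, flags=flags)


def teardown_replies(synack: bytes, ttl: int):
    """Given a sniffed SYN+ACK, return (ack_packet, rst_ack_packet) to inject, or None if ignored.

    Both packets claim the client's side of the connection: seq = the server's ack number
    (client ISN+1), ack = server ISN+1. The low TTL (assumed to apply to both here) makes them
    die before the server, so only the monitor sees a completed-then-reset handshake.
    """
    p = parse_ipv4_tcp(synack)
    if p["flags"] & (TCP_SYN | TCP_ACK) != (TCP_SYN | TCP_ACK) or p["flags"] & TCP_RST:
        return None
    if is_excluded(p["src"]):
        return None
    seq, ack = p["ack"], (p["seq"] + 1) & 0xFFFFFFFF
    me, peer, my_port, peer_port = p["dst"], p["src"], p["dport"], p["sport"]
    ack_pkt = build_ipv4(me, peer, ttl, build_tcp(me, peer, my_port, peer_port, seq, ack, TCP_ACK))
    rst_pkt = build_ipv4(me, peer, ttl, build_tcp(me, peer, my_port, peer_port, seq, ack, TCP_RST | TCP_ACK))
    return ack_pkt, rst_pkt


if __name__ == "__main__":
    # Constructed SYN+ACK from a documentation-range server (203.0.113.5:443) to our client port.
    synack = build_ipv4("203.0.113.5", "192.0.2.10", 57,
                        build_tcp("203.0.113.5", "192.0.2.10", 443, 40000, 1000, 2001, TCP_SYN | TCP_ACK))
    for pkt in teardown_replies(synack, ttl=4):
        print(parse_ipv4_tcp(pkt))
```

Picking the TTL is the fragile part: it has to exceed the hop count to the monitor and fall short of the hop count to the server, and both vary per route, so a real tool typically probes (traceroute-style) or tries a few values.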

Yes, but it isn't straightforward to do so. See also: https://github.com/celzero/firestack/issues/1

ignoramous avatar Jun 01 '23 18:06 ignoramous

Yes, but it isn't straightforward to do so. See also: celzero/firestack#1

Sorry, I am not familiar with Android. Can TUN devices write outgoing packets or read incoming packets?

Lanius-collaris avatar Jun 13 '23 08:06 Lanius-collaris

Yep, that's what the TUN devices are for.

ignoramous avatar Jun 13 '23 16:06 ignoramous

Ah, I remember that the common use of TUN devices is reading outgoing packets and writing incoming packets?

Lanius-collaris avatar Jun 13 '23 16:06 Lanius-collaris

My bad. Yes, in general, with TUN files: read egress, write ingress :)

But in rdns, you could write egress and read ingress ("emulating a TUN device" may be the right way to think about it) because we run a userspace TCP/IP stack.

Though, I'm curious how it ties to evading firewalls, in particular?

ignoramous avatar Jun 13 '23 19:06 ignoramous

A normal TCP socket can't seem to send a TTL-limited RST before sending data. ClientHello Segmentation does not need privileges, but it does not work when accessing many websites from China (it works when accessing torproject.org). Domain Fronting needs a man-in-the-middle attack, is it dangerous? Do you know some methods that don't need privileges?

Lanius-collaris avatar Jun 13 '23 20:06 Lanius-collaris

Oh, I see. If such an evasion technique requires root access, then it wouldn't be possible unless Rethink is set up to emulate the TUN device (like it does for turning WireGuard into a TCP/UDP proxy).

Domain Fronting needs a man-in-the-middle attack, is it dangerous?

Domain Fronting isn't dangerous. In fact, the ESNI standard is like Domain Fronting, in one sense.

Do you know some methods that don't need privileges?

Unfortunately, I don't.

ignoramous avatar Jun 17 '23 10:06 ignoramous

Domain Fronting isn't dangerous. In fact, the ESNI standard is like Domain Fronting, in one sense

In some cases, clients don't use Domain Fronting by themselves, but a man-in-the-middle proxy performs Domain Fronting.
ClientHello Segmentation (e.g. rethink-app) and sending TTL-limited RST before sending data are transparent (invisible to clients and servers), so I prefer them. The second technique can't seem to be used on Android, I may need to upload the tool to my router. ☹️

Lanius-collaris avatar Jun 18 '23 19:06 Lanius-collaris

You can try to establish a connection, close, then reconnect with the same (src ip, src port, dest ip, dest port).

That will send a FIN to the destination that may confuse the middlebox. It seems to work in Turkmenistan. See Strategy 3: Free Pass at https://geneva.cs.umd.edu/papers/2023-web-turkmenistan.pdf

fortuna avatar Oct 24 '23 17:10 fortuna