
Adding support to detection: SNI Injection/SSL Tunnel/DNS Tunnel/Shadowsocks/V2Ray/Xray/Hysteria/

Open mmanoj opened this issue 4 months ago • 5 comments

Problem Description: Most Internet users use specific zero-rated fraud techniques, including HTTP Header Injection, Domain Fronting, and DNS Spoofing, to bypass DPI rules using zero-rated URLs or subscribed services. It would be good to have improved detection of such techniques. The simulation can be performed using the HTTP-Injector mobile app.

Some hints to detect such attempts: You can detect mismatches between the TLS Server Name Indication (SNI) and the HTTPS host header, and get a warning about domain fronting.

Sample Captures: Attached are some pcap files with the initial handshake requests of such connection attempts: http-inject_28_Sep_12_35_57.zip

mmanoj, Sep 28 '24 09:09
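The SNI/Host comparison hinted at in the issue, as an added example that is not nDPI code and not part of the original post. It assumes the SNI and the HTTP request head are both visible at the same observation point (for example where TLS is terminated, or where the request is sent in clear); the function names and the sample request are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Canonical host: lower case, no leading blanks, no ":port", no trailing dot.
   IPv6 literals in brackets are not handled (an SNI never carries one). */
static void normalize_host(const char *in, size_t len, char *out, size_t outsz) {
    size_t n = 0, i = 0;
    while (i < len && (in[i] == ' ' || in[i] == '\t')) i++;
    for (; i < len && n + 1 < outsz; i++) {
        if (in[i] == ':' || in[i] == '\r' || in[i] == ' ' || in[i] == '\t') break;
        out[n++] = (char)tolower((unsigned char)in[i]);
    }
    if (n > 0 && out[n - 1] == '.') n--;
    out[n] = '\0';
}

/* Case-insensitive test that s[0..len) starts with the lower-case string pre. */
static int has_prefix_ci(const char *s, size_t len, const char *pre) {
    size_t i = 0;
    for (; pre[i] != '\0'; i++)
        if (i >= len || tolower((unsigned char)s[i]) != pre[i]) return 0;
    return 1;
}

/* 1 = SNI and Host differ, 0 = same name, -1 = request head has no Host header. */
int sni_host_mismatch(const char *sni, const char *req, size_t req_len) {
    char a[256], b[256];
    const char *p = req, *end = req + req_len;
    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        size_t n = (size_t)((eol ? eol : end) - p);
        if (n == 0 || (n == 1 && p[0] == '\r')) break;  /* blank line: end of headers */
        if (has_prefix_ci(p, n, "host:")) {
            normalize_host(p + 5, n - 5, b, sizeof b);
            normalize_host(sni, strlen(sni), a, sizeof a);
            return strcmp(a, b) != 0;
        }
        p += n + (eol ? 1 : 0);
    }
    return -1;
}

int main(void) {
    /* Constructed sample: SNI names one host, the request inside names another. */
    const char *req = "GET / HTTP/1.1\r\nHost: other.example:443\r\n\r\n";
    printf("mismatch=%d\n", sni_host_mismatch("zero-rated.example", req, strlen(req)));
    return 0;
}
```

A return value of -1 (no Host header at all) is worth logging separately from a mismatch, since it means there was nothing to compare rather than that the names agreed.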