Authors:
(1) Diwen Xue, University of Michigan;
(2) Reethika Ramesh, University of Michigan;
(3) Arham Jain, University of Michigan;
(4) Arham Jain, Merit Network, Inc.;
(5) J. Alex Halderman, University of Michigan;
(6) Jedidiah R. Crandall, Arizona State University/Breakpointing Bad;
(7) Roya Ensafi, University of Michigan.
Table of Links
Abstract and 1 Introduction
2 Background & Related Work
3 Challenges in Real-world VPN Detection
4 Adversary Model and Deployment
5 Ethics, Privacy, and Responsible Disclosure
6 Identifying Fingerprintable Features and 6.1 Opcode-based Fingerprinting
6.2 ACK-based Fingerprinting
6.3 Active Server Fingerprinting
6.4 Constructing Filters and Probers
7 Fine-tuning for Deployment and 7.1 ACK Fingerprint Thresholds
7.2 Choice of Observation Window N
7.3 Effects of Packet Loss
7.4 Server Churn for Asynchronous Probing
7.5 Probe UDP and Obfuscated OpenVPN Servers
8 Real-world Deployment Setup
9 Evaluation & Findings and 9.1 Results for control VPN flows
9.2 Results for all flows
10 Discussion and Mitigations
11 Conclusion
12 Acknowledgement and References
Appendix
12 Acknowledgement
The authors are grateful to Matthew Wright for shepherding the paper, and to the anonymous reviewers for their constructive feedback. This material is based upon work supported by the National Science Foundation under Grant No. 1518888, 1823192, 2007741, 2042795, 2120400.
References
[1] Alice, Bob, Carol, J. Beznazwy, and A. Houmansadr. How China Detects and Blocks Shadowsocks. In ACM Internet Measurement Conference (IMC), 2020.
[2] Stealth VPN – Astrill VPN. https://www.astrill.com/features/vpn-protocols/stealth-vpn.
[3] S. Bagui, X. Fang, E. Kalaimannan, S. C. Bagui, and J. Sheehan. Comparison of machine-learning algorithms for classification of vpn network traffic flow using time-related features. In Journal of Cyber Security Technology, 2017.
[4] L. Bernaille, R. Teixeira, I. Akodjenou, A. Soule, and K. Salamatian. Traffic classification on the fly. In Computer Communication Review, Association for Computing Machinery, 2006.
[5] BolehVPN Traffic Obfuscation Keeps You out of Trouble. https://www.vpnmentor.com/blog/bolehvpn-traffic-obfuscation-keeps-you-out-of-trouble/.
[6] E. Crist and J. Keijser. Mastering OpenVPN. Packt Publishing, 2015.
[7] Cryptostorm – Port Stripping v2. https://cryptostorm.is/blog/port-striping-v2.
[8] R. Dingledine, N. Mathewson, and P. Syverson. Tor: The second-generation onion router. In 13th USENIX Security Symposium (USENIX Security 04).
[9] A. Dunna, C. O’Brien, and P. Gill. Analyzing China’s blocking of unpublished Tor bridges. In 8th USENIX Workshop on Free and Open Communications on the Internet (FOCI 18).
[10] Z. Durumeric, D. Adrian, A. Mirian, M. Bailey, and J. A. Halderman. A search engine backed by Internet-wide scanning. In 22nd ACM Conference on Computer and Communications Security, 2015.
[11] R. Ensafi, D. Fifield, P. Winter, N. Feamster, N. Weaver, and V. Paxson. Examining How the Great Firewall Discovers Hidden Circumvention Servers. In Proceedings of the 2015 Internet Measurement Conference.
[12] R. Ensafi, P. Winter, A. Mueen, and J. Crandall. Analyzing the Great Firewall of China over space and time. Proceedings on Privacy Enhancing Technologies, 2015.
[13] S. Frolov, J. Wampler, and E. Wustrow. Detecting Probe-resistant Proxies. In Network and Distributed System Security, 2020.
[14] P. Fu, C. Liu, Q. Yang, Z. Li, G. Gou, G. Xiong, and Z. Li. A NetFlow Sequence Attention Network for Virtual Private Network Traffic Detection. In International Conference on Web Information Systems Engineering.
[15] P. Gao, G. Li, Y. Shi, and Y. Wang. VPN Traffic Classification Based on Payload Length Sequence. In 2020 International Conference on Networking and Network Applications (NaNA).
[16] T. Garrett, L. E. Setenareski, L. M. Peres, L. C. Bona, and E. P. Duarte. Monitoring network neutrality: A survey on traffic differentiation detection. IEEE Communications Surveys & Tutorials, 2018.
[17] G. D. Gil, A. H. Lashkari, M. Mamun, and A. A. Ghorbani. Characterization of Encrypted and VPN Traffic Using Time-Related Features. In the 2nd International Conference on Information Systems Security and Privacy (ICISSP), 2016.
[18] Hide.me: Security Hardened OpenVPN Config with Traffic Obfuscation. https://hide.me/en/blog/security-hardened-openvpn-config-with-traffic-obfuscation/.
[19] H. Hoogstraaten. Evaluating server-side internet proxy detection methods (MSc thesis). 2018.
[20] A. Houmansadr, C. Brubaker, and V. Shmatikov. The Parrot Is Dead: Observing Unobservable Network Communications. In 2013 IEEE S&P.
[21] L. Izhikevich, R. Teixeira, and Z. Durumeric. LZR: Identifying unexpected internet services. In 30th USENIX Security Symposium (USENIX Security 21).
[22] F. Li, A. A. Niaki, D. Choffnes, P. Gill, and A. Mislove. A large-scale analysis of deployed traffic differentiation practices. In Proceedings of the ACM Special Interest Group on Data Communication. SIGCOMM, 2019.
[23] libprotoident: Library for application protocol identification. https://github.com/wanduow/libprotoident.
[24] M. Lotfollahi, M. J. Siavoshani, R. S. H. Zade, and M. Saberian. Deep packet: a novel approach for encrypted traffic classification using deep learning. In Soft Comput 24, 2019.
[25] MASSCAN: Mass IP port scanner. https://github.com/robertdavidgraham/masscan.
[26] S. Miller, K. Curran, and T. Lunney. Multilayer Perceptron Neural Network for Detection of Encrypted VPN Network Traffic. In 2018 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA).
[27] A. Molavi Kakhki, A. Razaghpanah, A. Li, H. Koo, R. Golani, D. Choffnes, P. Gill, and A. Mislove. Identifying traffic differentiation in mobile networks. In IMC’15.
[28] MullvadVPN: Intro to Shadowsocks. https://mullvad.net/en/help/intro-shadowsocks/.
[29] nDPI: Open Deep Packet Inspection Library. https://www.ntop.org/products/deep-packet-inspection/ndpi/.
[30] OpenVPN Reliability Layer module. http://build.openvpn.net/doxygen/group__reliable.html#details.
[31] Nim Programming Language. https://nim-lang.org/.
[32] Obfs3 threat model. https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/tree/doc/obfs3.
[33] Learning more about the GFW’s active probing system. https://blog.torproject.org/learning-more-about-gfws-active-probing-system.
[34] The History of OpenVPN. https://openvpn.net/blog/the-history-of-openvpn/.
[35] Question about tls-crypt and port 443 firewall ducking. https://sourceforge.net/p/openvpn/mailman/message/35560747/.
[36] OpenVPN_XORPatch. https://github.com/clayface/openvpn_xorpatch.
[37] Y. Pang, S. Jin, S. Li, J. Li, and H. Ren. OpenVPN Traffic Identification Using Traffic Fingerprints and Statistical Characteristics. In International Conference on Trustworthy Computing and Services, 2012.
[38] PF_RING ZC (Zero Copy). https://www.ntop.org/products/packet-capture/pf_ring/pf_ring-zc-zero-copy/.
[39] Pluggable transports. https://pluggabletransports.info/.
[40] Port shadows via network alchemy. https://breakpointingbad.com/2021/09/08/Port-Shadows-via-Network-Alchemy.html.
[41] Pywinauto. https://github.com/pywinauto/pywinauto.
[42] R. Ramesh, L. Evdokimov, D. Xue, and R. Ensafi. VPNalyzer: Systematic Investigation of the VPN Ecosystem. In Network and Distributed System Security, 2022.
[43] R. Ramesh, R. S. Raman, M. Bernhard, V. Ongkowijaya, L. Evdokimov, A. Edmundson, S. Sprecher, M. Ikram, and R. Ensafi. Decentralized Control: A Case Study of Russia. In Network and Distributed System Security, 2020.
[44] Attention to companies using vpn services in operation. https://rkn.gov.ru/news/rsoc/news73628.htm.
[45] Selenium. https://www.selenium.dev/.
[46] W. Seltzer. Infrastructures of censorship and lessons from copyright resistance. In Workshop on Free and Open Communications on the Internet (FOCI), 2011.
[47] R. Sundara Raman, L. Evdokimov, E. Wustrow, J. A. Halderman, and R. Ensafi. Investigating Large Scale HTTPS Interception in Kazakhstan. In Proceedings of the 2020 ACM Internet Measurement Conference.
[48] R. Sundara Raman, A. Stoll, J. Dalek, R. Ramesh, W. Scott, and R. Ensafi. Measuring the Deployment of Network Censorship Filters at Global Scale. In Network and Distributed System Security, 2020.
[49] Surfshark camouflage. https://surfshark.com/features.
[50] Hardening OpenVPN Security. https://openvpn.net/community-resources/hardening-openvpn-security/.
[51] W. J. Tolley, B. Kujath, M. T. Khan, N. Vallina-Rodriguez, and J. R. Crandall. Blind In/On-Path Attacks and Applications to VPNs. In 30th USENIX Security Symposium (USENIX Security 21).
[52] Top10VPN: VPN Reviews. https://www.top10vpn.com/.
[53] Tor In China – The Onion Router. http://www.mediafactory.org.au/2015-media6-deepweb/2015/10/01/tor-in-china/.
[54] Stealth VPN Unblock Websites, Firewalls and VPN Blocks. https://torguard.net/stealth-vpn.php.
[55] GFW probes based on Tor’s SSL cipher list. https://gitlab.torproject.org/legacy/trac/-/issues/4744.
[56] M. C. Tschantz, S. Afroz, Anonymous, and V. Paxson. SoK: Towards Grounding Censorship Circumvention in Empiricism. In 2016 IEEE Symposium on Security and Privacy (SP).
[57] Tunnelblick and openvpn_xorpatch. https://tunnelblick.net/cOpenvpn_xorpatch.html.
[58] Summary on Recently Discovered V2Ray Weaknesses. https://gfw.report/blog/v2ray_weaknesses/en/.
[59] Indian Parliamentary Committee Wants To Ban VPN Services In India. https://www.indiatimes.com/technology/news/vpn-ban-indian-govt-vpn-services-in-india-548493.html.
[60] Chinese government orders ISPs to block personal VPN use. https://privateinternetaccess.com/blog/great-firewall-china-chinese-government-orders-isps-block-personal-vpn-use-february-1st/.
[61] China’s firewall technology upgrades virtual private network management and control tightening. https://www.rfa.org/mandarin/yataibaodao/cyl-12212012155229.html.
[62] VPN Downloads surge in response to Hong Kong Security Law. https://www.bloomberg.com/news/articles/2020-05-22/vpn-downloads-surge-in-response-to-hong-kong-security-law.
[63] PTA sets deadline for VPN users to register by June 30th. https://privateinternetaccess.com/blog/the-coming-pakistan-vpn-ban-pta-sets-deadline-for-vpn-users-to-register-by-june-30th/.
[64] Rain throttles Internet speeds for customers on VPNs. https://mybroadband.co.za/news/internet/384642-rain-throttles-internet-speeds-for-customers-on-vpns.html.
[65] Biggest VPN Trends for 2020: Possibilities and Dangers. https://openvpn.net/blog/biggest-vpn-trends-for-2020-possibilities-and-dangers/.
[66] How Chameleon Defeats VPN Blocking. https://www.vyprvpn.com/features/chameleon.
[67] L. Wang, K. Dyer, A. Akella, T. Ristenpart, and T. E. Shrimpton. Seeing through network-protocol obfuscation. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015.
[68] W. Wang, M. Zhu, J. Wang, X. Zeng, and Z. Yang. End-to-end encrypted traffic classification with one-dimensional convolution neural networks. In 2017 IEEE International Conference on Intelligence and Security Informatics (ISI).
[69] N. Weaver, C. Kreibich, and V. Paxson. Redirecting DNS for Ads and Profit. In USENIX Workshop on Free and Open Communications on the Internet, 2011.
[70] A. T. Webb and A. N. Reddy. Finding proxy users at the service using anomaly detection. In 2016 IEEE Conference on Communications and Network Security (CNS). IEEE.
[71] P. Winter and S. Lindskog. How the Great Firewall of China is blocking Tor. In 2nd USENIX Workshop on Free and Open Communications on the Internet (FOCI 12), Bellevue, WA, Aug. USENIX Association.
[72] WireGuard with obfuscation support. https://github.com/net4people/bbs/issues/88.
[73] WireGuard – Let’s talk about obfuscation again. https://lists.zx2c4.com/pipermail/wireguard/2018-September/003289.html.
[74] E. Wustrow, C. M. Swanson, and J. A. Halderman. Tapdance: End-to-middle anticensorship without flow blocking. In 23rd USENIX Security Symposium (USENIX Security 14). USENIX Association.
[75] The Zeek Network Security Monitor. https://zeek.org/.
[76] Q. Zhang, J. Li, Y. Zhang, H. Wang, and D. Gu. OhPwn-VPN! Security Analysis of OpenVPN-Based Android Apps. In CANS, 2017.