Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Detecting Psiphon? #1099

Closed
MDMCK10 opened this issue Dec 27, 2020 · 6 comments
Closed

Detecting Psiphon? #1099

MDMCK10 opened this issue Dec 27, 2020 · 6 comments

Comments

@MDMCK10
Copy link

MDMCK10 commented Dec 27, 2020

So recently I've had to deal with the issue of VPNs being used to bypass network restrictions, while I've had success detecting most VPNs using both nDPI and other solutions, I've come across one I can't quite figure out how to detect, and that is Psiphon.

While I did check that there was a previous issue regarding this specific VPN, it seems that the original issue didn't go anywhere.

So: How does one detect this "Psiphon" VPN using nDPI?

@MDMCK10
Copy link
Author

MDMCK10 commented Dec 27, 2020

While I don't quite know how to make PCAPs of it properly, I used the "any.run" service to do network analysis of the application itself and it seems that "any.run" provides PCAPs of the network traffic of the machine the application was ran in.
I've attached said "any.run" tasks below, along with the PCAPs generated by "any.run"
https://app.any.run/tasks/38ee0b69-18d2-4ed1-b778-4a3e6c74a71e/ (default configuration, machine has full network access)
https://drive.google.com/file/d/10aFlVlyquZCxrc3CPAUw3U6KPLf6jr0H/view?usp=sharing

https://app.any.run/tasks/9ff353c3-58e2-480a-8952-ef7f6b85261c/ ("Fake net" enabled, which makes all requests fail, in this one it shows more clearly that the application tries to use different methods to connect)
https://drive.google.com/file/d/1BeRUjEKZ-CFT9eFiarYuab50cciTlLv9/view?usp=sharing

@MDMCK10
Copy link
Author

MDMCK10 commented Jan 5, 2021

Anyone have anything useful related to this?

@lucaderi
Copy link
Member

lucaderi commented Jan 7, 2021

I have analysed the two pcaps and I see a lot of junk connections like this. Not sure I can identify the few with the protocol you are mentioning

1	UDP 192.168.100.23:52569 -> 194.36.108.26:554 [proto: 188/QUIC][cat: Web/5][16 pkts/19872 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][41.52 sec][ALPN: h3-24][TLS Supported Versions: TLSv1.3][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 2965/0 16094/0 5033/0][Pkt Len c2s/s2c min/avg/max/stddev: 1242/0 1242/0 1242/0 0/0][TLSv1.3][Client: paristeltel.org][JA3C: 19fc5c235882855f161c8e8ce2aa445a][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
2	UDP 192.168.100.23:65119 -> 213.108.105.184:554 [proto: 188/QUIC][cat: Web/5][16 pkts/19872 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][29.31 sec][ALPN: h3-24][TLS Supported Versions: TLSv1.3][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 2093/0 12800/0 3507/0][Pkt Len c2s/s2c min/avg/max/stddev: 1242/0 1242/0 1242/0 0/0][TLSv1.3][Client: nanopuzzle.net][JA3C: 19fc5c235882855f161c8e8ce2aa445a][PLAIN TEXT (ispJTS)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
3	UDP 192.168.100.23:65361 -> 88.208.230.106:443 [proto: 188/QUIC][cat: Web/5][16 pkts/19872 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][46.51 sec][ALPN: h3-24][TLS Supported Versions: TLSv1.3][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3322/0 21076/0 6026/0][Pkt Len c2s/s2c min/avg/max/stddev: 1242/0 1242/0 1242/0 0/0][TLSv1.3][Client: www.rayindianaarticle.net][JA3C: 19fc5c235882855f161c8e8ce2aa445a][PLAIN TEXT (02 Pwa)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
4	UDP 192.168.100.23:63712 -> 109.228.54.54:443 [proto: 188/QUIC][cat: Web/5][14 pkts/17388 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][23.48 sec][ALPN: h3-24][TLS Supported Versions: TLSv1.3][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1956/0 10839/0 3245/0][Pkt Len c2s/s2c min/avg/max/stddev: 1242/0 1242/0 1242/0 0/0][Risk: ** Suspicious DGA domain name **][TLSv1.3][Client: www.brasilfabulouspublicationspark.org][JA3C: 19fc5c235882855f161c8e8ce2aa445a][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
5	UDP 192.168.100.23:52230 -> 217.174.240.141:554 [proto: 188/QUIC][cat: Web/5][13 pkts/16146 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][12.61 sec][ALPN: h3-24][TLS Supported Versions: TLSv1.3][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1146/0 6399/0 1911/0][Pkt Len c2s/s2c min/avg/max/stddev: 1242/0 1242/0 1242/0 0/0][TLSv1.3][Client: vcuiempiredowntown.net][JA3C: 19fc5c235882855f161c8e8ce2aa445a][PLAIN TEXT (QqBmern)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
6	TCP 192.168.100.23:49901 <-> 151.101.1.194:443 [proto: 91/TLS][cat: Web/5][16 pkts/10064 bytes <-> 10 pkts/2985 bytes][Goodput ratio: 91/81][0.02 sec][ALPN: h2;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.542 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1/2 7/5 2/2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 629/298 1514/1453 637/418][Risk: ** SNI TLS extension was missing **][TLSv1.3][JA3C: 19cc194917b610d58ad29129e7c3f1cf][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 13,0,6,0,0,0,0,13,0,0,0,0,0,0,0,6,13,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,34,0,0]
7	TCP 192.168.100.23:50611 <-> 193.148.19.242:443 [proto: 91/TLS][cat: Web/5][14 pkts/10059 bytes <-> 10 pkts/2985 bytes][Goodput ratio: 92/81][0.02 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.542 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1/2 7/6 2/2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 718/298 1514/1453 639/418][Risk: ** SNI TLS extension was missing **][TLSv1.3][JA3C: 8c23d614aa018ed7bc6c88b545ece240][JA3S: f4febc55ea12b31ae17cfb7e614afda8][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 13,0,6,0,0,0,0,13,0,0,0,0,0,0,0,0,13,0,0,0,6,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,34,0,0

@MDMCK10
Copy link
Author

MDMCK10 commented Jan 8, 2021

@lucaderi well, the thing with Psiphon is that it's actually designed to be more of a censorship circumvention style VPN rather than just a normal one, meaning it tries it's hardest to make blocking it pretty difficult (well, not surprising given how it can even bypass the GFW in China), although I do hope something can be done to detect it.
If you need any more info like more PCAPs, specific tests involving the application, etc, do let me know.

@MDMCK10
Copy link
Author

MDMCK10 commented Jan 19, 2021

@lucaderi Has there been any progress in regards to this?

@lucaderi
Copy link
Member

No I have not plan/time to implement this protocol but you can submit a PR with the code for supporting it.

utoni added a commit to utoni/nDPI that referenced this issue Jul 3, 2022
 * The traces are not up to date, but this is the best we got so far.

Signed-off-by: Toni Uhlig <[email protected]>
utoni added a commit to utoni/nDPI that referenced this issue Jul 4, 2022
 * The traces are not up to date, but this is the best we got so far.

Signed-off-by: Toni Uhlig <[email protected]>
utoni added a commit that referenced this issue Jul 4, 2022
* The traces are not up to date, but this is the best we got so far.

Signed-off-by: Toni Uhlig <[email protected]>
utoni added a commit to utoni/nDPI that referenced this issue Jul 4, 2022
 * The traces are not up to date, but this is the best we got so far.

Signed-off-by: Toni Uhlig <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants