-
Notifications
You must be signed in to change notification settings - Fork 892
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS not detected #1946
Comments
@IvanNardi |
Yes, I downloaded it. |
@IvanNardi I maked this file public for everyone. I see that there is quite a lot of such traffic. For 5 minutes about 2300 connections. |
I made a PR, but it may not be a very accurate option. |
This kind of traffic doesn't look random to me, but some kind of evasion technique...
Evading firewall/dpi engines/censorship systems with overlapping segments has been a well know technique for decades... unfortunately nDPI lacks any generic logic to handle it. Tomorrow I'll take a proper look at you patch |
It is highly unlikely that this is an evasion technique. https://bugs.centos.org/view.php?id=14435 |
Did you find the same pattern in traffic other than TLS? If it is a "generic" issue we should find it with all kinds of TCP traffic (plain HTTP or SSH, for example) |
@vel21ripn , could you share some other flows, please? (even TLS) |
I will collect a sufficient set of such traffic. |
Perfect. In the meantime, could you take a look at #1948? It is still a draft, but it should work |
I wouldn't rush this PR without a sufficient set of traffic and traffic samples to test. |
Statistics showed that padding does not depend on the application protocol. |
Ok, are you able to collect and share some of these flows? |
I am now looking for different samples. This is very slow as it requires a lot of manual work. |
I posted typical traffic examples and a utility for analyzing tcp-sequence in my repository in the "pagging" branch. |
In some networks, there are some anomalous TCP flows where the smallest ACK packets have some kind of zero padding. It looks like the IP and TCP headers in those frames wrongly consider the 0x00 Ethernet padding bytes as part of the TCP payload. While this kind of packets is perfectly valid per-se, in some conditions they might be treated by the TCP reassembler logic as (partial) overlaps, deceiving the classification engine. Add an heuristic to detect these packets and to ignore them, allowing correct detection/classification. This heuristic is configurable. Default value: * in the library, it is disabled * in `ndpiReader` and in the fuzzers, it is enabled (to ease testing) Credit to @vel21ripn for the initial patch. Close ntop#1946
In some networks, there are some anomalous TCP flows where the smallest ACK packets have some kind of zero padding. It looks like the IP and TCP headers in those frames wrongly consider the 0x00 Ethernet padding bytes as part of the TCP payload. While this kind of packets is perfectly valid per-se, in some conditions they might be treated by the TCP reassembler logic as (partial) overlaps, deceiving the classification engine. Add an heuristic to detect these packets and to ignore them, allowing correct detection/classification. This heuristic is configurable. Default value: * in the library, it is disabled * in `ndpiReader` and in the fuzzers, it is enabled (to ease testing) Credit to @vel21ripn for the initial patch. Close ntop#1946
In some networks, there are some anomalous TCP flows where the smallest ACK packets have some kind of zero padding. It looks like the IP and TCP headers in those frames wrongly consider the 0x00 Ethernet padding bytes as part of the TCP payload. While this kind of packets is perfectly valid per-se, in some conditions they might be treated by the TCP reassembler logic as (partial) overlaps, deceiving the classification engine. Add an heuristic to detect these packets and to ignore them, allowing correct detection/classification. This heuristic is configurable. Default value: * in the library, it is disabled * in `ndpiReader` and in the fuzzers, it is enabled (to ease testing) Credit to @vel21ripn for the initial patch. Close ntop#1946
In some networks, there are some anomalous TCP flows where the smallest ACK packets have some kind of zero padding. It looks like the IP and TCP headers in those frames wrongly consider the 0x00 Ethernet padding bytes as part of the TCP payload. While this kind of packets is perfectly valid per-se, in some conditions they might be treated by the TCP reassembler logic as (partial) overlaps, deceiving the classification engine. Add an heuristic to detect these packets and to ignore them, allowing correct detection/classification. This heuristic is configurable. Default value: * in the library, it is disabled * in `ndpiReader` and in the fuzzers, it is enabled (to ease testing) Credit to @vel21ripn for the initial patch. Close #1946
An issue with TLS detection has been found due to extra null bytes in the packet.
This is an "ACK only" packet that cannot contain data.
The traffic dump is available on google.drive https://drive.google.com/file/d/1oGhkGCqo__M2dTtGly8XW5-4vI6G2HOg/view?usp=sharing
The packets 3 and 4 is overlapped by seq_number!
The packets 5 and 6 is overlapped by seq_number!
If these empty bytes are ignored, then NDPI considers that the fourth packet is "tcp retransmission" :( and the 517 byte packet does not get into the TLS handler.
If these extra bytes are ignored, then TLS is successfully detected.
I can't offer a PR yet.
The text was updated successfully, but these errors were encountered: