{"title":"保护流量免受dpi系统干扰的方法","authors":"A. Ilyenko, Sergii Ilyenko, Oleksandr Vertypolokh","doi":"10.28925/2663-4023.2020.10.7587","DOIUrl":null,"url":null,"abstract":"This article discusses further ways to protect traffic from DPI systems. The possibilities of using network protocols and application of DPI systems are investigated in the article. The analysis of the problem made it possible to identify vulnerabilities in the DNS protocol, which is based on the UDP protocol. These vulnerabilities include spoofing, interception, and traffic tethering. Also on the basis of the analysis of methods of protection of DNS traffic from interference, the authors substantiate and define the following: 1) all DNS queries are transmitted in the open; 2) existing approaches to traffic protection do not use encryption and, consequently, do not ensure the confidentiality of information; 3) there is only confirmation of the authenticity of the records. The authors have created a summary table, which identifies reliable methods of protecting DNS traffic. The authors propose the development of a full-fledged local proxy server to provide DNS traffic that can access trusted public DNS resolvers using doh and dot protocols. To understand the principles of protocol interaction, we developed our own local implementation of the main components of the network, which are most often dealt with by network users, namely: 1) web server; 2) DNS server; 3) server providing cryptographic protection and hiding open requests. The practical value of the obtained results lies in the software implementation of methods to protect traffic from DPI systems in Visual Studio Code by using the Python 3.8 programming language, which allows to provide cryptographic protection of traffic. The proposed solution of the local proxying server can be improved in the future by introducing local caching with the addition of the ability to create rules for certain domains and their subdomains. The implemented test doh server can be deployed on a trusted dedicated server outside of possible filter equipment installation points. This implementation will allow you to fully control your own traffic for resolving domain names. The authors further plan a number of scientific and technical solutions to develop and implement effective methods, tools to meet the requirements, principles and approaches to cyber security and traffic protection from interference by DPI systems in experimental computer systems and networks.","PeriodicalId":198390,"journal":{"name":"Cybersecurity: Education, Science, Technique","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"METHOD FOR PROTECTION TRAFFIC FROM INTERVENTION OF DPI SYSTEMS\",\"authors\":\"A. Ilyenko, Sergii Ilyenko, Oleksandr Vertypolokh\",\"doi\":\"10.28925/2663-4023.2020.10.7587\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"This article discusses further ways to protect traffic from DPI systems. The possibilities of using network protocols and application of DPI systems are investigated in the article. The analysis of the problem made it possible to identify vulnerabilities in the DNS protocol, which is based on the UDP protocol. These vulnerabilities include spoofing, interception, and traffic tethering. Also on the basis of the analysis of methods of protection of DNS traffic from interference, the authors substantiate and define the following: 1) all DNS queries are transmitted in the open; 2) existing approaches to traffic protection do not use encryption and, consequently, do not ensure the confidentiality of information; 3) there is only confirmation of the authenticity of the records. The authors have created a summary table, which identifies reliable methods of protecting DNS traffic. The authors propose the development of a full-fledged local proxy server to provide DNS traffic that can access trusted public DNS resolvers using doh and dot protocols. To understand the principles of protocol interaction, we developed our own local implementation of the main components of the network, which are most often dealt with by network users, namely: 1) web server; 2) DNS server; 3) server providing cryptographic protection and hiding open requests. The practical value of the obtained results lies in the software implementation of methods to protect traffic from DPI systems in Visual Studio Code by using the Python 3.8 programming language, which allows to provide cryptographic protection of traffic. The proposed solution of the local proxying server can be improved in the future by introducing local caching with the addition of the ability to create rules for certain domains and their subdomains. The implemented test doh server can be deployed on a trusted dedicated server outside of possible filter equipment installation points. This implementation will allow you to fully control your own traffic for resolving domain names. The authors further plan a number of scientific and technical solutions to develop and implement effective methods, tools to meet the requirements, principles and approaches to cyber security and traffic protection from interference by DPI systems in experimental computer systems and networks.\",\"PeriodicalId\":198390,\"journal\":{\"name\":\"Cybersecurity: Education, Science, Technique\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"1900-01-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Cybersecurity: Education, Science, Technique\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.28925/2663-4023.2020.10.7587\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Cybersecurity: Education, Science, Technique","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.28925/2663-4023.2020.10.7587","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 1
摘要
本文将进一步讨论保护流量免受DPI系统攻击的方法。本文探讨了采用网络协议的可能性和DPI系统的应用。通过对问题的分析,可以识别基于UDP协议的DNS协议中的漏洞。这些漏洞包括欺骗、拦截和通信阻塞。在分析DNS流量抗干扰方法的基础上,提出并定义了以下几点:1)所有的DNS查询都是公开传输的;2)现有的流量保护方法不使用加密,因此不能确保信息的机密性;3)只有对记录真实性的确认。作者创建了一个汇总表,其中确定了保护DNS流量的可靠方法。作者建议开发一个成熟的本地代理服务器来提供DNS流量,该流量可以使用doh和。协议访问可信的公共DNS解析器。为了理解协议交互的原理,我们开发了自己的本地实现网络的主要组件,这些组件最常由网络用户处理,即:1)web服务器;2) DNS服务器;3)提供加密保护和隐藏打开请求的服务器。所获得的结果的实用价值在于通过使用Python 3.8编程语言在Visual Studio Code中软件实现保护流量免受DPI系统攻击的方法,该方法允许对流量提供加密保护。通过引入本地缓存以及为特定域及其子域创建规则的能力,可以在将来改进所提出的本地代理服务器解决方案。实现的测试doh服务器可以部署在可能的过滤设备安装点之外的可信专用服务器上。此实现将允许您完全控制自己的流量解析域名。作者进一步规划了一些科学和技术解决方案,以开发和实施有效的方法、工具,以满足实验计算机系统和网络中DPI系统对网络安全和流量保护的要求、原则和方法。
METHOD FOR PROTECTION TRAFFIC FROM INTERVENTION OF DPI SYSTEMS
This article discusses further ways to protect traffic from DPI systems. The possibilities of using network protocols and application of DPI systems are investigated in the article. The analysis of the problem made it possible to identify vulnerabilities in the DNS protocol, which is based on the UDP protocol. These vulnerabilities include spoofing, interception, and traffic tethering. Also on the basis of the analysis of methods of protection of DNS traffic from interference, the authors substantiate and define the following: 1) all DNS queries are transmitted in the open; 2) existing approaches to traffic protection do not use encryption and, consequently, do not ensure the confidentiality of information; 3) there is only confirmation of the authenticity of the records. The authors have created a summary table, which identifies reliable methods of protecting DNS traffic. The authors propose the development of a full-fledged local proxy server to provide DNS traffic that can access trusted public DNS resolvers using doh and dot protocols. To understand the principles of protocol interaction, we developed our own local implementation of the main components of the network, which are most often dealt with by network users, namely: 1) web server; 2) DNS server; 3) server providing cryptographic protection and hiding open requests. The practical value of the obtained results lies in the software implementation of methods to protect traffic from DPI systems in Visual Studio Code by using the Python 3.8 programming language, which allows to provide cryptographic protection of traffic. The proposed solution of the local proxying server can be improved in the future by introducing local caching with the addition of the ability to create rules for certain domains and their subdomains. The implemented test doh server can be deployed on a trusted dedicated server outside of possible filter equipment installation points. This implementation will allow you to fully control your own traffic for resolving domain names. The authors further plan a number of scientific and technical solutions to develop and implement effective methods, tools to meet the requirements, principles and approaches to cyber security and traffic protection from interference by DPI systems in experimental computer systems and networks.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
