
Re: Does VPN traffic stand out from other traffic to the ISP?

From ohreally <ohreally@maybenot.org>
Newsgroups comp.os.linux.security
Subject Re: Does VPN traffic stand out from other traffic to the ISP?
Date 2014-01-30 06:09 +0000
Organization Netfront http://www.netfront.net/
Message-ID <lccqa7$30df$1@adenine.netfront.net>
References <lc9ga3$doq$3@news.mixmin.net> <lc9l5p$1j0$1@dont-email.me>



Lusotec <nomail@nomail.not> wrote in news:lc9l5p$1j0$1@dont-email.me:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Cordell James wrote:
>> What does the ISP actually *see* when VPN
>> is trafficking his network?
> 
> The ISP sees the encrypted packet stream, the TCP/IP packet headers,
> the packet sizes and the packet times.
> 
> With the above information and without any significant computational
> power it is possible to infer what kind of traffic is going through
> the VPN (e.g. http, POP, interactive terminal/vnc/rdp session).
> 
> Some VPNs minimize/prevent this information leak by
> smoothing/flattening the packet size and time distributions, for
> example by constantly filling the channel with data to produce a
> constant rate of same sized packets. Dummy data is sent when there is
> no actual data to send.
> 
>> I realize he sees "gibberish", but, can he
>> just look at that gibberish and say "that
>> looks a lot like my subscriber is using VPN"?
> 
> Yes and depending on the VPN software they may even be able to say
> "that looks a lot like a VNC transmitting HTTP/IMAP/vnc/whatever
> traffic".
> 
>> Does VPN traffic stand out from other traffic?
> 
> Yes. It is very easy to spot encrypted traffic among all the traffic
> and different kinds of encrypted traffic (e.g. https, ssh, vpn,
> openssl, tor, imaps, pops) have somewhat distinct handshake and early
> traffic patterns so it is possible to make an educated guess on what
> kind of encrypted traffic it is.

That contradicts what other (self-appointed?) experts have told me, that 
is, that vpn traffic over https/p443 is indistinguishable from email or 
other https traffic.

> 
> This kind of information leak can be minimized.
> 
> - - Fill the channel with dummy data and use traffic shaping to
> flatten the packet distribution while transmitting the dummy traffic
> with the least priority, so that your real traffic can get to the
> destination with minimal delay.
> 
> - - Multiplex/mix traffic in a single channel.
> 
> - - Use a less suspicious encryption channel (e.g. https) to encrypt a
> more suspicious encryption channel (e.g. vpn).
> 
> - - Use proxies with lots of encrypted traffic to obscure your own
> traffic. 
> 
> - - Use proxy chaining, preferably in various countries.
> 
> - - Use tor to anonymize your traffic and also give you plausible
> deniability. 
> 
> The above is more than enough to defeat an ISP level adversary but for
> nation/state level adversaries always remember that brute-force
> rubber-hose decryption is very effective and computationally free.
> 
> Regards
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> 
> iF4EAREIAAYFAlLoV/kACgkQGQjO2ccW76rODQD/QvXhqVU6wS8O+Exzz5NP627r
> eJiyzfeCkR6bClpmeSIA/R/9GGbNXyv10LI9LmpOGxQJw1fo3FlmpnIYivc+l2yv
> =ghyQ
> -----END PGP SIGNATURE-----
> 


--- news://freenews.netfront.net/ - complaints: news@netfront.net ---
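
The size/timing leak and the constant-rate padding described in the quoted reply, as an added example that is not part of the original thread: it computes what an on-path observer can measure from two constructed traces, then models padding to fixed-size cells at a fixed rate and reports the bandwidth cost. The traces, the function names and the 1400-byte / 50 ms cell parameters are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed traces: (seconds, bytes on the wire) as an on-path observer sees them.
INTERACTIVE = [(0.00, 90), (0.21, 74), (0.35, 90), (0.90, 106), (1.42, 74), (1.60, 90)]
BULK = [(0.00, 1400), (0.01, 1400), (0.02, 1400), (0.03, 1400), (0.04, 1400), (0.05, 620)]

def observable(trace):
    """Size and timing statistics computable without decrypting anything."""
    sizes = [s for _, s in trace]
    gaps = [b[0] - a[0] for a, b in zip(trace, trace[1:])]
    return {"mean_size": round(mean(sizes), 1), "size_spread": round(pstdev(sizes), 1),
            "mean_gap": round(mean(gaps), 3), "gap_spread": round(pstdev(gaps), 3)}

def pad_constant_rate(trace, cell=1400, interval=0.05, duration=2.0):
    """Model of the mitigation: one fixed-size cell every `interval` seconds.
    Real bytes are queued and drained into cells; empty cells carry dummy data."""
    out, queued, pending = [], 0, sorted(trace)
    for tick in range(int(round(duration / interval))):
        now = tick * interval
        while pending and pending[0][0] <= now + 1e-9:
            queued += pending.pop(0)[1]      # real data arrives at the tunnel
        queued = max(0, queued - cell)       # payload or dummy: same on the wire
        out.append((round(now, 3), cell))
    return out, queued                       # queued > 0: real data still waiting

def overhead(trace, padded):
    """Bytes sent on the wire per byte of real traffic."""
    return sum(s for _, s in padded) / sum(s for _, s in trace)

if __name__ == "__main__":
    for name, trace in (("interactive", INTERACTIVE), ("bulk", BULK)):
        padded, waiting = pad_constant_rate(trace)
        print(name, "raw   ", observable(trace))
        print(name, "padded", observable(padded),
              "waiting=%d overhead=x%.1f" % (waiting, overhead(trace, padded)))
```

The padded traces are identical for both inputs, and the overhead figure shows why the quoted reply suggests sending dummy traffic at the lowest priority: the interactive session pays far more per real byte than the bulk transfer.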
