Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

VPN traffic profiling

  • 21-06-2006 8:56am
    #1
    Closed Accounts Posts: 194 ✭✭


    Blaster99 wrote:
    Vodafone blocks VoIP in other markets where this service is available.
    How are they blocking VoIP? If it is by port number then just tunnel through port 80. Or are they IP blocking the VoIP providers? Seems like an impossible task to me.


Comments

  • Registered Users, Registered Users 2 Posts: 849 ✭✭✭jwt


    No VoIP provider I know of provides VoIP on port 80 so you cant use it that way.

    If you try to tunnel from your machine/router/firewall to the Voip provider over port 80 you need somewhere to tunnel to.

    Typically you would have another machine you own or control elsewhere on the internet, say web hosting server.

    You configure that server to act as the receiving end of the tunnel on port 80 and from there your standard VoIP ports are used to access the VoIP provider.

    Your VoIP provider would see the IP traffic originating from your web server where ever that is located.

    Alternatively if you know someone or have access to another machine using a BB provider who doesn't block VoIP, use that.

    Have a look at Zebedee.

    For the die hard linux guys heres one way to SSH tunnel



    John


  • Registered Users, Registered Users 2 Posts: 32,417 ✭✭✭✭watty


    Traffic shaping. It is possible.


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    they can 'traffic shape' the voip inside or outside a vpn.

    I have been reliably informed that when they 'inspect vpns' for shaping purposes that they can spot and shape H.323 anytime and spot and shape SIP with certain codecs but not IAX apparently and not SIP with all codecs :D

    You will have to vpn or tunnel thru the bastids though . They will murder those protocols and eat their babies outside a tunnel.


  • Registered Users, Registered Users 2 Posts: 849 ✭✭✭jwt


    I would be very interested in how they can spot anything other than data size in a VPN tunnel.

    Unless they have figured out how to unencrypt the VPN on the fly?


    John


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    JWT , if you put your hand on a black wavin cold water pipe you can 'feel' when water is going thru and when it is not . You cannot see the water but you know its carrying water from evidence on the surface. The judders tell you if its carrying a lot of water very suddenly or if its a trickle .

    These ripples 'on the outside' of the VPN are what drives the shaping algorithms and then Voda will have all sorts of excuses as usual to explain the rest when you complain as some poor fools will, thinking Voda is listening to them .

    "We don't guarantee indoor coverage etc yadda yadda ****e "

    Your best bet is to keep that VPN pipe open at all times which will severely impair the accuracy of the shaping algorithm .......innit :D


  • Advertisement
  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 23,276 Mod ✭✭✭✭bk


    Sponge if they can tell what is going on inside VPN, then the encryption algorithms used by VPN are fundamentally broken. What you describe is not possible with most well written encryption algorithms.

    This is a very well known problem in encryption.

    I find it very hard to believe, please point us at an article about this.


  • Closed Accounts Posts: 2,784 ✭✭✭Urban Weigl


    Using a properly secured VPN, this should not be possible (unless they degrade VPN's in general, of course).


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    bk wrote:
    Sponge if they can tell what is going on inside VPN, then the encryption algorithms used by VPN are fundamentally broken.

    They cannot tell whats inside, they can merely infer from the external evidence and then throttle just enough to thwart the codec. Thats VoIP degraded or crippled.

    Its called deep packet inspection. The other target is P2P traffic .

    http://www.securityfocus.com/infocus/1817
    n general, the DPI engine scrutinizes each packet (including the data payload) as it traverses the firewall, and rejects or allows the packet based upon a ruleset (or prioritises SB) that is implemented by the firewall administrator. The inspection engine implements the ruleset based upon signature-based comparisons, heuristic, statistical, or anomaly-based techniques, or some combination of these.

    Deep Packet Inspection promises to enhance firewall capabilities by adding the ability to analyze and filter SOAP and other XML messages, dynamically open and close ports for VoIP application traffic, perform in-line AV and spam screening, dynamically proxy IM traffic, eliminate the bevy of attacks against NetBIOS-based services, traffic-shape or do away with the many flavors of P2P traffic (recently shown to account for ~35% of internet traffic), and perform SSL session inspection.

    And thats where it was at a year back, things have moved on.


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 23,276 Mod ✭✭✭✭bk


    Sponge Bob wrote:
    They cannot tell whats inside, they can merely infer from the external evidence and then throttle just enough to thwart the codec. Thats VoIP degraded or crippled.

    Its called deep packet inspection. The other target is P2P traffic .

    http://www.securityfocus.com/infocus/1817



    And thats where it was at a year back, things have moved on.

    That simply won't work with VPN, there is absolutely no way to differentiate a VPN packet carrying a part of an email versus a VoIP packet.

    This is computer security 101, I mean this was literally one of the first things any student learning computer security or encryption learns in college.

    All encrpyted information blocks are padded with random data to the same size, so there is no way of telling what might be held in the data block.

    If this was broken it would be the biggest news in the computer industry since the year 2000 bug. It would mean that most of the security of big banks and government is broken. I'm afraid your friend is simply misinformed.

    BTW many P2P apps (like bitorrent) are now using encryption to succesfully circumvent traffic shaping by ISPs.

    BBTW Of course the ISP could identify packets as being VPN and throttle that, but then they would lose most of their customers as most business travellers use VPN to connect to work.


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    This technology works on approximation bk not by cracking a vpn but by making statistical assumptions based on overall packetisation

    vpn technology itself has not changed much in 5 or 6 years but will no doubt respond by introducing randomisation and different padding methods to thwart the statistical assumptions .

    I suspect the specific shaping product is a derivation of this stuff here

    http://wireless.ittoolbox.com/press/display.asp?i=109981

    http://www.prweb.com/releases/2006/2/prweb350618.htm

    developed because <cough>

    http://www.flashnetworks.com/files/pdf/WirelesseuropeOctNov04.pdf

    beyond that I am in NDA territory, soz :D


  • Advertisement
  • Closed Accounts Posts: 2,630 ✭✭✭Blaster99


    What SB is saying is that you can look at the shape of the VPN traffic and determine with some level of certainty that it's a voice stream, not an e-mail. The VoIP codecs use 20ms or 30ms frames. I'm sure a steady stream of such packets, even encrypted, is detectable. Seeing as the VoIP codecs are sensitive to loss or delay, it's pretty easy to muck up the calls without affecting any other incorrectly shaped traffic much.

    Clearwire is very good at killing P2P, so I don't think your encrypted P2P theory is correct either.

    But I don't think Vodafone would worry too much about VoIP over VPN in any event. That would be a very marginal threat to them. And tunnelling is not going to do the voice quality any favours plus we're talking NLOS wireless technology which is hardly an ideal backdrop for VoIP quality in the first place.

    I know from having talked to senior Vodafone people that they're very worried about VoIP, for obvious reasons. This is why they've delayed flat rate data access for so long. Perhaps they've found a good traffic shaping solution now.


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    Blaster99 wrote:
    What SB is saying is that you can look at the shape of the VPN traffic and determine with some level of certainty that it's a voice stream, not an e-mail.

    exactly, and certain VoIP codecs are susceptible to some level of latency that would not affect SMB chatter to the same degree.

    it need not be perfect either.


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 23,276 Mod ✭✭✭✭bk


    watty wrote:
    If you made VOIP look like something else by merging it with another stream before transmission you suffer two problems:
    1) The extra bandwidth needed to "hide" the traffic profile even in a VPN is significant.

    2) The latency increases.

    If I do an encrypted rush hour traffic report encrypted each day, a good analyst would tell from other factors that maybe it is a rush hour report without breaking the code. If I hide that report in a larger /longer encrypted report, that runs all day then the rush hour report existance is harder to infer.

    In WW2 code breakers could deduce from source and time of transmissions what kind of report it was , without decryption at all, so you don't need to decrypt VPN traffic to know if it is email (small challange / response and large asymetric traffic), video (continous one way traffic), voice (similar size packets similar quality each way in a charactristic burst) etc.

    Thanks watty, that explains very well what I was trying to say earlier. This is a very well known problem in the computer security area and I had assumed that VPN had been designed to avoid this problem.

    From what you guys are saying, it seems I'm wrong and VPN wasn't designed to avoid this problem. I therefore consider VPN broken. This is very worrying as I know lots of big companies, banks and even militaries around the world use VPN.


  • Registered Users, Registered Users 2 Posts: 7,042 ✭✭✭kaizersoze


    bk wrote:
    Thanks watty, that explains very well what I was trying to say earlier. This is a very well known problem in the computer security area and I had assumed that VPN had been designed to avoid this problem.

    From what you guys are saying, it seems I'm wrong and VPN wasn't designed to avoid this problem. I therefore consider VPN broken. This is very worrying as I know lots of big companies, banks and even militaries around the world use VPN.
    But is it really broken if all that can be determined is the type of traffic rather than the exact contents? I'm not dismissing your arguement (as I'm not really familiar with VPN and have never used it), just posing the question.


  • Closed Accounts Posts: 182 ✭✭aaronc


    bk wrote:
    From what you guys are saying, it seems I'm wrong and VPN wasn't designed to avoid this problem. I therefore consider VPN broken. This is very worrying as I know lots of big companies, banks and even militaries around the world use VPN.
    A VPN is a concept so you can't really say they are broken, you could say they are a bad idea but since they are popular and prevalent that would also seem unlikely. You could say a VPN implementation was broken and there are probably some of those around.

    As with everything in IT there are different kinds of VPNs, http://en.wikipedia.org/wiki/VPN, but in this discussion the main focus is on one that can provide data confidentiality to stop a traffic carrier from being able to detect a certain class of traffic. As mentioned previously in the thread no VPN worth it's salt is going to be feasible for a carrier to decrypt so this means the carrier will have to rely on using statistical or other means to identify traffic, this was also previously mentioned.

    In my opinion using "other means" to identify traffic is not that easy (except for just blocking IP addresses but that could cause legal problems). Sure if you were in a lab monitoring traffic between two routers with Ethereal and some fancy analysis tools you could probably do it. If you're a carrier concerned about getting vast amounts of data across your network I suspect that the expense, expertise and even technology to do the same thing with large traffic volumes is going to make it a big headeache if it is even possible. As an aside the traffic profile of things like gaming, webcams, netmeeting etc. would all look very similar to VoIP so filtering one could block innocent traffic resulting in an increase in support calls which can be could be an even bigger cost. The technology is definitely there to filter high volume plaintext traffic and in fact it can be as easy as dropping undesireable SIP INVITE requests to stop a big portion of VoIP traffic but to do the same thing with encrypted traffic I'm not so sure.

    If I had to choose between detecting and filtering certain types of traffic on a VPN or working out mechanisms to get the traffic through undetected I would choose the latter as being the easier task.

    Aaron


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 23,276 Mod ✭✭✭✭bk


    kaizersoze wrote:
    But is it really broken if all that can be determined is the type of traffic rather than the exact contents? I'm not dismissing your arguement (as I'm not really familiar with VPN and have never used it), just posing the question.

    Yes, it really would be broken from a computer security point of view.

    In previous wars armies couldn't always decrypt their enemies communications, but when they saw an increase in a certain type of messages, they knew that an attack was coming and put their forces on alert, often with devastating.

    I don't particularly care about VoIP in VPN, I'm surprised that VPN is so popular if this is true. If it is true, I'd say in time VPN will have to fix this problem and traffic shaping won't be possible anymore.


  • Registered Users, Registered Users 2 Posts: 816 ✭✭✭Cryos


    bk wrote:
    Thanks watty, that explains very well what I was trying to say earlier. This is a very well known problem in the computer security area and I had assumed that VPN had been designed to avoid this problem.

    From what you guys are saying, it seems I'm wrong and VPN wasn't designed to avoid this problem. I therefore consider VPN broken. This is very worrying as I know lots of big companies, banks and even militaries around the world use VPN.

    I dont really get what your saying here, looks like your saying vpn dosnt work over 3g/gprs or such ?

    I can say definatly it does work, as its what i use to get my mail. Do my timesheets on the corporate intranet and use internal messaging ? Using Contivity VPN


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 23,276 Mod ✭✭✭✭bk


    Blitz wrote:
    I dont really get what your saying here, looks like your saying vpn dosnt work over 3g/gprs or such ?

    I can say definatly it does work, as its what i use to get my mail. Do my timesheets on the corporate intranet and use internal messaging ? Using Contivity VPN

    Oh, technically it works fine, I use it myself. What I mean is that from a computer security perspective, it has significant weaknesses in the way that it protects the information being sent over the wire. It doesn't give 100% protection of the information being sent from being analysed and potentially being abused by a third party.


  • Registered Users, Registered Users 2 Posts: 17,441 ✭✭✭✭jesus_thats_gre


    bk wrote:
    Oh, technically it works fine, I use it myself. What I mean is that from a computer security perspective, it has significant weaknesses in the way that it protects the information being sent over the wire. It doesn't give 100% protection of the information being sent from being analysed and potentially being abused by a third party.

    What information can a third party, other than the network owner, get from a stream of VPN packets so? TBH, what can the network provider get?


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 23,276 Mod ✭✭✭✭bk


    What information can a third party, other than the network owner, get from a stream of VPN packets so? TBH, what can the network provider get?

    Buy this superb and interesting book on encryption through the ages and you will find out:

    http://www.simonsingh.net/The_Code_Book.html

    The book is really good and you don't need to be good at maths or anything like that to understand it.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 17,441 ✭✭✭✭jesus_thats_gre


    bk wrote:
    Buy this superb and interesting book on encryption through the ages and you will find out:

    http://www.simonsingh.net/The_Code_Book.html

    The book is really good and you don't need to be good at maths or anything like that to understand it.

    Why thank you.


  • Registered Users, Registered Users 2 Posts: 849 ✭✭✭jwt


    bk wrote:
    Buy this superb and interesting book on encryption through the ages and you will find out:

    http://www.simonsingh.net/The_Code_Book.html

    The book is really good and you don't need to be good at maths or anything like that to understand it.


    Already have it, it's a bit old now, but the basics remain.

    The crux of the issue is that someone monitoring your VPN can make some educated guesses about the data passing through the VPN by the size of the VPN. for example

    VPN upstream odd packet downstream huge.....downloading a large file, video etc.

    If the downstream spike is approx 700 MB of data I can make a guess that you are downloading something CD sized.

    If its consistently two 700 MB lumps of data then I'd make a better guess that you were downloading parts 1 and 2 of a DIVX videos.

    But I can't be sure.

    If I see consistent max upload and max download your either using P2P software or video conferencing. Again a guess but probably accurate.

    If I see 64k - 128k both ways with regular blips and lasting irregular amounts of time predominantly during the day, I can again make a guess that it's VoIP.

    But nowhere can I be sure of what's in the data.

    And although, as pointed out above, the enigma code was broken by guessing the topic of the data and that the Germans stupidly repeated the initial call sign twice at the start of the message, modern VPN encryption algorithms are complex, the data wildly varied and in some cases you are tunnelling already encrypted traffic which is pseudo random anyway.

    I'm not saying that VPN is unbreakable, but in volume scenarios it's as good as you could reasonably want.

    Any assumptions on the types of data being transmitted are just that. Assumptions.


    John


  • Registered Users, Registered Users 2 Posts: 3,889 ✭✭✭cgarvey


    Moved from this thread in IoffL


  • Closed Accounts Posts: 1,467 ✭✭✭bushy...


    Surely a better way to approach shaping is to send stuff you can identify straight away one way , and let stuff that needs further sussing off for deeper inspection ,instead of the other way around of trying to block/limit things ?
    Old idea of block everything ,allow what you want


  • Closed Accounts Posts: 716 ✭✭✭JohnnieM


    brilliant stuff lads...makes great reading


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    Bk, your comments regarding a VPN are unfounded. The security of any system is based on the threat model it is designed against, saying that a VPN has no security, without defining the threat model is meaningless.

    VPNs come in many shapes and guises. I've seen plain text tunnels runnning over the Internet that are referred to as VPNs because they link two networks. The typical VPN that I encounter is designed to offer confidential linking of a network. And the majority do this very well using standard asymmetric and symmetric key encryption.

    JWT explains it quite well. Even if you had perfect secrecy on the link, using a one time pad for example, traffic analysis, or signals intelligence (SIGINT), allows an attacker to perform statistical analysis of the traffic stream. For an example, read up on SSH keystroke timing attacks.

    The problem of offering sufficient traffic masking without wasting bandwidth is a difficult one, and there is a lot of ongoing research. If you are actually interested, have a look at www.freehaven.net/anonbib for a list of research papers in the area.

    Gav


Advertisement