Adding support to detection: SNI Injection/SSL Tunnel/DNS Tunnel/Shadowsocks/V2Ray/Xray/Hysteria/

[mmanoj]

Problem Description:
Most Internet users use Specific zero-rated fraud techniques, including HTTP Header Injection, Domain Fronting,
and DNS Spoofing to bypass DPI rules using zero-rated url or subscribed services.It's good to have improved detection such techniques.The simulation can be performed using HTTP-Injector mobile app.

some hints to detect such attempts
You can detect mismatches between the TLS Server Name Indication (SNI) and the HTTPS host header, and get a warning about domain fronting.

Sample Captures
Attached some pcap file with having initial handshake request such connection attempts
http-inject_28_Sep_12_35_57.zip

[mmanoj]

@IvanNardi

Can we discuss the way forward for adding this support.I can generate more PCAPs with specific protocol scenarios.

[0xA50C1A1]

Such services are often used to circumvent censorship, so it will be a two-edged sword.

[mmanoj]

@0xA50C1A1
Thanks for the feedback, I totally agreed with you.However considering CSP perspective this is required to prevent/monitor ZERO-RATED FRAUD TECHNIQUES.

[IvanNardi]

I personally don't have any plans on working on that topic in the short term. Of course, I'll review any PR
Having said that, it is a very complex topic.
For example:

some hints to detect such attempts
You can detect mismatches between the TLS Server Name Indication (SNI) and the HTTPS host header, and get a warning about domain fronting.

How is that useful from an implementation POV? We don't have access to the HTTP host header, do we?

[mmanoj]

@IvanNardi

Thanks for the feedback, regarding HTTP host header only server side can see, like cloud or hosting provider --> "Requests where the host header in HTTP/HTTPS requests that doesn't match the original TLS SNI extension used during the TLS negotiation gets blocked."

However I'm going to work with below approach for initially for detecting VPN/SNI injectors based on currently available nDPI features and infrastructure.

1.Capture sample PCAPS of same service with legitimate behavior and same service under VPN.
2.Create application signature/ snapshot of the packet behavior based on flow features
3.Use nDPI risk indicator and other packet feature like (number of flow packets. packet IAT, goodput ratio etc.) to build heuristic model
4.Compare the suspected flow with packet snapshot/application signature to check the flow behavior type.

Example suspected traffic analysis