Researchers have discovered three ways to detect OpenVPN sessions in transit traffic

A group of network researchers from the University of Michigan has presented, in two scientific papers (1 and 2), methods for identifying (fingerprinting) client connections to OpenVPN-based servers while monitoring transit traffic. The researchers found three ways to pick out the OpenVPN protocol among other network packets, which traffic inspection systems could use to block OpenVPN-based virtual networks.

According to OpenNET’s explanation, the researchers successfully tested the proposed methods on the network of the Internet provider Merit, which has more than a million users. The tests showed that the methods can identify 85% of OpenVPN sessions with a negligible level of false positives.

To verify the traffic monitoring, the researchers built a toolkit that first passively identifies OpenVPN traffic on the fly and then confirms the result through an active check of the server. A traffic stream of roughly 20 Gbit/s was mirrored to the analyzer the researchers created.

In the experiment, the analyzer developed by the researchers correctly identified 1,718 of 2,000 test OpenVPN connections established by a test client using 40 different typical OpenVPN configurations (the method worked for 39 of the 40 configurations). In addition, over the eight days of the experiment, 3,638 OpenVPN sessions were detected in transit traffic, of which 3,245 were confirmed.

The research notes that the upper bound on false positives for the proposed method is three orders of magnitude lower than for previously proposed methods based on machine learning.

Separately, the researchers evaluated how well commercial services protect OpenVPN traffic from tracking. Of the 41 VPN services tested that use OpenVPN traffic-cloaking techniques, the traffic was identified in 34 cases. The services whose traffic could not be identified as OpenVPN used additional layers to hide it (for example, routing OpenVPN traffic through an additional encrypted tunnel). Most of the successfully detected services used XOR scrambling of the traffic, added obfuscation layers without proper random padding, or ran non-obfuscated OpenVPN services on the same server.

The identification methods the researchers used rely on OpenVPN-specific patterns in unencrypted packet headers, on the size of ACK packets, and on the server’s response to a probe. In the first case, the opcode field in the packet header serves as the identifying feature during connection negotiation: it takes values from a fixed range and changes in a predictable way depending on the stage of connection establishment. Identification consists in detecting a particular sequence of opcode changes in the first N packets of the flow.

The second method relies on the fact that ACK packets are used in OpenVPN only during connection negotiation and have a specific size. Identification is based on ACK packets of that size appearing only in certain parts of the session (for example, in OpenVPN the first ACK packet is usually the third packet sent in the session).

The third method is an active check and relies on the fact that, in response to a connection reset request, the OpenVPN server sends a particular RST packet (the check does not work when tls-auth mode is used, because the OpenVPN server ignores requests from clients not authenticated via TLS).
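The following is an added example, not the researchers' toolkit and not OpenVPN project code. It implements the two passive checks described above (the opcode sequence in the first N packets, and the position and size of the first ACK packet) over constructed UDP datagrams, so that an operator of an OpenVPN service can see which header features a session exposes and test whether an obfuscation layer actually hides them. The opcode values are those of the OpenVPN wire protocol; the 22-byte length assumed for a plain ACK packet is derived from that wire format for a session without tls-auth or tls-crypt, and the sample flows are constructed here rather than captured. The active server probe is deliberately not included.

```python
from __future__ import annotations

# Opcode values from the OpenVPN wire protocol. For UDP, the opcode is the
# top 5 bits of the datagram's first byte; the low 3 bits carry the key id.
P_CONTROL_V1 = 4
P_ACK_V1 = 5
P_DATA_V1 = 6
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8
P_DATA_V2 = 9
P_CONTROL_HARD_RESET_CLIENT_V3 = 10

# Assumption derived from the wire format: a P_ACK_V1 packet acknowledging one
# packet id, without tls-auth/tls-crypt, is 1 (opcode/key id) + 8 (session id)
# + 1 (ack count) + 4 (acked packet id) + 8 (remote session id) = 22 bytes.
PLAIN_ACK_LEN = 22


def opcode(packet: bytes) -> int:
    """Extract the OpenVPN opcode from a UDP datagram's first byte."""
    return packet[0] >> 3


def opcode_fingerprint(packets: list[bytes], n: int = 8) -> bool:
    """Method 1: do the opcodes of the first n datagrams (both directions,
    in capture order) follow the OpenVPN negotiation pattern?"""
    ops = [opcode(p) for p in packets[:n] if p]
    if len(ops) < 3:
        return False
    # Client opens with a hard reset; the server answers with its own hard reset.
    if ops[0] not in (P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_CLIENT_V3):
        return False
    if ops[1] != P_CONTROL_HARD_RESET_SERVER_V2:
        return False
    # Then only control/ack packets until the first data packet, then data only.
    seen_data = False
    for op in ops[2:]:
        if seen_data:
            if op not in (P_DATA_V1, P_DATA_V2):
                return False
        elif op in (P_DATA_V1, P_DATA_V2):
            seen_data = True
        elif op not in (P_CONTROL_V1, P_ACK_V1):
            return False
    return True


def ack_fingerprint(packets: list[bytes]) -> bool:
    """Method 2: is the first ACK-opcode packet the third packet of the flow,
    and does it have the fixed plain-ACK length?"""
    for i, p in enumerate(packets):
        if p and opcode(p) == P_ACK_V1:
            return i == 2 and len(p) == PLAIN_ACK_LEN
    return False


def classify_flow(packets: list[bytes]) -> dict:
    """Combine both passive checks; a flow is flagged only if both agree."""
    op_match = opcode_fingerprint(packets)
    ack_match = ack_fingerprint(packets)
    return {"opcode_match": op_match, "ack_match": ack_match,
            "openvpn": op_match and ack_match}


def _pkt(op: int, body: bytes, key_id: int = 0) -> bytes:
    """Build a datagram: opcode/key-id byte followed by the given body."""
    return bytes([(op << 3) | key_id]) + body


def constructed_openvpn_flow() -> list[bytes]:
    """Constructed sample of an OpenVPN-over-UDP negotiation without tls-auth."""
    csid, ssid = b"\x11" * 8, b"\x22" * 8          # client / server session ids
    pid0, pid1 = (0).to_bytes(4, "big"), (1).to_bytes(4, "big")
    return [
        _pkt(P_CONTROL_HARD_RESET_CLIENT_V2, csid + b"\x00" + pid0),               # client reset, no acks
        _pkt(P_CONTROL_HARD_RESET_SERVER_V2, ssid + b"\x01" + pid0 + csid + pid0),  # server reset acking it
        _pkt(P_ACK_V1, csid + b"\x01" + pid0 + ssid),                              # client ACK, 22 bytes
        _pkt(P_CONTROL_V1, csid + b"\x00" + pid1 + b"\x16" * 200),                 # TLS handshake fragment
        _pkt(P_CONTROL_V1, ssid + b"\x01" + pid1 + csid + pid1 + b"\x16" * 300),   # server TLS fragment
        _pkt(P_DATA_V2, b"\x00\x00\x01" + b"\xaa" * 90),                           # encrypted data
        _pkt(P_DATA_V2, b"\x00\x00\x01" + b"\xbb" * 90),
    ]


def constructed_other_flow() -> list[bytes]:
    """Constructed sample of a non-OpenVPN UDP exchange (DNS-like framing)."""
    query = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x07example\x03com\x00\x00\x01\x00\x01"
    reply = b"\x12\x34\x81\x80\x00\x01\x00\x01" + b"\x00" * 20
    return [query, reply, query, reply]


if __name__ == "__main__":
    print("openvpn-like flow:", classify_flow(constructed_openvpn_flow()))
    print("other flow:       ", classify_flow(constructed_other_flow()))
```

Because both checks look only at cleartext header bytes, an obfuscation layer that keeps the opcode byte and the 22-byte ACK intact (for instance a fixed XOR mask, which leaves packet sizes and positions unchanged) still lets the ACK check succeed, which matches the article's observation about XOR-scrambled services.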