• Does VPN traffic stand out from other traffic to the ISP?

    From Cordell James@110:300/11 to All on Wed Jan 29 00:00:03 2014
    What does the ISP actually *see* when VPN
    is trafficking his network?

    I realize he sees "gibberish", but, can he
    just look at that gibberish and say "that
    looks a lot like my subscriber is using VPN"?

    Does VPN traffic stand out from other traffic?

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: Mixmin (110:300/11@linuxnet)
  • From Lusotec@110:300/11 to All on Wed Jan 29 01:23:05 2014
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Cordell James wrote:
    What does the ISP actually *see* when VPN
    is trafficking his network?

    The ISP sees the encrypted packet stream, the TCP/IP packet headers, the packet sizes and the packet times.

    With the above information, and without any significant computational power, it is possible to infer what kind of traffic is going through the VPN (e.g. http, POP, interactive terminal/vnc/rdp session).

    Some VPNs minimize/prevent this information leak by smoothing/flattening the packet size and time distributions, for example by constantly filling the channel with data to produce a constant rate of same-sized packets. Dummy data is sent when there is no actual data to send.

    I realize he sees "gibberish", but, can he
    just look at that gibberish and say "that
    looks a lot like my subscriber is using VPN"?

    Yes, and depending on the VPN software they may even be able to say "that looks a lot like a VPN transmitting HTTP/IMAP/vnc/whatever traffic".

    Does VPN traffic stand out from other traffic?

    Yes. It is very easy to spot encrypted traffic among all the traffic, and different kinds of encrypted traffic (e.g. https, ssh, vpn, openssl, tor, imaps, pops) have somewhat distinct handshake and early traffic patterns, so it is possible to make an educated guess on what kind of encrypted traffic it is.

    This kind of information leak can be minimized.

    - Fill the channel with dummy data and use traffic shaping to flatten the packet distribution while transmitting the dummy traffic with the least priority, so that your real traffic can get to the destination with minimal delay.

    - Multiplex/mix traffic in a single channel.

    - Use a less suspicious encryption channel (e.g. https) to encrypt a more suspicious encryption channel (e.g. vpn).

    - Use proxies with lots of encrypted traffic to obscure your own traffic.

    - Use proxy chaining, preferably in various countries.

    - Use tor to anonymize your traffic and also give you plausible deniability.

    The above is more than enough to defeat an ISP-level adversary, but for nation/state-level adversaries always remember that brute-force rubber-hose decryption is very effective and computationally free.

    Regards
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.10 (GNU/Linux)

    iF4EAREIAAYFAlLoV/kACgkQGQjO2ccW76rODQD/QvXhqVU6wS8O+Exzz5NP627r eJiyzfeCkR6bClpmeSIA/R/9GGbNXyv10LI9LmpOGxQJw1fo3FlmpnIYivc+l2yv
    =ghyQ
    -----END PGP SIGNATURE-----


    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:300/11@linuxnet)
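    The two halves of Lusotec's answer (inference from packet sizes and times alone, and constant-rate padding as the countermeasure) as a worked example. This is added illustration, not code from the thread; the two sample flows are constructed rather than captured, and the thresholds in `guess()` are illustrative assumptions, not a published classifier.

```python
"""
Metadata-only traffic analysis of an encrypted tunnel, plus the
constant-rate padding countermeasure. Added example; the sample flows
are constructed, not captured, and the thresholds in guess() are
illustrative assumptions.
"""
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class Pkt:
    t: float   # seconds since the flow started
    size: int  # bytes on the wire; positive = subscriber -> VPN, negative = VPN -> subscriber


# Constructed: an interactive terminal/VNC-like session, one keystroke and
# one echo at a time, irregular human pacing, one larger screen update at the end.
INTERACTIVE = [
    Pkt(0.00, 60), Pkt(0.05, -60), Pkt(0.31, 60), Pkt(0.36, -60),
    Pkt(0.52, 60), Pkt(0.57, -60), Pkt(1.40, 60), Pkt(1.45, -60),
    Pkt(1.63, 60), Pkt(1.68, -60), Pkt(2.90, 60), Pkt(2.95, -500),
]

# Constructed: one request, then a steady stream of MTU-sized inbound
# packets with small outbound ACKs, i.e. a file download through the tunnel.
BULK_DOWNLOAD = sorted(
    [Pkt(0.0, 300)]
    + [Pkt(0.010 + i * 0.001, -1400) for i in range(30)]
    + [Pkt(0.012 + i * 0.004, 52) for i in range(7)],
    key=lambda p: p.t,
)


def features(flow):
    """Everything the ISP can compute without touching the ciphertext."""
    sizes = [abs(p.size) for p in flow]
    gaps = [b.t - a.t for a, b in zip(flow, flow[1:])]
    return {
        "pkts": len(flow),
        "bytes_in": sum(-p.size for p in flow if p.size < 0),
        "bytes_out": sum(p.size for p in flow if p.size > 0),
        "size_stdev": pstdev(sizes),
        "frac_small": sum(s < 200 for s in sizes) / len(sizes),
        "gap_stdev": pstdev(gaps) if gaps else 0.0,
    }


def guess(flow):
    """Educated guess at what the tunnel carries (thresholds are assumptions)."""
    f = features(flow)
    if f["pkts"] > 1 and f["size_stdev"] == 0:
        return "padded/constant-rate"   # packet sizes carry no information any more
    if f["frac_small"] > 0.8:
        return "interactive"            # mostly tiny packets: keystrokes and echoes
    if f["bytes_in"] > 10 * f["bytes_out"]:
        return "bulk-download"          # heavily asymmetric volume
    return "unknown"


def wire_bytes(flow):
    return sum(abs(p.size) for p in flow)


def pad_constant_rate(flow, cell=1400, interval=0.01):
    """Link padding: each direction is re-sent as fixed-size cells on a fixed
    clock. Real bytes are queued and go out first; dummy bytes fill the rest
    of each cell, and whole dummy cells go out while the queue is empty.
    Cells keep flowing until the real flow has ended and the queue is drained."""
    end = flow[-1].t
    padded = []
    for sign in (1, -1):
        real = sorted((p.t, abs(p.size)) for p in flow if p.size * sign > 0)
        idx = queued = tick = 0
        while True:
            now = tick * interval
            while idx < len(real) and real[idx][0] <= now:
                queued += real[idx][1]
                idx += 1
            queued = max(0, queued - cell)   # one cell carries up to `cell` real bytes
            padded.append(Pkt(round(now, 6), sign * cell))
            tick += 1
            if now >= end and idx == len(real) and queued == 0:
                break
    return sorted(padded, key=lambda p: (p.t, -p.size))


if __name__ == "__main__":
    for name, flow in (("interactive", INTERACTIVE), ("download", BULK_DOWNLOAD)):
        print(name, guess(flow), features(flow))
    padded = pad_constant_rate(INTERACTIVE)
    print("padded", guess(padded), "wire bytes:",
          wire_bytes(INTERACTIVE), "->", wire_bytes(padded))
```

    Run as a script it labels the two constructed flows correctly from sizes and volume alone, then shows the padded version of the interactive session collapsing to a single packet size. The cost is the point Lusotec hints at with "least priority": roughly a kilobyte of real keystroke traffic becomes on the order of 600 full-size cells (several hundred kilobytes) on the wire, and the padding still leaks how long the session lasted, which is why the dummy traffic has to keep flowing even when nothing real is being sent.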
  • From ps56k@110:300/11 to All on Wed Jan 29 17:19:43 2014
    interesting - just reading the thread....

    "Lusotec" <nomail@nomail.not> wrote in message news:lc9l5p$1j0$1@dont-email.me...
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Cordell James wrote:
    What does the ISP actually *see* when VPN
    is trafficking his network?

    The ISP sees the encrypted packet stream, the TCP/IP packet headers, the packet sizes and the packet times.

    With the above information, and without any significant computational power, it is possible to infer what kind of traffic is going through the VPN (e.g. http, POP, interactive terminal/vnc/rdp session).

    Some VPNs minimize/prevent this information leak by smoothing/flattening the packet size and time distributions, for example by constantly filling the channel with data to produce a constant rate of same-sized packets. Dummy data is sent when there is no actual data to send.

    I realize he sees "gibberish", but, can he
    just look at that gibberish and say "that
    looks a lot like my subscriber is using VPN"?

    Yes, and depending on the VPN software they may even be able to say "that looks a lot like a VPN transmitting HTTP/IMAP/vnc/whatever traffic".

    Does VPN traffic stand out from other traffic?

    Yes. It is very easy to spot encrypted traffic among all the traffic, and different kinds of encrypted traffic (e.g. https, ssh, vpn, openssl, tor, imaps, pops) have somewhat distinct handshake and early traffic patterns, so it is possible to make an educated guess on what kind of encrypted traffic it is.

    This kind of information leak can be minimized.

    - Fill the channel with dummy data and use traffic shaping to flatten the packet distribution while transmitting the dummy traffic with the least priority, so that your real traffic can get to the destination with minimal delay.

    - Multiplex/mix traffic in a single channel.

    - Use a less suspicious encryption channel (e.g. https) to encrypt a more suspicious encryption channel (e.g. vpn).

    - Use proxies with lots of encrypted traffic to obscure your own traffic.

    - Use proxy chaining, preferably in various countries.

    - Use tor to anonymize your traffic and also give you plausible deniability.

    The above is more than enough to defeat an ISP-level adversary, but for nation/state-level adversaries always remember that brute-force rubber-hose decryption is very effective and computationally free.

    Regards
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.10 (GNU/Linux)

    iF4EAREIAAYFAlLoV/kACgkQGQjO2ccW76rODQD/QvXhqVU6wS8O+Exzz5NP627r eJiyzfeCkR6bClpmeSIA/R/9GGbNXyv10LI9LmpOGxQJw1fo3FlmpnIYivc+l2yv
    =ghyQ
    -----END PGP SIGNATURE-----

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: me (110:300/11@linuxnet)
  • From ohreally@110:300/11 to All on Thu Jan 30 06:09:19 2014
    Lusotec <nomail@nomail.not> wrote in news:lc9l5p$1j0$1@dont-email.me:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Cordell James wrote:
    What does the ISP actually *see* when VPN
    is trafficking his network?

    The ISP sees the encrypted packet stream, the TCP/IP packet headers,
    the packet sizes and the packet times.

    With the above information, and without any significant computational
    power, it is possible to infer what kind of traffic is going through
    the VPN (e.g. http, POP, interactive terminal/vnc/rdp session).

    Some VPNs minimize/prevent this information leak by
    smoothing/flattening the packet size and time distributions, for
    example by constantly filling the channel with data to produce a
    constant rate of same-sized packets. Dummy data is sent when there is
    no actual data to send.

    I realize he sees "gibberish", but, can he
    just look at that gibberish and say "that
    looks a lot like my subscriber is using VPN"?

    Yes, and depending on the VPN software they may even be able to say
    "that looks a lot like a VPN transmitting HTTP/IMAP/vnc/whatever
    traffic".

    Does VPN traffic stand out from other traffic?

    Yes. It is very easy to spot encrypted traffic among all the traffic,
    and different kinds of encrypted traffic (e.g. https, ssh, vpn,
    openssl, tor, imaps, pops) have somewhat distinct handshake and early
    traffic patterns, so it is possible to make an educated guess on what
    kind of encrypted traffic it is.

    That contradicts what other (self-appointed?) experts have told me, that
    is, that vpn traffic over https/p443 is indistinguishable from email or
    other https traffic.


    This kind of information leak can be minimized.

    - Fill the channel with dummy data and use traffic shaping to
    flatten the packet distribution while transmitting the dummy traffic
    with the least priority, so that your real traffic can get to the
    destination with minimal delay.

    - Multiplex/mix traffic in a single channel.

    - Use a less suspicious encryption channel (e.g. https) to encrypt a
    more suspicious encryption channel (e.g. vpn).

    - Use proxies with lots of encrypted traffic to obscure your own
    traffic.

    - Use proxy chaining, preferably in various countries.

    - Use tor to anonymize your traffic and also give you plausible deniability.

    The above is more than enough to defeat an ISP-level adversary, but for
    nation/state-level adversaries always remember that brute-force
    rubber-hose decryption is very effective and computationally free.

    Regards
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.10 (GNU/Linux)

    iF4EAREIAAYFAlLoV/kACgkQGQjO2ccW76rODQD/QvXhqVU6wS8O+Exzz5NP627r eJiyzfeCkR6bClpmeSIA/R/9GGbNXyv10LI9LmpOGxQJw1fo3FlmpnIYivc+l2yv
    =ghyQ
    -----END PGP SIGNATURE-----

    --- news://freenews.netfront.net/ - complaints: news@netfront.net ---

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: Netfront http://www.netfront.net/ (110:300/11@linuxnet)
  • From Lusotec@110:300/11 to All on Thu Jan 30 12:42:04 2014
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    ohreally wrote:
    Lusotec wrote:
    Cordell James wrote:
    Does VPN traffic stand out from other traffic?

    Yes. It is very easy to spot encrypted traffic among all the traffic,
    and different kinds of encrypted traffic (e.g. https, ssh, vpn,
    openssl, tor, imaps, pops) have somewhat distinct handshake and early
    traffic patterns, so it is possible to make an educated guess on what
    kind of encrypted traffic it is.

    That contradicts what other (self-appointed?) experts have told me, that
    is, that vpn traffic over https/p443 is indistinguishable from email or
    other https traffic.

    My advice is to do a search for *encrypted traffic analysis* and start reading, in particular the many research papers on the subject. I bet you
    will be surprised.

    Regards
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.10 (GNU/Linux)

    iF4EAREIAAYFAlLqSJ0ACgkQGQjO2ccW76pkiQD/bff9FYPRDBkElIRWhHdeMkuU U5guLLUSOUwy28ddLT8A/1Lb7FW7SWlYNdRBXZ2KkerhLgy82h+4AyPdmD4iddZm
    =iAGv
    -----END PGP SIGNATURE-----


    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:300/11@linuxnet)
  • From ohyeah@110:300/11 to All on Fri Jan 31 02:44:36 2014
    Lusotec <nomail@nomail.not> wrote in news:lc9l5p$1j0$1@dont-email.me:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Cordell James wrote:
    What does the ISP actually *see* when VPN
    is trafficking his network?

    The ISP sees the encrypted packet stream, the TCP/IP packet headers,
    the packet sizes and the packet times.

    With the above information, and without any significant computational
    power, it is possible to infer what kind of traffic is going through
    the VPN (e.g. http, POP, interactive terminal/vnc/rdp session).

    Some VPNs minimize/prevent this information leak by
    smoothing/flattening the packet size and time distributions, for
    example by constantly filling the channel with data to produce a
    constant rate of same-sized packets. Dummy data is sent when there is
    no actual data to send.

    I realize he sees "gibberish", but, can he
    just look at that gibberish and say "that
    looks a lot like my subscriber is using VPN"?

    Yes, and depending on the VPN software they may even be able to say
    "that looks a lot like a VPN transmitting HTTP/IMAP/vnc/whatever
    traffic".

    Does VPN traffic stand out from other traffic?

    Yes. It is very easy to spot encrypted traffic among all the traffic,
    and different kinds of encrypted traffic (e.g. https, ssh, vpn,
    openssl, tor, imaps, pops) have somewhat distinct handshake and early
    traffic patterns, so it is possible to make an educated guess on what
    kind of encrypted traffic it is.

    This kind of information leak can be minimized.

    - Fill the channel with dummy data and use traffic shaping to
    flatten the packet distribution while transmitting the dummy traffic
    with the least priority, so that your real traffic can get to the
    destination with minimal delay.

    - Multiplex/mix traffic in a single channel.

    - Use a less suspicious encryption channel (e.g. https) to encrypt a
    more suspicious encryption channel (e.g. vpn).

    - Use proxies with lots of encrypted traffic to obscure your own
    traffic.

    - Use proxy chaining, preferably in various countries.

    - Use tor to anonymize your traffic and also give you plausible deniability.

    The above is more than enough to defeat an ISP-level adversary, but for
    nation/state-level adversaries always remember that brute-force
    rubber-hose decryption is very effective and computationally free.

    Regards
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.10 (GNU/Linux)

    iF4EAREIAAYFAlLoV/kACgkQGQjO2ccW76rODQD/QvXhqVU6wS8O+Exzz5NP627r eJiyzfeCkR6bClpmeSIA/R/9GGbNXyv10LI9LmpOGxQJw1fo3FlmpnIYivc+l2yv
    =ghyQ
    -----END PGP SIGNATURE-----

    Really? I was told by another expert (self-appointed?) that VPN SSL
    traffic over p443 is indistinguishable from other ssl traffic, for
    example, email.


    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: Netfront http://www.netfront.net/ (110:300/11@linuxnet)
  • From Thomas Keusch@110:300/11 to All on Sun Feb 2 14:43:23 2014
    On 2014-01-31, ohyeah <ohyea@idonthingso.com> wrote:

    Really? I was told by another expert (self-appointed?) that VPN SSL
    traffic over p443 is indistinguishable from other ssl traffic, for
    example, email.

    Maybe you should stop listening to this expert.

    Do you really think someone's traffic created by him downloading an ISO
    image over a VPN looks the same as reading a couple of emails over a
    VPN?

    Content decryption may be hard/impossible for now, but really, an
    encrypted stream of 800MB does not look like somebody is just opening
    and reading an email.

    --

    * Freelance Linux & BSD Systemengineer // IT Consultant *
    -=- Homepage: http://www.bsd-solutions-duesseldorf.de -=-

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: /dev/null Boring Headers Inc. (110:300/11@linuxnet)
  • From Dave@110:300/11 to All on Mon Feb 17 05:58:08 2014
    Thomas Keusch wrote:

    On 2014-01-31, ohyeah <ohyea@idonthingso.com> wrote:

    Really? I was told by another expert (self-appointed?) that VPN SSL
    traffic over p443 is indistinguishable from other ssl traffic, for
    example, email.

    Maybe you should stop listening to this expert.

    Do you really think someone's traffic created by him downloading an ISO
    image over a VPN looks the same as reading a couple of emails over a
    VPN?

    Content decryption may be hard/impossible for now, but really, an
    encrypted stream of 800MB does not look like somebody is just opening
    and reading an email.

    What about if it's an email containing an 800MB ISO image? :-)

    --
    Dave
    Too many gadgets, too little time

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:300/11@linuxnet)