How nDPI Identifies Fully Encrypted Protocols

Posted · Add Comment

In the paper How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic it is described a technique used in censorship to identify and block fully encrypted protocols. This technique, limited to TCP flows, uses a few techniques that are applied on the first TCP packet with payload, making it fast and convenient although with a small (< 1%)  percentage of false positives:

  • Ex1: popcount(pkt) ≤ 3.4 or popcount(pkt) ≥ 4.6. len(pkt) len(pkt)
  • Ex2: The first six (or more) bytes of pkt are [0x20, 0x7e].
  • Ex3: More than 50% of pkt’s bytes are [0x20, 0x7e].
    Ex4: More than 20 contiguous bytes of pkt are [0x20, 0x7e].
  • Ex5: It matches the protocol fingerprint for TLS or HTTP.
  • Block if none of the above hold.

The above technique has been implemented in nDPI (only the heuristic of course) and in case of match we display a new flow risk indicating that this TCP connection (not HTTP or TLS based) is fully encrypted.

6 TCP <-> [proto: 305/Threema][IP: 305/Threema][Encrypted][Confidence: Match by IP][DPI packets: 13][cat: Chat/9][8 pkts/775 bytes <-> 5 pkts/472 bytes][Goodput ratio: 31/28][60.00 sec][bytes ratio: 0.243 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/29 9996/31 59845/33 22293/2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 97/94 257/146 62/33][Risk: ** Fully encrypted flow **][Risk Score: 50][Plen Bins: 0,50,25,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

With this nDPI extension we want to increase network administrators awareness  about TCP encrypted traffic not using standard protocols (e.g. TLS) flowing in their network that can indicate a VPN used to circumvent the network security polices.

Enjoy !