-
Notifications
You must be signed in to change notification settings - Fork 894
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Traffic analysis of HTTP/2 CONNECT tunnels #1
Comments
Short lengths indicate h2 control frames. Real h2: Tunnel (the tunnel itself): Tunnel (stream controls): Tunnel (tunneled streams): |
Real h2 inference -64: The first packet from client side has a fixed size. (Magic + SETTINGS + WINDOW_UPDATE) Tunnel inference 13*n: A lot of WINDOW_UPDATE, a dynamic signature of HAProxy (1.8.3) 10: 200 HEADERS, too short (fix: Add paddings) Can't really hide the stuff-in-TLS-in-h2 DATA overhead. |
Recent evaluations of website fingerprinting against multiplexed HTTP/2: https://tools.ietf.org/html/draft-wood-pearg-website-fingerprinting-00 |
As of version 64.x.y.z.
Negative means traffic from the client; positive means traffic from the server.
An example of tunneled TLS data:
The lengths being counted here are the length of "Encryped Data" in the above diagram, because these lengths are cleartext and are independent from TCP segmentation. Cleartext TLS handshakes are not counted in the lengths.
Payload length -2000:2000:
The largest spikes from server side are: 1024, 1179 (Google servers), 1389 (Cloudflare?), 1427/1429 (TCP MSS?). These should be various self-imposed MTU/MSS related optimizations.
Large spikes from the client are mostly TLS handshakes being tunneled in h2 DATA frames:
-526: padded ClientHello with session resumption.
-267: some ECDH (pubkey len: 32) ClientKeyExchange + ChangeCipherSpec + 2x Encrypted Handshake Message.
? ~ -193: the bell curve covers unpadded ClientHellos with SNIs of various sizes. (-193 is the lower bound with an empty SNI.)
-225: ChangeCipherSpec + 2x Encrypted Handshake Message.
-135: some ECDH ClientKeyExchange (pubkey len: 65) + Encrypted Handshake Message.
-102: some ECDH ClientKeyExchange (pubkey len: 32) + Encrypted Handshake Message.
The text was updated successfully, but these errors were encountered: