A TCP relay with segment morpher functionality.
In C/S system based on TCP (like SOCKSv5, Shadowsocks and ShadowsocksR), packets (with TCP segment wrapped in) are sent through internet directly like following:
These protocols are not designed to anti-censorship, so a DPI-box (or firewall) may detects these protocols by capturing packets, analyzing the traffic (with methods like clear-text attack, active-probe attack and even machine learning) and then blocks these protocols.
In practice, we have TLS/SSL to deal with clear-text attack and active-probe attack, but it can't resist detection of machine-learning based algorithms (like entropy analysis). So we need a mechanism to do this. That is the design purpose of this system.
The machine-learning based algorithms use series of "fingerprint" (or "features") to identify a protocol, including but not limited to:
- Packet/Segment size
- Flow duration
- Inter-arrival time
Among these features, packet/segment size is the most obvious one. So it is easy for us to change the "fingerprint" of inner protocols by changing the size of packets/segments.
In summary, we designed this system which can be worked as a transparent pluggable layer above the original protocol. See following diagram:
This system has two working mode - client and server. Their obfuscator/deobfuscator direction are different. You have to understand this carefully before configuring in order to get rid of unnecessary security vulnerabilities.
The obfuscator splits any incoming segment into several parts, adds padding to the tail and send it out. See following diagram:
To understand how the obfuscator works, you have to know about the "algorithm pipeline" which helps the obfuscator decide how to split input segments.
Each algorithm in a pipeline works as a function:
y = f(x)
where x is the size of input segment and y is the output segment size. Of course, f(x) can be chained:
y = p(x) = f3(f2(f1(x)))
Where p(x) is the pipeline algorithm function. You have to define a series of algorithms as p(x) in the configuration file.
For an incoming segment K, the system do following things:
- Calculate y = p(The unsplitted length of K)
- If y is less than or equal to the unsplitted length of K, splits the first y bytes off from K, wraps with a header and sends out. Go to the first step.
- Otherwise, adds padding to unsplitted bytes to y bytes, wraps with a header and sends out.
We will show you how to configure the algorithm pipeline in "Configuration" chapter.
| Package | Version |
|---|---|
| NodeJS | >= 8.7.0 |
To install XTCPMorpher, type following NPM command:
npm install xtcpmorpher -g
After installation, you can run xtcpmorpher in your terminal, like:
# Run demostration "01-simple".
# Server.
xtcpmorpher --log-level=info --configuration examples/01-simple/server.json --service server
# Client.
xtcpmorpher --log-level=info --configuration examples/01-simple/client.json --service client
# Run iperf3 server.
iperf3 -s -p 5082
# Run iperf3 client.
iperf3 -c localhost -p 5080 -R
This algorithm equals to "f(x) = x" which means "do nothing".
This algorithm has two modes – "set" and "increase".
In "set" mode, we will return a fixed integer. In "increase" mode, we will add a fixed incremental to the input and then return it.
For example, in "set" mode, if the input is 1000 and the fixed value is 500, you will get the result 500. In "increase" mode, you will get the result 1500.
Use following JSON to configure this algorithm:
{
"type": "fixed",
"mode": "set" (or "increase"),
"value": [The value]
}
Use a pseudo-random number generator (PRNG) to generate an integer as the incremental of the input. For example, if the PRNG generates 1, 2, 3, 4 and the inputs are 10, 20, 30, 40, the output will be 11, 22, 33, 44.
The algorithm accepts 4 parameters, includes the min/max value of generated integers, the seed and the probability distribution segment count. Generally, the segment count and the entropy are inversely related.
Use following JSON to configure this algorithm:
{
"type": "random",
"min": [Min value],
"max": [Max value],
"segments": [Segment count (1 <= K <= max - min + 1)]
}
The algorithm adds an integer X to the input. X was drawn from an array cyclically.
Use following JSON to configure this algorithm:
{
"type": "round-robin",
"values": [The array]
}
The algorithm give thresholds to the input value. If the min threshold was set and the input value is lower than that, the output value will be set to the min threshold. Similarly, if the max threshold was set and the input value is larget that than, the output value will be set to the max threshold. Otherwise, the output will be the same as the input value.
Use following JSON to configure this algorithm:
{
"type": "threshold",
"min": [Min threshold] (Optional),
"max": [Max threshold] (Optional)
}
Use an array to chain algorithms in a pipeline, like following:
[
{
// Configuration for the first algorithm.
},
{
// Configuration for the second algorithm.
},
...
{
// Configuration for the last algorithm.
}
]
Here is a configuration template:
{
"local": {
"address": "0.0.0.0",
"port": 5080,
"timeout": null, // Optional (milliseconds, not set by default).
"no-delay": true, // Optional (disable the nagle algorithm, false by default).
"keep-alive": true // Optional (send keep-alive packet, false by default).
},
"remote": {
"address": "127.0.0.1",
"port": 5081,
"timeout": null, // Optional (milliseconds, not set by default).
"no-delay": true, // Optional (disable the nagle algorithm, false by default).
"keep-alive": true // Optional (send keep-alive packet, false by default).
},
"buffer": {
"receiver": 4194304, // Optional (bytes, receiver buffer).
"sender": 65536 // Optional (bytes, sender buffer).
},
"obfuscator": {
"max-chunk": 65536, // Max chunk length (generally equals to MTU - 80).
"pipeline": [
... // Algorithm pipeline.
]
},
"deobfuscator": {
"max-segment": 65536, // Max output segment length (generally don't modify).
"max-chunk": 65536 // Max allowed chunk length (generally don't modify).
}
}
See "examples" directory.
This system has neither encryption nor active-probe resistance. You must use something like TLS/SSL to wrap our system to protect this system from being identified.