[HN Gopher] Doxx/Darkflare: DarkFlare TCPoCDN (TCP over CDN)
___________________________________________________________________
Doxx/Darkflare: DarkFlare TCPoCDN (TCP over CDN)
Author : josephscott
Score : 146 points
Date : 2024-11-20 22:49 UTC (1 days ago)
| tomsonj wrote:
| chisel is a similar tool in this space
| https://github.com/jpillora/chisel
|
| I don't get why headers and requests need to be spoofed if all
| traffic is over https?
| Titan2189 wrote:
| > I don't get why headers and requests need to be spoofed if
| all traffic is over https?
|
| https://en.wikipedia.org/wiki/Deep_packet_inspection
| fragmede wrote:
| how are they looking inside the packet if it's encrypted?
| sodality2 wrote:
| DPI doesn't have to decrypt it to make certain guesses
| about its content. For example, timing information, packet
| sizes, routing info, etc could lead you to believe it's
| certain kinds of things (SSH, VPN, etc).
| mhio wrote:
| The headers are seen by the monster-in-the-middle CDN.
|
| It's obfuscation at best. I'm not sure the encrypted traffic
| will look particularly php-ish for example. Compressed formats
| might look vaguely passable.
|
| I can't see any steganography code or libraries in the repo.
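mhio's point that an encrypted payload will not look like an ordinary HTTP body can be checked from the CDN's or a network defender's side with a byte-entropy test on the body against what the headers claim. This is an added example, not code from the thread or from the DarkFlare repository; the content-type list, the 7.5 bits/byte threshold and the sample bodies are constructed assumptions.

```python
import gzip
import hashlib
import math
import zlib
from collections import Counter

# Content types that should carry readable, low-entropy bodies once any
# content-encoding is removed (assumed list; extend as needed).
TEXTUAL_TYPES = {"text/html", "text/plain", "text/css", "application/json"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_body(content_type: str, body: bytes,
                  content_encoding: str = "identity", threshold: float = 7.5) -> str:
    """Return 'suspicious' when headers claim text but the body looks like
    ciphertext (or claims gzip without being gzip), otherwise 'ok'."""
    ctype = content_type.split(";")[0].strip().lower()
    if ctype not in TEXTUAL_TYPES:
        return "ok"                    # binary/compressed types run high-entropy anyway
    if content_encoding.strip().lower() == "gzip":
        try:
            body = gzip.decompress(body)   # real gzipped text decompresses cleanly
        except (OSError, EOFError, zlib.error):
            return "suspicious"            # header says gzip, body is not gzip
    if len(body) < 64:
        return "ok"                    # too short for a meaningful estimate
    return "suspicious" if shannon_entropy(body) > threshold else "ok"


def pseudo_ciphertext(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for an encrypted tunnel payload (constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample bodies: an ordinary page and its gzip-encoded form.
SAMPLE_HTML = (b"<!doctype html><html><head><title>Welcome</title></head>"
               b"<body><p>An ordinary page served through the CDN.</p>"
               b"</body></html>") * 20
SAMPLE_HTML_GZIP = gzip.compress(SAMPLE_HTML)
```

Packet sizes and timing, which sodality2 mentions, are a separate signal that this check does not use; it only looks at the bytes the CDN already sees in the clear.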
| tomsonj wrote:
| yeah if the CDN is not trusted this tool won't help but then
| little would
| coretx wrote:
| Because SNI. Also, State (sponsored) Actors are certificate
| authorities. HTTPS is the biggest scam in internet history.
| https://en.wikipedia.org/wiki/Server_Name_Indication
| astrange wrote:
| This certainly was an issue but it's solved by ECH/DoH. As
| long as they aren't blocked on your network anyway.
|
| > Also, State (sponsored) Actors are certificate authorities.
|
| To generate a fake certificate as a CA you have to either put
| it in the Certificate Transparency log, in which case
| everyone will notice, or don't, in which case browsers will
| notice (they know what top sites' certificates are supposed
| to look like) and your CA will get shut down.
| hamilyon2 wrote:
| Someone should really test it, real red team black hat
| style and then fully publish the results. Try to mitm https
| with real unlogged certs and see what happens. Preregister
| the whole fully detailed procedure on blockchain. And
| report to public results fully, with proofs of being
| caught.
| account42 wrote:
| SNI doesn't expose headers and request paths.
| duskwuff wrote:
| > I don't get why headers and requests need to be spoofed if
| all traffic is over https?
|
| Because the traffic is to a CDN endpoint (like Cloudflare)
| which expects it to be an HTTP message.
| tomsonj wrote:
| it can still be an https message, who cares what the path,
| query string, or headers look like? that is all encrypted
| ignoramous wrote:
| You could straight up connect to the destination (over TCP) from
| Cloudflare without needing relays; a project I wrote demonstrates
| TCP over HTTP (for Deno Deploy) and TCP over WebSockets (for
| Workers): https://github.com/serverless-proxy/serverless-proxy
|
| Proxying projects utilising HTTP/TLS are popular in the anti-
| censorship community (discussion board:
| https://github.com/net4people/bbs) and there are many variants of
| it; ex:
|
| - KCP (over UDP): https://github.com/xtaci/kcp-go
|
| - Bepass: https://github.com/bepass-org/bepass-worker
| a-ve wrote:
| Is this something like WebTunnel from the Tor Project?
|
| https://gitlab.torproject.org/tpo/anti-censorship/pluggable-...
| est wrote:
| > Services like Cloudflare, Akamai Technologies, Fastly, and
| Amazon CloudFront ... support millions of websites across
| critical sectors, including government and healthcare, making
| them indispensable
|
| The author is pretty naive. There is a reason why Google was left
| out of the list: in the 2010s people argued "Google is too
| important and China would never dare to block it", then Google's whole
| IP range was blocked.
|
| Amazon CloudFront, Akamai, Fastly are also (partially) blocked and
| barely working.
|
| IMHO clever tricks like "domain fronting" are just freebooting
| dlenski wrote:
| > IMHO clever tricks like "domain fronting" are just freebooting
|
| What do you mean by "freebooting"?
|
| We added domain fronting support to the OpenConnect TLS-VPN
| client _in 2022_ because it is still working and useful for
| many people working in censored countries and environments.
| https://gitlab.com/openconnect/openconnect/-/merge_requests/...
| est wrote:
| > because it is still working
|
| That's a big "still" and you don't lose anything in case the
| real owner of the "fronted" domain suffers loss.
| notpushkin wrote:
| I don't think it's right to assign blame here to any party
| other than the authoritarian regime that decides to block
| the whole CDN.
| vundercind wrote:
| > What do you mean by "freebooting"?
|
| https://en.m.wikipedia.org/wiki/Filibuster_(military)
|
| Private attempts to meddle in the security and interests of
| states.
| novakwok wrote:
| There seems another way to achieve this, using Cloudflare's own
| cloudflared tunnel.
|
| Install a cloudflared tunnel on your remote server, configure it
| to forward traffic to that server's host's proxy server (maybe
| Shadowsocks) using the Zero Trust dashboard, and run the following
| command on your local computer:
|
| cloudflared access tcp --hostname some.your-domain.tld --url
| localhost:8080
|
| Then localhost:8080's traffic will be forwarded to cloudflared's
| host; the whole traffic is using HTTP2, so it might look legitimate
| to the firewall.
|
| For example, if using Shadowsocks on the server, your Shadowsocks
| local client can connect to localhost:8080 as the server to forward
| traffic.
| theblazehen wrote:
| How does this differ from tunneling a VPN over something like
| wstunnel?
|
| We've been running that in prod for several years without any
| issues, also going through cloudflare
| ameshkov wrote:
| I made a similar thing once to relay UDP traffic over WebSocket
| and it supports Cloudflare if needed:
| https://github.com/ameshkov/udptlspipe
|
| The use case is to relay WireGuard over TCP/CF in a restrictive
| network, confirmed to work in China, obviously not too fast.
| peter_d_sherman wrote:
| >"Why CDNs?
|
| Services like Cloudflare, Akamai Technologies, Fastly, and Amazon
| CloudFront are not only widely accessible but also integral to
| the global internet infrastructure. In regions with restrictive
| networks, alternatives such as CDNetworks in Russia, ArvanCloud
| in Iran, or ChinaCache in China may serve as viable proxies.
| These CDNs support millions of websites across critical sectors,
| including government and healthcare, making them indispensable.
|
| _Blocking them risks significant collateral [commercial,
| commerce] damage, which inadvertently makes them reliable
| pathways for bypassing restrictions._ "
|
| (There's also TCP/IP (Internet) via HAM radio (packet radio)
| and/or StarLink (or more broadly, satellite Internet)...)
|
| Observation: If a large enough commercial corporation has an
| interest relating to commerce (in whatever area), then if that
| commerce conflicts with a government block (foreign or domestic)
| of whatever sort, then the large commercial interest, given
| enough time, will usually (*) win (they can usually hire better
| Lawyers, foreign or domestic...)
|
| (*) But not always...
| mschuster91 wrote:
| > There's also TCP/IP (Internet) via HAM radio (packet radio)
|
| I get the idea and the spirit behind using ham radio to evade
| censorship, but...
|
| - you're not allowed to run encrypted content over ham packet
| radio, at least by regulations, plain HTTP is fine but anything
| SSL is not... don't be a dick and ruin the fun for everyone
| else.
|
| - ham radio comms is, outside of emergencies such as widespread
| blackouts or natural disasters, supposed to only be between ham
| radio operators themselves - no message-passing for others.
|
| - at least in the long-range bands that you'd actually use for
| cross-country communications, bandwidth is scarce - and you may
| disturb a lot of people by doing that, or by just blasting
| around with huge transmitters... Monday late evening in
| Germany, try to listen in on 80m, there's so damn many Russians
| on there with extremely powerful transmitters.
|
| Ham radio frequencies are scarce enough as it is and
| politicians, particularly in authoritarian countries, already
| aren't happy about it (in North Korea, for example, it's banned
| and it's one of the rarest countries to DX with). Please don't
| make life for hams more complex than it already is by abusing
| what it stands for.
| tripplyons wrote:
| Reminds me of how people forward requests through CloudFlare
| workers as a cheap way to get around IP-based rate limits.
| buremba wrote:
| Is there any tool that does the other way around? I simply need
| an alternative to cloudflared tunnel
| (https://blog.cloudflare.com/tunnel-for-everyone/) for exposing a
| localhost port to a public domain that lets me support anonymous
| clients. All cloud solutions charge based on users so they
| unfortunately don't work.
___________________________________________________________________
(page generated 2024-11-21 23:01 UTC)