METHOD FOR PROTECTION TRAFFIC FROM INTERVENTION OF DPI SYSTEMS

Authors

DOI:

https://doi.org/10.28925/2663-4023.2020.10.7587

Keywords:

Internet protocol, model TCP / IP, TLS, DNS, HTTPS, DNS-over-HTTPS, DNS-over-TLS, DPI

Abstract

This article discusses further ways to protect traffic from DPI systems. The possibilities of using network protocols and application of DPI systems are investigated in the article. The analysis of the problem made it possible to identify vulnerabilities in the DNS protocol, which is based on the UDP protocol. These vulnerabilities include spoofing, interception, and traffic tethering. Also on the basis of the analysis of methods of protection of DNS traffic from interference, the authors substantiate and define the following: 1) all DNS queries are transmitted in the open; 2) existing approaches to traffic protection do not use encryption and, consequently, do not ensure the confidentiality of information; 3) there is only confirmation of the authenticity of the records. The authors have created a summary table, which identifies reliable methods of protecting DNS traffic. The authors propose the development of a full-fledged local proxy server to provide DNS traffic that can access trusted public DNS resolvers using doh and dot protocols. To understand the principles of protocol interaction, we developed our own local implementation of the main components of the network, which are most often dealt with by network users, namely: 1) web server; 2) DNS server; 3) server providing cryptographic protection and hiding open requests. The practical value of the obtained results lies in the software implementation of methods to protect traffic from DPI systems in Visual Studio Code by using the Python 3.8 programming language, which allows to provide cryptographic protection of traffic. The proposed solution of the local proxying server can be improved in the future by introducing local caching with the addition of the ability to create rules for certain domains and their subdomains. The implemented test doh server can be deployed on a trusted dedicated server outside of possible filter equipment installation points. This implementation will allow you to fully control your own traffic for resolving domain names. The authors further plan a number of scientific and technical solutions to develop and implement effective methods, tools to meet the requirements, principles and approaches to cyber security and traffic protection from interference by DPI systems in experimental computer systems and networks.

Downloads

Download data is not yet available.

References

Harold F., Krause M. Information Security Management Handbook, Sixth Edition. – Taylor &. Francis Group, 2007. – 3231 c. (in English)

Arends R., Kosters M., Blacka D. DNS Security (DNSSEC) Opt-In, RFC 4956. – verisign, 2007. – 15 с. (in English)

Dnscrypt 2 Protocol. [Online]. – Available: https://dnscrypt.info/protocol/ (in English)

Hu Z., Zhu L., Heidemann J., Mankin A., Wessels D., Hoffman P. Specification for DNS over Transport Layer Security (TLS), RFC 7858. – USC/ISI, Verisign Labs, ICANN, 2016. – 18 с. (in English)

Hoffman P., mcmanus P. DNS Queries over HTTPS (doh), RFC 8484. – ICANN, Mozilla, 2018. – 21 c. (in English)

Huitema C., Shore M., Mankin A., Dickinson S., Iyengar J. Specification of DNS over Dedicated QUIC Connections. – Private Octopus, Fastly, Salesforce, 2019. – 18 c. (in English)

Cid C., Jacobson M.J. Selected Areas in Cryptography. 25th International Conference Calgary, 2019. – 499 с. (in English)

Stallings W. Cryptography and Network Security. Principles and Practice. 7th ed. – Pearson Education Limited, 2017. – 766 c. (in English)

Oppliger R. SSL and TLS Theory and Practice, Second Edition. – Artech House, London, 2016. – 280 c. (in English)

Mockapetris P. Domain names - concepts and facilities, RFC 1034. – USC/Information Science Institute, 1987. – 55 c. (in English)

Mockapetris P. Domain names - implementation and specification, RFC 1035. – USC/Information Science Institute, 1987. – 55 c. (in English)

Pollard B. HTTP2 in Action. – Manning Publications, 2019. – 384 c. (in English)

Bishop M. Hypertext Transfer Protocol Version 3 (HTTP/3). – IETF Draft, 2016. – 70 с.

Iyengar J., Thomson M. QUIC: A UDP-Based Multiplexed and Secure Transport. – IETF Draft, 2016. – 182 с. (in English).

Downloads


Abstract views: 560

Published

2020-12-24

How to Cite

Ilyenko , A., Ilyenko , S., & Vertypolokh , O. (2020). METHOD FOR PROTECTION TRAFFIC FROM INTERVENTION OF DPI SYSTEMS. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 2(10), 75–87. https://doi.org/10.28925/2663-4023.2020.10.7587

Most read articles by the same author(s)