SlideShare a Scribd company logo

Meek and domain fronting public

Download as PPTX, PDF
A
antitree

This document discusses Meek and domain fronting as techniques for circumventing internet censorship. It provides an overview of censorship tools and the arms race between censors and circumvention methods. Meek uses domain fronting to hide proxy traffic by making encrypted requests to CDNs like Google and Cloudflare that appear as normal traffic, making the connections difficult for censors to block without blocking major sites. Meek has been implemented in tools like Psiphon and Tor to provide uncensorable access by tunneling their protocols over domain-fronted connections. While attacks from deep packet inspection are possible, Meek has so far proven very effective at evading censorship.

Technology
1 of 18
Downloaded 39 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Meek and Domain Fronting Mutually assured destruction for Internet censorship
Overview • Internet Censorship Overview and Tools • SNI and Domain Fronting • Meek • Meek and Psiphon • Meek and Tor • Meek and Others
Meek and domain fronting public
How Do I Block • DNS • IP blacklist • URL blacklist • Routing • DPI • Keyword (China) RST • Protocol Fingerprinting (China, JP/BroIDS) • Tor TLS ciphersuites
Meek and domain fronting public
Censorship Arms Race Censor Block URL Block Proxy sites Block Proxy protocol Fingerprint OSSH protocol … Block the Internet Evasion VPN/Proxy Hidden Proxy Obfuscate Proxy (OSSH) ScrambleSuit …
Meek Protocol • Protection against Balls Deep Packet Inspection(BDPI)™ • Uses SNI and CDN • “Domain Fronting” • To block it, you must block the CDN • Your move, motherfucker!
Server Name Extension (SNI) • Virtual hosting for SSL • One web server hosts multiple certificates • Used by CDN’s all the time https://www.google.com https://www.antitree.com GET / HTTP/1.1
Domain Fronting TLS connection with client TLS connection with www.google.com Ciphers and Extensions decided upon Handshake Established Client Sends “server_name” extension value of meek- server.antitree.com Receive request, send to server.antitree.com Server reads this value and looks up if it has a record for meek- server.antitree.com Response from server returned POST / <PROXIED TRAFFIC>
Meek • Uses Domain Fronting to hide the request to the final endpoint • Adversaries see that a connection is made to https://www.google.com • Subsequent connections are encrypted • For all intensive purposes, appears as a request to google.com, or cloudflare.net, or another CDN • Blocking of CDN’s would result in blocking of most of the top 100 sites
Meek Psiphon • Psiphon is a censorship circumvention tool (one hop proxy) • Supports Meek • Meek service hosted on Psiphon servers • Clients receive information about the servers configuration • Use Google and Cloudflare to proxy connections • So far unblockable
Meek Tor • Tor uses this as a transport for the Tor protocol • Run on unlisted Bridge Nodes • Instead of just a HTTP request (Psiphon, Lantern, Fog) the entire protocol is sent over it • Uses a web reflector to forward requests from the fronted domain to a Tor bridge
Meek Tor Tor Meek-client Meek Browser Client https://www.google.com https://meek- server.appspot.com Meek.bamsoftware.com:7002Meek-server Tor Bridge Node
Meek Tor Normal Tor
Meek Tor • Problem with HTTP keeping the tunnel alive • Use a polling method so the server sends a request • Server checks whether or not the client has data it wants to deliver • Done using POST requests over the tunnel • If there is no new data to send, an empty packet is sent to keep the tunnel open
Attacks/Defense from DPI • Polling period • This period is relatively random but over time can be profiled • Intervals increase geometrically • Payload Length • Normally this is dynamic but has a max size that can be profiled over time • TLS extensions • If you don’t use the browser plugin, it’s easy to fingerprint based on TLS extensions • Drop behavior • When a packet is RST for a web user, they just refresh. For Meek this kills the whole tunnel.
Success • Very successful right now • Only recently became popular • Other tools like ScrambleSuite, obfs4, and BananaPhone on deck for when this gets exploited
Review • Domain Fronting = SNI • Meek: Uses domain fronting to tunnel connections and evade censorship • ALL of the anti-censorship tools at this point are using it • You should host a Meek bridge

More Related Content

PPSX
Teorías del cuello de botella
Caterine Daniela Usuga Pérez
 
DOCX
Recuperación académica 2
Jesus Morales Hernandez
 
PDF
Albert Bandura.pdf
elizadoyce1
 
PPTX
Sesión 3 - Análisis Conductual Aplicado
Omar Enrique Clemente Vásquez
 
PPTX
Fundamentación psicológica del aprendizaje
Vesna Ivsic
 
PPTX
Origen y evolucion de la psicologia social conmunitaria
eduardoanfer
 
PDF
doku.pub_ignacio-martin-baro-sistema-grupo-y-poder-psicologia-social-desde-ce...
OliviaMamaniCalzada1
 
PPTX
Unidad 2. Condicionamiento Clásico
Laura O. Eguia Magaña
 
Teorías del cuello de botella
Caterine Daniela Usuga Pérez
 
Recuperación académica 2
Jesus Morales Hernandez
 
Albert Bandura.pdf
elizadoyce1
 
Sesión 3 - Análisis Conductual Aplicado
Omar Enrique Clemente Vásquez
 
Fundamentación psicológica del aprendizaje
Vesna Ivsic
 
Origen y evolucion de la psicologia social conmunitaria
eduardoanfer
 
doku.pub_ignacio-martin-baro-sistema-grupo-y-poder-psicologia-social-desde-ce...
OliviaMamaniCalzada1
 
Unidad 2. Condicionamiento Clásico
Laura O. Eguia Magaña
 

Viewers also liked (20)

PPT
Hacking Tor ( How does Tor work ?)
Saprative Jana
 
PDF
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
PDF
Just Mouse Jack Init
antitree
 
PPTX
Docker Security
antitree
 
PPTX
Reinventing anon email
antitree
 
PPT
Cleft sentences
Ana Mena
 
ODP
State of wifi_2016
antitree
 
ODP
Introduction to ethereum_public
antitree
 
PPTX
0x20 hack
antitree
 
PPTX
28c3 in 15
antitree
 
PPTX
How [not] to throw a b sides
antitree
 
PPTX
Image based automation
antitree
 
PPTX
Nsa and vpn
antitree
 
PPTX
Salander v bond 2600
antitree
 
PPTX
Laverna vs etherpad
antitree
 
PPTX
Syntax
Sovanna Kakk
 
PPTX
Chapter 2 syntax
Sovanna Kakk
 
PDF
Android Hacking
antitree
 
PPT
Syntax
Lyudmila Osinovskaya
 
PPTX
What is Syntax?
Mary Acevedo
 
Hacking Tor ( How does Tor work ?)
Saprative Jana
 
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
Just Mouse Jack Init
antitree
 
Docker Security
antitree
 
Reinventing anon email
antitree
 
Cleft sentences
Ana Mena
 
State of wifi_2016
antitree
 
Introduction to ethereum_public
antitree
 
0x20 hack
antitree
 
28c3 in 15
antitree
 
How [not] to throw a b sides
antitree
 
Image based automation
antitree
 
Nsa and vpn
antitree
 
Salander v bond 2600
antitree
 
Laverna vs etherpad
antitree
 
Syntax
Sovanna Kakk
 
Chapter 2 syntax
Sovanna Kakk
 
Android Hacking
antitree
 
Syntax
Lyudmila Osinovskaya
 
What is Syntax?
Mary Acevedo
 
Ad

Similar to Meek and domain fronting public (20)

PPTX
Anonymous Security Scanning and Browsing
Abhilash Venkata
 
PDF
Network
Ynon Perek
 
PPTX
Network tunneling techniques
inbroker
 
PDF
Setting Up .Onion Addresses for your Enterprise, v3.5
Alec Muffett
 
PDF
πP
Anant Narayanan
 
PDF
NZNOG 2020: DOH
APNIC
 
PPTX
Web technologies-course 01.pptx
Stefan Oprea
 
PPTX
Understanding Port Scanning: A Critical Tool in Web Security
Boston Institute of Analytics
 
PPTX
Port Scanning: Unveiling the Hidden Doors of a Website
Boston Institute of Analytics
 
PDF
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Sam Bowne
 
PPT
Proxy servers
Kumar
 
PPTX
Application layer protocols
FabMinds
 
PPTX
501 ch 3 network technologies tools
gocybersec
 
PDF
Http2 in practice
Patrick Meenan
 
PDF
D1-3-Signaling
Oleg Levy
 
PPTX
Network latency - measurement and improvement
Matt Willsher
 
PPTX
Part 6 : Internet applications
Olivier Bonaventure
 
PDF
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
NiharikaDubey17
 
PPTX
Understanding DNS Security
Nihal Pasham, CISSP
 
PPTX
Vpn(virtual private network)
sonangrai
 
Anonymous Security Scanning and Browsing
Abhilash Venkata
 
Network
Ynon Perek
 
Network tunneling techniques
inbroker
 
Setting Up .Onion Addresses for your Enterprise, v3.5
Alec Muffett
 
πP
Anant Narayanan
 
NZNOG 2020: DOH
APNIC
 
Web technologies-course 01.pptx
Stefan Oprea
 
Understanding Port Scanning: A Critical Tool in Web Security
Boston Institute of Analytics
 
Port Scanning: Unveiling the Hidden Doors of a Website
Boston Institute of Analytics
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Sam Bowne
 
Proxy servers
Kumar
 
Application layer protocols
FabMinds
 
501 ch 3 network technologies tools
gocybersec
 
Http2 in practice
Patrick Meenan
 
D1-3-Signaling
Oleg Levy
 
Network latency - measurement and improvement
Matt Willsher
 
Part 6 : Internet applications
Olivier Bonaventure
 
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
NiharikaDubey17
 
Understanding DNS Security
Nihal Pasham, CISSP
 
Vpn(virtual private network)
sonangrai
 
Ad

More from antitree (12)

ODP
Hardening ssh configurations
antitree
 
PPTX
Salander v bond b sides detroit final v3
antitree
 
PPTX
Pentesting embedded
antitree
 
PPTX
Tor
antitree
 
PPTX
Corporate Intelligence: Bridging the security and intelligence community
antitree
 
PPTX
Lock picking barcamp
antitree
 
PPTX
Lock picking 2600
antitree
 
PPTX
Anti tree firesheep
antitree
 
PPTX
Hackerspaces
antitree
 
PDF
Intro to IPv6 by Ben Woodruff
antitree
 
PPTX
Anonymity Systems: Tor
antitree
 
PPTX
Dll hijacking
antitree
 
Hardening ssh configurations
antitree
 
Salander v bond b sides detroit final v3
antitree
 
Pentesting embedded
antitree
 
Tor
antitree
 
Corporate Intelligence: Bridging the security and intelligence community
antitree
 
Lock picking barcamp
antitree
 
Lock picking 2600
antitree
 
Anti tree firesheep
antitree
 
Hackerspaces
antitree
 
Intro to IPv6 by Ben Woodruff
antitree
 
Anonymity Systems: Tor
antitree
 
Dll hijacking
antitree
 

Recently uploaded (20)

PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Cloud computing and distributed systems.
kkkkkhan
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Teaching material agriculture food technology
LiaRayya
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 

Meek and domain fronting public

  • 1. Meek and Domain Fronting Mutually assured destruction for Internet censorship
  • 2. Overview • Internet Censorship Overview and Tools • SNI and Domain Fronting • Meek • Meek and Psiphon • Meek and Tor • Meek and Others
  • 4. How Do I Block • DNS • IP blacklist • URL blacklist • Routing • DPI • Keyword (China) RST • Protocol Fingerprinting (China, JP/BroIDS) • Tor TLS ciphersuites
  • 6. Censorship Arms Race Censor Block URL Block Proxy sites Block Proxy protocol Fingerprint OSSH protocol … Block the Internet Evasion VPN/Proxy Hidden Proxy Obfuscate Proxy (OSSH) ScrambleSuit …
  • 7. Meek Protocol • Protection against Balls Deep Packet Inspection(BDPI)™ • Uses SNI and CDN • “Domain Fronting” • To block it, you must block the CDN • Your move, motherfucker!
  • 8. Server Name Extension (SNI) • Virtual hosting for SSL • One web server hosts multiple certificates • Used by CDN’s all the time https://www.google.com https://www.antitree.com GET / HTTP/1.1
  • 9. Domain Fronting TLS connection with client TLS connection with www.google.com Ciphers and Extensions decided upon Handshake Established Client Sends “server_name” extension value of meek- server.antitree.com Receive request, send to server.antitree.com Server reads this value and looks up if it has a record for meek- server.antitree.com Response from server returned POST / <PROXIED TRAFFIC>
  • 10. Meek • Uses Domain Fronting to hide the request to the final endpoint • Adversaries see that a connection is made to https://www.google.com • Subsequent connections are encrypted • For all intensive purposes, appears as a request to google.com, or cloudflare.net, or another CDN • Blocking of CDN’s would result in blocking of most of the top 100 sites
  • 11. Meek Psiphon • Psiphon is a censorship circumvention tool (one hop proxy) • Supports Meek • Meek service hosted on Psiphon servers • Clients receive information about the servers configuration • Use Google and Cloudflare to proxy connections • So far unblockable
  • 12. Meek Tor • Tor uses this as a transport for the Tor protocol • Run on unlisted Bridge Nodes • Instead of just a HTTP request (Psiphon, Lantern, Fog) the entire protocol is sent over it • Uses a web reflector to forward requests from the fronted domain to a Tor bridge
  • 15. Meek Tor • Problem with HTTP keeping the tunnel alive • Use a polling method so the server sends a request • Server checks whether or not the client has data it wants to deliver • Done using POST requests over the tunnel • If there is no new data to send, an empty packet is sent to keep the tunnel open
  • 16. Attacks/Defense from DPI • Polling period • This period is relatively random but over time can be profiled • Intervals increase geometrically • Payload Length • Normally this is dynamic but has a max size that can be profiled over time • TLS extensions • If you don’t use the browser plugin, it’s easy to fingerprint based on TLS extensions • Drop behavior • When a packet is RST for a web user, they just refresh. For Meek this kills the whole tunnel.
  • 17. Success • Very successful right now • Only recently became popular • Other tools like ScrambleSuite, obfs4, and BananaPhone on deck for when this gets exploited
  • 18. Review • Domain Fronting = SNI • Meek: Uses domain fronting to tunnel connections and evade censorship • ALL of the anti-censorship tools at this point are using it • You should host a Meek bridge