VPN traffic is obvious -- Cisco uses IPSEC, it is trivial to identify it even when running in "TCP" mode [which is not TCP but tries to look like TCP flows].

I would suggest looking into carrying the encrypted payload as stenographic HTTP posts
like this, but even this is obvious to any system that does user-level behavioral analysis

There is not really a good way. Even stenographic approaches will be screamingly obvious as atypical behavior if you have a single source. Some sort of distributed network of proxies [on both sides] to distribute the activity might work.. but might not.
posted by rr at 9:08 PM on June 22, 2009

you could theoretically tunnel through DNS, but its iffy and experimental (though probably good in a pinch). there is also freenet.

the best way not to be noticed is not to hide per-say, but to blend in with the crowd. by that, i mean use the MOST used protocol to do your dealings. its a lot harder to sift through a ton of legit traffic looking for data that is slightly different from legit traffic, than it is to find outliers that look nothing like normal traffic patterns. this is probably why proxies are working so well. set them up on port 80, and your traffic is with the rest of all the other chumps on the internet, gigs and gigs of data that would have to be sorted through.
posted by Mach5 at 9:39 PM on June 22, 2009

I believe that RR meant "steganography".
posted by Chocolate Pickle at 10:05 PM on June 22, 2009

Freenet, Tor and/or other forms of transport stenography are the best way to do this. the UDP/53 tunneling is difficult and kind of spotty. If you don't want it to look like SSH specifically, you're going to want to try GRE, IPSEC or PPTP, but encrypted traffic is encrypted traffic and short of hiding it in other legitimate packet types you're going to be found out if anyone is really watching. Tor and Freenet are attractive because they can obscure the source (you) and ultimate destination (your shell).
posted by iamabot at 10:08 PM on June 22, 2009

httptunnel - forward a TCP connection (say a full-featured SSH link) encapsulated inside HTTP request/response pairs.

I dunno how good their DPI is, but this may break up the SSH protocol stream enough to evade filtering/detection.
posted by russm at 10:15 PM on June 22, 2009

Important tail to my note above, GRE, PPTP, L2TP do not provide encryption, you'd need to layer on something on top of that.
posted by iamabot at 10:16 PM on June 22, 2009

iamabot - Tor helps hide your identity from detection at the far end ("who is connecting to my server?") but doesn't attempt to hide the fact that you're running Tor from your own network operator. The new-ish "UseBridges" options can help with this, but I believe your node will still be seen making DNS requests for the directory authorities (moria.mit.edu, etc).
posted by russm at 10:19 PM on June 22, 2009

Based on how the questions was phrased I believe that Tor will satisfy part of the posters question, which is obscuring ssh connections to the server in Europe. Tor encrypts hops through the onion network until the network is exited and directed to the non onion network node.
posted by iamabot at 10:28 PM on June 22, 2009

I guess there's 2 questions here - how to get traffic past a blocking system, and how to do that in a way that won't lead to a 4am knock on the door in a month or 2 when the situation has stabilised and they're backtracking through logged connection data to see who was doing prohibited things.

Evading blockage is easy, in a standard arms-race (switch tunneling tool, wait for it to be blocked, switch tunneling tool, etc, etc). Doing this in a way that won't leave obvious footprints is the hard bit.
posted by russm at 10:40 PM on June 22, 2009

Have you looked into httptunnel already? It seems to do what you're looking for — encapsulate SSH in HTTP — but I don't know if the DPI vendors have already programmed their boxes to see through it. I've played with it in the past but just because a technique works in one place doesn't mean it'll work in another; it all depends how the DPI machines are set up.
posted by Kadin2048 at 11:24 PM on June 22, 2009

as I understand it (grain of salt, etc) tor tries to look like plain https traffic as far as possible - some of it actually is plain https (directory updates?) and data circuits look like particularly long-lived https connections with a suspicious amount of bi-directional data in 'em. I've never pointed a packet sniffer at a tor node, but I believe that some identifiable traffic (DNS requests for the directory authorities in order to bootstrap) will be visible.

it's a while since I've looked at any of this, but the bridge relay stuff appears to be aimed at making the detection of tor traffic much harder when your adversary is your ISP.
posted by russm at 11:36 PM on June 22, 2009

Oh, russm beat me to it. Should have previewed. (I left the page open and came back to it much later. Mea culpa.)

Firepass also looks like it might be worth trying; it uses a slightly more complex tunneling method. Actually they have several proof-of-concept tools for different tunneling schemes; I don't know if any of them are really production quality, but they might serve as starting points.

Also just in terms of trying the easy solutions before creating a more difficult one, have you tried using a SSL VPN? They might "look" more like normal traffic then IPSEC does. (IPSEC is pretty obvious even on casual inspection of the packets; SSL VPN packets might look more like HTTPS. If they let HTTPS through, OpenVPN might work.)

Cisco has an SSL VPN product that doesn't require a VPN client on the remote machine — it pushes the VPN client software out via an ActiveX component — but to my knowledge there's nothing like this for OpenVPN. That's unfortunate because it strikes me as a nice feature to be able to fire up the VPN from any old kiosk machine rather than have to use one with potentially incriminating software installed.

If there's an off-the-shelf package (like OpenVPN or one of Cisco's boxes) that works right now, you might as well use it and in the meantime develop the next phase. As others have said it's going to be a cat-and-mouse game; you might as well drag it out by escalating slowly. Make them plug up all the big holes first, then exploit the small ones or force them to start doing detailed behavioral analysis when other approaches fail.
posted by Kadin2048 at 11:40 PM on June 22, 2009

Re: tor's traffic - it is entirely SSL (and uses DNS sometimes), plain and simple. Many people run their tor nodes on port 443 to allow access from sites that block everything besides "HTTPS". I'm not a tracking expert and assume you could still get pretty good heuristic detection of tor vs real HTTPS by looking at the timing of the data flow, but running stuff like this on a giant central firewall seems too complex and false-positive-prone to me.
posted by themel at 2:09 AM on June 23, 2009

Re: your original question - you probably want to piggyback on the "mask as HTTPS" strategy - run an SSL listener on port 443 that redirects to your internal SSH port, then run SSH over SSL (you want socat to do the plumbing on server/client side, probably.

For a billion points, use the fact that HTTP is a "client goes first" protocol while SSH is a "server goes first" protocol to make a fancy listener that waits for a second before redirecting. When it gets a HTTP request within that second, it forwards to a HTTP server instead of the SSH. Looks like HTTPS to a browser, looks like SSH to an SSH client. Neat.
posted by themel at 2:15 AM on June 23, 2009 [1 favorite]

Blog post with a proof-of-concept implementation of the "billion points idea" above.
posted by themel at 6:37 AM on June 23, 2009

This thread is closed to new comments.