Add an heuristic to detect encrypted/obfuscated OpenVPN flows (#2547)

Based on the paper: "OpenVPN is Open to VPN Fingerprinting"
See: https://www.usenix.org/conference/usenixsecurity22/presentation/xue-diwen

Basic idea:
* the distribution of the first byte of the messages (i.e. the distribution
of the op-codes) is quite unique
* this fingerprint might still be detectable even if the OpenVPN packets are
somehow fully encrypted/obfuscated

The heuristic is disabled by default.
Ivan Nardi 2024-09-16 18:38:26 +02:00 committed by GitHub
parent 47ea30fdaa
commit 0ddbda1f82
GPG key ID: B5690EEEBB952194
13 changed files with 397 additions and 33 deletions
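
The opcode-distribution idea from the commit message, as an added sketch that is not the code from this commit. The struct, function names, window size and thresholds are assumptions, a static XOR stands in for the obfuscation, and the sample flows are constructed; the opcode values are OpenVPN's standard ones.

```c
#include <stdint.h>
#include <stdio.h>

/* dir: 0 = client to server, 1 = server to client; first: first payload byte
 * (for TCP, the byte after the 2-byte length prefix). */
struct pkt { int dir; uint8_t first; };

/* Simplified check; window size and thresholds are assumptions:
 *  - the first byte seen in each direction (candidate client/server "hard
 *    reset") must differ and never show up again in the window;
 *  - the window must contain only 4 to 6 distinct first bytes.
 * A fixed byte-wise transformation (e.g. a static XOR) preserves both. */
int looks_like_openvpn(const struct pkt *p, size_t n)
{
    int seen[256] = {0}, c_reset = -1, s_reset = -1, distinct = 0;
    if (n < 8) return 0; /* too few packets to judge */
    for (size_t i = 0; i < n; i++) {
        uint8_t b = p[i].first;
        if (p[i].dir == 0 && c_reset < 0) c_reset = b;
        else if (p[i].dir == 1 && s_reset < 0) s_reset = b;
        else if (b == c_reset || b == s_reset) return 0;
        if (!seen[b]++) distinct++;
    }
    return c_reset >= 0 && s_reset >= 0 && c_reset != s_reset &&
           distinct >= 4 && distinct <= 6;
}

/* Constructed sample, plain handshake (opcode << 3, key_id 0): 0x38/0x40
 * client/server hard reset v2, 0x28 ACK, 0x20 control, 0x48 data v2. */
static const struct pkt sample_plain[12] = {
    {0,0x38},{1,0x40},{0,0x28},{0,0x20},{1,0x28},{1,0x20},
    {0,0x28},{0,0x20},{1,0x20},{0,0x28},{0,0x48},{1,0x48} };
/* Constructed sample: first bytes with no structure. */
static const struct pkt sample_random[12] = {
    {0,0x17},{1,0xa3},{0,0x5c},{0,0xe1},{1,0x09},{1,0x77},
    {0,0xb4},{0,0x2e},{1,0xd0},{0,0x61},{0,0x9a},{1,0x3f} };

/* The plain handshake with every first byte XORed with a static key. */
int check_xored(uint8_t key) {
    struct pkt q[12];
    for (size_t i = 0; i < 12; i++) { q[i] = sample_plain[i]; q[i].first ^= key; }
    return looks_like_openvpn(q, 12);
}

int main(void) {
    printf("plain=%d xored=%d random=%d\n", looks_like_openvpn(sample_plain, 12),
           check_xored(0x5a), looks_like_openvpn(sample_random, 12));
    return 0;
}
```

A retransmitted hard reset inside the window makes this sketch reject a genuine flow, so a production heuristic needs tolerance for that case.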
