Research on Network Penetration Technology
Abstract
With the rapid development of networks, firewalls, intrusion detection/prevention systems (IDS/IPS) and similar systems are widely deployed to detect and defend against attacks. However, network penetration technology, which combines proxy technology, encrypted tunnels, P2P technology, anonymous communication and other techniques, can easily bypass existing security devices, making it possible to reach illegal websites and to deliver attack code and hidden data to target hosts. This severely disrupts and degrades the network environment and threatens the information security of individuals, enterprises and the nation. Research on network penetration technology therefore has important academic, social and practical value, and is also highly challenging.
     This thesis first analyzes the principles of the proxy, encrypted-tunnel and anonymous-communication techniques commonly used for network penetration, and examines the widely used tools Privoxy, Stunnel and TOR in detail. On this basis, the penetrating proxy system PROProxy is designed and implemented. The system uses the popular anonymity system TOR as its platform for anonymous communication with the outside world, implements mutual conversion between HTTP and SOCKS5 proxy modules, and solves the problem that local DNS resolution may leak the address of the server being visited. In addition, SSL authentication is implemented with the OpenSSL library, making up for TOR's current lack of authentication support, and encrypted communication is implemented with the Crypto++ library, securing the link between the sender and the trusted proxy within the anonymity system's architecture. Comparative tests show that PROProxy runs stably, performs well and can penetrate the network successfully.
     Second, the thesis studies penetration systems in the forward direction, in order to understand and master penetration techniques more deeply and thereby design and implement a penetration-defense filtering system. To this end, we introduce the concept of data stream management into the management and filtering of penetration traffic, and design and implement the filtering system DSFS. After performing protocol analysis, packet classification, flow reassembly and signature matching on captured packets, the system can query, gather statistics on and filter network flows in real time; its performance is stable and it runs well.
     Finally, the thesis summarizes the work and looks ahead to future research on penetration technology.