Open source utility can exploit machine states to avoid DPI checks
Academics have released a tool designed to bypass deep packet inspection (DPI) to the open source community.
Dubbed SymTCP, the software is described as a means to “automatically discover subtle discrepancies between two TCP implementations”.
Specifically, SymTCP can be used to find discrepancies between a server and DPI, and exploit these differences to avoid deep packet inspection.
DPI can be invaluable for preventing buffer overflow and man-in-the-middle (MitM) attacks in corporate setups, but it can also be used to conduct surveillance and establish censorship blocks at the ISP level.
In a paper (PDF) entitled ‘SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery’, academics from the University of California’s Department of Computer Science and Engineering demonstrate how to bypass DPI mechanisms, regardless of their application.
According to the team, DPI systems often use simplified machine states of network stacks that are not exact implementation copies of end hosts. Discrepancies can then be exploited through packet fragmentation or manipulation.
SymTCP first runs ‘symbolic execution’ on a server’s TCP implementation, and the resulting scan collects execution paths labeled as either ‘accept’ or ‘drop’ for packet inspection.
The DPI system is then checked with generated packet sequences to ascertain which, if any, are processed in the same way by the DPI and the server.
If discrepancies in handling are detected, the open source tool is able to create packets that can reach core elements in the code responsible for accepting or dropping requests, thereby potentially avoiding DPI middlebox checks.
“Automatically identified packets are then fed through the DPI middlebox to determine if a discrepancy is induced and the middlebox can be eluded,” the paper reads.
The researchers say that existing methods to bypass DPI often require manually-crafted, malicious packets to execute and so can be labor-intensive and restricted in the scope of circumvention.
In comparison, the goal of the SymTCP project was to create an automatic means to develop adversarial packets.
The team says that focusing on symbolic execution proved to be “extremely effective”, and that it was possible to create “tens of thousands of candidate adversarial packets in less than an hour”.
Currently based on Linux, SymTCP has been tested against popular DPI systems Zeek and Snort, as well as the state-level censorship system known colloquially as the ‘Great Firewall of China’.
The researchers say the system can be “extended easily towards other combinations of operating systems and DPI middleboxes, and serves as a valuable tool for testing future DPIs’ robustness against evasion attempts”.
As far as the team is aware, most DPI products are not able to defend against the evasion methods employed in SymTCP.
Speaking to The Daily Swig, one of the authors of the paper, Zhiyun Qian, said the tool has been designed to be flexible enough for anyone to use, whether they are penetration testers, members of a red team, or seeking a means to circumvent ISP-level censorship.
However, Zhiyun has warned that as SymTCP was developed as a prototype for the purpose of academic research, “there may be unexpected issues which we have not discovered yet”.
Source code and datasets have been published on GitHub.