
Someone on Reddit highlighted that the block seems to key off of the SSL SNI header, regardless of which IP you try to connect to. There must be some Deep Packet Inspection going on here, then?

https://www.reddit.com/r/europe/comments/56h0s3/they_just_bl...

Is the blocking able to handle stuff like fragrouter where the TCP stream is broken down into 1-byte payload packets?




We started seeing more sophisticated DPI capabilities after the Feb '14 internet regulations[0] that required ISPs to block by URL and content strings

IMO blocking so many sites so broadly is a sign that their DPI is failing, because their preference seems to be to block as narrowly as possible because of negative economic effects.

[0] http://aa.com.tr/en/turkey/turkey-s-general-assembly-ratifie...


With SSL the best they can do is this host-level blocking unless they perform MITM attacks.


> unless they perform MITM attacks

Which any state-sponsored actor can easily do, of course.


Please tell me how Turkey is going to MITM Google on a recurring basis, enough to implement filtering.


By using a CA they control to generate a fake certificate for Google like they've already "accidentally" done:

http://arstechnica.com/security/2013/01/turkish-government-a...


Which they can only pull off once before their CA is distrusted. See how the Chinese government CA was restricted to .cn domains only.
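The "restricted to .cn domains only" remedy mentioned above is X.509 name constraints enforced by the trust store: a CA's signature still verifies, but a certificate it issues for a name outside its permitted subtree is rejected anyway. The following is an added example that is not part of the thread; it implements the RFC 5280 DNS-name subtree rule and applies a constructed trust-store policy (the CA names and host names are made up, not taken from any real trust store).

```python
# Added example (not from the thread): enforcing X.509 DNS name constraints,
# the mechanism a browser vendor uses to restrict a CA to a set of domains
# (e.g. "only .cn") so that a mis-issued certificate for another domain from
# that CA is rejected even though its signature is valid.

def dns_name_matches_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: a DNS name satisfies a subtree if it equals the
    subtree or is formed by prepending one or more labels to it.
    Comparison is case-insensitive; trailing dots and a leading dot on the
    subtree ("." + "cn") are tolerated. Note that "examplecn" must NOT match
    "cn": the boundary has to be a label boundary."""
    n = name.lower().rstrip(".")
    s = subtree.lower().rstrip(".").lstrip(".")
    if not s:
        return True  # an empty subtree matches every name
    return n == s or n.endswith("." + s)


def leaf_allowed_by_ca(san_dns_names, permitted, excluded=()):
    """Return (ok, reason). Every SAN DNS name must lie inside at least one
    permitted subtree (when any are configured) and outside every excluded one."""
    for name in san_dns_names:
        if any(dns_name_matches_subtree(name, x) for x in excluded):
            return False, f"{name} is in an excluded subtree"
        if permitted and not any(dns_name_matches_subtree(name, p) for p in permitted):
            return False, f"{name} is outside permitted subtrees {sorted(permitted)}"
    return True, "all names within constraints"


# Constructed trust-store policy (hypothetical CA names): one CA is only
# trusted for .cn names, the other is unconstrained.
POLICY = {
    "Example National CA (constructed)": {"permitted": {"cn"}, "excluded": set()},
    "Example Global CA (constructed)": {"permitted": set(), "excluded": set()},
}


def check_chain(issuer_name, san_dns_names):
    """Apply the trust-store policy of the issuing CA to a leaf's SAN names.
    Signature verification is assumed to have already passed; this is the
    extra policy check layered on top of it."""
    policy = POLICY.get(issuer_name)
    if policy is None:
        return False, f"issuer {issuer_name!r} is not trusted"
    return leaf_allowed_by_ca(san_dns_names, policy["permitted"], policy["excluded"])


if __name__ == "__main__":
    # A legitimate .cn certificate from the restricted CA is accepted ...
    print(check_chain("Example National CA (constructed)", ["www.example.cn"]))
    # ... while a certificate for a non-.cn host from the same CA is rejected,
    # which is what makes a repeat of the mis-issuance useless for filtering.
    print(check_chain("Example National CA (constructed)", ["www.example.com"]))
```

In a real client the permitted and excluded subtrees come either from the `nameConstraints` extension in the CA certificate itself or, as in the browser-vendor case the comment describes, from policy compiled into the trust store; the matching rule is the same in both cases.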


Snort can at least get you close. A custom Snort module may be able to do the specific cert: https://www.snort.org/faq/readme-ssl

Its stream5 preprocessor can deal with most evasion techniques as it does full TCP stream reconstruction.

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/n...


But does that scale to ISP or even country level of traffic? Having enough RAM to reassemble all the TCP connections in a country sounds wild.


Snort is now owned by Cisco (the company formerly known as Sourcefire). It makes money via hardware integrated with Snort. I think a single 3U box pushes 60Gbps. Though that number is highly dependent on the tuning for stream5 and other preprocessors. You don't need to reconstruct the entire stream, just enough to know what the connection is doing. Normally it's only a few packets per stream.

Stream fragmentation has its own entire configuration in Snort as it is a known attack method to bypass detection.

Last I remember that top end box was 2x 12 or 16 core Xeon CPUs with 256GB RAM.
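Two points in this thread fit one worked example: the first comment's observation that the block keys off the SNI, which works because the `server_name` extension travels in cleartext in the ClientHello, and the later exchange about 1-byte fragmentation and why a stream5-style reassembly step is needed before any such match can fire, with only the first few packets of a stream required. The code below is an added example, not Snort's code and not from the thread: a bounds-checked ClientHello SNI parser plus a minimal one-direction TCP reassembler, fed a constructed ClientHello that is split into out-of-order 1-byte segments in memory to show what an inspector sees with and without reassembly. The host names, sequence numbers and helper names are all assumptions for the demonstration.

```python
# Added example (not from the thread, not Snort's code): extracting the SNI
# from a TLS ClientHello once the TCP stream has been reassembled.
import random
import struct


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension.
    Constructed sample input, not captured traffic."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name type
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # ext type 0 = SNI
    body = (b"\x03\x03" + bytes(32)                  # client_version, random (zeroed)
            + b"\x00"                                 # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
            + b"\x01\x00"                             # compression: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(stream: bytes):
    """Return the SNI host name from the start of a reassembled TLS stream,
    or None. Every length field is bounds-checked, so a truncated or
    fragmented view of the data yields None instead of a wrong match."""
    if len(stream) < 5 or stream[0] != 0x16:        # not a handshake record
        return None
    rec = stream[5:5 + struct.unpack("!H", stream[3:5])[0]]
    if len(rec) < 39 or rec[0] != 0x01:             # not a complete ClientHello prefix
        return None
    pos = 38                                        # past hs header, version, random
    pos += 1 + rec[pos]                             # session id
    if pos + 2 > len(rec):
        return None
    pos += 2 + struct.unpack("!H", rec[pos:pos + 2])[0]   # cipher suites
    if pos + 1 > len(rec):
        return None
    pos += 1 + rec[pos]                             # compression methods
    if pos + 2 > len(rec):
        return None
    end = pos + 2 + struct.unpack("!H", rec[pos:pos + 2])[0]
    pos += 2
    if end > len(rec):
        return None
    while pos + 4 <= end:                           # walk the extension list
        etype, elen = struct.unpack("!HH", rec[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            return None
        if etype == 0x0000:
            ext = rec[pos:pos + elen]
            if len(ext) < 5 or ext[2] != 0:         # list length, then host_name entry
                return None
            name_len = struct.unpack("!H", ext[3:5])[0]
            if 5 + name_len > len(ext):
                return None
            return ext[5:5 + name_len].decode("ascii", "replace")
        pos += elen
    return None


class StreamReassembler:
    """Minimal one-direction TCP reassembler: buffers segments by sequence
    number and delivers bytes in order from the initial sequence number.
    Retransmitted or overlapping data is trimmed to the first copy seen."""
    def __init__(self, isn: int):
        self.next_seq = isn
        self.pending = {}          # seq -> payload, waiting for its turn
        self.data = bytearray()

    def add(self, seq: int, payload: bytes) -> bytes:
        if seq < self.next_seq:                     # overlap with delivered data
            payload, seq = payload[self.next_seq - seq:], self.next_seq
        if payload:
            self.pending.setdefault(seq, payload)
        while self.next_seq in self.pending:        # drain everything now contiguous
            chunk = self.pending.pop(self.next_seq)
            self.data += chunk
            self.next_seq += len(chunk)
        return bytes(self.data)


def one_byte_segments(payload: bytes, isn: int, shuffle_seed=None):
    """Split a payload into 1-byte (seq, data) segments, optionally shuffled,
    as constructed test input for the reassembler."""
    segs = [(isn + i, payload[i:i + 1]) for i in range(len(payload))]
    if shuffle_seed is not None:
        random.Random(shuffle_seed).shuffle(segs)
    return segs


def sni_from_segments(segments, isn: int):
    """Reassemble the segments and return the SNI, or None if incomplete."""
    r, stream = StreamReassembler(isn), b""
    for seq, payload in segments:
        stream = r.add(seq, payload)
    return extract_sni(stream)


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")   # constructed host name
    segs = one_byte_segments(hello, isn=1000, shuffle_seed=7)
    print("single 1-byte segment, no reassembly:", extract_sni(segs[0][1]))
    print("after reassembly:", sni_from_segments(segs, 1000))
```

The parser deliberately returns `None` rather than guessing when any length field runs past the data it has, which is the behaviour you want from an inspector: a per-packet match on 1-byte segments finds nothing, and only the reassembled prefix (here the first record, a few hundred bytes, which is the "only a few packets per stream" point above) exposes the name.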



