Offline DPI workaround and an effective way to bypass site locks by IP address

Providers of the Russian Federation, for the most part, use the systems of deep traffic analysis (DPI, Deep Packet Inspection) to block sites included in the register of banned. There is no single standard for DPI, there is a large number of implementations from different DPI providers that differ in the type of connection and type of work.

There are two common types of DPI connection: passive and active.
Passive DPI
Passive DPI-DPI connected to the provider network in parallel (not in the section) either through a passive optical splitter or using the mirroring of user traffic. This connection does not slow down the speed of the network provider in the case of insufficient DPI performance, which is why it is used by large providers. DPI with this type of connection can technically only detect an attempt to query for prohibited content, but not to suppress it. To circumvent this restriction and block access to the denied site, DPI sends a specially crafted HTTP packet to the user requesting the blocked URL, redirecting to the stub page of the provider, as if the requested resource itself had been sent by the user (the IP address of the sender and the TCP sequence are forged). Because the DPI is physically located closer to the user than the requested site, the forged response reaches the user's device faster than the real response from the site.

Detect and block passive DPI packets
Fake packets generated by DPI are easily detected by the traffic analyzer, for example, Wireshark.
We try to go to the blocked site:

We see that first comes a packet from DPI, with HTTP redirection code 302, and then a real response from the site. The response from the site is regarded as a retransmission and discarded by the operating system. The browser navigates by the link specified in the DPI response, and we see the lock page.

Consider the package from DPI more:

HTTP/1.1 302 Found
Connection: close
In the DPI response, the "Do not Fragment" flag is not set, and the Identification field is set to 1. The servers on the Internet usually set the "Do not Fragment" bit, and packets without this bit are infrequent. We can use this as a distinctive feature of packages from DPI, along with the fact that such packets always contain HTTP redirection code 302, and write an iptables rule that blocks them:
# iptables -A FORWARD -p tcp --sport 80 -m u32 --u32 "0x4=0x10000 && 0x60=0x7761726e && 0x64=0x696e672e && 0x68=0x72742e72" -m comment --comment "Rostelecom HTTP" -j DROP What it is? The iptables u32 module allows you to perform bit operations and compare operations on 4-byte data in a packet. At offset 0x4, a 2-byte Indentification field is stored, followed immediately by the 1-byte Flags and Fragment Offset fields.
Starting at offset 0x60, the redirection domain is located (HTTP Header Location).
If Identification = 1, Flags = 0, Fragment Offset = 0, 0x60 = "warn", 0x64 = "ing.", 0x68 = "", then discard the packet and get the real response from the site.

In the case of HTTPS sites, the DPI sends a TCP Reset packet, also with Identification = 1 and Flags = 0.
Active DPI
Active DPI - DPI, connected to the network of the provider in the usual way, like any other network device. The provider configures routing so that DPI receives traffic from users to blocked IP addresses or domains, and DPI already decides whether to skip or block traffic. Active DPI can check both outgoing and incoming traffic, however, if the provider applies DPI only to block sites from the registry, it is most often configured to check only outbound traffic.

DPI systems are designed to process traffic at the highest possible speed, examining only the most popular ones and ignoring untypical requests, even if they fully comply with the standard.
We study the HTTP standard
Typical HTTP requests in a simplified form look like this:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/50.0
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
The request starts with an HTTP method, followed by one space, followed by a path, followed by one more space, and the line ends with the protocol and the wrapping of the CRLF string.
Headings begin with a capital letter, after the colon a space character is put.

Let's take a look at the latest version of the standard HTTP / 1.1 from 2014. According to RFC 7230, HTTP headers are case-insensitive, and after the colon there can be an arbitrary number of spaces (or not at all).
Each header field consists of a case-insensitive field name followed
by a colon (":"), optional leading whitespace, the field value, and
optional trailing whitespace.

header-field = field-name ":" OWS field-value OWS

field-name = token
field-value = *( field-content / obs-fold )
field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
field-vchar = VCHAR / obs-text

obs-fold = CRLF 1*( SP / HTAB )
; obsolete line folding
OWS - optional one or more space or tab characters, SP - single space character, HTAB - tab, CRLF - line break and carriage return (\ r \ n).

This means that the request below fully complies with the standard, it should be accepted by many web servers that adhere to the standard:
GET / HTTP/1.1
user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/50.0
Accept-Encoding: gzip, deflate, br
CoNNecTion: keep-alive ← here is a tab character between a colon and a value
In fact, many web servers do not like the tab character as a delimiter, although the vast majority of servers normally handle both the absence of spaces between the colon in the headers, and a lot of gaps.

The old standard, RFC 2616, recommends condescendingly parsing queries and responses to broken Web servers and clients, and correctly handling an arbitrary number of spaces in the very first line of HTTP requests and replies in those places where only one is required:
Clients SHOULD be tolerant in parsing the Status-Line and servers tolerant when parsing the Request-Line. In particular, they SHOULD accept any amount of SP or HT characters between fields, even though only a single SP is required.
Not all web servers adhere to this recommendation. Because of the two gaps between the method and the path, some sites are broken.
Descend to the TCP level
The TCP connection starts with the SYN request and the SYN / ACK response. In the request, the client, among other information, indicates the size of the TCP Window (TCP Window Size) - the number of bytes that it is ready to receive without acknowledgment of the transfer. The server also indicates this value. The Internet uses the value of MTU 1500, which allows you to send up to 1460 bytes of data in a single TCP packet.
If the server specifies the TCP window size is less than 1460, the client will send in the first data packet as much as specified in this parameter.

If the server sends TCP Window Size = 2 in the SYN / ACK package (or we change it to this value on the client side), the browser will send the HTTP request with two packets:

Package 1:
GE Package 2: T / HTTP / 1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/50.0
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Using HTTP and TCP features to bypass the active DPI
Many DPI solutions expect headers only in the standard form.
To block sites by domain or URI, they search for the string " Host: " in the body of the request. It is worth replacing the header "Host" with "hoSt" or removing the space after the colon, and the requested site is opened before you.
Not all DPI can be fooled with such a simple trick. DPI of some providers correctly analyze HTTP headers in accordance with the standard, but they can not collect TCP-flow from several packets. For such DPI, fragmentation of the packet is suitable, by artificially reducing the TCP Window Size.

At the moment, in the Russian Federation, DPI is installed both at the end providers and on the channels of transit traffic. There are cases when one way you can bypass the DPI of your ISP, but you see a stub of the transit provider. In such cases, you need to combine all available methods.
DPI Workaround
I wrote a program to bypass DPI for Windows: GoodbyeDPI .
It can block packets with redirection from passive DPI, replace Host with hoSt, remove the space between the colon and host value in the Host header, "fragment" HTTP and HTTPS packets (install TCP Window Size), and add an extra space between the HTTP method and By way of.
The advantage of this workaround is that it is completely stand-alone: ​​there are no external servers that can block.

By default, the options are activated, aimed at maximum compatibility with providers, but not on the speed of work. Run the program as follows:
goodbyedpi.exe -1 -a If blocked sites are opened, your ISP's DPI can be bypassed.
Try running the program with the-2 option and go to the blocked HTTPS site. If everything continues to work, try mode-3 and-4 (fastest).
Some providers, for example, Megafon and Yota, do not let fragmented packets through HTTP, and sites stop opening at all. With such providers use option-3 -a
Effective proxying to bypass IP locks
In case of locks by IP address, providers filter only outbound requests for IP addresses from the registry, but not incoming packets from these addresses.
The ReQrypt program acts as an efficient proxy server: packets sent from the client are sent to the ReQrypt server in encrypted form, the ReQrypt server forwards them to the destination server with the substitution of the outgoing IP address to the client , the destination server responds directly to the client, bypassing ReQrypt.


If our computer is behind NAT, we can not just send a request to the ReQrypt server and expect a response from the site. The answer will not come, because The entry for this IP address is not created in the NAT table.
To "pierce" NAT, ReQrypt sends the first packet in the TCP connection directly to the site, but with TTL = 3. It adds the entry to the router's NAT table, but does not reach the destination site.

For a long time the development was frozen due to the fact that the author could not find the server with the possibility of spoofing. Spoofing IP addresses is often used to amplify attacks through DNS, NNTP and other protocols, which is why it is forbidden by the vast majority of providers. But the server still was found, though not the most successful one. The development continues.
Conclusion and TL; DR
GoodbyeDPI is a Windows program that allows you to bypass passive and active DPI. Just download and run it, and blocked sites will be available again.
For Linux, there is a similar program - zapret .

Use the cross-platform program ReQrypt , if your ISP blocks sites by IP address.

You can determine the type of site blocking by Blockcheck . If you see in DPI tests that the sites are opening, or you see the line "Passive DPI is detected," GoodbyeDPI will help you. If not, use ReQrypt.
v1d0q 17 august 2017, 17:40
Vote for this post
Bring it to the Main Page


Leave a Reply

Avaible tags
  • <b>...</b>highlighting important text on the page in bold
  • <i>..</i>highlighting important text on the page in italic
  • <u>...</u>allocated with tag <u> text shownas underlined
  • <s>...</s>allocated with tag <s> text shown as strikethrough
  • <sup>...</sup>, <sub>...</sub>text in the tag <sup> appears as a superscript, <sub> - subscript
  • <blockquote>...</blockquote>For  highlight citation, use the tag <blockquote>
  • <code lang="lang">...</code>highlighting the program code (supported by bash, cpp, cs, css, xml, html, java, javascript, lisp, lua, php, perl, python, ruby, sql, scala, text)
  • <a href="http://...">...</a>link, specify the desired Internet address in the href attribute
  • <img src="http://..." alt="text" />specify the full path of image in the src attribute