In many large enterprises, and in some countries, access restrictions are imposed to keep employees or the public from reaching certain websites or using certain network applications. The two usual restriction methods are router IP filtering and forced use of a proxy server.
Router IP filtering means adding a blacklist of external (or foreign) IP addresses to the router so that hosts on the internal network (or inside the country) cannot reach them. Forcing the use of a proxy server is usually only done in large enterprises: every connection from the internal network must pass through the proxy to reach the external network, and a far more elaborate filtering mechanism can then be implemented on the proxy itself. This article is mainly about the back-and-forth over IP filtering; the fight over proxy servers will be discussed next time. What follows is the step-by-step escalation of network access restriction and its circumvention:
First, to stop people from reaching certain websites, the router administrator sets IP filtering rules on the router and adds those websites' IP addresses to the blacklist. People can then no longer reach those sites.
People then turn to proxy servers to keep reaching those sites. There are thousands of proxy server IPs and they change constantly, so restricting access becomes a reactive job.
However, because ordinary proxy protocols are in clear text, monitoring network packets and writing a program that automatically collects and sorts them reveals which proxy servers people have been using, and those proxy IPs can be added to the blacklist automatically. Bypassing access restrictions with ordinary proxy servers is now ineffective, and it is the circumvention side that is on the back foot.
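The third step above relies on the proxy protocol being readable on the wire. As an added example (not code from the original post), the Python below classifies a few constructed TCP payloads by the plaintext proxy protocol they carry (HTTP CONNECT, HTTP requests with an absolute-URI target, SOCKS4 and SOCKS5 handshakes) and builds the inventory of proxy endpoints per internal host that such a collection program would produce. The packet records, IP addresses and ports are all constructed for illustration.

```python
"""Added example (not from the original post): flag plaintext proxy
protocol use in captured TCP payloads so a network administrator can
inventory which proxy endpoints internal hosts are talking to.
The packet records below are constructed; nothing comes from a real capture."""
from collections import defaultdict
from typing import Optional

# Constructed sample of (src_ip, dst_ip, dst_port, first payload bytes).
SAMPLE_PACKETS = [
    ("10.0.0.5", "203.0.113.10", 8080,
     b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"),
    ("10.0.0.5", "203.0.113.10", 8080,
     b"CONNECT example.net:443 HTTP/1.1\r\nHost: example.net:443\r\n"),
    ("10.0.0.7", "198.51.100.4", 1080, b"\x05\x01\x00"),  # SOCKS5 greeting, one auth method
    ("10.0.0.9", "192.0.2.30", 80,
     b"GET / HTTP/1.1\r\nHost: intranet.example\r\n"),      # ordinary direct request
    ("10.0.0.9", "192.0.2.30", 443, b"\x16\x03\x01\x00\xa5\x01"),  # TLS ClientHello fragment
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_payload(payload: bytes) -> Optional[str]:
    """Return the proxy protocol a payload appears to use, or None."""
    # HTTP CONNECT is only ever spoken to a proxy.
    if payload.startswith(b"CONNECT "):
        return "http-connect"
    # A request-line whose target is an absolute URI is the proxy form of HTTP;
    # a direct request carries only the path ("GET / HTTP/1.1").
    if payload.startswith(HTTP_METHODS):
        request_line = payload.split(b"\r\n", 1)[0]
        parts = request_line.split(b" ")
        if len(parts) == 3 and parts[1].lower().startswith((b"http://", b"https://")):
            return "http-absolute-uri"
        return None
    # SOCKS5 greeting: version 5, NMETHODS, then exactly that many method bytes.
    if len(payload) >= 3 and payload[0] == 0x05 and len(payload) == 2 + payload[1]:
        return "socks5"
    # SOCKS4 request: version 4, command CONNECT(1) or BIND(2), port, IPv4, user id.
    if len(payload) >= 9 and payload[0] == 0x04 and payload[1] in (0x01, 0x02):
        return "socks4"
    return None


def collect_proxy_endpoints(packets):
    """Map (dst_ip, dst_port) -> {protocol: [src_ips]} for packets that look like proxy use."""
    found = defaultdict(lambda: defaultdict(set))
    for src, dst, port, payload in packets:
        proto = classify_payload(payload)
        if proto:
            found[(dst, port)][proto].add(src)
    return {ep: {p: sorted(v) for p, v in d.items()} for ep, d in found.items()}


if __name__ == "__main__":
    for endpoint, protos in collect_proxy_endpoints(SAMPLE_PACKETS).items():
        print(endpoint, protos)
```

The absolute-URI request form is also what a browser sends when it is deliberately configured for the company's own proxy, so in an enterprise the sanctioned proxy has to be excluded and the list reviewed before anything from it is fed into a router blacklist; feeding it in unreviewed blocks legitimate destinations.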
To keep the proxy server's address from being detected, encrypted proxy software appeared. The communication protocol between the user and the proxy server is encrypted, so the proxy's IP address can no longer be found simply by listening to network packets. Once again the restriction side is put in a passive position.
However, the encrypted proxy software still has to communicate with its proxy server and therefore has to know the server's IP address. So, when it starts, it generally fetches the encrypted proxy's IP from some publishing point. All the administrator needs, then, is a separate computer: start the encrypted proxy software on it and monitor that computer's network traffic, and the publishing point of the proxy IP addresses is revealed; the publishing point can then be IP-filtered. This can also be automated: a program starts the encrypted proxy software, monitors its packets, and adds the IP of the publishing point to the blacklist. The encrypted proxy software can no longer obtain a proxy IP and stops working, and the circumvention side is once again at a severe disadvantage.
To counter this, the encrypted proxy software must mix its traffic to the proxy IP publishing point with traffic to other destinations. For example, on startup it first visits a large number of other websites, and somewhere among those visits it contacts the publishing point. With the traffic mixed like this, simply intercepting packets no longer yields the publishing point's IP address, and if every intercepted address is added to the blacklist, many websites are blocked by mistake. Restriction is again at a disadvantage.
To keep restricting access, the network administrator then switches to filtering the IP of the encrypted proxy itself rather than the IP of the publishing point. After starting the encrypted proxy software, download a large file through the proxy: the destination IP that carries by far the most traffic is the encrypted proxy. With this method the administrator can still write programs that automatically block encrypted proxy software, and the circumvention side fails again.
The encrypted proxy software can then apply the same idea: mix traffic to the proxy IP with other traffic, split the traffic evenly across destinations and keep changing the proxy IP, so that the encrypted proxy's IP cannot be picked out from traffic statistics. People can once again bypass the restrictions. But because the traffic is split evenly, the network speed is often only a fraction of what it was, with most of the bandwidth consumed by the decoy traffic meant to confuse the administrator.
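The traffic-statistics step and the even-split countermeasure in the two paragraphs above, as an added example that is not part of the original post: the Python below sums bytes per destination for a test host's flows and names a destination only when it carries a clear majority of the traffic. Both sets of flow records are constructed; in one a single endpoint carries almost the whole download, in the other the same download is spread over several endpoints, so the ranking returns nothing and the administrator gets no IP to filter. The 80% share threshold is an assumption chosen for the example.

```python
"""Added example (not from the original post): rank destination IPs of a
single test host by bytes transferred during a large download, the
traffic-statistics method described in the text. Flow records are constructed."""
from collections import Counter
from typing import Optional

# Constructed flow records: (dst_ip, bytes). Scenario A: one encrypted proxy
# endpoint carries nearly all of the download; the rest is background traffic.
FLOWS_SINGLE_PROXY = [
    ("203.0.113.10", 52_000_000),
    ("192.0.2.30", 120_000),
    ("198.51.100.4", 80_000),
    ("192.0.2.31", 40_000),
]

# Scenario B: the same download split evenly across several endpoints,
# so no single destination stands out in the statistics.
FLOWS_SPLIT = [
    ("203.0.113.10", 13_000_000),
    ("203.0.113.11", 13_000_000),
    ("203.0.113.12", 13_000_000),
    ("203.0.113.13", 13_000_000),
    ("192.0.2.30", 120_000),
]


def bytes_by_destination(flows) -> Counter:
    """Sum bytes per destination IP across all flow records."""
    totals = Counter()
    for dst, nbytes in flows:
        totals[dst] += nbytes
    return totals


def dominant_destination(flows, min_share: float = 0.8) -> Optional[str]:
    """Return the destination carrying at least min_share of all bytes,
    or None when traffic is too evenly spread to single one out.
    min_share is an assumed threshold, not a value from the post."""
    totals = bytes_by_destination(flows)
    total = sum(totals.values())
    if total == 0:
        return None
    dst, nbytes = totals.most_common(1)[0]
    return dst if nbytes / total >= min_share else None


if __name__ == "__main__":
    print(dominant_destination(FLOWS_SINGLE_PROXY))  # 203.0.113.10
    print(dominant_destination(FLOWS_SPLIT))         # None
```

Lowering the threshold until the split case produces an answer just reintroduces the mistaken blocking the post describes: in scenario B the top destination holds about a quarter of the bytes, no more than the other decoy endpoints, so any threshold that names it would also name ordinary busy sites.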
At this point the contest over network access seems to have reached its end, but a clever network administrator is not helpless. By reverse engineering the encrypted proxy software, the publishing point of the proxy IPs can still be found and filtered. What is no longer possible, though, is analyzing network traffic and having a program find the IPs to filter automatically.
Finally, to hinder reverse engineering, the encrypted proxy software is itself protected with software encryption, making reverse engineering very difficult. What follows is a battle of wits between software encryption and cracking.
Summary: if network traffic is not obfuscated, a program can automatically find useful IPs to filter. If the encrypted proxy software itself is not encrypted, it is easier to reverse engineer and find useful IPs to filter. Authors of encrypted proxy software must constantly guard against their software being cracked: once it is cracked, the software needs to be upgraded, so that the restriction side must crack the new version before it can continue.
The author's Twitter: @davidsky2012, the author's Google Reader: https://www.google.com/reader/shared/lehui99