mirror of
https://github.com/apernet/OpenGFW.git
synced 2024-12-23 01:19:21 +08:00
feat: Trojan analyzer based on github.com/XTLS/Trojan-killer
This commit is contained in:
parent
00d88d7fbf
commit
1041d5fde1
@ -23,6 +23,7 @@ Linux that's in many ways more powerful than the real thing. It's cyber sovereig
|
|||||||
- HTTP, TLS, DNS, SSH, and many more to come
|
- HTTP, TLS, DNS, SSH, and many more to come
|
||||||
- "Fully encrypted traffic" detection for Shadowsocks,
|
- "Fully encrypted traffic" detection for Shadowsocks,
|
||||||
etc. (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
|
etc. (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
|
||||||
|
- Trojan (proxy protocol) detection based on Trojan-killer (https://github.com/XTLS/Trojan-killer)
|
||||||
- [WIP] Machine learning based traffic classification
|
- [WIP] Machine learning based traffic classification
|
||||||
- Flow-based multicore load balancing
|
- Flow-based multicore load balancing
|
||||||
- Connection offloading
|
- Connection offloading
|
||||||
@ -90,6 +91,10 @@ to [Expr Language Definition](https://expr-lang.org/docs/language-definition).
|
|||||||
action: block
|
action: block
|
||||||
expr: fet != nil && fet.yes
|
expr: fet != nil && fet.yes
|
||||||
|
|
||||||
|
- name: block trojan
|
||||||
|
action: block
|
||||||
|
expr: trojan != nil && trojan.yes
|
||||||
|
|
||||||
- name: v2ex dns poisoning
|
- name: v2ex dns poisoning
|
||||||
action: modify
|
action: modify
|
||||||
modifier:
|
modifier:
|
||||||
|
@ -20,6 +20,7 @@ OpenGFW 是一个 Linux 上灵活、易用、开源的 [GFW](https://zh.wikipedi
|
|||||||
- 完整的 IP/TCP 重组,各种协议解析器
|
- 完整的 IP/TCP 重组,各种协议解析器
|
||||||
- HTTP, TLS, DNS, SSH, 更多协议正在开发中
|
- HTTP, TLS, DNS, SSH, 更多协议正在开发中
|
||||||
- Shadowsocks 等 "全加密流量" 检测 (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
|
- Shadowsocks 等 "全加密流量" 检测 (https://gfw.report/publications/usenixsecurity23/data/paper/paper.pdf)
|
||||||
|
- 基于 Trojan-killer 的 Trojan 检测 (https://github.com/XTLS/Trojan-killer)
|
||||||
- [开发中] 基于机器学习的流量分类
|
- [开发中] 基于机器学习的流量分类
|
||||||
- 基于流的多核负载均衡
|
- 基于流的多核负载均衡
|
||||||
- 连接 offloading
|
- 连接 offloading
|
||||||
@ -85,6 +86,10 @@ workers:
|
|||||||
action: block
|
action: block
|
||||||
expr: fet != nil && fet.yes
|
expr: fet != nil && fet.yes
|
||||||
|
|
||||||
|
- name: block trojan
|
||||||
|
action: block
|
||||||
|
expr: trojan != nil && trojan.yes
|
||||||
|
|
||||||
- name: v2ex dns poisoning
|
- name: v2ex dns poisoning
|
||||||
action: modify
|
action: modify
|
||||||
modifier:
|
modifier:
|
||||||
|
91
analyzer/tcp/trojan.go
Normal file
91
analyzer/tcp/trojan.go
Normal file
@ -0,0 +1,91 @@
|
|||||||
|
package tcp
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
|
||||||
|
"github.com/apernet/OpenGFW/analyzer"
|
||||||
|
)
|
||||||
|
|
||||||
|
var _ analyzer.TCPAnalyzer = (*TrojanAnalyzer)(nil)
|
||||||
|
|
||||||
|
// CCS stands for "Change Cipher Spec"
|
||||||
|
var trojanCCS = []byte{20, 3, 3, 0, 1, 1}
|
||||||
|
|
||||||
|
const (
|
||||||
|
trojanUpLB = 650
|
||||||
|
trojanUpUB = 1000
|
||||||
|
trojanDownLB1 = 170
|
||||||
|
trojanDownUB1 = 180
|
||||||
|
trojanDownLB2 = 3000
|
||||||
|
trojanDownUB2 = 7500
|
||||||
|
)
|
||||||
|
|
||||||
|
// TrojanAnalyzer uses a very simple packet length based check to determine
|
||||||
|
// if a TLS connection is actually the Trojan proxy protocol.
|
||||||
|
// The algorithm is from the following project, with small modifications:
|
||||||
|
// https://github.com/XTLS/Trojan-killer
|
||||||
|
// Warning: Experimental only. This method is known to have significant false positives and false negatives.
|
||||||
|
type TrojanAnalyzer struct{}
|
||||||
|
|
||||||
|
func (a *TrojanAnalyzer) Name() string {
|
||||||
|
return "trojan"
|
||||||
|
}
|
||||||
|
|
||||||
|
func (a *TrojanAnalyzer) Limit() int {
|
||||||
|
return 16384
|
||||||
|
}
|
||||||
|
|
||||||
|
func (a *TrojanAnalyzer) NewTCP(info analyzer.TCPInfo, logger analyzer.Logger) analyzer.TCPStream {
|
||||||
|
return newTrojanStream(logger)
|
||||||
|
}
|
||||||
|
|
||||||
|
type trojanStream struct {
|
||||||
|
logger analyzer.Logger
|
||||||
|
active bool
|
||||||
|
upCount int
|
||||||
|
downCount int
|
||||||
|
}
|
||||||
|
|
||||||
|
func newTrojanStream(logger analyzer.Logger) *trojanStream {
|
||||||
|
return &trojanStream{logger: logger}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *trojanStream) Feed(rev, start, end bool, skip int, data []byte) (u *analyzer.PropUpdate, done bool) {
|
||||||
|
if skip != 0 {
|
||||||
|
return nil, true
|
||||||
|
}
|
||||||
|
if len(data) == 0 {
|
||||||
|
return nil, false
|
||||||
|
}
|
||||||
|
if !rev && !s.active && len(data) >= 6 && bytes.Equal(data[:6], trojanCCS) {
|
||||||
|
// Client CCS encountered, start counting
|
||||||
|
s.active = true
|
||||||
|
}
|
||||||
|
if s.active {
|
||||||
|
if rev {
|
||||||
|
// Down direction
|
||||||
|
s.downCount += len(data)
|
||||||
|
} else {
|
||||||
|
// Up direction
|
||||||
|
if s.upCount >= trojanUpLB && s.upCount <= trojanUpUB &&
|
||||||
|
((s.downCount >= trojanDownLB1 && s.downCount <= trojanDownUB1) ||
|
||||||
|
(s.downCount >= trojanDownLB2 && s.downCount <= trojanDownUB2)) {
|
||||||
|
return &analyzer.PropUpdate{
|
||||||
|
Type: analyzer.PropUpdateReplace,
|
||||||
|
M: analyzer.PropMap{
|
||||||
|
"up": s.upCount,
|
||||||
|
"down": s.downCount,
|
||||||
|
"yes": true,
|
||||||
|
},
|
||||||
|
}, true
|
||||||
|
}
|
||||||
|
s.upCount += len(data)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// Give up when either direction is over the limit
|
||||||
|
return nil, s.upCount > trojanUpUB || s.downCount > trojanDownUB2
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *trojanStream) Close(limited bool) *analyzer.PropUpdate {
|
||||||
|
return nil
|
||||||
|
}
|
@ -89,6 +89,7 @@ var analyzers = []analyzer.Analyzer{
|
|||||||
&tcp.HTTPAnalyzer{},
|
&tcp.HTTPAnalyzer{},
|
||||||
&tcp.SSHAnalyzer{},
|
&tcp.SSHAnalyzer{},
|
||||||
&tcp.TLSAnalyzer{},
|
&tcp.TLSAnalyzer{},
|
||||||
|
&tcp.TrojanAnalyzer{},
|
||||||
&udp.DNSAnalyzer{},
|
&udp.DNSAnalyzer{},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user