From 257652fc5e56ae70ae66120bacf7e4a4b7e0bfc8 Mon Sep 17 00:00:00 2001 From: bol-van Date: Sun, 2 Feb 2020 19:31:11 +0300 Subject: [PATCH] readme : disorder2,split2 notice --- docs/readme.eng.txt | 5 +++-- docs/readme.txt | 2 ++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/readme.eng.txt b/docs/readme.eng.txt index bab1ded..c4f9def 100644 --- a/docs/readme.eng.txt +++ b/docs/readme.eng.txt @@ -42,7 +42,7 @@ In short, the options can be classified according to the following scheme: This option is out of the scope of the project. If you do not allow ban trigger to fire, then you won’t have to deal with its consequences. 2) Modification of the TCP connection at the stream level. Implemented through a proxy or transparent proxy. -3) Modification of TCP connection at the packet level. Implemented through the NFQUEUE queue handler and raw sockets. +3) Modification of TCP connection at the packet level. Implemented through the NFQUEUE handler and raw sockets. For options 2 and 3, tpws and nfqws programs are implemented, respectively. You need to run them with the necessary parameters and redirect certain traffic with iptables. @@ -83,7 +83,6 @@ Then we can reduce CPU load, refusing to process unnecessary packets. iptables -t mangle -I POSTROUTING -o <внешний_интерфейс> -p tcp --dport 80 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 2:4 -m set --match-set zapret dst -j NFQUEUE --queue-num 200 --queue-bypass - ip6tables --------- 
@@ -190,6 +189,8 @@ Split mode is very similar to disorder but without segment reordering : 4. 2nd segment Mode 'split2' disables sending of fake segments. It can be used as a faster alternative to --wsize. +In disorder2 and split2 modes no fake packets are sent, so no fooling options are required. + There are DPIs that analyze responses from the server, particularly the certificate from the ServerHello that contain domain name(s). The ClientHello delivery confirmation is an ACK packet from the server with ACK sequence number corresponding to the length of the ClientHello+1. diff --git a/docs/readme.txt b/docs/readme.txt index edb87ed..2102cb8 100644 --- a/docs/readme.txt +++ b/docs/readme.txt @@ -224,6 +224,8 @@ nfqws Режим split2 отключает отправку поддельных частей. Он может быть использован как более быстрая альтернатива --wsize. +disorder2 и split2 не предполагают отсылку фейк пакетов, поэтому опции дурения неактуальны. + Есть DPI, которые анализируют ответы от сервера, в частности сертификат из ServerHello, где прописаны домены. Подтверждением доставки ClientHello является ACK пакет от сервера с номером ACK sequence, соответствующим длине ClientHello+1. В варианте disorder обычно приходит сперва частичное подтверждение (SACK), потом полный ACK.
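Review bot: the wording change in the first readme.eng.txt hunk (`NFQUEUE queue handler` to `NFQUEUE handler`) and the blank-line removal in the second are unrelated to the disorder2/split2 notice named in the subject; either mention them in the commit message or split them into their own commit so the history stays searchable.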
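Review bot: the iptables example kept as context in the `@@ -83,7 +83,6 @@` hunk still carries the Russian placeholder `<внешний_интерфейс>` in the English readme; while touching these lines, replace it with an English placeholder such as `<external_interface>`. Also, deleting the blank line between the iptables command and the `ip6tables` heading runs the command straight into the next section in this plain-text file; keep the separator.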
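Review bot: in the `@@ -190,6 +189,8 @@` hunk the added sentence "no fooling options are required" reads as if the options are optional but still honoured; if nfqws ignores them in disorder2 and split2, say so explicitly (for example "fooling options have no effect in these modes and can be omitted"), and name which options are meant, since the term "fooling options" does not appear anywhere else in this hunk. The preceding context line speaks of "fake segments" while the new line says "fake packets"; use one term.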
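Review bot: the readme.txt hunk adds "disorder2 и split2 не предполагают отсылку фейк пакетов, поэтому опции дурения неактуальны" (i.e. "disorder2 and split2 do not involve sending fake packets, so the fooling options are irrelevant"), which claims the options are irrelevant, whereas the English counterpart in readme.eng.txt says they are "not required"; align both readmes on the same statement of behaviour. Also "фейк пакетов" should be hyphenated as "фейк-пакетов".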