Bypassing DPI with eBPF Sock_ops
The article discusses a method to bypass Deep Packet Inspection (DPI) using eBPF sock_ops. It describes how a fake ClientHello is sent to mislead the DPI while allowing the real connection to pass through. Additionally, it explains the use of a local DoH server to handle DNS queries securely.
- The method involves sending a fake ClientHello with a different SNI to trick the DPI.
- The eBPF program is used to manipulate TCP settings to fragment the real ClientHello.
- A local DoH server is implemented to encrypt DNS queries and prevent interception.
Opening excerpt (first ~120 words)
The problem

A site I wanted to open never loaded. The TLS handshake stalled. Somewhere upstream, a middlebox was reading the SNI in my ClientHello and dropping the connection.

DNS was the other half. Even if you slip past the DPI, the resolver hands you a fake IP that lands on a block page. So both have to be dealt with.

Most fixes mean a VPN or a proxy. I didn’t want either. A VPN sends every byte you have through some remote server. Way too much for this. A proxy needs per-app configuration, and plenty of apps just ignore the system proxy. What I wanted was simpler: system-level, transparent, one command.

sudo gecit run

The idea

The trick is simple. Send a fake ClientHello before the real one reaches the DPI. The fake carries a different SNI, www.google.com, with a low TTL.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Bora.