UPDATE: The video is added after the last slide.
After the OONI report about internet censorship in Egypt, I'm publishing some technical logs that discuss the existence of an active DPI with MITM capabilities in Egypt.
Encrypted Traffic in Egypt - an attempt to understand
1. Encrypted Traffic in Egypt
An attempt to understand
Ahmed Mekkawy
CEO | Founder
Spirula Systems
2. About the Presenter
● Founder and CEO of Spirula Systems.
● Co-founder of OpenEgypt.
● Free Software Foundation (FSF) member.
● Independent consultant at MCIT.
● Advisory board member at Mushtarak TechHub.
● One of the authors of the Egyptian national FOSS adoption strategy.
3. Scope of this Presentation
● Facts by me: authenticity not proven
● Online screenshots
● Facts by OONI
● My conclusion
7. OpenVPN / UDP1194 – May 20th
● Server: No logs
● Client:
May 20 08:48:27 localhost NetworkManager[1109]: <info> VPN connection 'vpn2' (Connect) reply received.
May 20 08:48:28 localhost nm-openvpn[5705]: Control Channel Authentication: using '/path/to/ta.key' as a OpenVPN static key file
May 20 08:48:28 localhost nm-openvpn[5705]: UDPv4 link local: [undef]
May 20 08:48:28 localhost nm-openvpn[5705]: UDPv4 link remote: [AF_INET]VPN_IP:1194
May 20 08:48:28 localhost nm-openvpn[5705]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]VPN_IP:1194
May 20 08:49:07 localhost NetworkManager[1109]: <warn> VPN connection 'vpn2' (IP Config Get) timeout exceeded.
...
May 20 08:48:58 localhost nm-openvpn[5705]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]VPN_IP:1194]
May 20 08:49:07 localhost nm-openvpn[5705]: SIGTERM[hard,] received, process exiting
8. OpenVPN / UDP53 – May 20th
● Server: No logs
● Client:
May 20 08:58:51 localhost NetworkManager[1109]: <info> VPN connection 'vpn2' (Connect) reply received.
May 20 08:58:51 localhost nm-openvpn[5897]: Control Channel Authentication: using '/path/to/ta.key' as a OpenVPN static key file
May 20 08:58:51 localhost nm-openvpn[5897]: UDPv4 link local: [undef]
May 20 08:58:51 localhost nm-openvpn[5897]: UDPv4 link remote: [AF_INET]VPN_IP:53
May 20 08:58:51 localhost nm-openvpn[5897]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]VPN_IP:53
May 20 08:59:31 localhost NetworkManager[1109]: <warn> VPN connection 'vpn2' (IP Config Get) timeout exceeded.
...
May 20 08:59:21 localhost nm-openvpn[5897]: message repeated 4 times: [ TLS Error: cannot locate HMAC in incoming packet from [AF_INET]VPN_IP:53]
May 20 08:59:31 localhost nm-openvpn[5897]: SIGTERM[hard,] received, process exiting
9. OpenVPN / TCP443 – May 20th
● Server: No logs
● Client:
May 20 08:52:54 localhost nm-openvpn[5791]: Attempting to establish TCP connection with [AF_INET]VPN_IP:1194 [nonblock]
May 20 08:52:55 localhost nm-openvpn[5791]: TCP connection established with [AF_INET]VPN_IP:1194
May 20 08:52:55 localhost nm-openvpn[5791]: TCPv4_CLIENT link local: [undef]
May 20 08:52:55 localhost nm-openvpn[5791]: TCPv4_CLIENT link remote: [AF_INET]VPN_IP:1194
May 20 08:52:55 localhost nm-openvpn[5791]: Connection reset, restarting [0]
May 20 08:52:55 localhost nm-openvpn[5791]: SIGUSR1[soft,connection-reset] received, process restarting
10. OpenVPN / TCP8000 – May 20th
● Client and Server logs normal
● Connectivity within the tunnel:
$ ping -c 10 vpn2
--- vpn2 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9014ms
rtt min/avg/max/mdev = 94.359/96.217/99.897/1.902 ms
$ ping -c 10 10.8.0.5
PING 10.8.0.5 (10.8.0.5) 56(84) bytes of data.
--- 10.8.0.5 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 8999ms
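Slides 7 to 10 show one failure pattern per port: a tls-auth HMAC mismatch on UDP, a reset right after the TCP connect, and a tunnel that comes up but carries no traffic. As an added example (not from the slides), this Python classifier reads client-side nm-openvpn lines modelled on the ones above and labels each attempted port by outcome; the TCP8000 success line is assumed, since a normal run logs "Initialization Sequence Completed", and the helper that reads ping loss covers the in-tunnel test on slide 10.

```python
import re

# Constructed sample modelled on the nm-openvpn lines from the slides; the TCP8000
# success line is assumed (a normal run logs "Initialization Sequence Completed").
SAMPLE_LOG = """\
May 20 08:48:28 localhost nm-openvpn[5705]: UDPv4 link remote: [AF_INET]VPN_IP:1194
May 20 08:48:28 localhost nm-openvpn[5705]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]VPN_IP:1194
May 20 08:58:51 localhost nm-openvpn[5897]: UDPv4 link remote: [AF_INET]VPN_IP:53
May 20 08:58:51 localhost nm-openvpn[5897]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]VPN_IP:53
May 20 08:52:55 localhost nm-openvpn[5791]: TCPv4_CLIENT link remote: [AF_INET]VPN_IP:1194
May 20 08:52:55 localhost nm-openvpn[5791]: Connection reset, restarting [0]
May 20 09:05:10 localhost nm-openvpn[6001]: TCPv4_CLIENT link remote: [AF_INET]VPN_IP:8000
May 20 09:05:12 localhost nm-openvpn[6001]: Initialization Sequence Completed
"""

LINE_RE = re.compile(r"nm-openvpn\[(\d+)\]: (.*)$")
REMOTE_RE = re.compile(r"(UDPv4|TCPv4_CLIENT) link remote: \[AF_INET\]\S+:(\d+)")
# "cannot locate HMAC" means the reply failed the tls-auth check: it was not signed with
# the shared ta.key, so it came from, or was altered by, something other than the server.
SIGNATURES = [
    ("cannot locate HMAC", "hmac-mismatch"),
    ("Connection reset", "tcp-reset"),
    ("Initialization Sequence Completed", "established"),
]

def classify_openvpn_log(text):
    """Map each attempted transport/port (e.g. 'udp/1194') to its handshake outcome."""
    remote = {}   # pid -> "udp/1194"
    outcome = {}  # pid -> first signature seen for that attempt
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        r = REMOTE_RE.search(msg)
        if r:
            proto = "udp" if r.group(1).startswith("UDP") else "tcp"
            remote[pid] = f"{proto}/{r.group(2)}"
            continue
        for needle, label in SIGNATURES:
            if needle in msg:
                outcome.setdefault(pid, label)
    return {remote[p]: outcome.get(p, "no-handshake") for p in remote}

PING_RE = re.compile(r"(\d+) packets transmitted, (\d+) received")

def ping_loss(stats_text):
    """Percent loss from a ping summary line, as in the in-tunnel test on slide 10."""
    sent, got = map(int, PING_RE.search(stats_text).groups())
    return 100 * (sent - got) // sent
```

Run over the constructed sample, it reports udp/1194 and udp/53 as hmac-mismatch, tcp/1194 as tcp-reset and tcp/8000 as established; ping_loss on the slide 10 summary returns 100 for the tunnel address.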
29. Report Highlights
● Media censorship
– Collateral damage
● HTTPS throttling
– Inaccessible URLs
● Attempts to block Tor
● Advertisement and malware injection
– Third party tools (curl) showing injected content
30. Conclusion
● DPI with MITM capabilities
● Possible daily Big Data analytics to enhance the DPI rules through a certain AI model
● All this is a testing phase