How ISPs block websites with DPI - Technical Dive (Deep Packet Inspection)

Captions
Previously we saw how ISPs can block websites by acting as a DNS provider: when you want to access a website, you ask them what the website's address is and they give you a fake address, so you can never look at the website. That is a pretty easy way for them to do it because there's very little computational power involved. But there's another, newer method of blocking websites which makes use of DPI, or deep packet inspection.

So as an example, packets look like this. You have network transactions going on all the time, of different protocols and different types of network communication, and all of this happens through your ISP. So this is your computer, and you want to connect to Facebook, YouTube, whatever, it doesn't matter, it has to go through your ISP. Your ISP could be your local cable internet provider or your mobile data provider, but they are the ones who connect you to the internet, so all of this traffic goes through them, and if they want, if they're willing to expend the computational power, they can go through all those packets. That is how another type of blocking works. So with deep packet inspection you can block websites based on unsafe DNS queries, or even if a website has HTTPS it can be blocked.

So of course if you use your ISP's DNS server they can block anything, but say you're a bit smarter, so you use Cloudflare's DNS server. Cloudflare has the DNS server 1.1.1.1, right? So let's say you use this. I'm gonna first run a command which will clear my DNS cache. OK, now let's filter only DNS packets, and let me restart this. OK, so now we're only capturing DNS packets. So let's say, as an example, you have a simple ping request to google.com. Right now you can see there's a DNS query to 1.1.1.1, Cloudflare's server, which says "give me the IP address for google.com", and then Cloudflare responds to me saying the IP address is 216.58.207.238. In the command prompt that is what we got, and that's what we're trying to connect to. Let's do one more example, Facebook. All right, you can see it now: we have the query for facebook.com, the IP address for Facebook is this, and that's what we connect to. A ping is just a simple command to check whether a website is online or not, but here you can see how typing in a domain name makes the query for the IP address, and these are packets that the ISP can see. So this stuff going on is exactly what can be seen by your ISP. They can see this, there's no doubt about it. I mean, if we're not considering using a VPN, right, just normal internet traffic, they can see this kind of stuff.

So let's take a look at the packet itself. The raw packet is this, in hex, but it's basically a query saying "I have a question, and my question is google.com, I want to know its A, IPv4, address". There's an IPv6 address, which is AAAA, but right now we're using IPv4, so "give me google.com's IP address", right? We ask that to the destination, Cloudflare, and we get a response: the IP address for Google is, right, and the answer is this, 216.58.207.238. Now we're not using the ISP as our DNS server anymore, we have Cloudflare, but the fact is this packet goes through our ISP. So let me add Cloudflare here. OK, so through our ISP we ask them, and Cloudflare replies. Now because DNS is not encrypted, Cloudflare can see this stuff, they can see the websites we're asking for, sorry, the ISP, our ISP can see the websites we're asking for. OK, so what that means is, if they want, they can manipulate this data. So let's say the response comes in, right, this response: Google is this IP address. If they're willing to put in the computational power, they can check if a packet is a response for google.com, change the IP address, and then this would be something else. Or they could say, if I'm asking a question, "what is the IP address of google.com", don't reply, so I would never get this response. So the man in the middle, who can see all of my queries, right, my DNS queries, can say "hey, is he asking for a torrent website, so asking for Pirate Bay? Don't reply", and then we'll never get the answer, so we won't be able to access the website. So this is technically a flaw in DNS, that it's not encrypted, and the solution to that is a secure, encrypted form of DNS known as DNS over HTTPS, right?

But is HTTPS secure? Yes and no. So when you connect to a server over HTTPS, what happens is whatever you're communicating with the website, that is safe. So let's take another example, right, so let's say you go to google.com or Facebook, right, let's say you go to Facebook over HTTPS. Now if you enter your email and password, right, this data will be encrypted, so if I check the data here I will not be able to see the email and password. So the ISP cannot see the email and password, they cannot see this. If you're a bit unclear about this, you can also check out my other video on encryption, it covers this in much more detail. But OK, this data is safe; what's not safe is the website you're connecting to. The name of the website is still available in plain text.

OK, now to take another example, of HTTP, we'll see how HTTP is insecure. So we're gonna open up an example website on HTTP. OK, you can see it says "not secure", and this is what we see. Now let's see what the ISP can see. OK, so we have an HTTP request here saying GET the index from example.org, so this is from us to example's servers, and we have a response, and if you see, the response is the entire HTML source of that website. In fact I'll show you: in Chrome, if I click "view page source", right, you see this "Example Domain" and it's exactly what we see here. So this means that your ISP can see exactly the information you're exchanging with a website if it's on HTTP. So HTTP is completely insecure; if it was HTTPS it's a bit more secure.

OK, now we're gonna check out HTTPS traffic, so I've filtered it to TLS, which is the protocol for HTTPS, and let's open a website, say Pirate Bay on HTTPS. OK, so if I enter that, OK, I can see this page, I see the green lock, it's secure. Let's open it up in Wireshark, and OK, so we have different parts of the protocol here: we have a client hello, server hello, and then you see a lot of application data. So in the client hello, OK, let me see if I can find it here, client hello, there's a lot of information, some random numbers, session ID, for security and stuff, but the biggest problem is there's an extension, the server name, and that has the name of the website we're trying to visit, thepiratebay.org, and this is in plain text. So anyone in the middle, including an ISP, can see this, right? So say again we're back to this situation: if they can see the name over here, they can see this, then they can block it, right? So that's the problem. HTTPS is secure after that: after the client and server exchange the keys you see this thing called application data, and that's encrypted, so whatever happens next, it looks like garbage, no one knows, no one can tell what it means, that's the whole point. So although the data afterwards is encrypted, the server name itself is not encrypted, and therefore someone can tell which website you're connecting to. And the problem with that is, with that information they can check which websites you've connected to, or block websites. So for example the client hello to thepiratebay.org, your ISP in the middle could just drop it. They could just say "you know what, we don't want this", so the client hello, they will never pass it on to the Pirate Bay. Let's say this is the Pirate Bay, right, it will never reach here, or if it does, the response will never reach. So that is somewhat of a flaw in HTTPS, which is that the name of the website we're connecting to is leaked, although the data is not. This stuff, what I typed here, is secure, the response is secure, no one else can see this, no one else knows what I typed, but what they do know is that I connected to thepiratebay.org, or I tried to connect, and based on this, based on the packets I'm sending out, the ISP can see all of this, they can block the connection.

OK, so now let's check how in Firefox we can prevent this. So I'm gonna flush my DNS cache just to ensure that nothing is in there, and we can log all DNS requests. Let's open up thepiratebay.org. OK, you can see the lock, it's secure. All right, now OK, there's a few different requests, let me see. OK, so this one, sorry about that, this one, you can see it's for some Mozilla website; this is the one we're interested in, this is the one for Pirate Bay. Now I don't know that for sure, but I'm assuming. And if you see, you can't see the name anywhere, and if I scroll to the bottom here there's an extension called encrypted server name, encrypted SNI. So what that means is the person in the middle, your ISP, cannot see the name anymore, right, they cannot see the server name, this is not available. Now what they see is an encrypted SNI, an encrypted server name. So they can see you're trying to connect to a website; they do not know that you're trying to connect to the Pirate Bay. So this is how it secures it a little bit more. And also in Firefox, if you configure it correctly, it does not make any public, unencrypted DNS requests. So you can see in DNS I only have this random Microsoft thing. If we open up a random website as well, sorry, a website, randomwebsite.com, you can see that one didn't come up here, but if I was to, say, use ping or something, right, ping randomwebsite.com, you can see there's a request, there's a query to this website, your ISP can see this query. But the DNS queries made via Firefox, configured correctly, do not show up there; they're encrypted, as is the server name indication. Now it's important to keep in mind that this encrypted server name, the encrypted SNI, is a new standard, it's not supported by all websites yet. By default all websites on Cloudflare support it, but there are websites for which it will not work. For example, Twitter does not support encrypted SNI, but Twitter is not blocked yet, so if a website is blocked using, so OK, so let's summarize a bit.

So with deep packet inspection the ISP can see DNS queries, what website you're trying to visit, and the HTTPS server name indication, which is also what website you're trying to visit, what website you're visiting. What they cannot see is the information you're exchanging with the website. They cannot see what you're searching for, what the website is sending to you, they cannot see that. All they see is, as an example, thepiratebay.org, that's all they see, and they know that OK, we want to block this website. So right there, when they see the TLS handshake request or the DNS query for thepiratebay.org, they will just drop the packet, they won't send it to its final destination, and you'll never get a reply and you won't be able to connect. However, using DNS over HTTPS, and if, big if, the website supports ESNI, then with a configured browser you can access it.
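The middlebox logic described in the video, as an added example that is not part of the video or its channel: a minimal DPI classifier in Python that reads the hostname from the three plaintext places shown on screen (the question in a DNS query on UDP/53, the Host header of an HTTP request on TCP/80, and the server_name extension of a TLS ClientHello on TCP/443) and returns "drop" when that name is on a blocklist. Everything here is constructed for illustration: the sample packets, the blocklist, the ESNI stand-in bytes, and the choice to pick a parser by destination port. An ESNI-only ClientHello is recognised by the codepoint the ESNI drafts used (0xffce) but cannot be read, which is why it passes.

```python
import struct

# --- DNS, UDP/53: the question name is plaintext even when the resolver is 1.1.1.1 ---
def encode_dns_name(name):
    """'google.com' -> b'\\x06google\\x03com\\x00' (length-prefixed labels)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_dns_query(name, qtype=1):
    """Constructed sample query (ID 0x1234, RD set). qtype 1 = A, 28 = AAAA."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + encode_dns_name(name) + struct.pack("!HH", qtype, 1)

def parse_dns_qname(payload):
    """Name in the first question of a DNS query, or None (response, junk, truncated)."""
    if len(payload) < 12 or payload[2] & 0x80 or payload[4:6] == b"\x00\x00":
        return None                                   # QR=1 is a response; QDCOUNT=0
    labels, pos = [], 12
    while pos < len(payload):
        n, pos = payload[pos], pos + 1
        if n == 0:
            return ".".join(labels).lower() if labels else None
        if n & 0xC0 or pos + n > len(payload):       # compression pointer / truncated
            return None
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return None

# --- HTTP, TCP/80: the whole request, Host header included, is readable ---
def parse_http_host(payload):
    """Host header of a plaintext HTTP/1.x request, or None if it is not one."""
    lines = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    if not lines[0].endswith((b" HTTP/1.1", b" HTTP/1.0")):
        return None
    for line in lines[1:]:
        if line[:5].lower() == b"host:":
            return line[5:].strip().split(b":")[0].decode("ascii", "replace").lower()
    return None

# --- TLS, TCP/443: application data is encrypted, but the ClientHello's
#     server_name (SNI) extension still carries the hostname in clear ---
SNI_EXT = 0x0000
ESNI_EXT = 0xFFCE   # encrypted_server_name codepoint from the draft-ietf-tls-esni series

def build_client_hello(server_name=None, esni=False):
    """Constructed sample ClientHello record: plaintext SNI if server_name is given,
    an opaque encrypted_server_name blob (stand-in bytes) if esni=True."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(host)) + host     # name_type host_name
        body = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", SNI_EXT, len(body)) + body
    if esni:
        exts += struct.pack("!HH", ESNI_EXT, 32) + b"\xaa" * 32       # ciphertext stand-in
    hello = (b"\x03\x03" + b"\x11" * 32                 # client_version, random
             + b"\x00"                                   # empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
             + b"\x01\x00"                               # compression: null only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello      # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(rec):
    """Plaintext SNI from a ClientHello record, or None (not TLS, ESNI-only, truncated)."""
    try:
        if rec[0] != 0x16 or rec[1] != 0x03 or rec[5] != 0x01:
            return None
        pos = 9 + 2 + 32                                         # headers, version, random
        pos += 1 + rec[pos]                                      # session_id
        pos += 2 + struct.unpack("!H", rec[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + rec[pos]                                      # compression_methods
        end = pos + 2 + struct.unpack("!H", rec[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", rec[pos:pos + 4])
            pos += 4
            if etype == SNI_EXT:                                 # skip list len + name_type
                name_len = struct.unpack("!H", rec[pos + 3:pos + 5])[0]
                return rec[pos + 5:pos + 5 + name_len].decode("ascii", "replace").lower()
            pos += elen
        return None
    except (IndexError, struct.error):
        return None

# --- The DPI decision: match the observed name, no keys needed ---
BLOCKLIST = {"thepiratebay.org"}   # hypothetical blocklist for this example

def observed_hostname(dst_port, payload):
    """Hostname a middlebox can read from one packet, keyed on the destination port."""
    return {53: parse_dns_qname, 80: parse_http_host, 443: extract_sni}.get(
        dst_port, lambda _: None)(payload)

def dpi_verdict(dst_port, payload, blocklist=BLOCKLIST):
    """'drop' if the observed name is a blocked domain or a subdomain of one."""
    name = observed_hostname(dst_port, payload)
    if name and any(name == d or name.endswith("." + d) for d in blocklist):
        return "drop"
    return "pass"
```

Calling `dpi_verdict(443, build_client_hello("thepiratebay.org"))` gives "drop", while `dpi_verdict(443, build_client_hello(esni=True))` gives "pass" because the only thing on the wire is an extension the box cannot decrypt; a DNS query for the same name on port 53 is dropped just as the video describes, and the same query sent inside DNS over HTTPS would arrive on port 443 with only the resolver's name in the SNI. Two simplifications to keep in mind: a real engine fingerprints the protocol rather than trusting the port, and it has to reassemble TCP segments, since a ClientHello can be split across them.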
Info
Channel: spaghetti code
Views: 2,010
Rating: 4.875 out of 5
Keywords: piracy, isp, blocking, website, vpn, dpi, deep packet inspection, jio blocking, https, dns over https, esni, safe browsing, privacy
Id: hkwenjoUgyg
Length: 16min 4sec (964 seconds)
Published: Mon Apr 13 2020