Allot Communications

[David Fifield]

In investigating obfs4 blocking in Kazakhstan, my colleague found some
evidence pointing to Allot Communications, a DPI company:
https://bugs.torproject.org/20348#comment:184

You might be interested in this timeline of detection updates, which
specifically mentions Tor, Psiphon, obfs4, ScrambleSuit, meek, Signal,
OpenVPN, Freegate, Tunnelbear, and other VPNs.

https://www.allot.com/products/platforms/supported-protocols/#1460974307058-a61550f0-8196 (https://archive.is/AuA8b)

> January 26th, 2015
>
> Allot’s latest DART Protocol Pack helps you identify traffic from users
> of the Psiphon circumvention system, which has becoming a popular way to
> bypass content-filtering systems in order to access sites that have been
> blocked due to geographical or regulatory restrictions. It’s also used
> to add a layer of identity protection. In this pack, we refined the
> Psiphon signature to cover all operation modes, including SSH, SSH+ and
> VPN. We also added two new Psiphon signatures for identifying traffic to
> and from:
>
> Psiphon Proxy Server
> Psiphon CDN (Meek mode)

> March 16th, 2015
>
> A growing trend in Internet connectivity is the desire to remain
> anonymous. People are using a variety of anonymizers such as VPN and
> proxy server applications designed to provide high speed connections and
> to prevent network operators and servers from identifying the private
> details and location of the user. This is a growing phenomenon as these
> tools have become readily available and easier to use. To get an
> accurate picture of data usage in your network, you need to identify and
> monitor this kind of traffic. That’s why we’re adding some of the most
> popular anonymizer applications to Allot’s Dynamic Actionable
> Recognition Technology (DART). Get Allot’s latest DART Protocol Pack so
> you can identify:
>
> VPN Unlimited (on MS Windows, MAC OS, Android, and iOS)
> OpenVPN (an open source VPN application for PCs)

> April 27th, 2015
>
> In recent weeks we announced the new anonymizer applications that were
> added to Allot’s signature library. This week we focused on updating and
> refining existing DART signatures for these popular VPN and encryption
> protocols:
>
> TOR (default mode, 3 available bridge modes, CDN meek)
> Psiphon
> Spotflux

> October 19th, 2015
>
> In Allot’s latest DART Protocol Pack, we continue to revisit and refine
> many of our existing application signatures in response to changes that
> we notice in application behavior, packet structure, or other
> characteristics. This week, the focus is on anonymizer applications.
> Allot’s DPI research team is constantly alert and able to respond
> rapidly to application and protocol updates to assure accurate traffic
> monitoring and classification. This week, we refined these popular VPN
> applications:
>
> Freegate (used by millions in China, Cuba, Iran, North Korea and
> many other countries)
> Open VPN (open source VPN application for PCs)

> February 2nd, 2016
>
> TOR is popular anonymizer application that uses the “onion router.”
> Onion Router is a website that takes requests for web-pages and routes
> them through other onion router nodes, until your requested page reaches
> you. Onion routers encrypt the traffic which means no one can see what
> you’re asking for, and the layers of the onion don’t know who they’re
> working for. In Allot’s latest DART Protocol Pack we added signatures
> that identify these TOR transport protocols that use the Onion Router
> network:
>
> TOR ScrambleSuit (pluggable proxy transport protocol)
> TOR Obfs4 (TCP obfuscation layer)

> April 4th, 2016
>
> Online anonymity is often viewed as counter-productive and there is a
> vigorous and ongoing debate regarding the unprecedented anonymity
> enabled by the Internet. The creators of the Tor project are
> understandably pro-anonymity, arguing in favor of the many positive and
> productive uses of TOR by all kinds of people, including IT
> professionals, law enforcement, journalists, bloggers, business execs,
> researchers and everyday users who want to protect their privacy. In
> Allot’s latest DART Protocol Pack we revisited and refined these TOR
> transport protocols to assure accurate detection of their use:
>
> TOR ScrambleSuit (pluggable proxy transport protocol)
> TOR Obfs4 (TCP obfuscation layer)
> TOR

> April 11th, 2016
>
> Open Whisper Systems developed one of the most widely respected
> encrypted communications apps called “Signal” which runs on Android and
> iOS devices. Every message and phone call is encrypted and completely
> private without the users having to do anything. Following an audit by
> independent security experts and a nod of recognition by Edward Snowden,
> the app has become popular with high-profile legal departments, cyber
> security professionals and others who require absolute privacy. Want to
> know how much Signal traffic is on your network? Just use Allot’s latest
> DART Protocol Pack with the new granular signatures for:
>
> Signal (Instant Messaging)
> Signal Calls (VoIP)

> June 13, 2016
>
> Private VPN services provided by the Tor project are used by millions
> the world over, including IT professionals, law enforcement,
> journalists, bloggers, business execs, researchers and everyday users
> who want to protect their privacy. A number of applications, like
> bridges and pluggable transports have sprouted up around Tor to improve
> the privacy and the experience. Some Tor browsers provide bridges by
> default. And if not, these tools can be downloaded at any time. A bridge
> is a tool that makes Tor traffic look like any other traffic, such that
> censors and other monitors do not identify it as Tor per se. In Allot’s
> latest DART Protocol Pack, we refined our signature for the Tor obfs4
> safe transport, to assure accruate identification of this kind of
> traffic on your network:
>
> Tor Obfs4

> August 3, 2016
>
> VPN applications that allow Internet users to maintain their privacy
> online have become quite popular on Android and iPhone devices. As these
> tools get easier to use, they also proliferate, giving mobile users lots
> of choice regarding how private and anonymous they want or need to be.
> In addition to the many anonymizer applications that Allot already
> supports, Allot’s latest DART Protocol Pack adds granular signatures
> that enable you to track usage of these global VPN services:
>
> VPN Master (Android)
> TunnelBear (iPhone)
> Hotspot Shield (Android, iPhone)

> September 12, 2016
>
> A few weeks ago, we announced that TunnelBear had been added to our
> signature library, enabling detection of this popular VPN application on
> iPhone devices. In Allot’s latest DART Protocol Pack, we’ve refined this
> signature to identify TunnelBear on Android devices as well, giving you
> a more complete picture of who’s using TunnelBear and how much traffic
> it generates on your network.
>
> TunnelBear (Android)

[Eric Wustrow]

Has anyone from the privacy/anticensorship community ever had access to this or other DPI boxes that do this kind of detection? I'm mostly curious to get the binaries (or source code!) that implements this detection; reverse engineering this would teach us an awful lot about what lengths these companies/countries go to, and how we could better design protocols to withstand detection/fingerprinting.

How expensive are these "high end" DART boxes? And what's their return policy?

--
You received this message because you are subscribed to the Google Groups "Network Traffic Obfuscation" group.
To unsubscribe from this group and stop receiving emails from it, send an email to traffic-obf+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[David Fifield]

On Wed, Jan 18, 2017 at 10:17:25PM -0700, Eric Wustrow wrote:
> Has anyone from the privacy/anticensorship community ever had access to this or
> other DPI boxes that do this kind of detection? I'm mostly curious to get the
> binaries (or source code!) that implements this detection; reverse engineering
> this would teach us an awful lot about what lengths these companies/countries
> go to, and how we could better design protocols to withstand detection/
> fingerprinting.
>
> How expensive are these "high end" DART boxes? And what's their return policy?

I didn't find any prices online. I would suppose that companies like
this are more interested in selling you a support contract than in
selling you hardware, so they want you to call and talk to a
salesperson. (That's just my guess, though.)
http://www.allot.com/mobile/request-a-quote/
I happened to also find a reseller:
http://www.allotworks.com/

Back when we were looking at Sophos Cyberoam devices, Nicholas Weaver
bought one of their SOHO firewall/routers. I inspected it, though, and
it didn't have the Tor-blocking feature we had observed in one of their
more production-oriented firewalls.

I seem to remember that Brandon Wiley once had physical access to some
censor devices, but I don't remember the details.

Buying something second hand, e.g. off eBay, could also be an option.

[Vinicius Fortuna [vee-NEE-see.oos]]

There's one Allot NetEnforcer on Ebay for US $2,550.00:

http://www.ebay.com/itm/ALLOT-NETENFORCER-AC-2540-AC-2540-COP-AC-/231028887967

And one for $100:

http://www.ebay.com/itm/Allot-NetEnforcer-AC-402-402-45M-HD-Network-Bandwidth-Controller/381913895288

New York State bought a few for $5k and up:

https://www.ogs.ny.gov/purchase/prices/7701821350PL_Layer3.pdf

It seems the Netenforcer model has the DART engine:

http://www.allot.com/products/platforms/netenforcer/

 

--
You received this message because you are subscribed to the Google Groups "Network Traffic Obfuscation" group.

To unsubscribe from this group and stop receiving emails from it, send an email to traffic-obf...@googlegroups.com.

[Philipp Winter]

On Wed, Jan 18, 2017 at 09:54:45PM -0800, David Fifield wrote:
> Back when we were looking at Sophos Cyberoam devices, Nicholas Weaver
> bought one of their SOHO firewall/routers. I inspected it, though, and
> it didn't have the Tor-blocking feature we had observed in one of their
> more production-oriented firewalls.

Did you only inspect the UI, or was it possible to remove the hard drive
and inspect the file system or even code? I wonder how many vendors
encrypt the hard drive with some on-device key to complicate reverse
engineering.

[David Fifield]

I only looked at the UI and attempted bootstrapping Tor through it. It
was just some cheap wireless access point thing.

[David Fifield]

Last year we were talking about Allot Communications and their "DART"
traffic classification technology that advertises support for a variety
of circumvention protocols:
https://groups.google.com/d/msg/traffic-obf/yzxlLpFyXLI/VhuxOZIvAQAJ

Today Qurium published a report on a scandal involving the Azerbaijani
government's use of Allot firewalls for censorship.
https://www.qurium.org/alerts/azerbaijan/corruption_censorship_and_a_dpi_vendor/

The government bought the Allot devices for $3M in 2015 and activated
the DPI in March 2017. Media outlets including Azadliq.info,
Azadliq.org, Meydan.tv and Abzas.net got blocked. Virtualroad.org
recently mirrored the sites on Google Cloud Storage in order to
circumvent the block:
https://storage.googleapis.com/qurium/index.html

Last year, we were talking about acquiring an Allot device for research.
I don't know if anyone followed through on that. The Qurium authors
found an Allot "SG-Sigma E14" device for sale for half a million
dollars(!). But they also found cheaper "NetEnforcer" devices with model
numbers AC-1440 and AC-3000 that also claim to have DART, that go for
only about $500. I couldn't tell, from the writeup, whether they
actually got one or not.