Friday, June 28, 2013

Tunnel trickery

I just added fraud-bridge to my github. It was worth
coding even if there exist a lot of DNS and ICMP
tunneling tools.


o tunneling of TCP-connections, keeping TCP-state
o via DNS: on UDP or UDP on IPv6
o via ICMP or ICMPv6
o HMAC (MD5) protecting of tunnel content
o transparently patching announced TCP-MSS to prevent
  fragmentation or DNS packet splitting
o using EDNS0 extension for DNS-tunneling to achieve good
  througput (larger DNS TXT-replies fit into one reply, honouring
  announced MSS)
o cope with bind9 limits/quota and still having good latency
  for interactive sessions and good throughput
o once started as root, continues to run as unprivileged user
  inside a chroot

If you want to know how a fraud-bridge looks like, check
current blog entry picture, taken during one of my lost-places