Introduction
INTANG is a research project for circumventing the "TCP reset attack" from the Great Firewall of China (GFW) by disrupting/desynchronizing the TCP Control Block (TCB) on the censorship devices. INTANG runs as a client-side only tool in background to protect the TCP connections from being interfered (or even monitored) by the GFW. It works on TCP/IP layers instead of application layer, thus considered more general and can help all application layer protocols to evade censorship, e.g. HTTP, DNS over TCP, OpenVPN, Tor. It can also be run on a proxy to make the deployment easier for those who are incapable of running INTANG (using OSes other than Linux or doesn't have root privillige).
Platform
Linux (must has netfilter supported in kernel)
Tested with Ubuntu 12.04/14.04/16.04.
Dependencies
- libnetfilter-queue-dev
- libnfnetlink-dev
- redis-server
- libhiredis-dev
- libev-dev
- python-redis (optional)
- python-scapy (optional)
Compilation
- Install prerequisite packages:
sudo apt-get update
sudo apt-get install libnetfilter-queue-dev libnfnetlink-dev redis-server libhiredis-dev libev-dev python-redis python-scapy
or
./install_deps.sh
- Compile:
make
And the binary will be located under bin folder.
How to Run
- Use
run.sh
to start the daemon. Logs are by default written to /var/log/intangd.log. If you want to test a specific strategy, userun.sh <strategy ID>
. Strategy IDs can be checked withrun.sh -h
. - Use
stop.sh
to stop the daemon. It simply send SIGINT signal to the daemon.
The daemon needs root privilege to run. If you are using Virtual Machine, you'll need to configure the networks in Bridge Mode.
Source Code Organization
/
βββ main.c Entry point and Main Thread
βββ globals.h Global constants
βββ protocol.h Definition of protocol(IP/TCP/UDP/DNS) headers
βββ memcache.c In-memory cache
βββ cache.c Cache Thread
βββ order.c Shared in-memory queue between Main Thread and Cache Thread
βββ redis.c Communication interfaces to Redis
βββ dns.c DNS Thread
βββ dnscli.c Functions for Main Thread to send requests to DNS Thread.
βββ logging.c Logging functions
βββ strategy.c Strategy registration and selection
βββ discrepancy.c Implementation of low-level "insertion packets", such as wrong checksum
βββ socket.c Socket related functions, sending crafted packets
βββ feedback.c Log uploading functions
βββ helper.c Shared global helper functions
βββ ttl_probing.c Functions for TTL probing and maintaining
βββ test.c Testing functions
βββ run.sh/stop.sh Run/Stop INTANG
βββ distgen.sh Generating distributable code tarball
βββ strategies/
β βββ dummy.c Dummy strategy (do nothing)
β βββ rst_***.c TCB teardown strategies
β βββ do_***.c Buffer prefilling(data overlapping) strategies
β βββ reverse_tcb.c TCB reversal strategy
β βββ multiple_syn.c Multiple SYN (Resync-Desync) strategy
β βββ mixed_***.c Combined strategies.
β βββ ...
βββ tools/ Folder containing python scripts for data analysis
β βββ dump_stats.py Show success rates of strategies by reading from Redis. (INTANG must be running)
β βββ dump_stats_from_log.py Show success rates of strategies by reading from log.
β βββ ...
Disclaimer
INTANG is a research-oriented project. Anyone using it should be aware of the potential risks and responsible for his/her own actions against the censorship authority.
Contact
Any questions could be direct to [email protected]
Paper Published
Zhongjie Wang, Yue Cao, Zhiyun Qian, Chengyu Song, and Srikanth V. Krishnamurthy. 2017. Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship. In Proceedings of IMC β17. ACM, New York,NY, USA, 14 pages. https://doi.org/10.1145/3131365.3131374
FAQ
Please see FAQ page.