
Vulnerability Research: Evading DPI via TCP Fragmentation

Tags: Networking, DPI, System Internals, Scapy

I’ve been spending a lot of time recently in Wireshark analyzing how modern Deep Packet Inspection (DPI) appliances handle encrypted traffic. The core issue we all face in hostile network environments is that even with TLS 1.3, the ClientHello message still leaks the Server Name Indication (SNI) in plaintext.

Middleboxes don't even need to break the encryption; they just read the SNI and drop the connection. While Encrypted Client Hello (ECH) is the long-term fix, its deployment is still fragmented.

The Experiment: Packet-Level Fragmentation

In my lab, I started testing how commercial firewalls handle TCP stream reassembly. The hypothesis: if we artificially split the TCP segments carrying the ClientHello at the byte level, we can bypass poorly configured DPI signatures that only inspect the first few packets in isolation, without performing full stateful reassembly of the stream.

Using Python and Scapy, I drafted a quick script to split the ClientHello across multiple tiny payloads.

Lab Findings:

  • 1-Byte Fragments: Pushing the SNI one byte per packet successfully bypassed several signature-based IDS setups I tested. The overhead is massive, but it works as a proof of concept.

  • Stateful Firewalls: Advanced Next-Gen Firewalls (NGFWs) caught this immediately, either dropping the fragmented packets as anomalous or successfully reassembling and reading the SNI.
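The two findings above, seen from the inspection side, as an added Python example (not the post's Scapy script): a per-packet signature check that misses the SNI once the ClientHello is split one byte per segment, next to the stateful reassembly an NGFW performs, plus the tiny-segment ratio that makes such a stream look anomalous. The ClientHello bytes and the segment list are constructed inline, not captured traffic.

```python
# Added example, not the post's own script: sample ClientHello bytes are constructed, not captured.

def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS-framed ClientHello carrying one server_name (SNI) extension."""
    name = host.encode()
    sni_list = b"\x00" + len(name).to_bytes(2, "big") + name        # name_type host_name(0)
    ext = b"\x00\x00" + (len(sni_list) + 2).to_bytes(2, "big") + len(sni_list).to_bytes(2, "big") + sni_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                    # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                     # one cipher suite, null compression
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type client_hello(1)
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs        # record type handshake(22)

def parse_sni(data: bytes):
    """Return the SNI host name, or None if `data` is not (yet) one complete ClientHello record."""
    if len(data) < 5 or data[0] != 0x16 or len(data) < 5 + int.from_bytes(data[3:5], "big"):
        return None                                                 # incomplete record: keep buffering
    hs = data[5:5 + int.from_bytes(data[3:5], "big")]
    if not hs or hs[0] != 0x01:
        return None
    p = 4 + 2 + 32                                                  # handshake header, version, random
    p += 1 + hs[p]                                                  # session id
    p += 2 + int.from_bytes(hs[p:p + 2], "big")                     # cipher suites
    p += 1 + hs[p]                                                  # compression methods
    ext_end, p = p + 2 + int.from_bytes(hs[p:p + 2], "big"), p + 2
    while p + 4 <= ext_end:
        etype, elen = int.from_bytes(hs[p:p + 2], "big"), int.from_bytes(hs[p + 2:p + 4], "big")
        if etype == 0:                      # server_name: list len(2), name_type(1), name len(2), name
            return hs[p + 9:p + 9 + int.from_bytes(hs[p + 7:p + 9], "big")].decode()
        p += 4 + elen
    return None

def fragment(data: bytes, size: int):
    """Test input only: split a payload into (relative_seq, payload) segments of `size` bytes."""
    return [(i, data[i:i + size]) for i in range(0, len(data), size)]

def naive_inspect(segments, first_n=3):
    """Signature engine that parses each of the first N segments in isolation (no reassembly)."""
    return next((s for _, p in segments[:first_n] if (s := parse_sni(p))), None)

def stateful_inspect(segments):
    """What an NGFW does: order by sequence number, concatenate, then parse the stream."""
    return parse_sni(b"".join(p for _, p in sorted(segments)))

def tiny_segment_ratio(segments, threshold=4):
    """Share of segments shorter than `threshold` bytes; a ratio near 1.0 is the anomaly to alert on."""
    return sum(1 for _, p in segments if 0 < len(p) < threshold) / len(segments)
```

Feed `fragment(build_client_hello("example.com"), 1)[::-1]` (one byte per segment, delivered out of order) to both inspectors: the naive one returns None, the stateful one returns the host name, and the tiny-segment ratio is 1.0.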

Takeaway: Relying on fragmentation is a cat-and-mouse game. For a genuinely secure architecture, we need to design protocols that either fully obfuscate the handshake's length and entropy, or tunnel the initial handshake through a decoy protocol (such as DNS over HTTPS) before establishing the primary tunnel.


Amine Boutouil

Security Architect · Technical Polymath

boutouil.me