feat: sniffer support stun protocol#2761
Open
BLxcwg666 wants to merge 1 commit intoMetaCubeX:Metafrom
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem Background
In
redir-hostmode, WebRTC STUN traffic can leak the user's real IP address because STUN traffic cannot be correctly routed to the proxy in the following scenarios:withMappingmiddleware uses DNS TTL as the cache expiration time. After expiration,FindHostByIPfails to reverse lookup,metadata.Hostis empty, and rule matching can only rely on the IP address.mapping.In these cases, STUN traffic lacks domain name information for rule matching. Without precise IP rule coverage, it will reach DIRECT, causing the STUN server to see the user's real exit IP address.
FakeIP mode is unaffected because all domains have a bidirectional mapping from FakeIP to the domain name.
Proposal
Add STUN protocol sniffing and a general
SNIFF-PROTOCOLrule type, allowing users to define proxy rules based on protocols.STUN Protocol Detection
Based on three characteristics from RFC 8489 Section 6, a single packet can be used to determine:
Magic Cookie This is an identifier specifically designed by the RFC for protocol multiplexing, with a false positive rate of approximately
1/2^32. It can be safely detected across all ports without relying on port numbers.Unlike QUIC/TLS/HTTP sniffers, the STUN protocol does not carry domain name information. Therefore, a new mechanism is needed for the rule engine to utilize the protocol detection results.
SNIFF-PROTOCOL Rule
Add a SniffProtocol field to the Metadata. When the sniffer recognizes the protocol but cannot extract the domain name (SniffData returns an empty host), set this field to the protocol name (e.g., "stun"). Add a SNIFF-PROTOCOL rule type to match this field:
Design Considerations
Test Results
It passed the tests on several WebRTC Leak Test websites.
问题背景
在
redir-host模式下,WebRTC 的 STUN 流量会泄露用户真实 IP,原因是 STUN 流量在以下场景中无法被正确路由到代理:DNS mapping 缓存未命中 —
withMapping中间件使用 DNS TTL 作为缓存过期时间,过期后FindHostByIP反查失败,metadata.Host为空,规则匹配只能依赖 IP浏览器绕过了 DNS 查询 — WebRTC 可以直接通过 IP 地址连接到 STUN 服务器,
mapping中根本不存在对应记录在这些情况下,STUN 流量没有域名信息可供规则匹配,如果没有精确的 IP 规则覆盖,就会走到 DIRECT,导致 STUN 服务器看到用户的真实出口 IP
FakeIP 模式不受此影响,因为所有域名都有 FakeIP 到域名的双向映射
提案
新增 STUN 协议嗅探和通用的
SNIFF-PROTOCOL规则类型,让用户可以基于协议来制定代理规则STUN 协议检测
基于 RFC 8489 Section 6 的三个特征,单个数据包即可判定:
Magic Cookie 是 RFC 专门为协议多路复用设计的标识符,误报率约
1/2^32,无需依赖端口号即可安全地在全端口范围检测与 QUIC/TLS/HTTP sniffer 不同的是,STUN 协议不携带域名信息,因此需要一种新的机制来让规则引擎利用协议检测结果
SNIFF-PROTOCOL 规则
在 Metadata 上新增 SniffProtocol 字段,当 sniffer 识别到协议但无法提取域名时(SniffData 返回空 host),设置该字段为协议名称(如 "stun")。新增 SNIFF-PROTOCOL 规则类型匹配该字段:
设计考量
测试结果
在数个 WebRTC Leak Test 网站上均可通过检测
