Italian researchers say they can detect SSH tunnels with 99% accuracy and the actual protocol in use (P2P, POP3, SMTP, HTTP) with 90% accuracy.

Researchers at the Università degli Studi di Brescia (the University of Brescia) have developed a statistical method called "Tunnel Hunter" for detecting encrypted tunneling activity with 99% accuracy. Having previously used a naive Bayes approach to classify protocols such as P2P, POP3, SMTP, and HTTP, they applied the same basic classification algorithm to detect SSH tunnels. Instead of Deep Packet Inspection (DPI), they analyze three simple properties of IP packets: size, inter-arrival time and arrival order. Their central claim is that a fingerprint can be derived by training the system on legitimate, non-tunneling SSH usage and then used to detect application-layer tunnels run on top of a Secure Shell. As shown below, the researchers were able to detect encrypted P2P traffic with 88.77% accuracy.
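As an added illustration (not the researchers' code), here is a toy Tunnel Hunter-style classifier in Python: a naive Bayes model over packet size, inter-arrival time and arrival position is trained on constructed interactive-SSH flows, packets carrying no payload are discarded, and the detection threshold is chosen from the training scores to hit a preset false-positive ratio, as the write-up goes on to describe. The bin edges, the eight-packet window and the synthetic traffic are assumptions.

```python
import math
import random
from collections import Counter

# Added example, not the researchers' code; bin edges and window are assumptions.
N_PACKETS = 8
SIZE_BINS = (64, 128, 256, 512, 1024, 1500)   # payload bytes
IAT_BINS = (0.001, 0.01, 0.1, 1.0)             # inter-arrival seconds
N_SYMBOLS = (len(SIZE_BINS) + 1) * (len(IAT_BINS) + 1)

def _bin(value, edges):
    return next((i for i, e in enumerate(edges) if value <= e), len(edges))

def featurize(flow):
    """Symbols (position, size bin, IAT bin); packets without payload are discarded."""
    pkts = [(s, t) for s, t in flow if s > 0][:N_PACKETS]
    return [(pos, _bin(s, SIZE_BINS), _bin(t, IAT_BINS)) for pos, (s, t) in enumerate(pkts)]

def log_likelihood(model, flow):
    """Log P(flow | legitimate SSH), with Laplace smoothing for unseen symbols."""
    counts, totals = model
    return sum(math.log((counts[sym] + 1) / (totals[sym[0]] + N_SYMBOLS))
               for sym in featurize(flow))

def train(legit_flows, false_positive_ratio=0.05):
    """Fingerprint legitimate SSH and pick the threshold for a preset FP ratio."""
    counts, totals = Counter(), Counter()
    for flow in legit_flows:
        for sym in featurize(flow):
            counts[sym] += 1
            totals[sym[0]] += 1
    model = (counts, totals)
    scores = sorted(log_likelihood(model, f) for f in legit_flows)
    threshold = scores[int(false_positive_ratio * len(scores))]
    return model, threshold

def is_tunnel(model, threshold, flow):
    return log_likelihood(model, flow) < threshold

def interactive_ssh(rng):
    """Constructed: small keystroke/echo packets with human-paced gaps."""
    return [(rng.randint(36, 120), rng.uniform(0.05, 0.8)) for _ in range(N_PACKETS)]

def tunneled_bulk(rng):
    """Constructed: full-size segments back to back, like a download over the tunnel."""
    return [(rng.randint(1300, 1448), rng.uniform(0.0001, 0.002)) for _ in range(N_PACKETS)]

def evaluate(seed=7, n_train=200, n_test=100):
    """Returns (false-positive rate on legit flows, detection rate on tunnels)."""
    rng = random.Random(seed)
    model, thr = train([interactive_ssh(rng) for _ in range(n_train)])
    fp = sum(is_tunnel(model, thr, interactive_ssh(rng)) for _ in range(n_test)) / n_test
    tp = sum(is_tunnel(model, thr, tunneled_bulk(rng)) for _ in range(n_test)) / n_test
    return fp, tp
```

On the synthetic traffic the bulk tunnel flows score far below the threshold because every (position, size, timing) symbol is unseen in the legitimate fingerprint; real traffic is noisier, which is where the preset false-positive ratio matters.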
To help rule out false positives they also consider only the packets that carry application-layer data and discard those "without TCP payload." The system can also be configured to obtain any desired pre-set false-positive ratio. Before you get too worried, "Tunnel Hunter" has several shortcomings, an analysis of which I pass along from someone with a bit more technical SSH tunnel knowledge than I have:
I think what's important to take from this study is that network neutrality is more important than ever. Try as they may, copyright holders can't shut down every illegal file-sharing site they encounter; they could, however, get ISPs to begin blocking or throttling encrypted P2P traffic and make file-sharing much more difficult for some. In the UK and France they're already well on their way towards cracking down on file-sharing at the ISP level, so what's to say that copyright holders won't demand increased filtering and throttling of P2P traffic as time goes by? File-sharers have long stayed ahead of the capabilities of anti-piracy efforts, but that will never be a substitute for legislation that affirms the principles of a free and uncensored Internet.