Detecting VPN Traffic through Encapsulated TCP Behavior
Authors: Michelina Hanlon (Stanford University), Gerry Wan (Stanford University), Anna Ascheman (Stanford University), Zakir Durumeric (Stanford University)
Year: 2024
Issue: 2
Pages: 77–82
Abstract: Virtual Private Networks (VPNs) are increasingly being used to protect online users’ privacy and security. However, there is an ongoing arms race between censors that aim to detect and block VPN usage, and VPN providers that aim to obfuscate their services from these censors. In this paper, we explore the feasibility of a simple, protocol-agnostic VPN detection technique based on identifying encapsulated TCP behaviors in UDP-based tunnels. We derive heuristics to distinguish TCP-over-UDP VPN traffic from plain UDP traffic using RFC-defined TCP behaviors. Our evaluations on real- world traffic show that this technique can achieve a false positive rate (FPR) of 0.11%, an order of magnitude lower than existing machine learning-based VPN detection methods. We suggest defenses to evade our detection technique and encourage VPN providers to proactively defend against such attacks.
Copyright in FOCI articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.