From 7a7e4ee69f272900d6869b8fa07800653c4298a1 Mon Sep 17 00:00:00 2001 From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> Date: Mon, 28 Feb 2022 15:25:58 +0100 Subject: Add a new flow risk `NDPI_ANONYMOUS_SUBSCRIBER` (#1462) The main goal of a DPI engine is usually to determine "what", i.e. which types of traffic flow on the network. However the applications using DPI are often interested also in "who", i.e. which "user/subscriber" generated that traffic. The association between a flow and a subscriber is usually done via some kind of DHCP/GTP/RADIUS/NAT mappings. In all these cases the key element of the flow used to identify the user is the source ip address. That usually happens for the vast majority of the traffic. However, depending on the protocols involved and on the position on the net where the traffic is captured, the source ip address might have been changed/anonymized. In that case, that address is useless for any flow-username association. Example: iCloud Private Relay traffic captured between the exit relay and the server. See the picture at page 5 on: https://www.apple.com/privacy/docs/iCloud_Private_Relay_Overview_Dec2021.PDF This commit adds new generic flow risk `NDPI_ANONYMOUS_SUBSCRIBER` hinting that the ip addresses shouldn't be used to identify the user associated with the flow. As a first example of this new feature, the entire list of the relay ip addresses used by Private Relay is added. A key point to note is that list is NOT used for flow classification (unlike all the other ip lists present in nDPI) but only for setting this new flow risk. TODO: IPv6 --- doc/flow_risks.rst | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'doc') diff --git a/doc/flow_risks.rst b/doc/flow_risks.rst index 4b363365b..e3b661150 100644 --- a/doc/flow_risks.rst +++ b/doc/flow_risks.rst @@ -272,4 +272,9 @@ NDPI_HTTP_CRAWLER_BOT =================================== The risk is set whenever a crawler/bot/robot has been detected +.. _Risk 045: +NDPI_ANONYMOUS_SUBSCRIBER +=================================== +The risk is set whenever the (source) ip address has been anonymized and it can't be used to identify the subscriber. +Example: the flow is generated by an iCloud-private-relay exit node. -- cgit v1.2.3