This page is the detection side of "Sharing port 443 between a real website and a VLESS+Reality tunnel" and the full bypass guide. Every defence in those pages has a matching signal; this is the blue-team view. All of it is self-hosted and open-source.
## Table of Contents
- 5.1 Core: Session Stitching & Cadence
- 5.2 Provider/ASN & Cert-Family Clustering
- 5.3 DoH->TLS/WebSocket Coupling
- 5.4 QUIC/MASQUE Signals
- 5.5 SSH Pivoting / Jump Abuse
- 5.6 SOCKS/HTTP/Generic WS Tunnels (chisel/gost/wstunnel)
- 5.7 Tor Pluggable Transports (obfs4/meek/snowflake)
- 5.8 DNS/ICMP Tunnels
- 5.9 WebRTC/TURN Pivoting
## 1. Goals & Scope
Detect and triage tunneling and pivoting attempts that masquerade as normal web traffic:
- Outer-WSS tunnels carrying WireGuard/NetBird (inner WS /relay, mgmt/signal via WS).
- MASQUE/HTTP-3 (QUIC) CONNECT-UDP and other QUIC-based tunnels.
- SOCKS/HTTP pivots over HTTPS (e.g., chisel, gost) and WebSocket transport (wstunnel).
- SSH-based pivoting (dynamic port forward -D, reverse -R, jump chains).
- Tor pluggable transports (obfs4, meek, snowflake/WebRTC).
- DNS/ICMP tunneling.
- WebRTC/TURN/STUN relayed data paths.
Constraints: outside-only visibility (egress mirror), no TLS decryption, minimal endpoint reliance.
## 2. Reference Stack (Self-Hosted)
| Component | Purpose |
|---|---|
| Malcolm (Zeek + Suricata + Arkime + OpenSearch) | One-box NTA, dashboards, full-PCAP on demand |
| RITA | Beaconing & long-connection analytics (over Zeek logs) |
| pmacct / nfdump (optional) | Long-term NetFlow/IPFIX trending |
| Falco/eBPF (optional) | Lightweight endpoint hints (e.g., /dev/net/tun, wg, ssh -R/-D) on select choke hosts |
## 3. Threat Model & Obfuscation Levels
| Level | Technique | What it hides |
|---|---|---|
| L0 | Raw WG/SSH/SOCKS | Nothing |
| L1 | WG->WSS, HTTP(S) proxy, SOCKS over TLS | Protocol identity |
| L2 | JA3/JA4 camouflage (uTLS/impersonation) | TLS client fingerprint |
| L3 | DoH/DoT | DNS infra |
| L4 | Anycast/CDN edges | Stable IP/host pinning |
| L5 | Session chopping (≤5 min + jitter) | Long-conn heuristics, ratios |
| L6 | Outer-WSS carrying inner control (NetBird /relay, mgmt/signal WS) | Inner SNI/SPKI entirely off-path |
| L7 | MASQUE/QUIC (CONNECT-UDP) | UDP tunneling as "web" |
| L8 | Tor PTs / WebRTC | DPI & SNI heuristics |
| L9 | DNS/ICMP tunnels | Port 443 controls, TLS telemetry |
## 4. Controls vs Evasions Matrix
Read left->right: what the adversary uses, which simple control it bypasses, and what still catches it (with the concrete detectors in §5).
| Evasion | Bypasses | Still detectable by | Detector IDs |
|---|---|---|---|
| L1 WG->WSS / HTTP-proxy / SOCKS over TLS | UDP/WG sigs; L4 firewall only | Stitching, Provider cluster, Jitter | §5.1, §5.2, §5.2/5.1 |
| L2 uTLS/JA4 mimic | "Non-browser TLS" rules | Cadence, ASN cluster, DoH->TLS coupling | §5.1-5.4 |
| L3 DoH/DoT | Resolver logs/blocks | Temporal DoH->WSS pattern | §5.3 |
| L4 Anycast rotation | Single IP / SNI pinning | ASN/cert-family cluster, cadence | §5.2, §5.1 |
| L5 Session chopping w/ jitter | Long-conn, vol/ratio | Stitching, RITA beacons | §5.1, §5.1/5.2 |
| L6 Outer-WSS -> inner NetBird WS | NetBird SNI/SPKI | Same outer cadence + cluster + DoH | §5.1-5.4 |
| L7 MASQUE/HTTP-3 QUIC | "No UDP/443" heuristics | Long UDP/443, h3 ALPN, QUIC cadence | §5.4 |
| L8 Tor PTs (meek/obfs4/snowflake) | JA3/JA4, SNI | STUN/TURN patterns, WS cadence, broker hits | §5.7, §5.9 |
| L9 DNS/ICMP tunnel | TLS-only monitoring | RITA beacons, DNS QPS entropy, ICMP volume | §5.8 |
## 5. Production Detections
### 5.1 Core: Session Stitching & Cadence
Goal: Rebuild logical tunnels from many short TLS sessions.
OpenSearch monitor (per 1h window):
- Trigger when the same source.ip + destination.as.organization pair shows ≥6 connects/hour AND ≥15 min cumulative duration.
- (JSON monitor from earlier plan; keep thresholds adjustable per site.)
RITA (hourly):
```bash
rita import /opt/zeek/logs/$(date +%F) corp --silent
rita show-beacons corp --score 0.8 --limit 200
```
What it defeats: L2-L6 session chopping & JA4 mimic.
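The stitching logic in code, as an added example that is not the page's OpenSearch monitor and not RITA: group 443/tcp sessions from Zeek conn.log by source IP, provider ASN and one-hour window, apply the ≥6 connects AND ≥15 min cumulative thresholds, and emit the alert card that §6 asks for (src_ip, edge ASN, last 5 dest IPs, cumulative duration, cycles/h, DoH flag). It also measures inter-arrival jitter, which is the cadence that survives session chopping, and honours the sanctioned-ASN allowlist from §8. Field names follow Zeek's conn.log except asn_org, which is an assumed enrichment field; the records are constructed.

```python
"""Session stitching and cadence over Zeek conn.log records.

Added example for this page; it is not the page's OpenSearch monitor and not RITA.
Assumptions: conn.log exported as JSON with ASN enrichment, using Zeek's
id.orig_h / id.resp_h / id.resp_p / duration plus an assumed asn_org field.
"""
import json
from collections import defaultdict
from statistics import mean, pstdev


def constructed_sample():
    """Constructed sample records (not real telemetry). Timestamps are epoch seconds,
    aligned to an hour boundary so the whole sample lands in one window."""
    base = 1699999200
    recs = []
    # 10.0.0.5: eight ~4-minute TLS sessions ~5 minutes apart with jitter, to rotating
    # anycast IPs inside one provider ASN (L4 + L5 evasions from the threat model).
    for i, jitter in enumerate([0, 7, -5, 12, -3, 9, -8, 4]):
        recs.append({"ts": base + i * 300 + jitter, "id.orig_h": "10.0.0.5",
                     "id.resp_h": f"203.0.113.{10 + i % 3}", "id.resp_p": 443,
                     "duration": 240, "asn_org": "EXAMPLE-HOSTING"})
    # 10.0.0.9: three ordinary page loads to a CDN.
    for i in range(3):
        recs.append({"ts": base + i * 700, "id.orig_h": "10.0.0.9",
                     "id.resp_h": "198.51.100.20", "id.resp_p": 443,
                     "duration": 30, "asn_org": "EXAMPLE-CDN"})
    # 10.0.0.7: seven long keep-alive sessions to a sanctioned CDN; on count and
    # duration alone it looks like a tunnel and only the allowlist (section 8) suppresses it.
    for i in range(7):
        recs.append({"ts": base + i * 400, "id.orig_h": "10.0.0.7",
                     "id.resp_h": "198.51.100.30", "id.resp_p": 443,
                     "duration": 200, "asn_org": "SANCTIONED-CDN"})
    return recs


def parse_conn_log(text):
    """Parse JSON-lines conn.log text into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def stitch(records, window_s=3600, min_connects=6, min_cum_s=900, allowlist=frozenset()):
    """Group 443/tcp sessions by (source, provider ASN, window) and emit an alert card
    for every group that crosses the connect-count AND cumulative-duration thresholds.
    The card carries the fields section 6 wants in the investigation index."""
    groups = defaultdict(list)
    for r in records:
        if r.get("id.resp_p") != 443 or r["asn_org"] in allowlist:
            continue
        window_start = int(r["ts"] // window_s) * window_s
        groups[(r["id.orig_h"], r["asn_org"], window_start)].append(r)

    cards = []
    for (src, asn, wstart), sessions in sorted(groups.items()):
        sessions.sort(key=lambda r: r["ts"])
        connects = len(sessions)
        cum = sum(r["duration"] for r in sessions)
        if connects < min_connects or cum < min_cum_s:
            continue
        starts = [r["ts"] for r in sessions]
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        cards.append({
            "src_ip": src,
            "edge_asn": asn,
            "window_start": wstart,
            "connects": connects,
            "cycles_per_h": round(connects * 3600 / window_s, 1),
            "cumulative_duration_s": cum,
            "last_5_dest_ips": [r["id.resp_h"] for r in sessions[-5:]],
            # Regular inter-arrival gaps with small jitter are the cadence signal that
            # survives session chopping; a person browsing does not reconnect on a timer.
            "inter_arrival_mean_s": round(mean(gaps), 1) if gaps else 0.0,
            "inter_arrival_jitter_s": round(pstdev(gaps), 1) if len(gaps) > 1 else 0.0,
            "doh_coupling": False,  # set by the section 5.3 detector when it fires
        })
    return cards


if __name__ == "__main__":
    for card in stitch(constructed_sample(), allowlist={"SANCTIONED-CDN"}):
        print(json.dumps(card))
```

Run without the allowlist and 10.0.0.7 is flagged too, which is exactly the CDN keep-alive false positive the troubleshooting table describes; the allowlist, not a higher threshold, is the right fix because the tunnel host's numbers are indistinguishable from it.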
### 5.2 Provider/ASN & Cert-Family Clustering
KQL daily outlier:
```
event.dataset:zeek.conn and destination.port:443
| stats count() as conn, sum(duration) as dur_s by source.ip, destination.as.organization
| where conn >= 12 and dur_s >= 1800
| sort by dur_s desc
```
Variant: cluster on cert/SPKI where it is visible via Zeek/Suricata TLS logs.
Why: Anycast IPs rotate, ASN/cert family tends to remain stable.
### 5.3 DoH->TLS/WebSocket Coupling
Sigma (2-minute window): Detect DoH (1.1.1.1/8.8.8.8/9.9.9.9) immediately followed by TLS 443 to an ASN cluster from the same source.ip. (Rule scaffold previously provided.)
Why: L3 obfuscation typically resolves right before reconnecting the outer tunnel.
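The temporal join behind this rule, as an added example (Python, not the Sigma rule the page refers to): a single pass over time-ordered conn.log records remembers each source's most recent DoH connection and reports every TLS/443 connection to a non-resolver destination that follows it within the window, keyed by source and ASN. The resolver IPs are the three the page names; asn_org is an assumed enrichment field, the min_cycles knob in coupled_sources is an added tuning choice, and the records are constructed.

```python
"""DoH -> TLS/WebSocket coupling (section 5.3).

Added example for this page; it is not the page's Sigma rule. Assumes conn.log-style
records with ts, id.orig_h, id.resp_h, id.resp_p and an (assumed) asn_org field.
"""
from collections import defaultdict

# Public DoH resolver IPs named on this page; production feeds this from the
# maintained DoH endpoint list (section 8).
DOH_RESOLVERS = frozenset({"1.1.1.1", "8.8.8.8", "9.9.9.9"})


def constructed_sample():
    """Constructed records (not real telemetry): a tunnel client that resolves over DoH
    and reconnects to its provider within seconds, three cycles in a row; a user whose
    DoH lookup and later HTTPS are unrelated; and a host that never touches DoH."""
    base = 1699999200
    recs = []
    for cycle, lag in enumerate([4, 6, 3]):
        t = base + cycle * 300
        recs.append({"ts": t, "id.orig_h": "10.0.0.5", "id.resp_h": "1.1.1.1",
                     "id.resp_p": 443, "asn_org": "CLOUDFLARENET"})
        recs.append({"ts": t + lag, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10",
                     "id.resp_p": 443, "asn_org": "EXAMPLE-HOSTING"})
    recs.append({"ts": base + 50, "id.orig_h": "10.0.0.9", "id.resp_h": "8.8.8.8",
                 "id.resp_p": 443, "asn_org": "GOOGLE"})
    recs.append({"ts": base + 400, "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.20",
                 "id.resp_p": 443, "asn_org": "EXAMPLE-CDN"})
    recs.append({"ts": base + 90, "id.orig_h": "10.0.0.12", "id.resp_h": "198.51.100.21",
                 "id.resp_p": 443, "asn_org": "EXAMPLE-CDN"})
    return recs


def doh_tls_coupling(records, window_s=120, doh_resolvers=DOH_RESOLVERS,
                     exempt_sources=frozenset()):
    """Return {(src_ip, asn_org): [lag_seconds, ...]} for every TLS/443 connection that
    followed a DoH connection from the same source within window_s.

    Each source keeps only its most recent DoH timestamp, so this is one pass over
    time-ordered records. exempt_sources is the per-application exception list the
    troubleshooting table suggests for apps that legitimately do DoH before HTTPS.
    """
    last_doh = {}
    pairs = defaultdict(list)
    for r in sorted(records, key=lambda x: x["ts"]):
        src = r["id.orig_h"]
        if src in exempt_sources or r.get("id.resp_p") != 443:
            continue
        if r["id.resp_h"] in doh_resolvers:
            last_doh[src] = r["ts"]   # DoH itself rides on TLS/443, so classify by IP
            continue
        doh_ts = last_doh.get(src)
        if doh_ts is not None and 0 <= r["ts"] - doh_ts <= window_s:
            pairs[(src, r["asn_org"])].append(r["ts"] - doh_ts)
    return dict(pairs)


def coupled_sources(records, min_cycles=2, **kw):
    """Sources whose DoH->TLS coupling repeated at least min_cycles times toward the
    same ASN: one coincidence is noise, a repeating one is the reconnect pattern."""
    return {k: v for k, v in doh_tls_coupling(records, **kw).items() if len(v) >= min_cycles}


if __name__ == "__main__":
    print(coupled_sources(constructed_sample()))
```

Widening the window (the other fix the troubleshooting table offers) trades precision for recall: at 400 s the unrelated user lookup from 10.0.0.9 is pulled in as well, which is why the repeat-count filter is the better first knob.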
### 5.4 QUIC/MASQUE Signals
KQL: Long UDP/443 (QUIC)
```
event.dataset:suricata.flow and network.transport:udp and destination.port:443
| stats count(), sum(network.bytes) as bytes, avg(event.duration) as avg_dur
  by source.ip, destination.as.organization
| where avg_dur > 300 and bytes > 5000000
```
If Suricata/Zeek exports ALPN, add the filter alpn:"h3".
Why: Catch L7 CONNECT-UDP tunnels and QUIC-based obfuscation.
### 5.5 SSH Pivoting / Jump Abuse
Signals (outside-only):
- Repeated SSH to a small VPS (22/tcp or 443/tcp ALPN ssh if wrapped), followed by multiple new internal egress destinations from the same NAT within ±2-5 min.
- High-duration SSH or burst SCP patterns to Internet hosts.
Zeek HASSH (if enabled) + KQL:
```
event.dataset:zeek.ssh
| stats count(), sum(duration) as dur by source.ip, destination.ip
| where dur > 900 or count() >= 5
```
Correlate: internal egress fan-out after that SSH.
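The correlation step, as an added example that is not the page's KQL: apply the SSH thresholds above (cumulative duration > 15 min OR ≥5 connects to one host), then, for each flagged session, count destinations the same source had never contacted before and that appear within ±5 min of it. Field names follow Zeek's conn.log, the service value "ssh" assumes Zeek's service detection, and the baseline and records are constructed.

```python
"""SSH pivot / jump abuse (section 5.5): long or repeated SSH to an Internet host,
correlated with never-before-seen egress destinations from the same source within a
few minutes. Added example for this page, not the page's KQL. Assumes conn.log-style
records with ts, id.orig_h, id.resp_h, id.resp_p, service and duration."""
from collections import defaultdict


def constructed_sample():
    """Constructed conn.log records (not real telemetry)."""
    base, day = 1699999200, 86400
    recs = []

    def conn(ts, src, dst, port, service, dur):
        recs.append({"ts": ts, "id.orig_h": src, "id.resp_h": dst, "id.resp_p": port,
                     "service": service, "duration": dur})

    # Yesterday's baseline for 10.0.0.5: two familiar external hosts.
    conn(base - day, "10.0.0.5", "198.51.100.20", 443, "ssl", 30)
    conn(base - day + 60, "10.0.0.5", "198.51.100.21", 443, "ssl", 30)
    # Today: a 25-minute SSH session to a small VPS, then four never-seen destinations
    # inside four minutes, plus one familiar host that must not count as fan-out.
    conn(base, "10.0.0.5", "203.0.113.50", 22, "ssh", 1500)
    for i, dst in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]):
        conn(base + 60 + i * 45, "10.0.0.5", dst, 443, "ssl", 20)
    conn(base + 200, "10.0.0.5", "198.51.100.20", 443, "ssl", 30)
    # 10.0.0.9: two short SSH sessions (below both thresholds) followed by new hosts.
    for i in range(2):
        conn(base + i * 1200, "10.0.0.9", "203.0.113.60", 22, "ssh", 120)
    for i in range(3):
        conn(base + 100 + i * 30, "10.0.0.9", f"192.0.2.{20 + i}", 443, "ssl", 10)
    # 10.0.0.7: five short SSH sessions to one host (count threshold) with no fan-out.
    for i in range(5):
        conn(base + i * 600, "10.0.0.7", "203.0.113.70", 22, "ssh", 60)
    return recs


def suspicious_ssh(records, min_dur_s=900, min_count=5):
    """Section 5.5 thresholds: cumulative SSH duration > 15 min OR >= 5 connects to the
    same host. Returns {(src, dst): [session start ts, ...]}."""
    agg = defaultdict(lambda: {"dur": 0, "starts": []})
    for r in records:
        if r.get("service") != "ssh":
            continue
        a = agg[(r["id.orig_h"], r["id.resp_h"])]
        a["dur"] += r["duration"]
        a["starts"].append(r["ts"])
    return {k: sorted(v["starts"]) for k, v in agg.items()
            if v["dur"] > min_dur_s or len(v["starts"]) >= min_count}


def pivot_fanout(records, window_s=300, min_new=3, **ssh_kw):
    """For every suspicious SSH session, count egress destinations from the same
    source within +/- window_s that this source had never contacted before the
    window. A flagged SSH host with no fan-out is left as an SSH-only signal."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["id.orig_h"]].append(r)
    alerts = []
    for (src, ssh_host), starts in suspicious_ssh(records, **ssh_kw).items():
        for t in starts:
            seen_before = {r["id.resp_h"] for r in by_src[src] if r["ts"] < t - window_s}
            new = sorted({r["id.resp_h"] for r in by_src[src]
                          if abs(r["ts"] - t) <= window_s
                          and r["id.resp_h"] not in seen_before
                          and r["id.resp_h"] != ssh_host})
            if len(new) >= min_new:
                alerts.append({"src_ip": src, "ssh_host": ssh_host, "ssh_start": t,
                               "new_destinations": new})
    return alerts


if __name__ == "__main__":
    for a in pivot_fanout(constructed_sample()):
        print(a)
```

The baseline here is learned from the same record stream, so the 14-day warm-up in §8 matters: before it, every destination is "new" and the fan-out counter fires on ordinary browsing.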
### 5.6 SOCKS/HTTP/Generic WS Tunnels (chisel/gost/wstunnel)
Patterns:
- WS upgrades on 443 with persistent cadence (even when short).
- Reverse SOCKS (-R) side-channel: outer WS cadence plus bursts toward new Internet IPs from the server side.
KQL (outer WS cadence):
```
event.dataset:zeek.conn and destination.port:443
| stats count() as c, sum(duration) as dur
  by source.ip, destination.as.organization
| where c >= 6 and dur >= 900
```
(Same core as §5.1; add a filter for http.upgrade: "websocket" if Zeek's websocket analyzer is present and the plaintext handshake is visible through proxies.)
### 5.7 Tor Pluggable Transports (obfs4/meek/snowflake)
Signals (no decryption):
- STUN to well-known providers (UDP/3478, stun.*) + brief TLS 443 to broker/bridge infra.
- WebRTC flows with many short-lived UDP peers (snowflake).
KQL (STUN baseline):
```
(event.dataset:suricata.flow or event.dataset:zeek.conn) and network.transport:udp and destination.port:3478
| stats count() as hits by source.ip, destination.as.organization
| where hits >= 20
```
Join with the §5.1 cadence detector for the same source.
### 5.8 DNS/ICMP Tunnels
RITA DNS module (if enabled) and simple flow heuristics:
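As an added example (not RITA's DNS module and not the page's query), the same per-source heuristic this section thresholds on, query count and average query length, carried in Python and extended with the entropy of the subdomain labels, which the §4 matrix lists as the DNS QPS entropy signal. Field names (ts, id.orig_h, query) follow Zeek's dns.log; the 600-query tunnel host, the chatty internal resolver, the domain names and the entropy threshold are constructed or assumed.

```python
"""Per-source DNS tunnel heuristic (section 5.8): query rate, average query length and
Shannon entropy of the subdomain labels. Added example for this page; it is not
RITA's DNS module. Assumes Zeek dns.log-style records with ts, id.orig_h and query."""
import hashlib
import math
from collections import Counter, defaultdict


def label_entropy(qname, keep_suffix_labels=2):
    """Entropy (bits/char) of the labels left of the registered domain. Tunnels encode
    payload as base32/hex subdomains, which pushes this toward the alphabet maximum
    (4.0 for hex, 5.0 for base32); human-chosen hostnames sit far lower."""
    labels = qname.rstrip(".").split(".")
    payload = "".join(labels[:-keep_suffix_labels]) or labels[0]
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())


def constructed_sample():
    """Constructed dns.log records (not real telemetry), one hour, hour-aligned."""
    base = 1699999200
    recs = []
    # 10.0.0.5: 600 queries/hour carrying hex-encoded payload in four 32-char labels.
    for i in range(600):
        h = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()
        h2 = hashlib.sha256(f"chunk-{i}-b".encode()).hexdigest()
        q = f"{h[:32]}.{h[32:]}.{h2[:32]}.{h2[32:]}.t.tunnel.test"
        recs.append({"ts": base + i * 6, "id.orig_h": "10.0.0.5", "query": q})
    # 10.0.0.9: a user's handful of ordinary lookups.
    names = ["www.example.com", "mail.example.com", "docs.example.org"] * 10
    for i, name in enumerate(names):
        recs.append({"ts": base + i * 100, "id.orig_h": "10.0.0.9", "query": name})
    # 10.0.0.53: an internal resolver / monitoring host: high volume, ordinary names.
    for i in range(2000):
        recs.append({"ts": base + i, "id.orig_h": "10.0.0.53",
                     "query": f"host{i % 40}.corp.example"})
    return recs


def dns_tunnel_scores(records, window_s=3600, min_queries=500, min_avg_len=120,
                      min_entropy=3.0, exclude_sources=frozenset()):
    """Aggregate per (source, window) and flag sources that exceed ALL thresholds:
    volume alone is what trips on resolvers, so length and entropy must agree.
    Returns {src: {"queries", "avg_len", "avg_entropy", "flag"}} for each source's
    busiest window. exclude_sources is the known-resolver exclusion from troubleshooting."""
    per = defaultdict(list)
    for r in records:
        if r["id.orig_h"] in exclude_sources:
            continue
        w = int(r["ts"] // window_s) * window_s
        per[(r["id.orig_h"], w)].append(r["query"])
    out = {}
    for (src, _w), qs in per.items():
        stats = {
            "queries": len(qs),
            "avg_len": round(sum(map(len, qs)) / len(qs), 1),
            "avg_entropy": round(sum(map(label_entropy, qs)) / len(qs), 2),
        }
        stats["flag"] = (stats["queries"] >= min_queries
                         and stats["avg_len"] >= min_avg_len
                         and stats["avg_entropy"] >= min_entropy)
        prev = out.get(src)
        if prev is None or stats["queries"] > prev["queries"]:
            out[src] = stats
    return out


if __name__ == "__main__":
    for src, s in dns_tunnel_scores(constructed_sample()).items():
        print(src, s)
```

The resolver host 10.0.0.53 clears the query-count threshold by a wide margin but fails on length and entropy, which is the point of requiring all three; excluding it outright, as the troubleshooting table suggests, is still cheaper than scoring 2000 names an hour.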
KQL (DNS QPS anomaly + size skew):
```
event.dataset:zeek.dns
| stats count() as q, avg(dns.qtype) as t, avg(dns.length) as len by source.ip
| where q > 500 and len > 120
```
ICMP volume:
```
event.dataset:suricata.flow and network.icmp.type:*
| stats sum(network.bytes) as b, count() as c by source.ip
| where b > 5000000 and c > 500
```

### 5.9 WebRTC/TURN Pivoting
Signals:
- UDP/3478 (STUN) and UDP 49152-65535 (TURN data) to cloud ASNs.
- Follow-on TLS to the same ASN with WS cadence (control channel).
KQL:
```
(event.dataset:suricata.flow and network.transport:udp and (destination.port:3478 or destination.port:[49152 TO 65535]))
| stats count() as c, sum(network.bytes) as b by source.ip, destination.as.organization
| where c > 50 and b > 5000000
```

## 6. Alerting Policies (ready-to-use)
- A1 - WSS/HTTPS tunnel suspect (core): §5.1 monitor (≥6 connects/h AND ≥15 min cumulative to same ASN).
- A2 - DoH->TLS coupling: §5.3 Sigma/monitor (2-minute window).
- A3 - QUIC tunnel: §5.4 (avg UDP/443 duration > 300 s & bytes > 5 MB).
- A4 - SSH pivot risk: §5.5 (SSH ≥ 15 min OR ≥5 connects to same dest in 1 h + internal fan-out).
- A5 - STUN/TURN anomaly: §5.7/§5.9 (STUN/TURN volumes).
- A6 - DNS/ICMP tunnel risk: §5.8 thresholds.
- A7 - JA4 distribution drift (non-desktop): daily job: ≥20 Chrome-like JA4 connects from non-browser hosts.
All alerts: tag the session series and write it to an "investigation index" with src_ip, edge ASN, last 5 dest IPs, cumulative duration, cycles/h, and the DoH coupling flag, so every alert is traceable.
## 7. Response Runbook
1. Triage the alert card: check cycles/h, cumulative duration, ASN, DoH flag, transport (TCP/UDP).
2. Correlate: RITA beacon output and any STUN/TURN or DNS anomalies for the same source.
3. Classify:
   - Outer-WSS pattern -> likely WG/NetBird/WS tunnel.
   - UDP/443 long-lived -> MASQUE/QUIC.
   - STUN/TURN heavy -> WebRTC/Tor snowflake.
   - SSH anomalies -> pivot/jump abuse.
   - DNS/ICMP spikes -> L9.
4. Contain minimally: block the edge ASN or FQDN for that src_ip only; do not block 443 globally.
5. Forensics (Arkime PCAP for the time slice), then ticket with all enriched fields and detection IDs (from §6).
## 8. Hardening, Tuning, and Maintenance
Warm-up baseline: 14 days for cadence/ASN norms.
Initial thresholds:
- Stitch: ≥6 connects/h & ≥15 min cum (raise in noisy subnets).
- QUIC: avg_dur > 300 s & bytes > 5 MB.
- STUN/TURN: c > 50 & b > 5 MB/h.
- DNS tunnel: q > 500 & avg len > 120/h.
Scope control: prioritize server/CI/VDI egress over user NATs for lower false positives.
Lists you must maintain: public DoH endpoints, sanctioned ASN allowlists, internal browser hosts (to suppress A7).
Storage: OpenSearch 14 days; Arkime PCAP at least 72 h for reconstruction.
## Summary
- Don't chase protocol identity; measure behavior: stitch short sessions, score cadence, and cluster by provider.
- The comprehensive detectors here map every major evasive layer (L1-L9) to what it bypasses and what still trips it, with ready-to-run rules so you can trace each incident end-to-end.
## Troubleshooting
| Problem | Cause | Fix |
|---|---|---|
| RITA beacons show high scores for legitimate CDN traffic | CDN keep-alive patterns resemble tunnel cadence | Add CDN ASNs to the sanctioned allowlist; raise stitch threshold for those subnets |
| OpenSearch monitor fires constantly on VPN users | VPN traffic creates persistent sessions to a single ASN | Exclude known VPN gateway IPs from the stitching monitor; scope to server/CI egress |
| QUIC detector flags legitimate Google/YouTube traffic | Long UDP/443 sessions are normal for h3 browsing | Filter by ASN; only alert on non-browser user agents or hosts not in the browser host list |
| DoH coupling rule generates false positives | Some applications legitimately use DoH before HTTPS | Increase the coupling window or add application-specific source IP exceptions |
| STUN/TURN alerts on conferencing software (Teams, Zoom) | Video conferencing uses STUN/TURN heavily | Allowlist known conferencing ASNs and STUN server FQDNs |
| DNS tunnel detector fires on high-volume legitimate DNS | Monitoring tools or recursive resolvers generate many queries | Exclude known resolver IPs; adjust query-per-second and average length thresholds |
## See Also
- NetBird Outer-WSS Lab Build (TPROXY enforcement)
- TLS Handshake
- NFTables
- Censorship Bypass