Skip to content

Latest commit

 

History

History
123 lines (97 loc) · 10.8 KB

mitigations.md

File metadata and controls

123 lines (97 loc) · 10.8 KB

Mitigation Strategies Analysis for v2ray/v2ray-core

Mitigation Strategy: Strict Configuration Validation (v2ray-core specific aspects)

Mitigation Strategy: Strict Configuration Validation (v2ray-core specific)

  • Description:

    1. Schema Definition (v2ray-core): Utilize v2ray-core's own schema definitions (if available, or create a custom one based on the documented configuration structure) to validate the structure and data types of the configuration before passing it to v2ray-core.
    2. Semantic Validation (v2ray-core): Implement checks specific to v2ray-core's configuration options:
      • Inbound/Outbound Handler Compatibility: Verify that the chosen inbound and outbound handlers are compatible with each other.
      • streamSettings Validation: Validate the parameters within streamSettings (e.g., network, security, tcpSettings, kcpSettings, wsSettings, httpSettings, quicSettings, grpcSettings) according to v2ray-core's documentation. Check for valid values and combinations.
      • Routing Rule Validation (v2ray-core): Validate the syntax and semantics of v2ray-core's routing rules (routing.rules). Ensure that domain, ip, port, network, source, user, inboundTag, and protocol fields are used correctly.
      • DNS Configuration Validation (v2ray-core): Validate the dns section of the configuration, ensuring that servers are valid DNS server addresses (or hostnames if using DoH/DoT) and that hosts entries are correctly formatted.
      • policy Validation: If using v2ray-core's policy feature, validate the configuration of connection timeouts, buffer sizes, and other policy settings.
    3. Error Handling (v2ray-core): Capture and handle any errors returned by v2ray-core during configuration loading. Provide informative error messages to the user/administrator, referencing the specific v2ray-core configuration parameter that caused the error.

  • Threats Mitigated:

    • Exposure of Internal Services (Severity: High): Directly prevents misconfigurations within v2ray-core that could expose internal services.
    • Traffic Leaks (Severity: High): Ensures correct routing within v2ray-core, preventing leaks.
    • Use of Weak Protocols/Ciphers (Severity: High): Enforces the use of strong settings within v2ray-core.
    • DNS Leaks (Severity: High): Validates v2ray-core's DNS settings.
    • Unintentional Open Relays (Severity: High): Prevents misconfigured inbound handlers within v2ray-core.
    • v2ray-core Specific Configuration Errors (Severity: Medium): Reduces errors specific to v2ray-core's configuration format.

  • Impact:

    • All listed threats: Risk reduced significantly (effectiveness depends on the comprehensiveness of the validation).

  • Currently Implemented: [Example: Basic schema validation using a custom schema. Limited semantic validation of streamSettings.]

  • Missing Implementation: [Example: Comprehensive semantic validation of routing rules, DNS configuration, and policy settings. Robust error handling for v2ray-core specific errors.]

Mitigation Strategy: Protocol Hardening (v2ray-core configuration)

Mitigation Strategy: Protocol Hardening (v2ray-core configuration)

  • Description:

    1. streamSettings Configuration: Within the streamSettings of each inbound and outbound handler, explicitly configure:
      • network: Choose a secure network type (e.g., tcp, kcp, ws, http, quic, grpc). Avoid tcp without TLS.
      • security: Set to tls for all connections where possible.
      • TLS Settings: Within the tlsSettings (if security is set to tls):
        • allowInsecure: Set to false to prevent connections to servers with invalid certificates.
        • serverName: Set to the correct server hostname to prevent MITM attacks.
        • certificates: Configure server and/or client certificates as needed for authentication.
        • minVersion and maxVersion: Enforce TLS 1.3 by setting both to "1.3".
        • cipherSuites: Specify a list of allowed cipher suites, prioritizing strong, modern ciphers (e.g., those recommended by TLS 1.3).
      • Protocol-Specific Settings: Configure the settings for the chosen network type (e.g., tcpSettings, kcpSettings, etc.) according to security best practices.
    2. VMess Configuration (If Used):
      • alterId: Set to a high value (e.g., 64 or higher). Strongly consider migrating to VLESS or Trojan.
      • security: Use "aes-128-gcm" or "chacha20-poly1305" (AEAD ciphers).
    3. VLESS/Trojan Configuration (Recommended): Prefer using VLESS or Trojan over VMess for improved security and performance. Configure them with TLS and strong ciphers.

  • Threats Mitigated:

    • Use of Weak Protocols/Ciphers (Severity: High): Directly controls the protocols and ciphers used by v2ray-core.
    • Replay Attacks (Severity: Medium): Mitigates replay attacks against VMess (if used).
    • Downgrade Attacks (Severity: High): Prevents TLS downgrade attacks.
    • MITM Attacks (Severity: High): serverName and certificate validation prevent MITM attacks.

  • Impact:

    • All listed threats: Risk reduced significantly (effectiveness depends on the specific settings used).

  • Currently Implemented: [Example: security is set to tls for all connections. allowInsecure is false. Basic TLS settings are configured.]

  • Missing Implementation: [Example: cipherSuites is not explicitly configured. VMess is still used in some configurations (no alterId enforcement). No migration plan to VLESS/Trojan.]

Mitigation Strategy: DNS Security (v2ray-core configuration)

Mitigation Strategy: DNS Security (v2ray-core configuration)

  • Description:

    1. dns Configuration: Within the dns section of the v2ray-core configuration:
      • servers: Specify a list of trusted DNS server addresses using DoH or DoT URLs (e.g., "https://1.1.1.1/dns-query", "tls://8.8.8.8:853").
      • hosts: Use the hosts section to define static mappings for specific domains if needed (e.g., for local development or to override DNS resolution for certain domains). Ensure these mappings are correct and up-to-date.
      • clientIp: If your application is aware of client IP, use it to improve DNS query.
    2. Disable System DNS: Ensure that v2ray-core is not configured to use the system's default DNS resolver. This is usually the default, but it's important to verify.

  • Threats Mitigated:

    • DNS Leaks (Severity: High): Forces DNS queries through secure channels within v2ray-core.
    • DNS Hijacking/Poisoning (Severity: High): Reduces the risk by using trusted DoH/DoT servers.

  • Impact:

    • DNS Leaks: Risk reduced significantly (near elimination if configured correctly).
    • DNS Hijacking/Poisoning: Risk reduced.

  • Currently Implemented: [Example: servers is set to a single DoH server.]

  • Missing Implementation: [Example: No fallback DNS servers. hosts is not used. System DNS usage not explicitly checked.]

Mitigation Strategy: Obfuscation Techniques (v2ray-core configuration)

Mitigation Strategy: Obfuscation Techniques (v2ray-core configuration)

  • Description:

    1. streamSettings Configuration: Within the streamSettings of each inbound and outbound handler, configure obfuscation options based on the chosen network type:
      • tcpSettings: Use header to configure HTTP obfuscation.
      • kcpSettings: Use headerType to configure obfuscation (e.g., srtp, utp, wechat-video, dtls, wireguard).
      • wsSettings: Use path and headers to configure WebSocket obfuscation.
      • httpSettings: Use host and path to configure HTTP/2 obfuscation.
      • quicSettings: Use security and key to configure QUIC obfuscation.
      • grpcSettings: Use serviceName to configure gRPC obfuscation.
    2. Experimentation: Experiment with different obfuscation settings to find the most effective configuration for your specific network environment.
    3. Regular Review: Periodically review and adjust obfuscation settings as network conditions and censorship techniques evolve.

  • Threats Mitigated:

    • Traffic Analysis and Fingerprinting (Severity: Medium): Makes it more difficult for censors to identify and block v2ray traffic based on patterns.

  • Impact:

    • Traffic Analysis and Fingerprinting: Risk reduced (effectiveness varies depending on the obfuscation method and the sophistication of the censor).

  • Currently Implemented: [Example: WebSocket obfuscation is used with a custom path.]

  • Missing Implementation: [Example: No systematic experimentation with different obfuscation methods. No regular review of obfuscation effectiveness.]

Mitigation Strategy: Stay Updated (v2ray-core itself)

Mitigation Strategy: Stay Updated (v2ray-core itself)

  • Description:

    1. Direct Update of v2ray-core: This involves directly updating the v2ray-core binary or library files that your application uses. The specific steps depend on how v2ray-core is integrated:
      • Binary Distribution: If you're using a pre-compiled binary, replace the old binary with the new one.
      • Go Module: If you're using v2ray-core as a Go module, use go get -u github.com/v2ray/v2ray-core@latest (or a specific version) to update the module, then rebuild your application.
      • Other Integration Methods: Follow the appropriate update procedure for your specific integration method.
    2. Restart: After updating v2ray-core, restart your application to ensure that the new version is loaded.

  • Threats Mitigated:

    • Exploitation of Known Vulnerabilities (Severity: High to Critical): Directly addresses vulnerabilities within the v2ray-core code itself.

  • Impact:

    • Exploitation of Known Vulnerabilities: Risk reduced significantly (the faster updates are applied, the lower the risk).

  • Currently Implemented: [Example: Manual replacement of the v2ray-core binary when updates are announced.]

  • Missing Implementation: [Example: No automated update mechanism for the v2ray-core binary. No version pinning.]