Skip to content

Latest commit

 

History

History
121 lines (112 loc) · 9.44 KB

mitigations.md

File metadata and controls

121 lines (112 loc) · 9.44 KB

Mitigation Strategies Analysis for xtls/xray-core

Mitigation Strategy: Strict Inbound/Outbound Validation (within xray-core config)

  • Mitigation Strategy: Strict Inbound/Outbound Validation (within xray-core config)
  • Description:
    1. Define Allowed Protocols: Within the xray-core configuration file itself, explicitly specify the allowed protocols for inbounds and outbounds (e.g., vmess, vless, trojan, shadowsocks). Do not rely solely on external validation.
    2. Port Range Restrictions: Define strict port ranges for inbounds and outbounds within the configuration. Avoid using overly broad ranges or default ports if possible.
    3. TLS Settings Validation (within config):
      • Ensure allowInsecure is set to false in the streamSettings for all inbounds and outbounds unless there's a very specific and justified reason (and even then, document it extensively).
      • Specify valid certificate and key file paths within the configuration. Xray-core will perform basic checks for file existence.
      • Configure serverName (SNI) appropriately for outbound connections in streamSettings.
      • Use alpn to specify allowed application-layer protocols.
    4. Disable Unused Features: Explicitly disable any xray-core features that are not required, such as specific sniffing configurations or routing rules that are not in use. This minimizes the attack surface.
    5. IP/CIDR Restrictions (using routing rules): While xray-core doesn't have direct "whitelist" settings, you can achieve similar results using its powerful routing capabilities. Use rules in the routing section to:
      • Direct traffic from specific source IPs/CIDRs to specific inbounds.
      • Direct traffic to specific destination IPs/CIDRs to specific outbounds.
      • Block traffic that doesn't match any defined rules (using a "block" outbound). This effectively creates a whitelist.
  • Threats Mitigated:
    • Exposure of Internal Services: (Severity: High)
    • Bypassing Security Controls: (Severity: High)
    • Data Leaks: (Severity: High)
    • Man-in-the-Middle (MitM) Attacks: (Severity: High)
    • Unintentional Proxying of Malicious Traffic: (Severity: Medium)
    • Configuration Errors: (Severity: Medium)
  • Impact:
    • Exposure of Internal Services: Risk significantly reduced.
    • Bypassing Security Controls: Risk significantly reduced.
    • Data Leaks: Risk significantly reduced.
    • MitM Attacks: Risk significantly reduced (if TLS settings are correct).
    • Unintentional Proxying of Malicious Traffic: Risk reduced.
    • Configuration Errors: Risk significantly reduced.
  • Currently Implemented:
    • Basic protocol and port settings are configured in the xray-core config.
    • allowInsecure is set to false.
  • Missing Implementation:
    • Comprehensive use of routing rules for IP/CIDR-based whitelisting is not implemented.
    • Strict SNI configuration in streamSettings is incomplete.
    • Explicit disabling of unused features is not systematically done.

Mitigation Strategy: Protocol Hardening (within xray-core config)

  • Mitigation Strategy: Protocol Hardening (within xray-core config)
  • Description:
    1. Minimize Supported Protocols: In the xray-core configuration, only include inbounds and outbounds for the protocols that are absolutely necessary. Remove any unused protocol configurations.
    2. Prioritize Secure Protocols: If supporting multiple protocols, configure xray-core to prefer newer, more secure protocols (e.g., VLESS over VMess) where possible. This might involve setting up separate inbounds/outbounds for different protocols and using routing rules to prioritize.
    3. Disable Deprecated Protocols: Explicitly remove any configurations related to deprecated or known-vulnerable protocols.
    4. Cipher Suite Restrictions (via TLS settings): Within the streamSettings -> tlsSettings section of the xray-core configuration, use the cipherSuites option (if available and supported by the xray-core version) to specify a list of allowed, strong cipher suites. This restricts the TLS connections to use only those ciphers.
  • Threats Mitigated:
    • Exploitation of Protocol-Specific Vulnerabilities: (Severity: High)
    • Use of Weak Cryptography: (Severity: Medium)
  • Impact:
    • Exploitation of Protocol-Specific Vulnerabilities: Risk reduced (proportional to the number of protocols removed).
    • Use of Weak Cryptography: Risk significantly reduced (if cipherSuites is configured correctly).
  • Currently Implemented:
    • The configuration includes inbounds/outbounds for VMess and VLESS.
  • Missing Implementation:
    • A formal review and justification for the chosen protocols is missing (should be documented).
    • Explicit disabling of deprecated protocols is not consistently done.
    • cipherSuites configuration within tlsSettings is not implemented.

Mitigation Strategy: Traffic Obfuscation (using xray-core features)

  • Mitigation Strategy: Traffic Obfuscation (using xray-core features)
  • Description:
    1. Realistic TLS Configuration (within streamSettings):
      • Use valid certificates from reputable CAs (configure paths in certificateFile and keyFile).
      • Set realistic serverName (SNI) values in outbound streamSettings.
      • Use appropriate alpn values.
    2. Explore streamSettings Options: Utilize the various streamSettings options within xray-core to obfuscate traffic:
      • tcpSettings: Use header to configure HTTP header obfuscation.
      • kcpSettings: Explore options for mKCP protocol.
      • wsSettings: Configure WebSocket settings, including path and headers.
      • httpSettings: Use for HTTP/2.
      • quicSettings: Explore options for QUIC protocol.
      • grpcSettings: Explore options for gRPC protocol.
      • Carefully evaluate the performance impact of each option.
    3. Avoid Default Ports: Change the default ports used by xray-core protocols to less common ports.
  • Threats Mitigated:
    • Traffic Analysis and Fingerprinting: (Severity: Medium)
    • Deep Packet Inspection (DPI) based blocking: (Severity: Medium)
  • Impact:
    • Traffic Analysis and Fingerprinting: Risk reduced (effectiveness depends on the chosen streamSettings).
    • DPI based blocking: Risk reduced.
  • Currently Implemented:
    • Basic TLS is configured with certificate files.
  • Missing Implementation:
    • Realistic serverName (SNI) is not consistently used.
    • Advanced streamSettings options (beyond basic TLS) are not utilized.
    • Default ports are still used in some configurations.

Mitigation Strategy: Connection Limiting (using routing and policy)

  • Mitigation Strategy: Connection Limiting (using routing and policy)
  • Description:
    1. Policy Configuration: Utilize the policy section within the xray-core configuration.
      • Set levels to define different user levels (if applicable).
      • Configure handshake timeout (time to establish a connection).
      • Configure connIdle timeout (time before an idle connection is closed).
      • Configure uplinkOnly and downlinkOnly timeouts (time for data transfer).
      • Set statsUserUplink and statsUserDownlink to true to enable per-user traffic statistics (required for some limits).
      • Use bufferSize to control buffer sizes.
    2. Routing Rules: Combine policy with routing rules.
      • Use domain and ip rules within the routing section to direct traffic based on source/destination.
      • Use userLevel in routing rules to apply different policies to different users (if using user levels).
      • Use routing rules to send traffic to specific inbounds/outbounds based on connection characteristics.
    3. Limit Concurrent Connections (Indirectly): While xray-core doesn't have a direct "max connections" setting per se, you can achieve a similar effect by combining:
      • Strict handshake, connIdle, uplinkOnly, and downlinkOnly timeouts in the policy section.
      • Routing rules that limit the number of users or IP addresses that can connect to specific inbounds.
      • Careful configuration of system resources (e.g., file descriptor limits) outside of xray-core.
  • Threats Mitigated:
    • Resource Exhaustion (DoS/DDoS): (Severity: High)
  • Impact:
    • Resource Exhaustion (DoS/DDoS): Risk reduced (effectiveness depends on the configured timeouts and routing rules).
  • Currently Implemented:
    • Basic policy settings (timeouts) are configured.
  • Missing Implementation:
    • Comprehensive use of policy and routing rules to limit concurrent connections is not fully implemented.
    • Per-user traffic statistics (statsUserUplink, statsUserDownlink) are not enabled.
    • bufferSize is not optimized.