
Tunneling protocol

From Wikipedia, the free encyclopedia

In computer networks, a tunneling protocol is a communication protocol that allows data to be moved from one network to another. Tunnels can, for example, allow private-network communications to be sent across a public network (such as the Internet), or carry one network protocol over a network that does not support it, through a process called encapsulation.

Because tunneling repackages the traffic into a different form, often with encryption, it can hide the nature of the traffic that runs through the tunnel: to the delivery network, a tunnel is just a stream of packets of the outer protocol.

Tunneling protocols work by using the data portion of a packet (the payload) to carry the packets that actually provide the service. Tunneling uses a layered protocol model such as that of the OSI or TCP/IP protocol suite, but usually violates the layering by using the payload to carry a service not normally provided by the network. Typically, the delivery protocol operates at an equal or higher level in the layered model than the payload protocol.

Uses

A tunneling protocol may, for example, allow a foreign protocol to run over a network that does not support that particular protocol, such as running IPv6 over IPv4.

Another important use is to provide services that are impractical or unsafe to be offered using only the underlying network services, such as providing a corporate network address to a remote user whose physical network address is not part of the corporate network.

Circumventing firewall policy

Users can also use tunneling to "sneak through" a firewall, using a protocol that the firewall would normally block, but "wrapped" inside a protocol that the firewall does not block, such as HTTP. If the firewall policy does not specifically exclude this kind of "wrapping", this trick can function to get around the intended firewall policy (or any set of interlocked firewall policies).

Another HTTP-based tunneling method uses the HTTP CONNECT method. A client issues a CONNECT request to an HTTP proxy naming a server:port; the proxy opens a TCP connection to that server:port and then relays bytes in both directions between that server and the client connection.[1] An unrestricted CONNECT relay lets any client reach any TCP service the proxy can reach, so CONNECT-capable HTTP proxies commonly restrict the method to specific destination ports, typically 443 for HTTPS.[2]

Other tunneling methods able to bypass network firewalls use different carrier protocols, such as DNS,[3] MQTT,[4] and SMS.[5]

Technical overview

As an example of network layer over network layer, Generic Routing Encapsulation (GRE), a protocol running over IP (IP protocol number 47), often serves to carry IP packets, with RFC 1918 private addresses, over the Internet using delivery packets with public IP addresses. In this case, the delivery and payload protocols are the same, but the payload addresses are incompatible with those of the delivery network.

It is also possible to establish a connection at the data link layer. The Layer 2 Tunneling Protocol (L2TP) carries frames between two nodes. An L2TP tunnel is not encrypted by itself; the level of security depends on what it is combined with, commonly IPsec (L2TP/IPsec).

SSH (TCP port 22 by default) encrypts the payloads it forwards over a public network connection (such as the Internet), thereby providing VPN-like functionality. IPsec has an end-to-end transport mode, but can also operate in tunnel mode, in which whole IP packets are encapsulated and protected between trusted security gateways.

To understand a particular protocol stack imposed by tunneling, network engineers must understand both the payload and delivery protocol sets.

Common tunneling protocols
  • IP in IP (IP protocol 4): IPv4 in IPv4/IPv6
  • SIT/6in4 (IP protocol 41): IPv6 in IPv4/IPv6
  • GRE (IP protocol 47): Generic Routing Encapsulation
  • OpenVPN (UDP port 1194 by default)
  • SSTP (TCP port 443): Secure Socket Tunneling Protocol
  • IPsec (IP protocols 50 for ESP and 51 for AH): Internet Protocol Security
  • L2TP (UDP port 1701): Layer 2 Tunneling Protocol
  • L2TPv3 (IP protocol 115): Layer 2 Tunneling Protocol version 3
  • VXLAN (UDP port 4789): Virtual Extensible Local Area Network
  • PPTP (TCP port 1723 for control, GRE for data): Point-to-Point Tunneling Protocol
  • PPPoE (EtherType 0x8863 for control, 0x8864 for data): Point-to-Point Protocol over Ethernet
  • GENEVE (UDP port 6081): Generic Network Virtualization Encapsulation
  • WireGuard (UDP, no fixed port; 51820 by convention)
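The delivery-versus-payload distinction described above (GRE carrying RFC 1918 addresses inside packets with public delivery addresses) and the first three protocol numbers in this list, as an added example that is not part of the original article: a small Python encapsulator and decapsulator for GRE, IP-in-IP and 6in4, written the way a packet parser or IDS would peel a tunnel to recover the inner addresses the delivery network never routes on. Header layouts follow RFC 791, RFC 8200 and RFC 2784/2890; the sample addresses are constructed from the RFC 5737, RFC 3849 and RFC 1918 ranges, and `rfc1918()` is a helper written here, not a library function.

```python
"""Added example (not from the article): build and peel GRE (IP protocol 47), IP-in-IP
(protocol 4) and 6in4/SIT (protocol 41) packets with struct, as a packet parser or IDS
would to recover the inner addresses the delivery network never routes on. All
addresses are constructed (RFC 5737 / RFC 3849 documentation ranges and RFC 1918)."""
import ipaddress
import struct

IPIP, SIT, GRE = 4, 41, 47                          # IP protocol numbers from the list above
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD     # GRE protocol-type field values
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over a header whose checksum field is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set, TTL 64) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def ipv6_header(src: str, dst: str, next_header: int, payload_len: int) -> bytes:
    """40-byte IPv6 header: version 6, zero traffic class / flow label, hop limit 64."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

def gre_encapsulate(outer_src: str, outer_dst: str, inner: bytes, ethertype=ETHERTYPE_IPV4) -> bytes:
    """Wrap an already-built IP packet in RFC 2784 GRE (flags 0, no optional fields) over IPv4."""
    gre = struct.pack("!HH", 0, ethertype) + inner
    return ipv4_header(outer_src, outer_dst, GRE, len(gre)) + gre

def decapsulate(packet: bytes) -> list:
    """Peel the stack outermost-first; returns one (version, src, dst) tuple per IP layer.
    Raises ValueError on a truncated packet or a bad IPv4 header checksum."""
    layers, data, ethertype = [], packet, ETHERTYPE_IPV4
    while True:
        if ethertype == ETHERTYPE_IPV6:
            if len(data) < 40 or data[0] >> 4 != 6:
                raise ValueError("bad IPv6 header")
            layers.append(("IPv6", str(ipaddress.IPv6Address(data[8:24])),
                           str(ipaddress.IPv6Address(data[24:40]))))
            return layers                            # IPv6 payloads are not peeled further here
        if len(data) < 20 or data[0] >> 4 != 4:
            raise ValueError("bad IPv4 header")
        ihl = (data[0] & 0x0F) * 4
        if ihl < 20 or len(data) < ihl or ip_checksum(data[:ihl]) != 0:
            raise ValueError("bad IPv4 header length or checksum")
        proto = data[9]
        layers.append(("IPv4", str(ipaddress.IPv4Address(data[12:16])),
                       str(ipaddress.IPv4Address(data[16:20]))))
        data = data[ihl:]
        if proto == IPIP:
            ethertype = ETHERTYPE_IPV4
        elif proto == SIT:
            ethertype = ETHERTYPE_IPV6
        elif proto == GRE:
            if len(data) < 4:
                raise ValueError("truncated GRE header")
            flags, ethertype = struct.unpack("!HH", data[:4])
            # optional fields, 4 bytes each: C (checksum+reserved1), K (key), S (sequence number)
            data = data[4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000)):]
        else:
            return layers                            # innermost IP layer; proto is the transport

def rfc1918(addr: str) -> bool:
    """True for RFC 1918 private addresses (Python's is_private also flags documentation ranges)."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

if __name__ == "__main__":
    # Constructed sample: a UDP datagram between two RFC 1918 hosts, carried in GRE between
    # two non-private delivery addresses, which is the GRE scenario described above.
    inner = ipv4_header("10.0.0.5", "192.168.1.10", 17, 5) + b"hello"
    for version, src, dst in decapsulate(gre_encapsulate("203.0.113.1", "198.51.100.2", inner)):
        print(version, src, "->", dst, "(RFC 1918)" if rfc1918(src) else "")
```

Running the module prints the two layers of the constructed GRE packet. `decapsulate()` is the part a detection engineer would reuse: it rejects an outer header with a bad checksum rather than trusting the inner addresses, it stops at the first non-tunnel protocol number so the caller can inspect the transport, and it skips GRE's optional key and sequence fields, which real encapsulators often set.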

TCP meltdown problem

Tunneling a TCP-encapsulating payload (such as PPP) over a TCP-based connection (such as SSH's port forwarding) is known as "TCP-over-TCP", and doing so can induce a dramatic loss in transmission performance known as the TCP meltdown problem,[6][7] which is why virtual private network (VPN) software may instead use a protocol simpler than TCP (typically UDP) for the tunnel connection. TCP meltdown occurs when one TCP connection is stacked on top of another: each connection runs its own retransmission and congestion-control logic, so when the underlying connection detects a loss and retransmits, the connection above it times out and retransmits as well, and the two keep compensating for each other's recovery, producing the delays and degraded throughput.

Secure Shell tunneling

A Secure Shell (SSH) tunnel consists of an encrypted tunnel created through an SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel. It is a software-based approach to network security and the result is transparent encryption.[8]

For example, Microsoft Windows machines can share files using the Server Message Block (SMB) protocol, which is not encrypted. If one were to mount a Windows file system remotely over the Internet, someone snooping on the connection could see the transferred files. To mount the file system securely, one can establish an SSH tunnel that routes all SMB traffic to the remote file server through an encrypted channel. Even though the SMB protocol itself contains no encryption, the encrypted SSH channel through which it travels provides confidentiality.

Local and remote port forwarding with ssh executed on the blue computer

Once an SSH connection has been established, the tunnel starts with SSH listening on a port on either the local host (local forwarding) or the remote host (remote forwarding). Any connection made to that port is forwarded to the specified address and port, with the forwarded connection originating from the opposite host (remote or local, respectively).

The TCP meltdown problem usually does not arise with OpenSSH's port forwarding, because most use cases do not actually entail TCP-over-TCP tunneling: the OpenSSH client terminates the local, client-side TCP connection and extracts the payload it carries, then sends that payload through the SSH connection's own TCP stream to the server side, where the OpenSSH server likewise unwraps the payload and opens a fresh TCP connection to the final destination.[9] Only application data crosses the tunnel; the inner TCP headers and their retransmissions do not. The same unwrapping and rewrapping occurs in the reverse direction of the bidirectional tunnel.

SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services, so long as a site allows outgoing SSH connections. For example, an organization may prohibit users from accessing Internet web pages (port 80) directly without passing through the organization's proxy filter (which provides the organization with a means of monitoring and controlling what users see on the web). But users may not wish to have their web traffic monitored or blocked by that filter. If users can connect to an external SSH server, they can create an SSH tunnel that forwards a port on their local machine to port 80 on a remote web server, then point their browser at that local port (for example http://localhost:8080/ if local port 8080 was chosen).

Some SSH clients support dynamic port forwarding, which lets the user create a local SOCKS 4/5 proxy. Users can then configure their applications to use that local SOCKS proxy server. This gives more flexibility than an SSH tunnel to a single port as described above: SOCKS frees the user from the limitation of connecting only to a predefined remote server and port, because each application connection names its own destination. If an application does not support SOCKS, a proxifier can be used to redirect the application to the local SOCKS proxy server. Some proxifiers, such as ProxyCap, support SSH directly, avoiding the need for a separate SSH client.
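The HTTP CONNECT exchange from the firewall-circumvention section above and the local and dynamic forwarding described here rest on the same mechanism: a relay that terminates one TCP connection and re-sends its bytes on another. The following is an added example, not code from the article or from OpenSSH, written in Python so both ends of each exchange can run on the loopback interface: a CONNECT proxy whose `allowed_ports` argument reproduces either the open-relay behaviour or the usual port-443-only restriction, and a SOCKS5 server of the kind `ssh -D` exposes locally, with the client side of both handshakes. `serve`, `via_connect` and `via_socks5`, and the hosts and ports they use, are constructed for the demonstration; the message formats follow RFC 7231 (CONNECT) and RFC 1928 (SOCKS5).

```python
"""Added example (not the article's or OpenSSH's code): a loopback TCP relay with an HTTP CONNECT
front end that enforces a destination-port allowlist and a SOCKS5 front end like `ssh -D`."""
import socket, struct, threading

def readn(sock, n):
    """Read exactly n bytes (recv may return short reads); raise on EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf

def pump(src, dst):
    """Copy src->dst until EOF, then half-close dst so the far end sees EOF too."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def relay(client, upstream):
    """The proxy terminates the client's TCP stream and re-sends its bytes on a new one."""
    threading.Thread(target=pump, args=(upstream, client), daemon=True).start()
    pump(client, upstream)

def make_connect_handler(allowed_ports=None):
    """allowed_ports=None is an open relay; {443} is the usual hardened setting."""
    def handler(client):
        req = b""
        while not req.endswith(b"\r\n\r\n"):
            req += readn(client, 1)
            if len(req) > 8192:
                raise ConnectionError("request header too large")
        try:
            method, target, _ = req.split(b"\r\n", 1)[0].split(b" ")
            host, port = target.decode().rsplit(":", 1)   # ValueError if no host:port
            port = int(port)
            status = 200 if method == b"CONNECT" else 405
        except ValueError:
            status = 400
        if status == 200 and allowed_ports is not None and port not in allowed_ports:
            status = 403                                   # refused before any upstream connect
        if status != 200:
            client.sendall(b"HTTP/1.1 %d %s\r\n\r\n" % (status, {400: b"Bad Request", 403: b"Forbidden", 405: b"Method Not Allowed"}[status]))
            return client.close()
        upstream = socket.create_connection((host, port))
        client.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
        relay(client, upstream)
    return handler

def handle_socks5(client):
    """RFC 1928 server side: 'no authentication', CONNECT command, domain-name targets."""
    readn(client, readn(client, 2)[1])               # VER, NMETHODS, then the method list
    client.sendall(b"\x05\x00")                      # we select method 0x00 (no authentication)
    _ver, cmd, _rsv, atyp = readn(client, 4)
    if cmd != 0x01 or atyp != 0x03:                  # REP 0x07 command / 0x08 address type unsupported
        client.sendall(b"\x05" + (b"\x07" if cmd != 0x01 else b"\x08") + b"\x00\x01" + bytes(6))
        return client.close()
    host = readn(client, readn(client, 1)[0]).decode()
    port = struct.unpack("!H", readn(client, 2))[0]
    upstream = socket.create_connection((host, port))
    client.sendall(b"\x05\x00\x00\x01" + bytes(6))   # REP 0x00 succeeded; BND.ADDR/PORT zeroed
    relay(client, upstream)

def serve(handler):
    """Accept loop on an ephemeral loopback port in a daemon thread; returns the port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def via_connect(proxy_port, host, port, payload):
    """Client side of the CONNECT exchange; returns (status, bytes echoed back)."""
    s = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    s.sendall(b"CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (host.encode(), port, host.encode(), port))
    head = b""
    while not head.endswith(b"\r\n\r\n"):
        head += readn(s, 1)
    status = int(head.split(b" ")[1])
    if status != 200:
        return status, b""
    s.sendall(payload)
    return status, readn(s, len(payload))

def via_socks5(proxy_port, host, port, payload):
    """Client side of the SOCKS5 exchange (ATYP 0x03 = domain name); returns the echo."""
    s = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    s.sendall(b"\x05\x01\x00")                       # VER=5, one method offered: no auth
    if readn(s, 2) != b"\x05\x00":
        raise ConnectionError("SOCKS5 method negotiation failed")
    s.sendall(b"\x05\x01\x00\x03" + bytes([len(host)]) + host.encode() + struct.pack("!H", port))
    rep = readn(s, 10)                               # VER REP RSV ATYP=1 BND.ADDR(4) BND.PORT(2)
    if rep[1] != 0x00:
        raise ConnectionError("SOCKS5 request refused, REP=%d" % rep[1])
    s.sendall(payload)
    return readn(s, len(payload))
```

With `echo = serve(lambda c: pump(c, c))` as a stand-in destination, `via_connect(serve(make_connect_handler({echo})), "127.0.0.1", echo, b"ping")` returns `(200, b"ping")`, the same request through `make_connect_handler({443})` is refused with 403 before any upstream connection is attempted, and `via_socks5(serve(handle_socks5), "127.0.0.1", echo, b"hi")` returns `b"hi"`. Neither relay encrypts anything; what makes the OpenSSH variant a tunnel is that the hop between the two `pump` calls runs inside the SSH session, and `relay` shows why that hop carries no TCP-over-TCP: only the application bytes are copied across.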

Recent versions of OpenSSH can also create layer 2 or layer 3 tunnels (the -w option on the client, which the server must permit with PermitTunnel) if both ends have enabled such tunneling. This creates tun (layer 3, the default) or tap (layer 2) virtual interfaces on both ends of the connection, so normal network management and routing can be applied to them; when used on routers, the traffic of an entire subnetwork can be tunneled. A pair of tap virtual interfaces functions like an Ethernet cable connecting both ends of the connection and can be joined to kernel bridges.

Cyberattacks based on tunneling

Over the years, tunneling and data encapsulation in general have frequently been adopted for malicious purposes, chiefly to communicate covertly out of a protected network, for example to exfiltrate data.

Known tunnels of this kind involve protocols such as HTTP,[10] SSH,[11] DNS,[12][13] and MQTT.[14]


References
  1. ^ "Upgrading to TLS Within HTTP/1.1". RFC 2817. 2000. Retrieved March 20, 2013.
  2. ^ "Vulnerability Note VU#150227: HTTP proxy default configurations allow arbitrary TCP connections". US-CERT. 2025-08-05. Retrieved 2025-08-05.
  3. ^ Raman, D., Sutter, B. D., Coppens, B., Volckaert, S., Bosschere, K. D., Danhieux, P., & Buggenhout, E. V. (2012, November). DNS tunneling for network penetration. In International Conference on Information Security and Cryptology (pp. 65-77). Springer, Berlin, Heidelberg.
  4. ^ Vaccari, I., Narteni, S., Aiello, M., Mongelli, M., & Cambiaso, E. (2021). Exploiting Internet of Things Protocols for Malicious Data Exfiltration Activities. IEEE Access, 9, 104261-104280.
  5. ^ Narteni, S., Vaccari, I., Mongelli, M., Aiello, M., & Cambiaso, E. (2021). Evaluating the possibility to perpetrate tunnelling attacks exploiting shortmessage-service. Journal of Internet Services and Information Security, 11, 30-46.
  6. ^ Titz, Olaf (2025-08-05). "Why TCP Over TCP Is A Bad Idea". Archived from the original on 2025-08-05. Retrieved 2025-08-05.
  7. ^ Honda, Osamu; Ohsaki, Hiroyuki; Imase, Makoto; Ishizuka, Mika; Murayama, Junichi (October 2005). "Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency". In Atiquzzaman, Mohammed; Balandin, Sergey I (eds.). Performance, Quality of Service, and Control of Next-Generation Communication and Sensor Networks III. Vol. 6011. Bibcode:2005SPIE.6011..138H. CiteSeerX 10.1.1.78.5815. doi:10.1117/12.630496. S2CID 8945952.
  8. ^ Barrett, Daniel J.; Silverman, Richard E. (2001). SSH, the Secure Shell: The Definitive Guide. O'Reilly Media. ISBN 978-0-596-00011-0.
  9. ^ Kaminsky, Dan (2025-08-05). "Re: Extensions for long fat networks?". openssh-unix-dev@mindrot.org (Mailing list). the TCP forwarding code is pretty speedy as well. Just to pre-answer a question, ssh decapsulates and re-encapsulates TCP, so you don't have classic TCP-over-TCP issues.
  10. ^ Pack, D. J., Streilein, W., Webster, S., & Cunningham, R. (2002). Detecting HTTP tunneling activities. MASSACHUSETTS INST OF TECH LEXINGTON LINCOLN LAB.
  11. ^ Dang, F., Li, Z., Liu, Y., Zhai, E., Chen, Q. A., Xu, T., ... & Yang, J. (2019, June). Understanding fileless attacks on linux-based iot devices with honeycloud. In Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services (pp. 482–493).
  12. ^ Raman, D., Sutter, B. D., Coppens, B., Volckaert, S., Bosschere, K. D., Danhieux, P., & Buggenhout, E. V. (2012, November). DNS tunneling for network penetration. In International Conference on Information Security and Cryptology (pp. 65-77). Springer, Berlin, Heidelberg.
  13. ^ Aiello, M., Mongelli, M., Cambiaso, E., & Papaleo, G. (2016). Profiling DNS tunneling attacks with PCA and mutual information. Logic Journal of the IGPL, 24(6), 957-970.
  14. ^ Vaccari, I., Narteni, S., Aiello, M., Mongelli, M., & Cambiaso, E. (2021). Exploiting Internet of Things Protocols for Malicious Data Exfiltration Activities. IEEE Access, 9, 104261-104280.