
From Wikipedia, the free encyclopedia
In computer networks, a tunneling protocol is a communication protocol which allows for the movement of data from one network to another. Tunneling protocols can, for example, allow private network communications to be sent across a public network (such as the Internet), or allow one network protocol to be carried over an incompatible network, through a process called encapsulation.

Because tunneling involves repackaging the traffic data into a different form, perhaps with encryption as standard, it can hide the nature of the traffic that is run through a tunnel.

Tunneling protocols work by using the data portion of a packet (the payload) to carry the packets that actually provide the service. Tunneling uses a layered protocol model such as those of the OSI or TCP/IP protocol suite, but usually violates the layering when using the payload to carry a service not normally provided by the network. Typically, the delivery protocol operates at an equal or higher level in the layered model than the payload protocol.

Uses

A tunneling protocol may, for example, allow a foreign protocol to run over a network that does not support that particular protocol, such as running IPv6 over IPv4.

Another important use is to provide services that are impractical or unsafe to be offered using only the underlying network services, such as providing a corporate network address to a remote user whose physical network address is not part of the corporate network.

Circumventing firewall policy

Users can also use tunneling to "sneak through" a firewall, using a protocol that the firewall would normally block, but "wrapped" inside a protocol that the firewall does not block, such as HTTP. If the firewall policy does not specifically exclude this kind of "wrapping", this trick can function to get around the intended firewall policy (or any set of interlocked firewall policies).

Another HTTP-based tunneling method uses the HTTP CONNECT method/command. A client issues the HTTP CONNECT command to an HTTP proxy. The proxy then makes a TCP connection to a particular server:port, and relays data between that server:port and the client connection.[1] Because this creates a security hole, CONNECT-capable HTTP proxies commonly restrict access to the CONNECT method. The proxy allows connections only to specific ports, such as 443 for HTTPS.[2]
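The port restriction described above can be written as a small policy check. This is an added example, not code from any particular proxy: the function name `check_connect`, the allowlist constant and the sample request lines are assumptions made for illustration.

```python
import re

# Assumption: the policy mirrors the text's example of allowing CONNECT only to 443.
ALLOWED_CONNECT_PORTS = {443}

# CONNECT request line: "CONNECT host:port HTTP/1.x" (authority-form target).
REQUEST_LINE = re.compile(
    r"CONNECT (?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):(?P<port>\d{1,5}) HTTP/1\.[01]"
)


def check_connect(request_line, allowed_ports=ALLOWED_CONNECT_PORTS):
    """Return (allowed, reason) for one CONNECT request line."""
    match = REQUEST_LINE.fullmatch(request_line.strip())
    if match is None:
        return False, "malformed CONNECT request line"
    port = int(match.group("port"))
    if not 1 <= port <= 65535:
        return False, "port out of range"
    if port not in allowed_ports:
        return False, f"port {port} not in CONNECT allowlist"
    return True, f"tunnel to {match.group('host')}:{port} permitted"


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "CONNECT www.example.com:443 HTTP/1.1",
    "CONNECT mail.example.com:25 HTTP/1.1",
    "CONNECT [2001:db8::1]:443 HTTP/1.1",
    "CONNECT internal.example.com:22 HTTP/1.0",
    "CONNECT www.example.com HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        allowed, reason = check_connect(line)
        print(f"{'ALLOW' if allowed else 'DENY':5}  {line!r}: {reason}")
```

A port allowlist only limits where the proxy will connect; it does not establish that the relayed bytes are actually HTTPS.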

Other tunneling methods able to bypass network firewalls make use of different protocols such as DNS,[3] MQTT,[4] and SMS.[5]

Technical overview

As an example of network layer over network layer, Generic Routing Encapsulation (GRE), a protocol running over IP (IP protocol number 47), often serves to carry IP packets, with RFC 1918 private addresses, over the Internet using delivery packets with public IP addresses. In this case, the delivery and payload protocols are the same, but the payload addresses are incompatible with those of the delivery network.

It is also possible to establish a connection using the data link layer. The Layer 2 Tunneling Protocol (L2TP) allows the transmission of frames between two nodes. A tunnel is not encrypted by default: the TCP/IP protocol chosen determines the level of security.

SSH uses port 22 to enable data encryption of payloads being transmitted over a public network (such as the Internet) connection, thereby providing VPN functionality. IPsec has an end-to-end Transport Mode, but can also operate in a tunneling mode through a trusted security gateway.

To understand a particular protocol stack imposed by tunneling, network engineers must understand both the payload and delivery protocol sets.

Common tunneling protocols

  • IP in IP (IP protocol 4): IP in IPv4/IPv6
  • SIT/IPv6 (IP protocol 41): IPv6 in IPv4/IPv6
  • GRE (IP protocol 47): Generic Routing Encapsulation
  • OpenVPN (UDP port 1194)
  • SSTP (TCP port 443): Secure Socket Tunneling Protocol
  • IPSec (IP protocols 50 and 51): Internet Protocol Security
  • L2TP (UDP port 1701): Layer 2 Tunneling Protocol
  • L2TPv3 (IP protocol 115): Layer 2 Tunneling Protocol version 3
  • VXLAN (UDP port 4789): Virtual Extensible Local Area Network
  • PPTP (TCP port 1723 for control, GRE for data): Point-to-Point Tunneling Protocol
  • PPPoE (EtherType 0x8863 for control, 0x8864 for data): Point-to-Point Protocol over Ethernet
  • GENEVE
  • WireGuard (UDP dynamic port)
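To make the delivery/payload distinction from the GRE paragraph and the IP protocol numbers in the list above concrete, the following added example (not part of the original article) decodes a raw IPv4 packet, names the tunnel by its IP protocol number, and for GRE or IP in IP reports the inner addresses. The function names and the sample packet are constructed for illustration; only IPv4 inner packets and version-0 GRE headers are handled.

```python
import ipaddress
import struct

# IP protocol numbers as given in the list above.
TUNNEL_IP_PROTOCOLS = {4: "IP in IP", 41: "SIT/IPv6", 47: "GRE",
                       50: "IPsec", 51: "IPsec", 115: "L2TPv3"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_ipv4(packet):
    """Return (protocol, src, dst, payload) for a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (packet[0] & 0x0F) * 4
    if header_len < 20 or len(packet) < header_len:
        raise ValueError("bad IPv4 header length")
    src, dst = (ipaddress.IPv4Address(packet[i:i + 4]) for i in (12, 16))
    return packet[9], src, dst, packet[header_len:]

def gre_payload(gre):
    """Skip a version-0 GRE header (optional checksum, key, sequence: 4 bytes each)."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto_type = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    optional = sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
    return proto_type, gre[4 + optional:]

def describe(packet):
    """Report outer (delivery) and, for GRE or IP in IP, inner (payload) addresses."""
    proto, src, dst, payload = parse_ipv4(packet)
    info = {"tunnel": TUNNEL_IP_PROTOCOLS.get(proto), "outer": (str(src), str(dst))}
    proto_type = 0x0800 if proto == 4 else None
    if proto == 47:
        proto_type, payload = gre_payload(payload)
    if proto_type != 0x0800:              # no inner IPv4 packet to decode
        return info
    _, in_src, in_dst, _ = parse_ipv4(payload)
    info["inner"] = (str(in_src), str(in_dst))
    info["inner_rfc1918"] = all(any(a in n for n in RFC1918) for a in (in_src, in_dst))
    return info

def build_ipv4(proto, src, dst, payload=b""):
    # Helper for constructed samples only: minimal header, checksum left zero.
    addrs = (ipaddress.IPv4Address(a).packed for a in (src, dst))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, *addrs) + payload

# Constructed sample: RFC 1918 packet in GRE; documentation-range outer addresses
# stand in for public endpoints.
SAMPLE = build_ipv4(47, "198.51.100.10", "203.0.113.20",
                    struct.pack("!HH", 0, 0x0800) + build_ipv4(6, "10.1.0.5", "10.2.0.9"))
```

Calling `describe(SAMPLE)` returns the outer pair, the inner pair and `inner_rfc1918` set to `True`; the UDP- and TCP-based entries in the list would need a transport-header check on top of this.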

TCP meltdown problem

Tunneling a TCP-encapsulating payload (such as PPP) over a TCP-based connection (such as SSH's port forwarding) is known as "TCP-over-TCP", and doing so can induce a dramatic loss in transmission performance — known as the TCP meltdown problem,[6][7] which is why virtual private network (VPN) software may instead use a protocol simpler than TCP for the tunnel connection. TCP meltdown occurs when a TCP connection is stacked on top of another. The underlying layer may detect a problem and attempt to compensate, and the layer above it then overcompensates because of that, and this overcompensation causes said delays and degraded transmission performance.

Secure Shell tunneling

A Secure Shell (SSH) tunnel consists of an encrypted tunnel created through an SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel. It is a software-based approach to network security and the result is transparent encryption.[8]

For example, Microsoft Windows machines can share files using the Server Message Block (SMB) protocol, a non-encrypted protocol. If one were to mount a Microsoft Windows file-system remotely through the Internet, someone snooping on the connection could see transferred files. To mount the Windows file-system securely, one can establish an SSH tunnel that routes all SMB traffic to the remote fileserver through an encrypted channel. Even though the SMB protocol itself contains no encryption, the encrypted SSH channel through which it travels offers security.

[Figure: Local and remote port forwarding with ssh executed on the blue computer]

Once an SSH connection has been established, the tunnel starts with SSH listening to a port on the remote or local host. Any connections to it are forwarded to the specified address and port originating from the opposing (remote or local, as previously) host.

The TCP meltdown problem is often not a problem when using OpenSSH's port forwarding, because many use cases do not entail TCP-over-TCP tunneling; the meltdown is avoided because the OpenSSH client processes the local, client-side TCP connection in order to get to the actual payload that is being sent, and then sends that payload directly through the tunnel's own TCP connection to the server side, where the OpenSSH server similarly "unwraps" the payload in order to "wrap" it up again for routing to its final destination.[9] Naturally, this wrapping and unwrapping also occurs in the reverse direction of the bidirectional tunnel.

SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services – so long as a site allows outgoing connections. For example, an organization may prohibit a user from accessing Internet web pages (port 80) directly without passing through the organization's proxy filter (which provides the organization with a means of monitoring and controlling what the user sees through the web). But users may not wish to have their web traffic monitored or blocked by the organization's proxy filter. If users can connect to an external SSH server, they can create an SSH tunnel to forward a given port on their local machine to port 80 on a remote web server. To access the remote web server, users would point their browser to the local port at http://localhost/.

Some SSH clients support dynamic port forwarding that allows the user to create a SOCKS 4/5 proxy. In this case users can configure their applications to use their local SOCKS proxy server. This gives more flexibility than creating an SSH tunnel to a single port as previously described. SOCKS can free the user from the limitations of connecting only to a predefined remote port and server. If an application does not support SOCKS, a proxifier can be used to redirect the application to the local SOCKS proxy server. Some proxifiers, such as Proxycap, support SSH directly, thus avoiding the need for an SSH client.

Recent versions of OpenSSH can even create layer 2 or layer 3 tunnels if both ends have enabled such tunneling capabilities. This creates tun (layer 3, default) or tap (layer 2) virtual interfaces on both ends of the connection. This allows normal network management and routing to be used, and when used on routers, the traffic for an entire subnetwork can be tunneled. A pair of tap virtual interfaces functions like an Ethernet cable connecting both ends of the connection and can join kernel bridges.
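On the server side, whether the forwarding modes described in this section are available depends on a handful of `sshd_config` keywords. The following added example (not from the original article or from OpenSSH) reports what a given configuration would permit; the function names and sample configurations are constructed, and only the global section before any `Match` block is evaluated.

```python
# OpenSSH defaults for the forwarding-related sshd_config keywords.
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no",
            "permittunnel": "no", "permitopen": "any"}


def effective_settings(config_text):
    """Global-section values; sshd uses the first value obtained for each keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":            # conditional blocks are out of scope here
            break
        if keyword in DEFAULTS and len(parts) == 2:
            seen.setdefault(keyword, parts[1].strip().lower())
    return {**DEFAULTS, **seen}


def tunneling_findings(config_text):
    """List which of the tunneling features described above this sshd would allow."""
    s = effective_settings(config_text)
    findings = []
    if s["allowtcpforwarding"] in ("yes", "all", "local") and s["permitopen"] != "none":
        scope = "any destination" if s["permitopen"] == "any" else s["permitopen"]
        findings.append(f"local and dynamic (SOCKS) forwarding allowed to {scope}")
    if s["allowtcpforwarding"] in ("yes", "all", "remote"):
        bind = "all interfaces" if s["gatewayports"] != "no" else "loopback only"
        findings.append(f"remote forwarding allowed, listeners on {bind}")
    if s["permittunnel"] != "no":
        findings.append(f"tun/tap tunnels allowed ({s['permittunnel']})")
    return findings


# Constructed sshd_config samples (not taken from any real host).
PERMISSIVE = "PermitTunnel yes\nGatewayPorts yes\n"
HARDENED = "# forwarding disabled\nAllowTcpForwarding no\nPermitTunnel no\n"

if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(name, tunneling_findings(text) or ["no tunneling features enabled"])
```

The sshd_config manual notes that disabling TCP forwarding does not improve security unless users are also denied shell access, since they can install their own forwarders.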

Cyberattacks based on tunneling

Over the years, tunneling and data encapsulation in general have frequently been adopted for malicious purposes, in order to communicate outside of a protected network.

In this context, known tunnels involve protocols such as HTTP,[10] SSH,[11] DNS,[12][13] and MQTT.[14]

References

  1. "Upgrading to TLS Within HTTP/1.1". RFC 2817. 2000. Retrieved March 20, 2013.
  2. "Vulnerability Note VU#150227: HTTP proxy default configurations allow arbitrary TCP connections". US-CERT. 2025-08-05. Retrieved 2025-08-05.
  3. Raman, D., Sutter, B. D., Coppens, B., Volckaert, S., Bosschere, K. D., Danhieux, P., & Buggenhout, E. V. (2012, November). DNS tunneling for network penetration. In International Conference on Information Security and Cryptology (pp. 65-77). Springer, Berlin, Heidelberg.
  4. Vaccari, I., Narteni, S., Aiello, M., Mongelli, M., & Cambiaso, E. (2021). Exploiting Internet of Things Protocols for Malicious Data Exfiltration Activities. IEEE Access, 9, 104261-104280.
  5. Narteni, S., Vaccari, I., Mongelli, M., Aiello, M., & Cambiaso, E. (2021). Evaluating the possibility to perpetrate tunnelling attacks exploiting short-message-service. Journal of Internet Services and Information Security, 11, 30-46.
  6. Titz, Olaf (2025-08-05). "Why TCP Over TCP Is A Bad Idea". Archived from the original on 2025-08-05. Retrieved 2025-08-05.
  7. Honda, Osamu; Ohsaki, Hiroyuki; Imase, Makoto; Ishizuka, Mika; Murayama, Junichi (October 2005). "Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency". In Atiquzzaman, Mohammed; Balandin, Sergey I (eds.). Performance, Quality of Service, and Control of Next-Generation Communication and Sensor Networks III. Vol. 6011. Bibcode:2005SPIE.6011..138H. CiteSeerX 10.1.1.78.5815. doi:10.1117/12.630496. S2CID 8945952.
  8. Barrett, Daniel J.; Barrett, Daniel J.; Silverman, Richard E.; Silverman, Richard (2001). SSH, the Secure Shell: The Definitive Guide. "O'Reilly Media, Inc.". ISBN 978-0-596-00011-0.
  9. Kaminsky, Dan (2025-08-05). "Re: Extensions for long fat networks?". openssh-unix-dev@mindrot.org (Mailing list). the TCP forwarding code is pretty speedy as well. Just to pre-answer a question, ssh decapsulates and re-encapsulates TCP, so you don't have classic TCP-over-TCP issues.
  10. Pack, D. J., Streilein, W., Webster, S., & Cunningham, R. (2002). Detecting HTTP tunneling activities. MASSACHUSETTS INST OF TECH LEXINGTON LINCOLN LAB.
  11. Dang, F., Li, Z., Liu, Y., Zhai, E., Chen, Q. A., Xu, T., ... & Yang, J. (2019, June). Understanding fileless attacks on linux-based iot devices with honeycloud. In Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services (pp. 482–493).
  12. Raman, D., Sutter, B. D., Coppens, B., Volckaert, S., Bosschere, K. D., Danhieux, P., & Buggenhout, E. V. (2012, November). DNS tunneling for network penetration. In International Conference on Information Security and Cryptology (pp. 65-77). Springer, Berlin, Heidelberg.
  13. Aiello, M., Mongelli, M., Cambiaso, E., & Papaleo, G. (2016). Profiling DNS tunneling attacks with PCA and mutual information. Logic Journal of the IGPL, 24(6), 957-970.
  14. Vaccari, I., Narteni, S., Aiello, M., Mongelli, M., & Cambiaso, E. (2021). Exploiting Internet of Things Protocols for Malicious Data Exfiltration Activities. IEEE Access, 9, 104261-104280.