On Wed, Oct 21, 2009, Alex Balashov wrote:
I was not aware that tools or techniques to do this are widespread or highly functional in a way that would get them adopted in an Internet access control application of a national scope.
Tell me more?
It's been a while since I tinkered with this for fun, but a quick abuse of Google gives one relatively useful starting paper:

http://ccr.sigcomm.org/online/files/p7-v37n1b-crotti.pdf

Now, if you were getting multiple overlapping fingerprints inside a UDP packet stream you may conclude that it is a VPN tunnel of some sort.

Just randomly padding the tunnel with a few bytes either side will probably just fuzz the classifier somewhat. Aggregating the packets up into larger packets may fuzz the classification methods but it certainly won't make the traffic look like "something else". It'll likely still stick out as being "different". :)

Adrian
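
An added illustration of the padding and aggregation points in the reply above (not part of the original message, and not the cited paper's method): a simplified packet-size histogram classifier in Python. The bin width, threshold, profile names and all packet sizes are constructed assumptions.

```python
import random
from collections import Counter

BIN = 32  # histogram bin width in bytes (assumed granularity)

def fingerprint(sizes):
    """Normalised packet-size histogram: {bin index: fraction of packets}."""
    counts = Counter(s // BIN for s in sizes)
    return {b: c / len(sizes) for b, c in counts.items()}

def distance(p, q):
    """Total variation distance between histograms (0 = identical, 1 = disjoint)."""
    return 0.5 * sum(abs(p.get(b, 0.0) - q.get(b, 0.0)) for b in set(p) | set(q))

def classify(sizes, profiles, threshold=0.5):
    """Return (label, distance); label is 'unknown' when no profile is close."""
    fp = fingerprint(sizes)
    label, dist = min(((n, distance(fp, ref)) for n, ref in profiles.items()),
                      key=lambda t: t[1])
    return (label if dist <= threshold else "unknown", dist)

def pad(sizes, rng, max_pad=8):
    """Add 0..max_pad random bytes on each side of every packet."""
    return [s + rng.randint(0, max_pad) + rng.randint(0, max_pad) for s in sizes]

def aggregate(sizes, mtu=1400):
    """Greedily merge consecutive packets into larger ones of at most mtu bytes."""
    out, cur = [], 0
    for s in sizes:
        if cur and cur + s > mtu:
            out.append(cur)
            cur = 0
        cur += s
    return out + ([cur] if cur else [])

# Constructed sample data: packet sizes in bytes, not taken from real captures.
PROFILES = {
    "voip": fingerprint([180] * 60 + [200] * 40),
    "web": fingerprint([60] * 50 + [1460] * 50),
}
FLOW = [180, 180, 200, 180, 200] * 40  # 200 packets with the "voip" shape

def demo():
    rng = random.Random(2009)
    flows = {"plain": FLOW, "padded": pad(FLOW, rng), "aggregated": aggregate(FLOW)}
    return {name: classify(f, PROFILES) for name, f in flows.items()}

if __name__ == "__main__":
    for name, (label, dist) in demo().items():
        print(f"{name:10s} -> {label:8s} distance={dist:.2f}")
```

The padded flow still lands on its original profile with a slightly larger distance, while the aggregated flow matches no known profile and is reported as "unknown".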