Skip to main content

Documentation Index

Fetch the complete documentation index at: https://none-38c466ad.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

The Transport Layer addresses network and TLS-level anomalies. While the Timing Layer governs cadence, the Transport Layer governs path and handshake posture. Modern adversaries cluster on egress IP space, proxy distribution, and TLS signatures, combining these to isolate automated clients. This layer introduces controlled variability in transport policy (egress selection) and credible TLS client signatures. The design acknowledges a critical constraint: proxy rotation alone is not stealth. Excessive churn is as suspicious as rigid persistence. Two cooperating mechanisms enforce this balance:
  1. Proxy management – resolves and rotates egress paths with bounded diversity.
  2. TLS signature management – enforces credible handshake profiles consistent with real client populations.
Together they ensure requests emerge through plausible network paths and align with observed TLS populations, while remaining under deterministic operator control.

7.1 Design Philosophy

Adversaries fuse IP-level and TLS-level signals. A client fixed to one network prefix is as conspicuous as one that rotates constantly. Likewise, a TLS fingerprint that never changes is anomalous, but so is one that mutates too frequently. The Transport Layer takes the stance of plausibility over maximum diversity. Egress diversity is introduced gradually, TLS profiles are drawn from a small curated set, and rotation follows deterministic rules. This yields stability while remaining consistent with population baselines. Common pitfalls
  • Excessive proxy churn producing churn storms
  • Persistent binding to narrow ASN/prefix sets
  • TLS signatures not aligned with claimed browser headers
  • Simultaneous rotations of proxy and identity layers
  • Neglecting diversity entropy, collapsing into outlier clusters

7.2 Proxy Management

Proxy management selects one egress policy per domain and reuses it to avoid cold-start probing. Rotation occurs only under failure conditions or scheduled diversity windows, preventing instability. Invariant:
For domain dd, policy(d)={cached(d),if availableargminp{probe(p,d)=success},otherwisedirect,if all fail\text{policy}(d) = \begin{cases} \text{cached}(d), & \text{if available} \\\\ \arg\min_p \{\text{probe}(p,d) = \text{success}\}, & \text{otherwise} \\\\ \text{direct}, & \text{if all fail} \end{cases} where policy(d)\text{policy}(d) is the chosen transport and probe(p,d)\text{probe}(p,d) tests feasibility of path pp. Parameters omitted by design.

7.3 TLS Signature Management

TLS signature management ensures handshake fingerprints align with claimed browser identities. Each domain is deterministically mapped to a profile from a bounded set of common client configurations. Rotation is slow and controlled, never flooding observed distributions. Invariant:
  • Headers must align with TLS profiles.
  • TLS fingerprints remain within observed population baselines.
  • Diversity is introduced gradually to prevent statistical outliers.
This prevents adversaries from isolating clients based on rare handshake patterns or inconsistent protocol negotiations.

7.4 Adversary Perspective

Defenders build clustering models from:
  • TLS-level features: TLS client handshake fingerprints, extension ordering, ALPN negotiation.
  • Network-level features: ASN, subnet prefix, distribution of egress endpoints.
  • Application-level alignment: consistency of headers, cookies, and TLS posture.
A simplified adversary cluster key can be expressed as: k=H(tls, ASN,  ⁣/24 ⁣, ALPN),k = H(\mathrm{tls},\ \mathrm{ASN},\ \!/24\!,\ \mathrm{ALPN}), where HH is a hash over handshake and network features. The Transport Layer does not attempt to prevent clustering entirely (impossible). Instead, it ensures traffic blends into existing population clusters, making bot clusters indistinguishable from background clients.

7.5 Combined Flow

Transport handling follows a staged process: select or reuse proxy mapping, align TLS signature with fingerprint, dispatch request, and rotate only under structured conditions. Combined Flow

7.6 Operational Outcome

The Transport Layer transforms egress from a detection liability into camouflage.
  • Stable per-domain mappings reduce churn artifacts.
  • TLS signatures aligned with baselines prevent outliers.
  • Deterministic, bounded diversity ensures population plausibility.
The result is traffic that, when clustered by adversaries, is absorbed into background user populations rather than isolated botnets.