How the Great Firewall discovers hidden circumvention servers. Roya Ensafi David Fifield Philipp Winter Nick Weaver Nick Feamster Vern Paxson

Similar documents
Examining How The Great Firewall Discovers Hidden Circumvention Servers

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Solution of Exercise Sheet 5

Internet Privacy Options

Chapter 17. Transport-Level Security

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

Bit Chat: A Peer-to-Peer Instant Messenger

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Midterm. Name: Andrew user id:

Cornerstones of Security

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

Covert Channels. Some instances of use: Hotels that block specific ports Countries that block some access

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

Linux Network Security

tcpcrypt Andrea Bittau, Dan Boneh, Mike Hamburg, Mark Handley, David Mazières, Quinn Slack Stanford, UCL

A S B

Ignoring the Great Firewall of China

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Project X Mass interception of encrypted connections

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Zorp and KZorp: Integrating Packet Filtering and Userspace proxying

Security vulnerabilities in the Internet and possible solutions

The Great Firewall of China

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Virtual Private Networks

Host Fingerprinting and Firewalking With hping

ZMap. Fast Internet-Wide Scanning and its Security Applications. Zakir Durumeric Eric Wustrow J. Alex Halderman. University of Michigan

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls


Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring Kevin Timm,

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Network Security. Routing and Firewalls. Radboud University Nijmegen, The Netherlands. Autumn 2014

GoToMyPC Corporate Advanced Firewall Support Features

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Firewalls, Tunnels, and Network Intrusion Detection

A Guide to New Features in Propalms OneGate 4.0

Protocol Rollback and Network Security

Slitheen: Perfectly imitated decoy routing through traffic replacement

Format-Transforming Encryption

Topics in Network Security

Network Security Fundamentals

CS5008: Internet Computing

Security Overview Introduction Application Firewall Compatibility

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

F-SECURE MESSAGING SECURITY GATEWAY

CIT 380: Securing Computer Systems

Firewall Firewall August, 2003

Fig : Packet Filtering

Tools for penetration tests 1. Carlo U. Nicola, HT FHNW With extracts from documents of : Google; Wireshark; nmap; Nessus.

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Debugging With Netalyzr

Chapter 12 Supporting Network Address Translation (NAT)

Chapter 8 Network Security

Network Security. by David G. Messerschmitt. Secure and Insecure Authentication. Security Flaws in Public Servers. Firewalls and Packet Filtering

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Proxies. Chapter 4. Network & Security Gildas Avoine

CSE 127: Computer Security. Network Security. Kirill Levchenko

Bypassing PISA AGM Theme Seminar Presented by Ricky Lou Zecure Lab Limited

CS 3251: Computer Networking 1 Security Protocols I

Windows Remote Access

Chapter 8 Router and Network Management

Network: several computers who can communicate. bus. Main example: Ethernet (1980 today: coaxial cable, twisted pair, 10Mb 1000Gb).

Kaseya Server Instal ation User Guide June 6, 2008

TLS and SRTP for Skype Connect. Technical Datasheet

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Stopping secure Web traffic from bypassing your content filter. BLACK BOX

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Web Application Firewall

Introduction to Computer Security Benoit Donnet Academic Year

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Intro to Firewalls. Summary

Networks: IP and TCP. Internet Protocol

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Network and Services Discovery

Attacking the TCP Reassembly Plane of Network Forensics Tools

Networking Attacks: Link-, IP-, and TCP-layer attacks. CS 161: Computer Security Prof. David Wagner

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

NAT & IP Masquerade. Internet NETWORK ADDRESS TRANSLATION INTRODUCTION. NAT & IP Masquerade Page 1 of 5. Internal PC

SonicOS 5.9 One Touch Configuration Guide

Low-Level TLS Hacking

Voice over IP. Demonstration 1: VoIP Protocols. Network Environment

A Very Incomplete Diagram of Network Attacks

SSL EXPLAINED SSL EXPLAINED

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Proxy Server, Network Address Translator, Firewall. Proxy Server

Deploy Remote Desktop Gateway on the AWS Cloud

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

ProxyCap Help. Table of contents. Configuring ProxyCap Proxy Labs

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Chapter 8 Security Pt 2

INTRODUCTION TO FIREWALL SECURITY

Filter Avoidance and Anonymous Proxy Guard

Transcription:

How the Great Firewall discovers hidden circumvention servers Roya Ensafi David Fifield Philipp Winter Nick Weaver Nick Feamster Vern Paxson

Much already known about GFW Numerous research papers and blog posts Open access library: censorbib.nymity.ch We know... What is blocked How it is blocked Where the GFW is, topologically Unfortunately, most studies are one-off Continuous measurements challenging

Many domains are blocked Client in China DNS resolver outside China DNS request for www.facebook.com

Many domains are blocked Client in China DNS resolver outside China DNS request for www.facebook.com

Many domains are blocked Client in China DNS resolver outside China DNS request for www.facebook.com facebook is at 8.7.198.45

Many domains are blocked Client in China DNS resolver outside China facebook: 8.7.198.45 DNS request for www.facebook.com facebook is at 173.252.74.68

Many keywords are blocked Client in China Web server outside China GET /www.facebook.com HTTP/1.1 Host: site.com

Many keywords are blocked Client in China Web server outside China GET /www.facebook.com HTTP/1.1 Host: site.com

TCP reset Many keywords are blocked Client in China Web server outside China GET /www.facebook.com HTTP/1.1 Host: site.com

Encryption reduces blocking accuracy Client in China Server in Germany Encrypted connection HTTPS? VPN? Tor?

Encryption reduces blocking accuracy Client in China Server in Germany Encrypted connection HTTPS? VPN? Tor? Port number? Type of encryption? Handshake parameters? Flow information?

Censors often test how far they can go

Censors often test how far they can go

Active Probing

Assume an encrypted tunnel Client in China Server in Germany TLS connection

1. GFW does DPI Client in China Server in Germany TLS connection

1. GFW does DPI Client in China c02bc02fc00ac009 c013c014c012c007 c011003300320045 0039003800880016 002f004100350084 000a0005000400ff TLS connection Server in Germany Cipher list in TLS client hello looks like vanilla Tor!

2. GFW launches active probe Client in China Server in Germany TLS connection Active prober Tor handshake

2. GFW launches active probe Client in China Server in Germany TLS connection Active prober Tor handshake Tor handshake

3. GFW blocks server Client in China Block server Server in Germany TLS connection Yes, it was vanilla Tor! Active prober Tor handshake Tor handshake

Our Shadow dataset Clients in China repeatedly connected to bridges under our control Clients in CERNET Tor, obfs2, obfs3 EC2 Tor bridge Tor, obfs2, obfs3 EC2 Tor bridge Clients in UNICOM

Our Sybil dataset Redirected 600 ports to Tor port Vanilla Tor bridge in France Client in China

Our Sybil dataset Redirected 600 ports to Tor port Vanilla Tor bridge in France Client in China Holy moly, 600 bridges on a single machine!

Our Log dataset Web server logs dating back to Jan 2010 Active probes Web server

Where are the probes coming from? Collected 16,083 unique prober IP addresses 95% of addresses seen only once Reverse DNS suggests ISP pools Sybil 1,090 Shadow 135 adsl-pool.sx.cn kd.ny.adsl online.tj.cn Majority of probes come from three Log 14,802 autonomous systems ASN 4837, 4134, and 17622

Where are the probes coming from? Collected 16,083 unique prober IP addresses 95% of addresses seen only once Reverse DNS suggests ISP pools adsl-pool.sx.cn kd.ny.adsl online.tj.cn Majority of probes come from three autonomous systems 202.108.181.70 Sybil 1,090 Log 14,802 Shadow 135 ASN 4837, 4134, and 17622

Are probes hijacking IP addresses? While probe is active, no other communication with probe possible Traceroutes time out several hops before destination Port scans say all ports are filtered What do probes have in common? IP TTL IP ID TCP ISN TCP TSval TLS client hello Pcaps online: nymity.ch/active-probing/ IP TCP TLS Tor

What do probes have in common? All probes Have narrow IP TTL distribution Use source ports in entire 16-bit port range Exhibit patterns in TCP TSval Does not seem like off-the-shelf networking stack User space TCP stack? IP TCP TLS Tor

TCP s initial sequence numbers TCP uses 32-bit initial sequence numbers (ISNs) Protects against off-path attackers Attacker must guess correct ISN range to inject segments Every SYN segment should have random ISN TCP connection Seq = 0x1AF93CBA TCP reset Seq =??? IP TCP TLS Tor

What we expected to see

What we did see

What we did see

TLS fingerprint Probes all share uncommon TLS client hello Not running original Tor client No randomly-generated SNI Unique (?) cipher suite Measured on a busy Tor guard relay: Observed 236,101 client hellos over 24 hours Only 67 (0.02%) had identical setup Recorded only client hellos, no IP addresses IP TCP TLS Tor

Tor probing Active prober Establish TCP and TLS connection Tor bridge VERSIONS VERSIONS NETINFO Close TCP and TLS connection IP TCP TLS Tor

Physical infrastructure State leakage shows that probes are controlled by centralised entity Not clear how central entity controls probes Proxy network? Geographically distributed set of proxy machines Off-path device in ISP s data centre? Machines connected to switch mirror ports

Blocking is reliable, but fails predictably

In 2012, probes were batch-processed

Today, probes are invoked in real-time Median arrival time of only 500 ms Odd, linearly-decreasing outliers

Blocked protocols

Protocols that are probed or blocked SSH In 2011, not anymore? VPN OpenVPN occasionally SoftEther Tor Vanilla Tor obfs2 and obfs3 AppSpot To find GoAgent? TLS Anything else?

Oddities in obfs2 and obfs3 probing Tor probes don t use reference implementations obfs3 padding sent in one segment instead of two Probes sometimes send duplicate payload State leakage?

Probe type and frequency since 2013

Find your own probes SoftEther: POST /vpnsvc/connect.cgi AppSpot: GET /twitter.com tcpdump host 202.108.181.70 More instructions on nymity.ch/active-probing

Trolling the GFW

Block list exhaustion for ip_addr in $ip_addrs ; do for port in $(seq 1 65535); do timeout 5 tor --usebridges 1 --bridge $ip_addr:$port done done One /24 network can add 16 million blocklist entries

File descriptor exhaustion Processes have OS-enforced file descriptor limit Often 1,024, but configurable Every new, open socket brings us closer to limit What s the limit for active probes? Attract many probes and don t ACK data, don t close socket Will GFW be unable to scan new bridges?

Make GFW block arbitrary addresses See VPN Gate s innocent IP mixing See censorbib.nymity.ch/#nobori2014a For a while, GFW blindly fetched and blocked IP addresses Add critical IP addresses to server list Windows update servers DNS root servers Google infrastructure GFW operators soon started verifying addresses

Circumvention

Problems in the GFW s DPI engine DPI engine must reassemble stream before pattern matching TCP stream often not reassembled Server-side manipulation of TCP window size can hide signature Exploited in brdgrd: gitweb.torproject.org/brdgrd.git/ Ambiguities in TCP/IP parsing See censorbib.nymity.ch/#khattak2013a TCP/IP-based circumvention difficult to deploy Hey, how about you run this kernel module for me?

Pluggable transports to the rescue SOCKS interface on client Turn Tor into something else Vanilla Tor obfs2 obfs3 Payload Flow Several APIs Python Go C Time

Pluggable transports that work in China ScrambleSuit Flow shape polymorphic Clients must prove knowledge of shared secret obfs4 Extends ScrambleSuit Uses Elligator elliptic curve key agreement meek Tunnels traffic over CDNs (Amazon, Azure, Google) FTE Shapes ciphertext based on regular expressions More is in the making! WebRTC-based transport

Q&A Roya Ensafi rensafi@cs.princeton.edu @_royaen_ David Fifield david@bamsoftware.com Philipp Winter phw@nymity.ch @ phw Code, data, and paper: nymity.ch/active-probing/

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information