Examining How The Great Firewall Discovers Hidden Circumvention Servers

Similar documents
How the Great Firewall discovers hidden circumvention servers. Roya Ensafi David Fifield Philipp Winter Nick Weaver Nick Feamster Vern Paxson

The Great Firewall of China

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Facade: High-Throughput, Deniable Censorship Circumvention Using Web Search

(SHREL) Open Source Multi-Hop Networks (SHREL) Tor

Network Security TCP/IP Refresher

Chapter 15. Firewalls, IDS and IPS

Time has something to tell us about Network Address Translation

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

SSL/TLS. What Layer? History. SSL vs. IPsec. SSL Architecture. SSL Architecture. IT443 Network Security Administration Instructor: Bo Sheng

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

Bit Chat: A Peer-to-Peer Instant Messenger

Protocol Rollback and Network Security

Firewall Testing Methodology W H I T E P A P E R

TLS and SRTP for Skype Connect. Technical Datasheet

CIT 380: Securing Computer Systems

ZMap. Fast Internet-Wide Scanning and its Security Applications. Zakir Durumeric Eric Wustrow J. Alex Halderman. University of Michigan

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Overview of SSL. Outline. CSC/ECE 574 Computer and Network Security. Reminder: What Layer? Protocols. SSL Architecture

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Solution of Exercise Sheet 5

Slitheen: Perfectly imitated decoy routing through traffic replacement

Remote Network Analysis

Firewalls, IDS and IPS

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Communication Security for Applications

Improving DNS performance using Stateless TCP in FreeBSD 9

TCP Packet Tracing Part 1

Using SYN Flood Protection in SonicOS Enhanced

How to launch and defend against a DDoS

Intrusion Detection Systems

Course Title: Penetration Testing: Security Analysis

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Internet Infrastructure Measurement: Challenges and Tools

SSL DOES NOT MEAN SOL What if you don t have the server keys?

Covert Channels. Some instances of use: Hotels that block specific ports Countries that block some access

The Internet of Unpatched Things

The Secure Sockets Layer (SSL)

Enterprise Network Management. March 4, 2009

THE ROLE OF IDS & ADS IN NETWORK SECURITY

Security Technology White Paper

Format-Transforming Encryption

Understanding and Circumventing The Great Firewall of China

The Challenges of Stopping Illegal Peer-to-Peer File Sharing

Supporting Document Mandatory Technical Document. Evaluation Activities for Stateful Traffic Filter Firewalls cpp. February Version 1.

12. Firewalls Content

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Web Security Considerations

Columbia - Verizon Research Securing SIP: Scalable Mechanisms For Protecting SIP-Based Systems

Spirent Abacus. SIP over TLS Test 编 号 版 本 修 改 时 间 说 明

Honeyd Detection via Packet Fragmentation

Sage ERP Accpac Online

Sage 300 ERP Online. Mac Resource Guide. (Formerly Sage ERP Accpac Online) Updated June 1, Page 1

Network Packet Monitoring Optimizations Powered By SDN

An apparatus for P2P classification in Netflow traces

A study of denial of service attacks on the Internet p.1/39

Effiziente Filter gegen Kinderpornos und andere Internetinhalte. Lukas Grunwald DN-Systems GmbH CeBIT Heise Forum 2010 Hannover

Traffic Analysis. CSF: Forensics Cyber-Security. Part II.B. Techniques and Tools: Network Forensics. Fall 2015 Nuno Santos

Project X Mass interception of encrypted connections

Intrusion Detection System

20. Switched Local Area Networks

The Internet. An Engineering Approach to Computer Networking

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Detecting Forged TCP Reset Packets

Low-Level TLS Hacking

Barracuda Intrusion Detection and Prevention System

Firewall Design Principles

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Three attacks in SSL protocol and their solutions

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Demystifying the Myth of Passive Network Discovery and Monitoring Systems

Networks: IP and TCP. Internet Protocol

How Mobile Applications are Reshaping Information Controls in Iran. Mahsa

Networking Overview. (as usual, thanks to Dave Wagner and Vern Paxson)

CS 3251: Computer Networking 1 Security Protocols I

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

SSL EXPLAINED SSL EXPLAINED

Internet Management and Measurements Measurements

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

Yarrp ing the Internet

Network Security and Penetration Testing

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

CSC Network Security

FIREWALL AND NAT Lecture 7a

Linux Network Security

XPROBE. Building Efficient Network Discovery Tools. Fyodor Yarochkin

CSC 474 Information Systems Security

architecture: what the pieces are and how they fit together names and addresses: what's your name and number?

TLS/SSL in distributed systems. Eugen Babinciuc

High Performance VPN Solutions Over Satellite Networks

A Distributed Defense Mechanism Against Low-Bandwidth TCP SYN Flooding Attacks

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Large-Scale TCP Packet Flow Analysis for Common Protocols Using Apache Hadoop

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Denial of Service Attacks

co Characterizing and Tracing Packet Floods Using Cisco R

High-Performance IP Service Node with Layer 4 to 7 Packet Processing Features

Transcription:

Examining How The Great Firewall Discovers Hidden Circumvention Servers Roya Ensafi, David Fifield, Philipp Winter, Nick Feamster, Nicholas Weaver, and Vern Paxson Oct 29, 2015 1

Circumventing Internet Censorship Using Proxies Web servers Internet 2

Circumventing Internet Censorship Using Proxies Not everyone can connect to all web servers Web servers Internet DPI 3

Circumventing Internet Censorship Using Proxies Not everyone can connect to all web servers Many use proxy servers to circumvent censorship Proxy server Web servers Internet DPI 4

Circumventing Internet Censorship Using Proxies Not everyone can connect to all web servers Many use proxy servers to circumvent censorship Governments are getting smarter at detecting proxy servers Proxy server Web servers Internet DPI 5

Circumventing Internet Censorship Using Proxies Not everyone can connect to all web servers Many use proxy servers to circumvent censorship Governments are getting smarter at detecting proxy servers How do governments find these proxies? Proxy server Web servers Internet DPI 6

How GFW Discovers Hidden Circumvention Servers We focus on the GFW and Tor GFW is a sophisticated censorship system Tor has a long history of being used for circumventing government censorship 7

Censorship Arms Race: GFW vs. Tor Time Use public Tor network to circumvent GFW 8

Censorship Arms Race: GFW vs. Tor Use public Tor network to circumvent GFW Time Download consensus and block relays 9

Censorship Arms Race: GFW vs. Tor Use public Tor network to circumvent GFW Time Download consensus and block relays Introduce private bridges, whose distribution is rate-limited 10

Censorship Arms Race: GFW vs. Tor Use public Tor network to circumvent GFW Time Download consensus and block relays Introduce private bridges, whose distribution is rate-limited Use DPI to detect Tor TLS handshake 11

Fingerprinting the Tor TLS Handshake TLS handshake is unencrypted and leaks information Tor s use of TLS has some peculiarities X.509 certificate life times Cipher suites Randomly generated server name indication (e.g., www.6qgoz6epdi6im5rvxnlx. com) GFW looks (at least) for cipher suites in the TLS client hello 12

Censorship Arms Race: GFW vs. Tor Use public Tor network to circumvent GFW Time Download consensus and block relays Introduce private bridges, whose distribution is rate-limited Use DPI to detect Tor TLS handshake Introduce pluggable transports to hide the handshake such as obfs2, obfs3 13

Tor Pluggable Transport Pluggable transports are drop-in modules for traffic obfuscation Many modules have been written, but we focus on obfs2 (First deployed module) First 20 bytes can be used to detect Tor traffic with high confidence. obfs3 (obfs2 s successor) Makes Tor traffic look like a uniformly random byte stream 14

Censorship Arms Race: GFW vs. Tor Use public Tor network to Detection of pluggable transports is uncertain circumvent GFW Time Download consensus and block relays Implies false positives collateral damage Introduce private bridges, whose distribution is rate-limited Use DPI to detect Tor TLS handshake, then probe and block bridges Introduce pluggable transports to hide the handshake such as obfs2, obfs3 15

Censorship Arms Race: GFW vs. Tor Use public Tor network to Detection of pluggable transports is uncertain circumvent GFW Time Download consensus and block relays Implies false positives collateral damage Introduce private bridges, whose GFW added active probing distribution is rate-limited to complement the DPI fingerprinting Use DPI to detect Tor TLS handshake, then probe and block bridges Introduce pluggable transports to hide the handshake such as obfs2, obfs3 16

How does GFW Block Tor Hidden Circumvention Servers? 1. Network monitoring (e.g., switch mirror port) 2. DPI for suspicious traffic (e.g., cipher suite) 3. Actively probing server to verify suspicion 4. Blocking server 17

Censorship Arms Race: GFW vs. Tor Use public Tor network to circumvent GFW Time Download consensus and block relays Introduce private bridges, whose distribution is rate-limited Use DPI to detect Tor TLS handshake Introduce pluggable transports to hide the handshake such as obfs2, obfs3 Use DPI + Active probing 18

Many Questions about Active Probing are Unanswered! Only two blog posts and Winter s FOCI 12 paper We lack a comprehensive picture of more complicated questions We want to know: Implementation, i.e., how does it block? Architecture, i.e., how is a system added to China s backbone? Policy, i.e., what kind of protocols does it block? Effectiveness, i.e., what s the degree of success at discovering Tor bridges? 19

Overview of Our Datasets: Shadow Infrastructure EC2-Vanilla EC2-Obfs2 EC2-Obfs3 EC2-Vanilla EC2-Obfs2 EC2-Obfs3 Amazon AWS CERNET Network Unicom ISP Clients in China 20

Overview of Our Datasets: Sybil Infrastructure Shadow Infrastructure 30000.. 30300 EC2-Vanilla EC2-Obfs2 EC2-Obfs3 EC2-Vanilla EC2-Obfs2 EC2-Obfs3 Amazon AWS.. CERNET Network 30600 Vanilla Tor Client in China Forwarding 600 ports to Tor port Unicom ISP Clients in China 21

Overview of Our Datasets: Sybil Infrastructure Shadow Infrastructure 30000.. 30300 EC2-Vanilla EC2-Obfs2 EC2-Obfs3 EC2-Vanilla EC2-Obfs2 EC2-Obfs3 Amazon AWS.. CERNET Network 30600 Vanilla Tor Client in China Forwarding 600 ports to Tor port Unicom ISP Clients in China Server Log Analysis Application logs of a web server that also runs a Tor bridge since 2010. 22

Overview of Our Datasets: For the Shadow and the Sybil datasets: We had pcap files of both the clients and the bridges. For the Log dataset, we only had application logs. Dataset Time span Shadow Dec 2014 -- Feb 2015 (3 months) Sybil Jan 29, 2015 -- Jan 30, 2015 (20 hours) Log Jan 2010 -- Aug 2015 (5 years) 23

How to Distinguish Probers from Genuine Clients? 24

How to Distinguish Probers from Genuine Clients? Detecting probers in Sybil dataset is easy, all the probers: Visited our vanilla Tor bridge after our client established connections Originated from China 25

How to Distinguish Probers from Genuine Clients? Detecting probers in Sybil dataset is easy, all the probers: Visited our vanilla Tor bridge after our client established connections Originated from China For the other datasets, we adopt an algorithm: If the cipher suites is in the TLS client hello => Vanilla bridge probes If the first 20 bytes can reveal Obfs2 => Obfs2 bridges probers... 26

How Many Unique Probers did We Find? 27

How Many Unique Probers did We Find? Using Sybil, Shadow and Log dataset In total, we collected 16,083 unique prober IP addresses Shadow 135 2 IP: GFW s famous 202.108.181.70 Log (3 months) 20 14,802 1,090 (22 hours) (Over 5 years) 89 Sybil 28

Can We Fingerprint Active Probers? 29

Can We Fingerprint Active Probers? TCP layer TSval slope: timestamp clock rate TSval intercept: (rough) system uptime GFW likely operate a handful of physical probing systems Shadow exp. with 158 Prober IPs Sybil exp. with 1,182 Prober IPs Log dataset with 14,912 Prober IPs 30

Can We Fingerprint Active Probers? TCP layer Striking pattern in initial sequence numbers (derived from time) of 1,182 probes Shared pattern in TSval for all three datasets Initial sequence number 31

What do These Patterns Mean? Active probing connections leak shared state ISNs, TSval, source ports,... GFW likely operates only few physical systems Thousands of IP addresses are controlled by central source 32

How Quickly do Active Probes Show Up? 33

How Quickly do Active Probes Show Up? Sybil dataset shows that system now works in real time Median delay between Tor connection and subsequent probing connection is ~500ms 1,182 distinct probes showed up in 22 hours 34

Is Active Probing Successful? 35

Is Active Probing Successful? 36

Is Active Probing Successful? Tor clients succeed in connecting roughly every 25 hours Might reflect implementation artifact of GFW 37

Is Active Probing Successful? Tor clients succeed in connecting roughly every 25 hours Might reflect implementation artifact of GFW obfs2 and obfs3 (~98%) were almost always reachable for clients Surprising because GFW can probe and block obfs2 and obfs3 38

Takeaway messages Our results show that the active probing system Makes use of a large amount of IP addresses, clearly centrally controlled We can not just blacklist probers IP addresses Operates in real time Probes Vanilla, Obfs2, and Obfs3 Bridge Tor s pluggable transports led to GFW s pluggable censorship 39

Q&A Project page: https://nymity.ch/active-probing/ Log and Sybil data sets are available online Contact: rensafi@cs.princeton.edu 40

What Is the Characteristic of the Probing System? Sensor responsible for triggering probes operates single-sidedly: SYN, followed by ACK, then Tor s TLS client hello) => trigger probe. The sensor does not seem to robustly reassemble TCP: The fragmented data did not trigger an active probe, which differs from the GFW Traceroute to the sensors suggested: Unicom s sensor appears to operate on the same link as the GFW CERNET sensor appears one hop closer to our server 41

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information