The Anatomy of Web Censorship in Pakistan

Similar documents
The Value of Content Distribution Networks Mike Axelrod, Google Google Public

A Look at the Consequences of Internet Censorship through an ISP Lens

The secret life of a DNS query. Igor Sviridov <sia@nest.org>

How the Great Firewall discovers hidden circumvention servers. Roya Ensafi David Fifield Philipp Winter Nick Weaver Nick Feamster Vern Paxson

DNS Basics. DNS Basics

Where Do You Tube? Uncovering YouTube Server Selection Strategy

A Look at the Consequences of Internet Censorship Through an ISP Lens

Internet Content Distribution

Bypassing Internet Censorship for News Broadcasters

Internet Infrastructure

The Great DNS Wall of China

Understanding and Circumventing The Great Firewall of China

Content Filtering Client Policy & Reporting Administrator s Guide

Debugging With Netalyzr

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

DEPLOYMENT GUIDE Version 1.2. Deploying F5 with Oracle E-Business Suite 12

FortiGate Multi-Threat Security Systems I

Measuring the Web: Part I - - Content Delivery Networks. Prof. Anja Feldmann, Ph.D. Dr. Ramin Khalili Georgios Smaragdakis, PhD

How to Configure Captive Portal

Chapter 8 Router and Network Management

From Internet Data Centers to Data Centers in the Cloud

Detecting Search Lists in Authoritative DNS

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP System v10 with Microsoft IIS 7.0 and 7.5

CS 558 Internet Systems and Technologies

Lab 5 Explicit Proxy Performance, Load Balancing & Redundancy

Cape Girardeau Career Center CISCO Networking Academy Bill Link, Instructor. 2.,,,, and are key services that ISPs can provide to all customers.

Web Caching and CDNs. Aditya Akella

Content Delivery Networks (CDN) Dr. Yingwu Zhu

User-ID Best Practices

CDMA-based network video surveillance System Solutions

Distributed Systems. 23. Content Delivery Networks (CDN) Paul Krzyzanowski. Rutgers University. Fall 2015

efolder White Paper: Three Network Security Tools to Block Dropbox in the Workplace

How To Understand The Power Of A Content Delivery Network (Cdn)

Web Analytics Understand your web visitors without web logs or page tags and keep all your data inside your firewall.

Internet Content Distribution

Web Application Hosting Cloud Architecture

Networking Topology For Your System

Application notes for SIPERA UC-Sec 4.0 Remote User Enablement Solution with Avaya Multimedia Communication System 5100 release 4.0 Issue 1.

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP System v9.x with Microsoft IIS 7.0 and 7.5

Kids and the Internet - Parental Control made easy. Christian Donner

SuperLumin Nemesis. Administration Guide. February 2011

Evaluation Guide. Powerful & Immediate Business Web Security via the Cloud

Ignoring the Great Firewall of China

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Firewall Server 7.2. Release Notes. What's New in Firewall Server 7.2

How To Protect A Dns Authority Server From A Flood Attack

Configuring Your Gateman Server

A Guide to New Features in Propalms OneGate 4.0

bbc Adobe LiveCycle Data Services Using the F5 BIG-IP LTM Introduction APPLIES TO CONTENTS

BorderWare Firewall Server 7.1. Release Notes

CDN and Traffic-structure

Web Traffic Capture Butler Street, Suite 200 Pittsburgh, PA (412)

Request Routing, Load-Balancing and Fault- Tolerance Solution - MediaDNS

Clientless SSL VPN Users

Distributed Systems. 25. Content Delivery Networks (CDN) 2014 Paul Krzyzanowski. Rutgers University. Fall 2014

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

VPNBee manual VPNBee is a firewall by Gayatri Hitech but it is more a product of products rather than a single product.

Implementing Reverse Proxy Using Squid. Prepared By Visolve Squid Team

Automatic Hotspot Logon

Basheer Al-Duwairi Jordan University of Science & Technology

Resonate Central Dispatch

Cisco Configuring Commonly Used IP ACLs

CENSURFRIDNS a.k.a. UNCENSOREDDNS. Thomas Steen Rasmussen

PingFederate. IWA Integration Kit. User Guide. Version 2.6

A Tool for Evaluation and Optimization of Web Application Performance

Step-by-Step Configuration

Enabling Media Rich Curriculum with Content Delivery Networking

REGULATORY OPTIONS TO FACILITATE THE ADOPTION OF INTERNET PARENTAL CONTROLS PUBLIC CONSULTATION RESPONSE FROM NETSWEEPER INC.

How to Train Your (Web) Dragon

User Guide. You will be presented with a login screen which will ask you for your username and password.

Source-Connect Network Configuration Last updated May 2009

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

DEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010

F-Secure Messaging Security Gateway. Deployment Guide

Lab Diagramming External Traffic Flows

Tools and Technology of Internet Filtering

Pass Through Proxy. How-to. Overview:..1 Why PTP?...1

Load Balancing Web Applications

Are Second Generation Firewalls Good for Industrial Control Systems?

GLOBAL SERVER LOAD BALANCING WITH SERVERIRON

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Filter Avoidance and Anonymous Proxy Guard

Lecture 3: Scaling by Load Balancing 1. Comments on reviews i. 2. Topic 1: Scalability a. QUESTION: What are problems? i. These papers look at

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Chapter 4 Restricting Access From Your Network

Index. AdWords, 182 AJAX Cart, 129 Attribution, 174

WPAD TECHNOLOGY WEAKNESSES. Sergey Rublev Expert in information security, "Positive Technologies"

Configuration Guide BES12. Version 12.1

DEPLOYMENT GUIDE DEPLOYING F5 WITH MICROSOFT WINDOWS SERVER 2008

Transcription:

The Anatomy of Web Censorship in Pakistan Zubair Nabi zubair.nabi@cantab.net Information Technology University, Pakistan* Presented by: Mobin Javed UC Berkeley * Now at IBM Research, Dublin

This website is not accessible in Pakistan! First study of the cause, effect, and mechanism of Internet censorship in Pakistan Upgrade to centralized system in the middle of the study (May 2013) Censorship mechanism varies across websites: some blocked at the DNS level; others at the HTTP level Public VPN services and web proxies popular tools to bypass restrictions

Outline Background: Pakistan and related work Methodology Results Alternative circumvention methods Summary Future work Qs

Internet in Pakistan 16 million users or 9% of total population (World Bank, 2012) Out of the total Internet users, 64% access news websites (YouGov, 2011) Largest IXP (AS17557) owned by the state Internet, fixed-line telephony, cable TV, and cellular services regulation by the Pakistan Telecommunication Authority (PTA) Also in charge of censorship

History of Censorship 2006: 12 websites blocked for blasphemous content 2008: A number of YouTube videos blocked IP-wide block via BGP misconfiguration YouTube rendered inaccessible for the rest of the world for 2 hours

History of Censorship (2) 2010: Facebook, YouTube, Flickr, and Wikipedia blocked in reaction to Everybody Draw Muhammad Day PTA sanctioned to terminate any telecom service

History of Censorship (3) 2012 (March): Government requests proposals for gatewaylevel blocking system Filtering from domain level to sub-folder level Blocking individual IPs and/or entire range Plug-and-play hardware units, capable of blocking 50 million URLs Latency < 1ms

History of Censorship (4) 2012 (September): Infinite ban on YouTube in retaliation to Innocence of Muslims Disruption of other Google services due to IP sharing

Related Work Verkamp and Gupta PlanetLab nodes and volunteer machines, 11 countries Key insight: censorship mechanisms vary across countries Mathrani and Alipour Private VPNs and volunteer nodes, 10 countries Key insight: restrictions applicable to all categories of websites: political, social, etc. Dainotti et al. Internet blockage during the Arab Spring

Methodology: Dataset Publicly available list with 597 websites Compiled in 2010 Not exhaustive but a fairly rich of complete domains and subdomains Dataset after cleaning: 307 websites Redundant, broken, and duplicates removed Checked with a public VPN beforehand to ensure connectivity

Methodology: Script Modified version of the CensMon system (FOCI '11) 1) DNS lookup Local and public (Google, Comodo, OpenDNS, Level3, and Norton) 2) IP blacklisting: TCP connection to port 80 3) URL keyword filtering: http://www.google.com/foourl 404 Not Found under normal operation 4) HTTP filtering: HTTP request, log response packet Also, logs transient connectivity errors, such as timeouts

Methodology: Networks ID Nature Location Network1 University Lahore Network2 University Lahore Network3 Home Lahore Network4 Home Islamabad Network5 Cellular (EDGE) Islamabad Network1 and 2: gigabit connectivity Network5 only used for post-april testing Tests performed at night time to minimize interaction with normal traffic Performed on multiple occasions for precision

Results: Pre-April Most websites blocked at DNS-level Local DNS: Non-Existent Domain (NXDOMAIN) Public DNS: NXDOMAIN for Google DNS and Level3 NXDOMAIN redirector in case of Norton DNS, Comodo, and OpenDNS No evidence of IP or URL-keyword filtering Some websites filtered through HTTP 302 redirection Triggered by hostname and object URI Done at the ISP level

ISP-level Warning Screens

Results: Post-April HTTP 302 redirection replaced with IXP-level 200 packet injection Triggered by hostname and URI Because of the 200 code, the browser believes it's a normal response Stops it from fetching content from the intended destination Original TCP connection times out Same response packet and screen across ISPs Except Network4 (still under the influence of pre- April censoring)

IXP-level Warning Screen Same results reported by The Citizen Lab in parallel in June, 2013 System attributed to the Canadian firm Netsweeper Inc. Also applicable to Qatar, UAE, Kuwait, and Yemen

Results: Survey 67 respondents Results biased towards individuals with above-average computer skills Public VPN services, such as Hotspot Shield, most popular Web proxies also popular

Results: Survey 67 respondents Results biased towards individuals with above-average computer skills Public VPN services, such as Hotspot Shield, most popular Web proxies also popular

Alternative Circumvention: Web-based DNS Generally, web-based service can also be used for lookup Results show that same websites also blocked at HTTP-level Similar to South Korea DNS filtering used for websites that resolve to a single site HTTP-level mechanism exclusively used for websites with IPs shared across hostnames and filtering needs to be selective YouTube, Wikipedia, etc.

Alternative Circumvention: CDNs and Search Engine Caches No URL-keyword filtering Blocked websites accessible via CoralCDN Cached pages of blocked content also accessible on Google, Bing, and Internet Archive

Summary Pakistan has undergone an upgrade from ISPlevel to centralized IXP-level censorship Most websites blocked at the DNS level, while a small number at the HTTP level Websites blocked at the DNS level also blocked at HTTP-level Most citizens use public VPNs and web proxies to circumvent restrictions

Future Work Expansion in the number of websites and networks Deeper analysis of DNS blockage For instance, not clear if censoring module maintains a list of all resolvers and their redirectors or it queries the actual resolver each time Examination of side-effects of DNS injection (similar to China) Analysis of Streisand Effect in Pakistan Early results look promising!

Q?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information