Censored Planet Observatory Measuring Internet censorship globally, - - PowerPoint PPT Presentation

censored planet observatory
SMART_READER_LITE
LIVE PREVIEW

Censored Planet Observatory Measuring Internet censorship globally, - - PowerPoint PPT Presentation

May 16, 2023 114 likes •647 views

Censored Planet Observatory Measuring Internet censorship globally, continuously, and remotely Internet Measurement Village 2020 Ram Sundara Raman June 26, 2020 Measuring Censorship is a Complex Problem! Internet censorship practices are

slide-1
SLIDE 1

Ram Sundara Raman June 26, 2020

Censored Planet Observatory

Measuring Internet censorship globally, continuously, and remotely

Internet Measurement Village 2020

slide-2
SLIDE 2

Measuring Censorship is a Complex Problem!

2

Internet censorship practices are diverse in their methods, targets, timing, differing by regions (even within countries or networks), as well as across time.

slide-3
SLIDE 3

Server

?

Direct Censorship Measurement

  • Ask people on the ground, or deploy

software or hardware in censored region (e.g. OONI probe, FreedomHouse)

  • Use VPNs, or research networks (e.g.

PlanetLab, ICLab)

Client

3

slide-4
SLIDE 4

Synchronization

New updates and censorship measurement techniques must be pushed, and detection may be delayed

Ethics

Risky to run censorship measurements unless the proper precautions are taken

Challenges with Direct Measurements

Scale

Takes tremendous effort to recruit a large number of volunteers or access points

Coverage

Hard to obtain access points that cover a majority

  • f networks in the country

Continuity

Hard to continuously and repetitively run measurements using volunteers

4

slide-5
SLIDE 5

IPv4 hosts - Internet infrastructure is everywhere

5

slide-6
SLIDE 6

Remote Censorship Measurements

6

Can we detect whether pairs of hosts around the world can talk to each other without controlling either endpoint?

Client Server Measurement Machine

?

slide-7
SLIDE 7

Company ISP ISP DNS query censoredplanet.org

IP routing TCP handshake (opt) TLS handshake HTTP requests

Censorship can occur at multiple protocol layers

Challenge: Design methods to detect interference remotely at all network layers, without end-user participation.

7

Server Client DNS resolver

slide-8
SLIDE 8

Company ISP ISP

IP routing TCP handshake (opt) TLS handshake HTTP requests

Censorship can occur at multiple protocol layers

8

Server DNS query censoredplanet.org Client DNS resolver

Satellite and Iris (https://www.censoredplanet.org/projects/satellite)

slide-9
SLIDE 9

Company ISP ISP DNS query censoredplanet.org

IP routing TCP handshake (opt) TLS handshake HTTP requests

Censorship can occur at multiple protocol layers

9

Server Client DNS resolver

Spooky Scan and Augur (https://www.censoredplanet.org/projects/augur)

slide-10
SLIDE 10

Company ISP ISP DNS query censoredplanet.org

IP routing TCP handshake (opt) TLS handshake HTTP requests

Censorship can occur at multiple protocol layers

10

Server Client DNS resolver

Quack and Hyperquack (https://www.censoredplanet.org/projects/quack) (https://www.censoredplanet.org/projects/hyperquack)

slide-11
SLIDE 11

Remote Measurement Techniques

11

Satellite and Iris

Measure application-layer keyword censorship using Echo and HTTP(S) servers

Quack and Hyperquack

Measure DNS manipulation using Open DNS resolvers Measure global TCP/IP blocking using IP ID side channels

Spooky Scan and Augur

1 2 3

slide-12
SLIDE 12

Remote Measurement Techniques

12

Satellite and Iris

Measure application-layer keyword censorship using Echo and HTTP(S) servers

Quack and Hyperquack

Measure DNS manipulation using Open DNS resolvers Measure global TCP/IP blocking using IP ID side channels

Spooky Scan and Augur

1 2 3

slide-13
SLIDE 13

DNS query for https://censoredplanet.org 216.239.34.21 200.31.1.49

DNS Manipulation

13

Client DNS Resolver

slide-14
SLIDE 14

Satellite & Iris

OpenDNS Resolver DNS query for censoredplanet.org Test IP

1 2

Measurement Machine

14

slide-15
SLIDE 15

Satellite & Iris

OpenDNS Resolver DNS query for censoredplanet.org Test IP Control Resolvers D N S q u e r y f

  • r

c e n s

  • r

e d p l a n e t .

  • r

g C

  • n

t r

  • l

I P

1 2 3 4

Measurement Machine

15

slide-16
SLIDE 16

Satellite & Iris

OpenDNS Resolver DNS query for censoredplanet.org Test IP Control Resolvers D N S q u e r y f

  • r

c e n s

  • r

e d p l a n e t .

  • r

g C

  • n

t r

  • l

I P

Compare:

  • Test IP vs Control IP
  • HTTP content hashes
  • TLS certificates
  • ASN and AS Name

etc.

1 2 3 4 5

Measurement Machine

16

slide-17
SLIDE 17

Satellite Scale, Coverage and Ethics

  • More than 8.2 million OpenDNS resolvers in 232 countries
  • To reduce risk, we want to choose infrastructural resolvers
  • We use resolvers with a valid PTR record beginning with the subdomain

ns[0-9]* or nameserver[0-9]* → Likely to be part of big organizations

  • 30k resolvers in ~4,500 ASes in 175 countries
  • Stable DNS resolvers allow us to repetitively run measurements over time

17

slide-18
SLIDE 18

Remote Measurement Techniques

18

Satellite and Iris

Measure application-layer keyword censorship using Echo and HTTP(S) servers

Quack and Hyperquack

Measure DNS manipulation using Open DNS resolvers Measure global TCP/IP blocking using IP ID side channels

Spooky Scan and Augur

1 2 3

slide-19
SLIDE 19

Application-layer keyword blocking

TCP Handshake GET https://censoredplanet.org

RST RST

User Server

19

slide-20
SLIDE 20

Quack

Measurement Machine T C P E c h

  • S

e r v e r

GET https://ooni.org

TCP Handshake GET https://ooni.org

20

An Echo service simply sends back to the

  • riginating source any data it receives.
slide-21
SLIDE 21

Quack

Measurement Machine T C P E c h

  • S

e r v e r

GET https://censoredplanet.org

TCP Handshake Inject Inject GET https://censoredplanet.org

33,000 usable Echo Servers in ~2,800 ASes in 166 countries

21

slide-22
SLIDE 22

Hyperquack

22

Measurement Machine Web Server TCP Handshake

104.198.14.52

slide-23
SLIDE 23

Hyperquack

23

Measurement Machine Web Server TCP Handshake

104.198.14.52

slide-24
SLIDE 24

Hyperquack

24

Measurement Machine Web Server TCP Handshake

104.198.14.52

GET https://ooni.org

slide-25
SLIDE 25

Hyperquack

25

Measurement Machine Web Server TCP Handshake

104.198.14.52

GET https://censoredplanet.org

slide-26
SLIDE 26

Hyperquack

26

Measurement Machine Web Server TCP Handshake

104.198.14.52

GET https://torproject.org

slide-27
SLIDE 27

Hyperquack

Measurement Machine Web Server GET http://example{1,2,3}.com TCP Handshake HTTP reply (e.g., Status Code: 302 Found) Build Canonical template of server response

27

slide-28
SLIDE 28

Hyperquack

Measurement Machine Web Server GET http://example{1,2,3}.com TCP Handshake HTTP reply (e.g., Status Code: 302 Found) Build Canonical template of server response

28

GET http://censoredplanet.org Inject Response different from Canonical Template: Censorship

slide-29
SLIDE 29

Hyperquack Scale, Coverage and Ethics

  • More than 50 million web servers (all around the world)
  • To reduce risk, we want to choose infrastructural vantage points
  • Use web servers that produce a valid EV certificate, as they are more likely

to be organizational

  • After filtering for capacity, we regularly use 30k web servers in ~3,800 ASes

in 191 countries

29

slide-30
SLIDE 30

Remote Measurement Techniques

30

Satellite and Iris

Measure application-layer keyword censorship using Echo and HTTP(S) servers

Quack and Hyperquack

Measure DNS manipulation using Open DNS resolvers Measure global TCP/IP blocking using IP ID side channels

Spooky Scan and Augur

1 2 3

slide-31
SLIDE 31

31

Satellite & Iris Quack & Hyperquack Spooky Scan & Augur

slide-32
SLIDE 32

Censored Planet Observatory

The Censored Planet Observatory uses remote measurement tools to scalably, ethically and continuously measure different kinds of global Internet censorship

32

slide-33
SLIDE 33

Censored Planet Observatory

33

  • Launched in August 2018 and running continuously since
  • Continuous baseline of reachability data for 2000 sensitive domains

and IP addresses (From Alexa and Citizen Lab) each week

  • More than 95,000 vantage points in 221 countries and territories

(updated every week)

  • Rapid focus capabilities to analyze censorship events in detail
slide-34
SLIDE 34

25 billion

Measurements over 22 Months

221 countries

42%-360% increase compared to OONI, ICLab

8 ASes (median)/country

Median increase of 4-7 ASes per country

34

slide-35
SLIDE 35

Vantage Points in March 2020 (Scale 1 - 29,617)

35

slide-36
SLIDE 36

Vantage Points over time

36 Number of vantage points

slide-37
SLIDE 37

Identifying Network Censorship Devices

Censored Planet data identified the deployments of many network censorship devices

Publication - Measuring the Deployment of Network Censorship Filters at Global Scale; R. Sundara Raman, A. Stoll, J. Dalek, R. Ramesh, W. Scott, and

  • R. Ensafi; Network and Distributed System Security

Symposium (NDSS), 2020 37

slide-38
SLIDE 38

Investigating Russia’s Censorship Model

Censored Planet helped investigate large-scale ISP specific blocking of online resources in Russia’s authoritative blocklist.

Publication - Decentralized Control: A Case Study of Russia; R. Ramesh, R. Sundara Raman, M. Bernhard,

  • V. Ongkowikaya, L. Evdokimov, A. Edmundson, S.

Sprecher, M. Ikram, and R. Ensafi; Network and Distributed System Security Symposium (NDSS), 2020 38

slide-39
SLIDE 39

Complementing Direct Measurements

Censored Planet can complement in-depth direct measurements by providing higher scale. Censored Planet data confirmed OONI’s observation about the blocking of abortion rights websites.

Report - https://ooni.org/post/2019-blocking-abortion-right s-websites-women-on-waves-web/ 39

slide-40
SLIDE 40

Censored Planet’s Rapid Focus

Kazakhstan’s HTTPS interception https://censoredplanet.org/kazakhstan

40

slide-41
SLIDE 41

Kazakhstan’s National TLS Interception

  • July 17, 2019 : Government

started intercepting large fraction of HTTPS traffjc within its borders.

  • Local ISPs told to instruct users

to install a government-issued certificate on all devices and in every browser.

41

slide-42
SLIDE 42

How the interception works

42

slide-43
SLIDE 43

What does this mean for users?

  • Complete visibility
  • Traffjc modification
  • Selective blocking

Haven’t installed the fake cert?

  • Security warnings for all website

access

  • Access essentially blocked if

HSTS is enabled

43

slide-44
SLIDE 44

Detecting the interception

44

  • Hyperquack detects the use of rogue certificates
  • Measurements to some VPs in Kazakhstan saw the `Qaznet Trust Network` cert
slide-45
SLIDE 45

Running customized measurements

45

slide-46
SLIDE 46

Observations

46

  • Only 7.0 - 24% of TLS hosts tested had certificates injected →

interception only happened in a fraction of the country.

  • Using TTL-limited measurements, observed only certain portions of the

connections, passing through AS9198 (KazakhTelecom) were affected

slide-47
SLIDE 47

Observations

47

37 domains were affected - Mostly social media domains ○ 20 Google domains ○ 7 Facebook domains ○ 4 vk domains

slide-48
SLIDE 48

Longitudinal Tracking

48

slide-49
SLIDE 49

Browsers Take a Stand Against Interception

The use of ‘Qaznet Trust Network’ root CA certificate in Chrome, Firefox, and Safari is now prevented.

49

slide-50
SLIDE 50

50

https://censoredplanet.org/

  • bservatory

Website

Please contact us at: censoredplanet@umich.edu

slide-51
SLIDE 51

Some Future Plans

51

  • Expanding rapid focus capabilities - Ability to quickly run custom

measurements working with the community

  • Real-time data analysis pipeline and API for easy access into the

data

  • Collaborating with direct measurement platforms like OONI to

combine the power of both worlds

slide-52
SLIDE 52

https://censoredplanet.org Contact us at censoredplanet@umich.edu

Thank you!

52