detecting probe resistant proxies
play

Detecting Probe-resistant Proxies Sergey Frolov, Jack Wampler, Eric - PowerPoint PPT Presentation

Oct 25, 2022 •19 likes •479 views

Detecting Probe-resistant Proxies Sergey Frolov, Jack Wampler, Eric Wustrow University of Colorado Boulder Proxies Censored User obfs3 proxy Censor-Controlled Network Active Probing obfs3?? Lets confirm! Censored User obfs3 proxy

  1. Detecting Probe-resistant Proxies Sergey Frolov, Jack Wampler, Eric Wustrow University of Colorado Boulder

  2. Proxies Censored User obfs3 proxy Censor-Controlled Network

  3. Active Probing obfs3?? Let’s confirm! Censored User obfs3 proxy Censor-Controlled Network

  4. Active Probing *speaks obfs3* Censored User obfs3 proxy Censor-Controlled Network

  5. Active Probing *speaks obfs3 back* Censored User obfs3 proxy Censor-Controlled Network

  6. Active Probing Okay, now I can safely block this endpoint. Censored User obfs3 proxy Censor-Controlled Network

  7. Thwarting Active Probing ● Probe-Resistant proxies ○ Require knowledge of shared secret to use ○ Don’t know secret? Server remains silent

  8. Thwarting Active Probing *Tries to speak obfs4 without knowing server’s password* Censored User obfs4 proxy Censor-Controlled Network

  9. Thwarting Active Probing *Remains silent* Censored User obfs4 proxy Censor-Controlled Network

  10. Thwarting Active Probing Not sure if I can block this Censored User obfs4 proxy Censor-Controlled Network

  11. Probing Probe-Resistant proxies Are these proxies actually probe-resistant in practice? ● How common is the behavior of proxies to never respond to HTTP, TLS, ...any protocol? ○ If not common, censor can block it.

  12. Probing Probe-Resistant proxies We need a source of TCP endpoints on the internet to compare their responses with Probe-Resistant proxies’ responses. We have 2 datasets: ZMap Dataset Tap Dataset 785k endpoints 433k endpoints

  13. Probing Probe-Resistant proxies We used the following probes: 1. HTTP 2. TLS ClientHello 3. Modbus 4. S7 5. Random bytes (23B - 17KB) 6. Empty probe 7. DNS zone Transfer 8. STUN

  14. Probing Probe-Resistant proxies For each probe we record 3 ‑ tuple result : ● Time to close ● Type of close (FIN, RST or TIMEOUT) ● Size of response data ● Probe-resistant proxies never respond!

  15. Endpoints that respond with data Probe Tap dataset TLS 87.8% HTTP 64.6% DNS-AXFR 58.8% S7 56.9% STUN 52.5% Modbus 51.4% Empty 8.4% Any 94.0% Response alone can distinguish 94% of endpoints in the realistic Tap dataset from proxies.

  16. Endpoints that respond with data Probe Tap dataset ZMap dataset TLS 87.8% 0.90% HTTP 64.6% 0.95% DNS-AXFR 58.8% 0.67% S7 56.9% 0.66% STUN 52.5% 0.56% Modbus 51.4% 0.54% Empty 8.4% 0.23% Any 94.0% 1.16% Very few “legitimate” services (lots of firewalls/honeypots)

  17. Probing Probe-Resistant proxies How do our probe-resistant proxies respond to those probes? We examine: ● obfs4 ● ObfuscatedSSH ● Lampshade ● MTProto Proxy ● Shadowsocks-Outline ● Shadowsocks-Python

  18. Probing ObfuscatedSSH How else can we distinguish proxies from remaining 6%? Probe Close Close Probe Close Close Time (s) Type Time (s) Type Modbus 30.237 FIN HTTP GET 0.250 RST S7 30.236 FIN TLS ClientHello 0.240 RST Random 23 30.238 FIN Random 25, 47, 0.237 - RST 51, 7KB, 17KB 0.251 Empty probe 30.238 FIN DNS AXFR 0.242 RST STUN 0.236 RST

  19. Proxy server code clientConn := listener.Accept()

  20. Proxy server code clientConn := listener.Accept() clientConn.SetDeadline(in30Seconds)

  21. Proxy server code clientConn := listener.Accept() clientConn.SetDeadline(in30Seconds) buffer := make([]byte, 50)

  22. Proxy server code clientConn := listener.Accept() clientConn.SetDeadline(in30Seconds) buffer := make([]byte, 50) error := io.ReadFull(clientConn, buffer) if error != nil { // didn’t get 50 bytes in 30s clientConn.Close() return }

  23. Proxy server code clientConn := listener.Accept() clientConn.SetDeadline(in30Seconds) buffer := make([]byte, 50) error := io.ReadFull(clientConn, buffer) if error != nil { // didn’t get 50 bytes in 30s clientConn.Close() return } if !checkCredentials(buffer) { clientConn.Close() return } // do the proxying here

  24. Close Thresholds Probe Size Response Close Close Size Time Type 49 bytes or fewer 0 30s FIN 50 bytes 0 Right away FIN 51 bytes or more 0 Right away RST Can probe-resistant proxies be distinguished from other servers due to such thresholds?

  25. Investigating Close Thresholds ● Built a threshold scanner to binary search for close thresholds ○ Send random data of different lengths ○ Scanned Tap/ZMap endpoints to compare with probe-resistant proxies ○ Check for “stability”

  26. Proxies’ thresholds FIN Threshold RST Threshold Proxy ObfuscatedSSH 24 B 25 B Shadowsocks-Python 50 B - Shadowsocks-Outline 50 B 51 B Lampshade 256 B 257 B obfs4 8 KB - 16 KB next mod 1448 MTProto - -

  27. Investigating Close Thresholds Tap Dataset ZMap Dataset Endpoints 433k 779k “Stable” thresholds 144k (33.5%) 116k (15%)

  28. Investigating Close Thresholds Tap Dataset ZMap Dataset Endpoints 433k 779k “Stable” thresholds 144k (33.5%) 116k (15%) Why so few stable close thresholds? Sent data response 257k (59.5%) 5k (0.7%) Error 3k (0.8%) 568k (73%) “Unstable” thresholds 27k (6.2%) 88k (11.3%)

  29. Tap Endpoints’ Stable Thresholds 5, 11 and no threshold are the most common.

  30. Decision Trees We built manual decision trees to detect Probe-Resistant proxies based on their responses to our probes. We also evaluated automatic decision trees, but they seemed less practical (see Appendix).

  31. Manual ObfuscatedSSH decision tree

  32. Manual Lampshade Decision Tree

  33. Decision tree results Decision Tree Labeled Proxy Tap ZMap Lampshade 0 1 ObfuscatedSSH 8 0 obfs4 2 0 Shadowsocks-Python 0 8 Shadowsocks-Outline 0 7 MTProto 3144 296

  34. Manual MTProto decision tree

  35. Defense Strategies ● Recommended: never respond, never close connection ○ 0.56% of Tap dataset ● Randomizing parameters, such as timeout, on a per-server basis increases the overall size of “Anonymity Set” for your transport. ● Stable thresholds are a fingerprint ○ To fix don’t close immediately after handshake fails and keep draining the buffer until the timeout

  36. Responsible Disclosure We disclosed the presence of unique close thresholds to the devs, and as a result, it was removed from: ● OSSH on May 13, 2019 ● obfs4 on June 21, 2019 (version 0.0.11) ● SS-Outline on September 4, 2019 (version 1.0.7) ● Lampshade on October 31, 2019 Timeouts still have to be chosen with care.

  37. Probe-indifferent Server Timeouts (Tap) TODO: timeouts! TODO: either put them here or in the backup But note: popular values might be limited to specific applications

  38. Conclusions ● Probe-resistant proxies aren’t (or weren’t!) ○ Never responding with data is uncommon on the Internet ○ Connection timeouts and thresholds can be used to fingerprint server applications ● Notified proxy developers ○ Removed thresholds ○ But choosing timeouts still tricky ● Long-term: investigate alternative proxy protocols ○ e.g. Domain Fronting, Refraction, HTTPS-proxy

  39. FIN Thank you for attention!

  40. Backup

  41. Internet Censorship Mean percentage of domains from Satellite input list blocked per country. Source: https://censoredplanet.org/data/visualizations

  42. https://gfw.report ● “ How China Detects and Blocks Shadowsocks ” describes evidence of a similar active probing attack occuring in China in 2019.

  43. Removing Close Threshold How to fix this behavior? Probe Size Response Close Close Size Time Type 49 bytes or fewer 0 30 sec FIN 50 bytes 0 Right away FIN 51 bytes or more 0 Right away RST

  44. Removing Close Threshold clientConn := listener.Accept() clientConn.SetDeadline(in30Seconds) buffer := make([]byte, 50) error := io.ReadFull(clientConn, buffer) if error != nil { // didn’t get 50 bytes in 30s clientConn.Close() return } if !checkCredentials(buffer) { clientConn.Close() return } // do the proxying here

  45. Removing Close Threshold clientConn := listener.Accept() clientConn.SetDeadline(in30Seconds) buffer := make([]byte, 50) error := io.ReadFull(clientConn, buffer) if error != nil { // didn’t get 50 bytes in 30s clientConn.Close() return } if !checkCredentials(buffer) { io.Copy(ioutil.Discard, clientConn) clientConn.Close() return }

  46. Removing Close Threshold Probe Size Response Close Close Size Time Type 49 bytes or fewer 0 30 sec FIN 50 bytes 0 30 sec FIN 51 bytes or more 0 30 sec FIN

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture

Optimized or Balanced Mix Design Crack Resistant Rut Resistant Resistant to Moisture Damage 1 Balanced Mix Design: ETG Definition Asphalt mix design using performance tests on appropriately conditioned specimens that address

480 views • 46 slides
12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides
1 Executive Summary Database Proxies: Improves SQL read/write performance and

1 Executive Summary Database Proxies: Improves SQL read/write performance and

1 Executive Summary Database Proxies: Improves SQL read/write performance and reliability Deployment requires no application changes Demo 2 IMDG vs. Database Proxies Feature ProxySQL Automated Failover

335 views • 17 slides
POEMMA POEMMA: Probe of Extreme : Probe of Extreme Multi-Messenger Astrophysics Multi-Messenger

POEMMA POEMMA: Probe of Extreme : Probe of Extreme Multi-Messenger Astrophysics Multi-Messenger

POEMMA POEMMA: Probe of Extreme : Probe of Extreme Multi-Messenger Astrophysics Multi-Messenger Astrophysics Angela V. Olinto ICRC 2017:18 July NASA Probe Studies for 2020 Decadal Survey - NASA funding 10 Probe Class (below 1B$)

419 views • 29 slides
Metaprogramming & JavaScript Object Proxies What is metaprogramming ? Writing programs that

Metaprogramming & JavaScript Object Proxies What is metaprogramming ? Writing programs that

C152 Programming Language Paradigms Prof. Tom Austin, Fall 2014 Metaprogramming & JavaScript Object Proxies What is metaprogramming ? Writing programs that manipulate other programs. JavaScript Proxies Special metaprogramming

594 views • 24 slides
Wedge Probe Cards PCBs, Connectors, Applications HTT High Tech Trade GmbH HTT Wedge Probe Cards

Wedge Probe Cards PCBs, Connectors, Applications HTT High Tech Trade GmbH HTT Wedge Probe Cards

Wedge Probe Cards PCBs, Connectors, Applications HTT High Tech Trade GmbH HTT Wedge Probe Cards Dresden Location Hartmut Wauer, Rev1.0, January 2014 Zur Wetterwarte 50, Haus 337b Page 1 D-01109 Dresden Wedge Probe Cards made by HTT Probe Card

249 views • 14 slides
What is the Vehicle Probe Project? The VPP works with a traffic probe data marketplace

What is the Vehicle Probe Project? The VPP works with a traffic probe data marketplace

What is the Vehicle Probe Project? The VPP works with a traffic probe data marketplace first created in 2008. Three highly qualified vendors (HERE, INRIX and TomTom) were selected by a team of agency members to provide data to agencies

280 views • 14 slides
Interstellar Probe Study Webinar Series The Interstellar Probe Study Year 2 Update Ralph L.

Interstellar Probe Study Webinar Series The Interstellar Probe Study Year 2 Update Ralph L.

Interstellar Probe Study Webinar Series The Interstellar Probe Study Year 2 Update Ralph L. McNutt, Jr. Study Principal Investigator Johns Hopkins University Applied Physics Laboratory 12:05 PM Thursday, 28 May 2020 Interstellar Probe

519 views • 33 slides
On the Bi-Enhancement of Chordal-Bipartite Probe Graphs Elad Cohen Martin Charles Golumbic

On the Bi-Enhancement of Chordal-Bipartite Probe Graphs Elad Cohen Martin Charles Golumbic

On the Bi-Enhancement of Chordal-Bipartite Probe Graphs Elad Cohen Martin Charles Golumbic Marina Lipshteyn Michal Stern Outline Definitions C -probe problem Previous work C -probe graphs: Chordal probe

550 views • 20 slides
Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L i L L Long ong I I Islan I l and S d S d S d Soun ound d with with NERACOOS Buoy y Observations James ODonnell, Todd Fake, Kay

815 views • 26 slides
Nernst effect as a probe of Nernst effect as a probe of electronic correlations Kamran Behnia

Nernst effect as a probe of Nernst effect as a probe of electronic correlations Kamran Behnia

Nernst effect as a probe of Nernst effect as a probe of electronic correlations Kamran Behnia Ecole Suprieure de Physique et de Chimie Industrielles Paris The team in ESPCI Romain Bel Alexandre Pourret Herv Aubin Marie-Aude

964 views • 60 slides
Scanning Probe Microscopy L. J. Heyderman 2 Scanning Probe Microscopy If an atom was as

Scanning Probe Microscopy L. J. Heyderman 2 Scanning Probe Microscopy If an atom was as

1 Scanning Probe Microscopy L. J. Heyderman 2 Scanning Probe Microscopy If an atom was as large as a ping-pong ball... ...the tip would have the size of the L. J. Heyderman Matterhorn! 3 Magnetic Force Microscopy Stray field

147 views • 14 slides
Practical Considerations in Atom Probe Tip Making Using FIB-SEM Nicholas Antoniou & Andrew

Practical Considerations in Atom Probe Tip Making Using FIB-SEM Nicholas Antoniou & Andrew

Practical Considerations in Atom Probe Tip Making Using FIB-SEM Nicholas Antoniou & Andrew Magyar Center for Nanoscale Systems Harvard University Outline The 3D Atom Probe Microscope Operation of the 3D Atom Probe Sample

192 views • 16 slides
Profometer PM-600 / PM-630 overview Profometer PM-600 / PM-630: - High resolution touch screen

Profometer PM-600 / PM-630 overview Profometer PM-600 / PM-630: - High resolution touch screen

Profometer PM-600 / PM-630 overview Profometer PM-600 / PM-630: - High resolution touch screen unit - Universal probe and Spot probe integrated in one unit - Detachable probe cart - LED indicators - Control buttons directly on the probe -

482 views • 9 slides
EEG Probe Project Grant G. Connell EEG Probe Project Design Objectives Investigate BCI

EEG Probe Project Grant G. Connell EEG Probe Project Design Objectives Investigate BCI

EEG Probe Project Grant G. Connell EEG Probe Project Design Objectives Investigate BCI for severely handicapped individuals Use time, frequency, and phase displays Use DSP techniques for near real time responses Use only

505 views • 27 slides
Metaprogramming & JavaScript Object Proxies Prof. Tom Austin San Jos State University

Metaprogramming & JavaScript Object Proxies Prof. Tom Austin San Jos State University

CS 152: Programming Language Paradigms Metaprogramming & JavaScript Object Proxies Prof. Tom Austin San Jos State University What is metaprogramming ? Writing programs that manipulate other programs. JavaScript Proxies

380 views • 27 slides
Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth Workshop on Computer Architecture Research with RISC-V (CARRV 2020) May 29 th , 2020 Nils Wistoff Moritz Schneider Frank K. Grkaynak Luca Benini

750 views • 58 slides
The generalized split probe problem Celina Miraglia Herrera de Figueiredo workshop on graphs and

The generalized split probe problem Celina Miraglia Herrera de Figueiredo workshop on graphs and

The generalized split probe problem Celina Miraglia Herrera de Figueiredo workshop on graphs and algorithms In honor of Derek Corneils contributions to graph theory and computer science C probe graphs Given a graph class C , a graph G = ( V ,

557 views • 16 slides
DTrace/SystemTap SDT Probes in OpenAFS Andrew Deason June 2019 OpenAFS Workshop 2019 1

DTrace/SystemTap SDT Probes in OpenAFS Andrew Deason June 2019 OpenAFS Workshop 2019 1

DTrace/SystemTap SDT Probes in OpenAFS Andrew Deason June 2019 OpenAFS Workshop 2019 1 Userspace DTrace Background Specify triggers on events (function calls) No special support needed Complex functionality builtin threading

310 views • 14 slides
Dynamic VM Monitoring using Hypervisor Probes Z. J. Estrada , C. Pham, F. Deng, L. Yan, Z.

Dynamic VM Monitoring using Hypervisor Probes Z. J. Estrada , C. Pham, F. Deng, L. Yan, Z.

Dynamic VM Monitoring using Hypervisor Probes Z. J. Estrada , C. Pham, F. Deng, L. Yan, Z. Kalbarczyk, R. K. Iyer European Dependable Computing Conference 2015-09-09 ECE ILLINOIS 1 Department of Electrical and Computer Engineering Dynamic VM

1.08k views • 76 slides
Thank you. Two of my coauthors are here today, Derekand the first author, Zander. 1 Let us

Thank you. Two of my coauthors are here today, Derekand the first author, Zander. 1 Let us

Thank you. Two of my coauthors are here today, Derekand the first author, Zander. 1 Let us begin with breakdown of the lighting factors in this scene 2 Heres the scene with direct illumination and no materials. What I want you to notice

1.47k views • 59 slides
DTrace Topics: -> java/lang/System.arraycopy <- java/lang/System.arraycopy Java <-

DTrace Topics: -> java/lang/System.arraycopy <- java/lang/System.arraycopy Java <-

# ./jflow.d <- java/lang/Thread.sleep -> Greeting.greet -> java/io/PrintStream.println -> java/io/PrintStream.print -> java/io/PrintStream.write -> java/io/PrintStream.ensureOpen <- java/io/PrintStream.ensureOpen ->

632 views • 34 slides
Aggregation and Aggregation and Correlation of Correlation of Intrusion-Detection

Aggregation and Aggregation and Correlation of Correlation of Intrusion-Detection

Aggregation and Aggregation and Correlation of Correlation of Intrusion-Detection Intrusion-Detection Alerts Alerts Herv Debar Herv Debar France Tlcom R&D France Tlcom R&D Andreas Wespi Andreas Wespi IBM Zurich

550 views • 23 slides
Hash Table Analysis When do hash tables degrade in performance? How should we set the maximum

Hash Table Analysis When do hash tables degrade in performance? How should we set the maximum

Hash Table Analysis When do hash tables degrade in performance? How should we set the maximum load factor? It is especially important to know the average behavior of a hashing method, because we are committed to trusting in the laws of

579 views • 22 slides

More recommend