Exposing and Evading Middlebox Policies DAVID CHOFFNES Middleboxes - - PowerPoint PPT Presentation



SLIDE 1

Exposing and Evading Middlebox Policies

DAVID CHOFFNES

SLIDE 3

Middleboxes are pervasive

In-network functionality can be really helpful

  • Security (IPS)
  • Performance (proxies)
  • Fairness (traffic management)

Double-edged sword

  • “Security” (censorship)
  • “Performance” (transcoding to degraded quality)
  • “Fairness” (throttling or boosting specific apps)

SLIDE 4

Context

Some device in the network (a middlebox) uses DPI to classify traffic and apply policies accordingly

SLIDE 5

Key open questions

  • What is the nature of deployed middlebox policies?
  • How do middleboxes enforce policies?
  • What are (un)intentional consequences?
  • What can users do about this?

SLIDE 7

Challenges for middlebox research

Middleboxes are protected, undisclosed systems

  • Expensive (5-6 figures)
  • Hard to acquire
  • Little-to-no documentation
  • (Almost) never acknowledged

Understanding policies requires targeted traffic

  • Need to identify potential targets
  • Potentially requires lots of tests
  • Not clear a priori what signals to use to detect classification

SLIDE 11

Our approach

Examine (in detail) a small testbed of DPI middleboxes

  • Clear signals for classification
  • Control over policies applied to classes

Extend to operationally deployed devices

Use application-generated traffic to trigger policies

  • Then explore what part of traffic triggered them
  • Identify implications of inferred implementations

Systematically violate assumptions in classifiers

SLIDE 12

What are middleboxes doing?

SLIDE 15

What are middleboxes doing (2015)?

Legend for the chart on this slide:

  m: content modified on the fly
  p: translucent proxies change connection behavior

Stopped after Open Internet Order…

We will keep monitoring...

SLIDE 18

How do they classify traffic?

DPI: It’s dumber than you think

What isn’t it looking at?

  • IP addresses
  • Traffic timings

What is it looking for?

  • Specific keywords (or bytes)
  • With limited understanding of deployed protocols

SLIDE 19

How do they classify traffic?

SLIDE 22

What are unintentional consequences?

Header        Example Value                        Example Application
User-Agent    User-Agent: GalaxyWarsMultiplayer    iPlayer

SLIDE 32

What are unintentional consequences?

Free riding on T-Mobile

  GET /
  X-Host: foo.com
  Host: hbogo.com
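
Added example (not from the slides or the speaker's testbed): a toy DPI classifier in Python that behaves the way slides 18, 22 and 32 describe, keying on literal byte strings in a flow's first payload and never consulting addresses or timing. The two rules, the policy names, the 512-byte inspection window, the IP addresses and the request bodies are constructed for the illustration; only the User-Agent and Host values are taken from the slides.

```python
"""Toy DPI classifier of the kind the slides describe (added illustration,
not the speaker's testbed code). Rules, policy names, addresses, the
inspection window and the requests are all constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy rules: (policy name, literal byte pattern).
# Patterns are plain substrings; there is no HTTP parsing at all.
RULES: List[Tuple[str, bytes]] = [
    ("zero-rate", b"Host: hbogo.com"),                       # Host value from slide 32
    ("app-specific", b"User-Agent: GalaxyWarsMultiplayer"),  # User-Agent value from slide 22
]
INSPECT_BYTES = 512  # constructed: only the first 512 B of a flow are examined


@dataclass
class Packet:
    ts: float      # arrival time in seconds (constructed)
    src: str       # source IP (constructed)
    dst: str       # destination IP (constructed)
    payload: bytes


def classify(flow: List[Packet]) -> Optional[str]:
    """Return the first policy whose pattern occurs in the flow's first bytes.

    Only payload bytes are consulted. ts, src and dst are never read, which is
    the 'what isn't it looking at' point: address and timing do not matter.
    Because the test is a raw substring match, the classifier does not know
    which header the bytes belong to or where the request is really going.
    """
    first = b"".join(p.payload for p in flow)[:INSPECT_BYTES]
    for policy, needle in RULES:
        if needle in first:
            return policy
    return None


def http_request(host: str, user_agent: str, extra_headers: str = "") -> bytes:
    """Build a constructed HTTP/1.1 request; extra_headers go before Host."""
    return (f"GET / HTTP/1.1\r\n{extra_headers}Host: {host}\r\n"
            f"User-Agent: {user_agent}\r\n\r\n").encode()


def demo() -> dict:
    """Exercise the three behaviours the slides point at."""
    verdicts = {}

    # 1. Same bytes, different source address, very different timing:
    #    identical verdict, because neither field is consulted.
    fast = [Packet(0.000, "10.0.0.1", "203.0.113.10",
                   http_request("hbogo.com", "Mozilla/5.0"))]
    slow = [Packet(9.000, "192.168.5.7", "203.0.113.10",
                   http_request("hbogo.com", "Mozilla/5.0"))]
    verdicts["fast"] = classify(fast)
    verdicts["slow"] = classify(slow)

    # 2. Slide 22: any client sending the matched User-Agent string is
    #    classified as the targeted application, whatever it actually is.
    other_app = [Packet(0.0, "10.0.0.2", "198.51.100.5",
                        http_request("example.net", "GalaxyWarsMultiplayer"))]
    verdicts["other_app"] = classify(other_app)

    # 3. Slide 32: the request carries 'Host: hbogo.com', so the policy fires
    #    on those bytes alone; the X-Host header naming foo.com and the
    #    packet's real destination address play no part in the verdict.
    free_ride = [Packet(0.0, "10.0.0.3", "198.51.100.9",
                        http_request("hbogo.com", "Mozilla/5.0",
                                     extra_headers="X-Host: foo.com\r\n"))]
    verdicts["free_ride"] = classify(free_ride)

    # 4. Payload without any rule pattern: no policy, wherever it goes.
    tls_like = [Packet(0.0, "10.0.0.4", "203.0.113.10",
                       b"\x16\x03\x01\x00\x10constructed-bytes")]
    verdicts["no_match"] = classify(tls_like)
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```

Running demo() shows the three consequences side by side: the same bytes get the same verdict whatever the source address or arrival time; any client that emits the matched User-Agent string is treated as the targeted application; and a request carrying the matched Host bytes is classified by those bytes alone, regardless of the X-Host header or of where the packet is actually addressed.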

SLIDE 35

What can users do about this?

Axiom: Middleboxes necessarily infer end-to-end state using incomplete information

Hypothesis: It is possible to systematically identify and violate assumptions used in inference, unilaterally at the transport/network layer

Our approach: Build a system that automatically and efficiently does this, to enable user control over the impact of policies

  • Evade censorship
  • Select policies applied to traffic
  • Overhead is ~ one header (10s of B) per flow, sometimes zero

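
Added example, not the speaker's system: the slides state the hypothesis but do not show which classifier assumptions their tool violates, so this Python block picks one long-documented member of that family, a classifier that matches keywords per TCP segment and therefore assumes a keyword arrives inside a single segment. Splitting the request inside the keyword changes only the transport-layer framing, which the sender controls unilaterally; a conforming receiver reassembles identical bytes, and no extra bytes are sent (the "sometimes zero" overhead case on the slide). The classifiers, the segment sizes and the request are constructed, and the keyword is the Host value from slide 32; a reassembling variant is included to show that the evasion only works against the assumption it targets.

```python
"""Added illustration of violating a classifier assumption at the transport
layer (slide 35). Not the speaker's system: the classifiers, the keyword
(the Host value from slide 32), segment sizes and the request are constructed."""
from typing import List, Optional

KEYWORD = b"Host: hbogo.com"


def classify_per_segment(segments: List[bytes]) -> Optional[str]:
    """Constructed classifier that inspects each TCP segment in isolation.

    Its unstated assumption is that a keyword always arrives inside one
    segment, which is true for normal senders but not guaranteed by TCP.
    """
    for seg in segments:
        if KEYWORD in seg:
            return "zero-rate"
    return None


def classify_reassembled(segments: List[bytes], window: int = 512) -> Optional[str]:
    """Stricter constructed classifier: reassembles the first `window` bytes
    of the stream before matching. A split inside the keyword does not
    evade this one; the evasion is specific to the assumption it targets."""
    stream = b"".join(segments)[:window]
    return "zero-rate" if KEYWORD in stream else None


def split_inside_keyword(payload: bytes, keyword: bytes = KEYWORD) -> List[bytes]:
    """Frame the payload so `keyword` straddles two segments.

    The sender does this unilaterally at the transport layer. Exactly the
    same application bytes are sent, so the overhead is zero; only the
    segment boundary moves. If the keyword is absent, nothing changes.
    """
    i = payload.find(keyword)
    if i < 0:
        return [payload]
    cut = i + len(keyword) // 2
    return [payload[:cut], payload[cut:]]


def receiver_reassemble(segments: List[bytes]) -> bytes:
    """What a conforming TCP receiver hands to the application."""
    return b"".join(segments)


# Constructed request carrying the slide-32 Host value.
REQUEST = b"GET / HTTP/1.1\r\nHost: hbogo.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"


def demo_split() -> dict:
    """Compare verdicts on the normally framed and the split request."""
    plain = [REQUEST]
    split = split_inside_keyword(REQUEST)
    return {
        "plain_verdict": classify_per_segment(plain),
        "split_verdict": classify_per_segment(split),
        "split_verdict_reassembling": classify_reassembled(split),
        "app_sees_same_bytes": receiver_reassemble(split) == REQUEST,
        "extra_bytes": sum(len(s) for s in split) - len(REQUEST),
        "segments": len(split),
    }


if __name__ == "__main__":
    for key, value in demo_split().items():
        print(f"{key:28s} {value}")
```

Applying or withholding the split per flow is what the "select policies applied to traffic" bullet amounts to for this assumption: the sender decides whether the per-segment classifier ever sees the keyword, while the end-to-end bytes and the application are untouched. The reassembling classifier returns the same verdict for both framings, which is the caveat a practitioner needs: each evasion is only as good as the specific inference assumption it violates.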

SLIDE 36

Conclusion

Lack of transparency and control over network policies

Empirical, practical approach can recover these properties

  • Reverse engineer middleboxes
  • Identify policies and their implications
  • Exploit invalid assumptions to regain control over policies

Testbed, datasets, results available
 http://dd.meddle.mobi

SLIDE 37

What do I want

How do I engage with policy in an impactful way?

  • You know, besides giving the FCC ombudsperson my reports, scheduling multiple phone calls with him, agreeing on there being potentially actionable issues, and having him forward to “the commission”

Who wants to help test networks for differentiation?

  • We have an app, python clients
  • We love to collaborate

  • Which networks should we test?
  • Who wants to use our testbed?
  • What do you want?
  • …and of course any other feedback/questions from you
