exposing and evading middlebox policies
play

Exposing and Evading Middlebox Policies DAVID CHOFFNES Middleboxes - PowerPoint PPT Presentation

Mar 28, 2023 •233 likes •617 views

Exposing and Evading Middlebox Policies DAVID CHOFFNES Middleboxes are pervasive In-network functionality can be really helpful Security (IPS) Performance (proxies) Fairness (traffic management) 2 Middleboxes are pervasive

  1. Exposing and Evading Middlebox Policies DAVID CHOFFNES

  2. Middleboxes are pervasive In-network functionality can be really helpful ◦ Security (IPS) ◦ Performance (proxies) ◦ Fairness (traffic management) 2

  3. Middleboxes are pervasive In-network functionality can be really helpful ◦ Security (IPS) ◦ Performance (proxies) ◦ Fairness (traffic management) Double-edged sword ◦ “Security” (censorship) ◦ “Performance” (transcoding to degraded quality) ◦ “Fairness” (throttling or boosting specific apps) 2

  4. Context Some device in the network ( middlebox ) uses 
 DPI to classify traffic and apply policies accordingly 3

  5. Key open questions What is the nature of deployed middlebox policies ? How do middleboxes enforce policies? What are (un)intentional consequences ? What can users do about this? 4

  6. Challenges for middlebox research Middleboxes are protected, undisclosed systems ◦ Expensive (5-6 figures) ◦ Hard to acquire ◦ Little-to-no documentation ◦ (Almost) never acknowledged 5

  7. Challenges for middlebox research Middleboxes are protected, undisclosed systems ◦ Expensive (5-6 figures) ◦ Hard to acquire ◦ Little-to-no documentation ◦ (Almost) never acknowledged Understanding policies requires targeted traffic ◦ Need to identify potential targets ◦ Potentially requires lots of tests ◦ Not clear a priori what signals to use to detect classification 5

  8. Our approach Examine (in detail) a small testbed of DPI middleboxes ◦ Clear signals for classification ◦ Control over policies applied to classes 6

  9. Our approach Examine (in detail) a small testbed of DPI middleboxes ◦ Clear signals for classification ◦ Control over policies applied to classes Extend to operationally deployed devices 6

  10. Our approach Examine (in detail) a small testbed of DPI middleboxes ◦ Clear signals for classification ◦ Control over policies applied to classes Extend to operationally deployed devices Use application-generated traffic to trigger policies ◦ Then explore what part of traffic triggered them ◦ Identify implications of inferred implementations 6

  11. Our approach Examine (in detail) a small testbed of DPI middleboxes ◦ Clear signals for classification ◦ Control over policies applied to classes Extend to operationally deployed devices Use application-generated traffic to trigger policies ◦ Then explore what part of traffic triggered them ◦ Identify implications of inferred implementations Systematically violate assumptions in classifiers 6

  12. What are middleboxes doing? 7

  13. What are middleboxes doing (2015)? m : content modified on the fly p : translucent proxies change connection behavior 8

  14. 
 What are middleboxes doing (2015)? m : content modified on the fly p : translucent proxies change connection behavior Stopped after Open Internet Order… 
 We will keep monitoring... 8

  15. 
 What are middleboxes doing (2015)? m : content modified on the fly p : translucent proxies change connection behavior Stopped after Open Internet Order… 
 We will keep monitoring... 8

  16. What are middleboxes doing (2015)? m : content modified on the fly p : translucent proxies change connection behavior 8

  17. How do they classify traffic? DPI: It’s dumber than you think What isn’t it looking at? ◦ IP addresses ◦ Traffic timings ◦ … 9

  18. How do they classify traffic? DPI: It’s dumber than you think What isn’t it looking at? ◦ IP addresses ◦ Traffic timings ◦ … What is it looking for? ◦ Specific keywords (or bytes) ◦ With limited understanding of deployed protocols 9

  19. How do they classify traffic? 10

  20. What are unintentional consequences? Header Example Value User-Agent: User-Agent GalaxyWarsMultiplayer 11

  21. What are unintentional consequences? Example Header Example Value Application User-Agent: User-Agent iPlayer GalaxyWarsMultiplayer 11

  22. What are unintentional consequences? Example Header Example Value Application User-Agent: User-Agent iPlayer GalaxyWarsMultiplayer 11

  23. What are unintentional consequences? Free riding on T-Mobile 12

  24. What are unintentional consequences? Free riding on T-Mobile 12

  25. What are unintentional consequences? Free riding on T-Mobile Get / 
 X-Host: foo.com 
 Host: hbogo.com 12

  26. What are unintentional consequences? Free riding on T-Mobile Get / 
 X-Host: foo.com 
 Host: hbogo.com 12

  27. What are unintentional consequences? Free riding on T-Mobile Get / 
 X-Host: foo.com 
 Host: hbogo.com 12

  28. What are unintentional consequences? Free riding on T-Mobile Get / 
 X-Host: foo.com 
 Host: hbogo.com 12

  29. What are unintentional consequences? Free riding on T-Mobile Get / 
 X-Host: foo.com 
 Host: hbogo.com 12

  30. What are unintentional consequences? Free riding on T-Mobile Get / 
 X-Host: foo.com 
 Host: hbogo.com 12

  31. What are unintentional consequences? Free riding on T-Mobile Get / 
 X-Host: foo.com 
 Host: hbogo.com 12

  32. What are unintentional consequences? Free riding on T-Mobile Get / 
 X-Host: foo.com 
 Host: hbogo.com 12

  33. What can users do about this? Axiom : 
 Middleboxes necessarily infer end-to-end state 
 using incomplete information 13

  34. What can users do about this? Axiom : 
 Middleboxes necessarily infer end-to-end state 
 using incomplete information Hypothesis : 
 It is possible to systematically identify and violate assumptions used in inference, unilaterally at transport/network layer 13

  35. What can users do about this? Axiom : 
 Middleboxes necessarily infer end-to-end state 
 using incomplete information Hypothesis : 
 It is possible to systematically identify and violate assumptions used in inference, unilaterally at transport/network layer Our approach : 
 Build a system that automatically , efficiently does this, to enable user control over impact of policies ◦ Evade censorship ◦ Select policies applied to traffic ◦ Overhead is ~ one header (10s of B) per flow, sometimes zero 13

  36. Conclusion Lack of transparency and control over network policies Empirical, practical approach can recover these properties ◦ Reverse engineer middleboxes ◦ Identify policies and their implications ◦ Exploit invalid assumptions to regain control over policies Testbed, datasets, results available 
 http://dd.meddle.mobi 14

  37. What do I want How do I engage with policy in an impactful way? ◦ You know, besides giving the FCC ombudsperson my reports, scheduling multiple phone calls with him, agreeing on there being potentially actionable issues, and having him forward to “the commission” Who wants to help test networks for differentiation? ◦ We have an app, python clients ◦ We love to collaborate Which networks should we test? Who wants to use our testbed? What do you want? …and of course any other feedback/questions from you 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Middlebox Discovery Jamshid Mahdavi Andrew Knutsen March 23, 2010 Talk Outline Middlebox

Middlebox Discovery Jamshid Mahdavi Andrew Knutsen March 23, 2010 Talk Outline Middlebox

Middlebox Discovery Jamshid Mahdavi Andrew Knutsen March 23, 2010 Talk Outline Middlebox Discovery ID Summary and Status Discussion of Middlebox Needs Other Common Middlebox Issues of Potential Interest to IETF References ID

474 views • 12 slides
EXPOSING EXPOSING A FLEXIBLE, COMPOSABLE & EXTENSIBLE A FLEXIBLE, COMPOSABLE &

EXPOSING EXPOSING A FLEXIBLE, COMPOSABLE & EXTENSIBLE A FLEXIBLE, COMPOSABLE &

EXPOSING EXPOSING A FLEXIBLE, COMPOSABLE & EXTENSIBLE A FLEXIBLE, COMPOSABLE & EXTENSIBLE REST API REST API Thierry Delprat td@nuxeo.com https://github.com/tiry/ AGENDA AGENDA Quick introduction provide some context API design

1.37k views • 75 slides
EVADING DEEP INSPECTION FOR FUN AND SHELL Who we are

EVADING DEEP INSPECTION FOR FUN AND SHELL Who we are

EVADING DEEP INSPECTION FOR FUN AND SHELL Who we are Olli-Pekka Niemi An; Levomki Chief Research Officer, Senior Vulnerability Stoneso9

1.02k views • 57 slides
Optimal Evading Strategies and Task Allocation in Multi-Pursuer Single-Evader Problems Venkata

Optimal Evading Strategies and Task Allocation in Multi-Pursuer Single-Evader Problems Venkata

Motivation Optimal Evading Strategies Active/Redundant Pursuers Simulations Optimal Evading Strategies and Task Allocation in Multi-Pursuer Single-Evader Problems Venkata Ramana Makkapati and Panagiotis Tsiotras Dynamics and Control Systems

526 views • 27 slides
A Middlebox-Cooperative TCP for a non End-to-End Internet Ryan Craven (NPS / SPAWAR) Robert

A Middlebox-Cooperative TCP for a non End-to-End Internet Ryan Craven (NPS / SPAWAR) Robert

A Middlebox-Cooperative TCP for a non End-to-End Internet Ryan Craven (NPS / SPAWAR) Robert Beverly (NPS) Mark Allman (ICSI) Support from: ACM SIGCOMM 19 Aug 2014 1 TCPs knowledge of end -to-end path conditions a priori ??? ???

557 views • 38 slides
APTs Way: Evading your EBNIDS Ali Abbasi Jos Wetzels Who

APTs Way: Evading your EBNIDS Ali Abbasi Jos Wetzels Who

APTs Way: Evading your EBNIDS Ali Abbasi Jos Wetzels Who we are? Ali Abbasi : PhD student in Distributed and Embedded System Security Group

921 views • 43 slides
Evading&Android&Run?me&Analysis& via&& Sandbox&Detec?on&

Evading&Android&Run?me&Analysis& via&& Sandbox&Detec?on&

Evading&Android&Run?me&Analysis& via&& Sandbox&Detec?on& &&&&&&&&&&&&&&&&Timothy&Vidas,&Nicolas&Chris?n&

526 views • 28 slides
SKI: Exposing Kernel Concurrency Bugs through Systematic Schedule Exploration Pedro Fonseca

SKI: Exposing Kernel Concurrency Bugs through Systematic Schedule Exploration Pedro Fonseca

SKI: Exposing Kernel Concurrency Bugs through Systematic Schedule Exploration Pedro Fonseca (MPI-SWS) Rodrigo Rodrigues Bjrn Brandenburg (MPI-SWS) (NOVA University of Lisbon) OSDI 2014 SKI: Exposing Kernel Concurrency Bugs

840 views • 67 slides
On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways Teemu Rytilahti,

On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways Teemu Rytilahti,

On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways Teemu Rytilahti, Thorsten Holz Horst Grtz Institute for IT-Security, Ruhr University Bochum, Germany Network and Distributed System Security Symposium 2020 1

581 views • 46 slides
Bruteforcing in the Shadows Evading Automated Detection Martin Draar, Jan Vykopal

Bruteforcing in the Shadows Evading Automated Detection Martin Draar, Jan Vykopal

Bruteforcing in the Shadows Evading Automated Detection Martin Draar, Jan Vykopal {drasar|vykopal}@ics.muni.cz Institute of Computer Science Masaryk University Brno, Czech Republic FloCon 2012 January 12, Austin, Texas Part I Network

898 views • 22 slides
Policy-preserving Middlebox Placement in SDN-Enabled Data Centers Bin Tang Computer Science

Policy-preserving Middlebox Placement in SDN-Enabled Data Centers Bin Tang Computer Science

Policy-preserving Middlebox Placement in SDN-Enabled Data Centers Bin Tang Computer Science Department California State University Dominguez Hills Some slides are from www.cs.berkeley.edu/~randy/Courses/CS268.F08/lectures/22-

867 views • 30 slides
Your state is not mine: a closer look at evading stateful internet censorship Zhongjie Wang, Yue

Your state is not mine: a closer look at evading stateful internet censorship Zhongjie Wang, Yue

Your state is not mine: a closer look at evading stateful internet censorship Zhongjie Wang, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth V Krishnamurthy University of California, Riverside Background The Great Fire Wall (GFW) A

322 views • 28 slides
Optimizing Flow Bandwidth Consumption with Traffic-diminishing Middlebox Placement Yan Yang

Optimizing Flow Bandwidth Consumption with Traffic-diminishing Middlebox Placement Yan Yang

Optimizing Flow Bandwidth Consumption with Traffic-diminishing Middlebox Placement Yan Yang Chen en, Jie Wu, and Bo Ji Center for Networked Computing Temple University, USA VNF: Evolution of Network Service l Network Function Virtualization

315 views • 19 slides
Automatically Evading Classifiers A Case Study on PDF Malware Classifiers Weilin Xu

Automatically Evading Classifiers A Case Study on PDF Malware Classifiers Weilin Xu

Automatically Evading Classifiers A Case Study on PDF Malware Classifiers Weilin Xu David Evans Yanjun Qi University of Virginia Machine Learning is Solving Our Problems Fake Fake Spam IDS

1.07k views • 34 slides
liberate, (n): A library for exposing (tra ffi c-classification) rules and avoiding them e ffi

liberate, (n): A library for exposing (tra ffi c-classification) rules and avoiding them e ffi

liberate, (n): A library for exposing (tra ffi c-classification) rules and avoiding them e ffi ciently Fangfan Li , Abbas Razaghpanah, Arash Molavi Kakhki, Arian Akhavan Niaki, David Cho ff nes, Phillipa Gill, Alan Mislove 1 Traffic management 2

1.54k views • 115 slides
LB-MAP: LOAD-BALANCED MIDDLEBOX ASSIGNMENT IN POLICY-DRIVEN DATA CENTERS MANAR ALQARNI

LB-MAP: LOAD-BALANCED MIDDLEBOX ASSIGNMENT IN POLICY-DRIVEN DATA CENTERS MANAR ALQARNI

LB-MAP: LOAD-BALANCED MIDDLEBOX ASSIGNMENT IN POLICY-DRIVEN DATA CENTERS MANAR ALQARNI DEPARTMENT OF COMPUTER SCIENCE CALIFORNIA STATE UNIVERSITY DOMINGUEZ HILLS 1 INTRODUCTION - Middleboxes network appliances or network functions

489 views • 25 slides
T h e PY T H I A E ve n t G e n e r a to r P e t e r S k a n d s ( C E R N ) LHC is a QCD

T h e PY T H I A E ve n t G e n e r a to r P e t e r S k a n d s ( C E R N ) LHC is a QCD

TO O L S 2 0 1 2 , S t o c k h o l m , J u n e 2 0 1 2 T h e PY T H I A E ve n t G e n e r a to r P e t e r S k a n d s ( C E R N ) LHC is a QCD Machine Hard processes initiated by partons (quarks & gluons) Associated with

1.04k views • 83 slides
Verifying That Web Pages Have Accessible Layout Pavel Panchekha , Adam T. Geller, Michael D.

Verifying That Web Pages Have Accessible Layout Pavel Panchekha , Adam T. Geller, Michael D.

Verifying That Web Pages Have Accessible Layout Pavel Panchekha , Adam T. Geller, Michael D. Ernst, Zachary Tatlock, Shoaib Kamil This Work: Automated Veri fi cation for Web Page Layout 3.6M lines 66% 17% 9% 7% Backend Layout Script

745 views • 41 slides
Improving Offset Assignment through Simultaneous Variable Coalescing Desiree Ottoni, Guido Araujo

Improving Offset Assignment through Simultaneous Variable Coalescing Desiree Ottoni, Guido Araujo

7th International Workshop on Software and Compilers for Embedded Systems - SCOPES 2003 Improving Offset Assignment through Simultaneous Variable Coalescing Desiree Ottoni, Guido Araujo {desiree.ottoni | guido}@ic.unicamp.br Guilherme Ottoni

270 views • 12 slides
TransplantaGon trends in Italy: outcome and complicaGons

TransplantaGon trends in Italy: outcome and complicaGons

M AY 17-19, 2018 TransplantaGon trends in Italy: outcome and complicaGons FRANCESCA BONIFAZI Hematology Dept. University Hospital S. Orsola-Malpighi,

1.25k views • 47 slides
Format - Tra ransform rming Encryption (more than meets the DPI) Tom om S Shrimpton on

Format - Tra ransform rming Encryption (more than meets the DPI) Tom om S Shrimpton on

Format - Tra ransform rming Encryption (more than meets the DPI) Tom om S Shrimpton on Florida Institute for Cybersecurity Research University of Florida Monday In-place encryption of CC database Encrypt 4417 1234 5678 9112 1234 5678

805 views • 51 slides
Differential Pumping with an Insert of a Narrow Aperture in the PIP2IT MBET Alex Chen on behalf

Differential Pumping with an Insert of a Narrow Aperture in the PIP2IT MBET Alex Chen on behalf

Differential Pumping with an Insert of a Narrow Aperture in the PIP2IT MBET Alex Chen on behalf of the PIP2IT task force: Outline Motivation and Layout MEBT of Absorber to HWR(DP section) Function Requirement Design of DPI

714 views • 27 slides
New Encryp+on Primi+ves for Uncertain Times Thomas Ristenpart

New Encryp+on Primi+ves for Uncertain Times Thomas Ristenpart

New Encryp+on Primi+ves for Uncertain Times Thomas Ristenpart University of Wisconsin Covering joint work with: Sco@ Coull, Kevin Dyer, Ari Juels,

751 views • 54 slides
Stanford CS193p Developing Applications for iOS Fall 2017-18 CS193p Fall 2017-18 Today Drag and

Stanford CS193p Developing Applications for iOS Fall 2017-18 CS193p Fall 2017-18 Today Drag and

Stanford CS193p Developing Applications for iOS Fall 2017-18 CS193p Fall 2017-18 Today Drag and Drop Transferring information around within and between apps. EmojiArt Demo Drag and drop an image to get our EmojiArt masterpieces started.

959 views • 74 slides

More recommend