Global Network Interference Detection over the RIPE Atlas Network - - PowerPoint PPT Presentation

global network interference detection over the ripe atlas
SMART_READER_LITE
LIVE PREVIEW

Global Network Interference Detection over the RIPE Atlas Network - - PowerPoint PPT Presentation

Sep 28, 2023 177 likes •488 views

Global Network Interference Detection over the RIPE Atlas Network Adventures in Pervasive Measurement Collin Anderson, Philipp Winter and Roya USENIX FOCI, August 2014 Once Upon a Time Starting from the Dark Ages For Now We See Through

slide-1
SLIDE 1

Global Network Interference Detection over the RIPE Atlas Network

Adventures in Pervasive Measurement

Collin Anderson, Philipp Winter and Roya

  • USENIX FOCI, August 2014
slide-2
SLIDE 2

Once Upon a Time

Starting from the Dark Ages

slide-3
SLIDE 3

For Now We See Through a Glass, Darkly.

  • Early aggressive, examples of

interference set a general practice of measuring from one location for one ISP per country, once in a while.

  • Of most interest has been

states where censorship is imposed at the international gateway and by governmental- aligned monopolies.

  • Rarely bound to political or

cultural events that may trigger changes in practices.

slide-4
SLIDE 4

Filtering Norms

  • Politicians and international
  • rganizations have promoted

filtering in order to protect intellectual property and ‘save’ children.

  • Large market pressures,

filtering and surveillance equipment manufacturing is a growth industry.

  • Evidence of some public

acceptance for content restrictions, even in ‘democratic’ countries.

slide-5
SLIDE 5

Filtering Norms

  • Legitimacy of these actions are

not within our scope, key presumptions:

  • Filtering will be more of a legal

compliance effort than a direct imposition of the state.

  • We should anticipate greater

diversity in practices and timing when filtering is a measure taken by third-parties.

slide-6
SLIDE 6

Detection is Another Growth Industry

  • As filtering practices changed,

the number of tools and principles for measurement have grown.

  • In Development or Deployed:

OONI, Herdict, ICLab, Satellite, Encore, CensorProbe, rTurtle.

  • At Mass Scale: NDT, Glasnost,

Netalyzr.

  • Still, mostly one ISP on one

network per country, once in awhile.

slide-7
SLIDE 7

The Globally-Distributed Atlas Network

  • High geographic and

topological diversity.

  • Ping, Traceroute, DNS

resolution, and X.509 certificate fetching.

  • Push measurement rules over

a relatively stable set of nodes.

  • Closest platform to

interference measurement at scale.

slide-8
SLIDE 8

Measurement Granularity

The Self Evident

Country Practices Seen Time Turkey DNS Port Blocking ~2012 Russia DNS ~2012 Syria HTTP Inspection ~2012

slide-9
SLIDE 9

Measurement Granularity

The Self Evident

Country ISP Origination Practice Time Resource Turkey Turksat TurkTelecom BGP Hijack 3/28/2014 YouTube Russia Intertax Rostelecom IP Redirection 4/30/2014 208.93.0.190 Syria Tarrasul PDE HTTP Inspection 6/2013 Tor

slide-10
SLIDE 10

Examining Ephemeral Information Controls Through Atlas

Turkey Social Media Restrictions (March 2014)

slide-11
SLIDE 11

Selective Compliance and Unilateral Disruption

Google DNS Blocking and Hijack in Turkey (March 2014)

slide-12
SLIDE 12

Selective Compliance and Unilateral Disruption

Google DNS Normal Route in Turkey (March 2014)

slide-13
SLIDE 13

Selective Compliance and Unilateral Disruption

Google DNS Blocking (March 21)

slide-14
SLIDE 14

Selective Compliance and Unilateral Disruption

Google DNS Normal Route in Turkey (March 2014)

slide-15
SLIDE 15

Selective Compliance and Unilateral Disruption

Google DNS Hijack (March 29)

slide-16
SLIDE 16

Selective Compliance and Unilateral Disruption

Google DNS Hijack (April 2)

slide-17
SLIDE 17

Selective Compliance and Unilateral Disruption

Google DNS Hijack (April 3)

slide-18
SLIDE 18

Selective Compliance and Unilateral Disruption

Google DNS Hijack (April 7)

slide-19
SLIDE 19

Validating Measurements

  • We anticipate that filtering

mechanisms with coordinate answers less than legitimate services (across ASNs, regions or countries).

  • Begin to flag answers based on

differences in:

  • SSL Certificate Hostnames and

Certification Validation

  • Seen End Transit Providers
  • Expected Timing
  • Obviously Fake Answers (localhost

and RFC1918 Addresses)

  • Consensus based pools of reasonable

answers.

slide-20
SLIDE 20

Beyond the Nefarious Middle Box Traffic Inspection

Path Interdiction and Heterogenous Techniques

slide-21
SLIDE 21

Route Interdiction

Russia LiveJournal Addresses

slide-22
SLIDE 22

Rostelecom Interdiction

Russia LiveJournal Addresses

slide-23
SLIDE 23

‘Valid’ LiveJournal Traffic

Russia LiveJournal Addresses

slide-24
SLIDE 24

Живой Журнал

New Compliance

  • March 13 navalny banned, A record 208.93.0.190.
  • April 5 pauluskp A: 208.93.0.150.

April 11 pauluskp banned, listed A of 208.93.0.190.

  • April 21 m-athanasios.livejournal banned with

A record of 208.93.0.190.

  • Late April 1,450 LiveJournal blogs in Alexa top 1 million,

address 208.93.0.150.

  • Four 208.93.0.190, all designated by

Roskomnadzor.

slide-25
SLIDE 25

LiveJournal A Record of Doom

208.93.0.190

slide-26
SLIDE 26

Живой Журнал

Enjoy Summer Vacation, Roskomnadzor Style

slide-27
SLIDE 27

Model Properties of an Interference Detection Platform

  • Controls are often ephemeral and issued without forewarning,

requiring push-based measurement rules.

  • Validation requires client environment documentation (e.g.

DNS Settings, Network Type).

  • Data collection should be longitudinal and frequent over a

normal interval.

  • Heterogeneous technical regimes requires heterogenous

technical datasets.

  • Idiosyncrasies in host network requires normalization.
slide-28
SLIDE 28

Ethics and Measurement (Atlas Edition)

  • Atlas presents a legitimate question of

consent.

  • RIPE’s Term of Service do not provide

guidance.

  • Popular social media platforms and major

content providers:

  • Requests for social media from third-party

sites are common due to the pervasive inclusion of recommendation systems and included media content.

  • Only cases we know where browsing of

content led to attention from law enforcement is in the case of child pornography.

  • Navalny’s blog was an Alexa Top 1000 site, in

the top hundreds in Russia. Tor Project is within the top 10,000, the peak number of daily users in Turkey of the network at the time was 70,000.

slide-29
SLIDE 29

Ethics and Measurement (Atlas Edition)

However, these are piecemeal attempts to legitimize target choice, they are not a systemic framework.

slide-30
SLIDE 30

Conclusions

  • Widespread proliferation presents its own model of

measurement validation.

  • Within heterogeneous filtering regimes, we should expect

greater diversity in implementation, including cheating and slow deployment of rules.

  • Atlas provides an early look at the opportunities and

impediments ahead for pervasive inference detection, but lingering ethical concerns and available measurement types limit future feasibility.

slide-31
SLIDE 31

Thank You.

Code and Data: cartography.io