Global Network Interference Detection over the RIPE Atlas Network Adventures in Pervasive Measurement Collin Anderson, Philipp Winter and Roya � USENIX FOCI, August 2014
Once Upon a Time Starting from the Dark Ages
For Now We See Through a Glass, Darkly. • Early aggressive, examples of interference set a general practice of measuring from one location for one ISP per country, once in a while. • Of most interest has been states where censorship is imposed at the international gateway and by governmental- aligned monopolies. • Rarely bound to political or cultural events that may trigger changes in practices.
Filtering Norms • Politicians and international organizations have promoted filtering in order to protect intellectual property and ‘save’ children. • Large market pressures, filtering and surveillance equipment manufacturing is a growth industry. • Evidence of some public acceptance for content restrictions, even in ‘democratic’ countries.
Filtering Norms • Legitimacy of these actions are not within our scope, key presumptions: • Filtering will be more of a legal compliance e ff ort than a direct imposition of the state. • We should anticipate greater diversity in practices and timing when filtering is a measure taken by third-parties.
Detection is Another Growth Industry • As filtering practices changed, the number of tools and principles for measurement have grown. • In Development or Deployed: OONI, Herdict, ICLab, Satellite, Encore, CensorProbe, rTurtle. • At Mass Scale: NDT, Glasnost, Netalyzr. • Still, mostly one ISP on one network per country, once in awhile.
The Globally-Distributed Atlas Network • High geographic and topological diversity. • Ping, Traceroute, DNS resolution, and X.509 certificate fetching. • Push measurement rules over a relatively stable set of nodes. • Closest platform to interference measurement at scale.
Country Practices Seen Time Turkey DNS Port Blocking ~2012 Russia DNS ~2012 Syria HTTP Inspection ~2012 Measurement The Self Evident Granularity
Country ISP Origination Practice Time Resource Turkey Turksat TurkTelecom BGP Hijack 3/28/2014 YouTube Russia Intertax Rostelecom IP Redirection 4/30/2014 208.93.0.190 Syria Tarrasul PDE HTTP Inspection 6/2013 Tor Measurement The Self Evident Granularity
Examining Ephemeral Information Controls Through Turkey Social Media Restrictions (March 2014) Atlas
Selective Compliance Google DNS Blocking and Hijack in Turkey (March 2014) and Unilateral Disruption
Selective Compliance Google DNS Normal Route in Turkey (March 2014) and Unilateral Disruption
Selective Compliance Google DNS Blocking (March 21) and Unilateral Disruption
Selective Compliance Google DNS Normal Route in Turkey (March 2014) and Unilateral Disruption
Selective Compliance Google DNS Hijack (March 29) and Unilateral Disruption
Selective Compliance Google DNS Hijack (April 2) and Unilateral Disruption
Selective Compliance Google DNS Hijack (April 3) and Unilateral Disruption
Selective Compliance Google DNS Hijack (April 7) and Unilateral Disruption
Validating Measurements • We anticipate that filtering mechanisms with coordinate answers less than legitimate services (across ASNs, regions or countries). • Begin to flag answers based on di ff erences in: • SSL Certificate Hostnames and Certification Validation • Seen End Transit Providers • Expected Timing • Obviously Fake Answers (localhost and RFC1918 Addresses) • Consensus based pools of reasonable answers.
Beyond the Nefarious Path Interdiction and Heterogenous Techniques Middle Box Traffic Inspection
Route Interdiction Russia LiveJournal Addresses
Rostelecom Interdiction Russia LiveJournal Addresses
‘Valid’ LiveJournal Traffic Russia LiveJournal Addresses
� March 13 navalny banned, A record 208.93.0.190. � � April 5 pauluskp A: 208.93.0.150. April 11 pauluskp banned, listed A of 208.93.0.190. � � April 21 m-athanasios.livejournal banned with A record of 208.93.0.190. � � Late April 1,450 LiveJournal blogs in Alexa top 1 million, address 208.93.0.150. � Four 208.93.0.190, all designated by Roskomnadzor . � Живой Журнал New Compliance
LiveJournal A Record of 208.93.0.190 Doom
Живой Журнал Enjoy Summer Vacation, Roskomnadzor Style
Model Properties of an Interference Detection Platform • Controls are often ephemeral and issued without forewarning, requiring push-based measurement rules. • Validation requires client environment documentation (e.g. DNS Settings, Network Type). • Data collection should be longitudinal and frequent over a normal interval. • Heterogeneous technical regimes requires heterogenous technical datasets. • Idiosyncrasies in host network requires normalization.
Ethics and Measurement (Atlas Edition) • Atlas presents a legitimate question of consent. • RIPE’s Term of Service do not provide guidance. • Popular social media platforms and major content providers: • Requests for social media from third-party sites are common due to the pervasive inclusion of recommendation systems and included media content. • Only cases we know where browsing of content led to attention from law enforcement is in the case of child pornography. • Navalny’s blog was an Alexa Top 1000 site, in the top hundreds in Russia. Tor Project is within the top 10,000, the peak number of daily users in Turkey of the network at the time was 70,000.
Ethics and Measurement (Atlas Edition) However, these are piecemeal attempts to legitimize target choice, they are not a systemic framework.
Conclusions • Widespread proliferation presents its own model of measurement validation. • Within heterogeneous filtering regimes, we should expect greater diversity in implementation, including cheating and slow deployment of rules. • Atlas provides an early look at the opportunities and impediments ahead for pervasive inference detection, but lingering ethical concerns and available measurement types limit future feasibility.
Code and Data: cartography.io Thank You.
Recommend
More recommend
