how the great firewall discovers hidden circumvention
play

How the Great Firewall discovers hidden circumvention servers Roya - PowerPoint PPT Presentation

Mar 24, 2024 •373 likes •916 views

How the Great Firewall discovers hidden circumvention servers Roya Ensafi David Fifield Philipp Winter Nick Weaver Nick Feamster Vern Paxson Much already known about GFW Numerous research papers and blog posts Open access

  1. How the Great Firewall discovers hidden circumvention servers Roya Ensafi David Fifield Philipp Winter Nick Weaver Nick Feamster Vern Paxson

  2. Much already known about GFW Numerous research papers and blog posts ● ○ Open access library: censorbib.nymity.ch We know... ● What is blocked ○ ○ How it is blocked Where the GFW is, topologically ○ Unfortunately, most studies are one-off ● Continuous measurements challenging ○

  3. Many domains are blocked DNS resolver Client in China outside China DNS request for www.facebook.com

  4. Many domains are blocked DNS resolver Client in China outside China DNS request for www.facebook.com

  5. Many domains are blocked DNS resolver Client in China outside China DNS request for www.facebook.com facebook is at 8.7.198.45

  6. Many domains are blocked DNS resolver Client in China outside China DNS request for www.facebook.com facebook is at facebook: 173.252.74.68 8.7.198.45

  7. Many keywords are blocked Web server Client in China outside China GET /www.facebook.com HTTP/1.1 Host: site.com

  8. Many keywords are blocked Web server Client in China outside China GET /www.facebook.com HTTP/1.1 Host: site.com

  9. Many keywords are blocked Web server Client in China outside China GET /www.facebook.com HTTP/1.1 Host: site.com T C r e P s e t

  11. Encryption reduces blocking accuracy Client in China Server in Germany Encrypted connection HTTPS? VPN? Tor?

  12. Encryption reduces blocking accuracy Client in China Server in Germany Encrypted connection HTTPS? Port number? VPN? Tor? Type of encryption? Handshake parameters? Flow information?

  13. Censors often test how far they can go

  14. Censors often test how far they can go

  15. Active Probing

  16. Assume an encrypted tunnel Client in China Server in Germany TLS connection

  17. 1. GFW does DPI Client in China Server in Germany TLS connection

  18. c02bc02fc00ac009 c013c014c012c007 1. GFW does DPI c011003300320045 0039003800880016 002f004100350084 000a0005000400ff Client in China Server in Germany TLS connection Cipher list in TLS client hello looks like vanilla Tor!

  19. 2. GFW launches active probe Client in China Server in Germany TLS connection Tor handshake Active prober

  20. 2. GFW launches active probe Client in China Server in Germany TLS connection Tor handshake Tor handshake Active prober

  21. 3. GFW blocks server Block server Client in China Server in Germany TLS connection Tor handshake Yes, it was Tor handshake vanilla Tor! Active prober

  22. Our “Shadow” dataset Clients in China repeatedly connected ● to bridges under our control Clients in CERNET Tor, obfs2, obfs3 EC2 Tor bridge Tor, obfs2, obfs3 Clients in EC2 Tor bridge UNICOM

  23. Our “Sybil” dataset Redirected 600 ports to Tor port ● Client in China Vanilla Tor bridge in France

  24. Our “Sybil” dataset Redirected 600 ports to Tor port ● Client in China Vanilla Tor bridge in France Holy moly, 600 bridges on a single machine!

  25. Our “Log” dataset Web server logs dating back ● to Jan 2010 Active probes Web server

  26. Where are the probes coming from? Collected 16,083 unique prober IP addresses ● ● 95% of addresses seen only once Shadow Sybil Reverse DNS suggests ISP pools 135 ● 1,090 adsl-pool.sx.cn ○ ○ kd.ny.adsl online.tj.cn ○ Log ● Majority of probes come from three 14,802 autonomous systems ASN 4837, 4134, and 17622 ○

  27. Where are the probes coming from? 202.108.181.70 Collected 16,083 unique prober IP addresses ● ● 95% of addresses seen only once Shadow Sybil Reverse DNS suggests ISP pools 135 ● 1,090 adsl-pool.sx.cn ○ ○ kd.ny.adsl online.tj.cn ○ Log ● Majority of probes come from three 14,802 autonomous systems ASN 4837, 4134, and 17622 ○

  28. Are probes hijacking IP addresses? While probe is active, no other communication with probe possible ● ○ Traceroutes time out several hops before destination Port scans say all ports are filtered ○ ● What do probes have in common? ○ IP TTL IP ID ○ IP ○ TCP ISN TCP TCP TSval ○ TLS ○ TLS client hello Tor Pcaps online: nymity.ch/active-probing/ ○

  29. What do probes have in common? All probes… ● ○ Have narrow IP TTL distribution Use source ports in entire 16-bit port range ○ ○ Exhibit patterns in TCP TSval Does not seem like off-the-shelf networking stack ● User space TCP stack? ● IP TCP TLS Tor

  30. TCP’s initial sequence numbers TCP uses 32-bit initial sequence numbers (ISNs) ● ● Protects against off-path attackers Attacker must guess correct ISN range to inject segments ● Every SYN segment should have random ISN ● IP TCP connection Seq = 0x1AF93CBA TCP TCP reset TLS Seq = ??? Tor

  31. What we expected to see

  32. What we did see

  33. What we did see

  34. TLS fingerprint Probes all share uncommon TLS client hello ● ● Not running original Tor client ○ No randomly-generated SNI Unique (?) cipher suite ○ Measured on a busy Tor guard relay: ● IP Observed 236,101 client hellos over 24 hours ○ ○ Only 67 (0.02%) had identical setup TCP Recorded only client hellos, no IP addresses ○ TLS Tor

  35. Tor probing Active prober Tor bridge Establish TCP and TLS connection V E R S I O N S IP VERSIONS TCP O F N I T E N TLS Close TCP and TLS Tor connection

  36. Physical infrastructure State leakage shows that probes are controlled by centralised entity ● ● Not clear how central entity controls probes Proxy network? ● Geographically distributed set of proxy machines ○ ● Off-path device in ISP’s data centre? ○ Machines connected to switch mirror ports

  37. Blocking is reliable, but fails predictably

  38. In 2012, probes were batch-processed

  39. Today, probes are invoked in real-time Median arrival time of only 500 ms ● ● Odd, linearly-decreasing outliers

  40. Blocked protocols

  41. Protocols that are probed or blocked SSH ● In 2011, not anymore? ○ ● VPN OpenVPN occasionally ○ ○ SoftEther Tor ● Vanilla Tor ○ ○ obfs2 and obfs3 AppSpot ● ○ To find GoAgent? TLS ● Anything else? ●

  42. Oddities in obfs2 and obfs3 probing Tor probes don’t use reference implementations ● ○ obfs3 padding sent in one segment instead of two Probes sometimes send duplicate payload ● State leakage? ○

  43. Probe type and frequency since 2013

  44. Find your own probes SoftEther: POST /vpnsvc/connect.cgi ● AppSpot: GET /twitter.com ● ● tcpdump ‘host 202.108.181.70’ ● More instructions on nymity.ch/active-probing

  45. Trolling the GFW

  46. Block list exhaustion for ip_addr in “$ip_addrs”; do for port in $(seq 1 65535); do timeout 5 tor --usebridges 1 --bridge “$ip_addr:$port” done done One /24 network can add 16 million blocklist entries

  47. File descriptor exhaustion Processes have OS-enforced file descriptor limit ● ○ Often 1,024, but configurable Every new, open socket brings us closer to limit ○ ● What’s the limit for active probes? Attract many probes and don’t ACK data, don’t close socket ● Will GFW be unable to scan new bridges? ●

  48. Make GFW block arbitrary addresses See VPN Gate’s “innocent IP mixing” ● See censorbib.nymity.ch/#Nobori2014a ○ For a while, GFW blindly fetched and blocked IP ● addresses ● Add critical IP addresses to server list Windows update servers ○ ○ DNS root servers Google infrastructure ○ GFW operators soon started verifying addresses ●

  49. Circumvention

  50. Problems in the GFW’s DPI engine DPI engine must reassemble stream before pattern matching ● ● TCP stream often not reassembled ○ Server-side manipulation of TCP window size can “hide” signature Exploited in brdgrd: gitweb.torproject.org/brdgrd.git/ ○ Ambiguities in TCP/IP parsing ● See censorbib.nymity.ch/#Khattak2013a ○ ● TCP/IP-based circumvention difficult to deploy ○ “Hey, how about you run this kernel module for me?”

  51. Pluggable transports to the rescue obfs3 obfs2 Vanilla Tor SOCKS interface on client ● ● Turn Tor into something else ○ Payload Flow ○ Several APIs ● Time Python ○ ○ Go C ○

  52. Pluggable transports that work in China ScrambleSuit ● Flow shape polymorphic ○ ○ Clients must prove knowledge of shared secret obfs4 ● ○ Extends ScrambleSuit Uses Elligator elliptic curve key agreement ○ meek ● ○ Tunnels traffic over CDNs (Amazon, Azure, Google) FTE ● ○ Shapes ciphertext based on regular expressions More is in the making! ● WebRTC-based transport ○

  53. Q&A Roya Ensafi — rensafi@cs.princeton.edu — @_royaen_ David Fifield — david@bamsoftware.com Philipp Winter — phw@nymity.ch — @_ _phw Code, data, and paper: nymity.ch/active-probing/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Examining How The Great Firewall Discovers Hidden Circumvention Servers Roya Ensafi , David

Examining How The Great Firewall Discovers Hidden Circumvention Servers Roya Ensafi , David

Examining How The Great Firewall Discovers Hidden Circumvention Servers Roya Ensafi , David Fifield, Philipp Winter, Nick Feamster, Nicholas Weaver, and Vern Paxson Oct 29, 2015 1 Circumventing Internet Censorship Using Proxies Web servers

641 views • 41 slides
Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall Overview Todays top firewall problems What IT managers say about their existing firewall Firewall Satisfaction Survey (Spiceworks 2017) Top

548 views • 52 slides
ip.buffer with HTTP New features! Great for Managed Services! Legacy Out Firewall

ip.buffer with HTTP New features! Great for Managed Services! Legacy Out Firewall

ip.buffer with HTTP New features! Great for Managed Services! Legacy Out Firewall issues Server not easily scaled Non transactional Duplicate data on failure Legacy In Port forwarding VPN black holes

900 views • 30 slides
Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation controlled connection between networks at different security levels = boundary protection ( L1 > L2 ) network at network at security

1.07k views • 67 slides
How the Great Firewall of China is Blocking Tor Philipp Winter and Stefan Lindskog Karlstad

How the Great Firewall of China is Blocking Tor Philipp Winter and Stefan Lindskog Karlstad

How the Great Firewall of China is Blocking Tor Philipp Winter and Stefan Lindskog Karlstad University Aug. 6, 2012 In a nutshell 1. Investigated how Tor is being blocked 2. Speculated about the blocking infrastructure 3. Looked at

454 views • 26 slides
Make the Internet safe with DNS firewall Response Policy Zones (RPZ) SGNOG 7 2019 2 Great

Make the Internet safe with DNS firewall Response Policy Zones (RPZ) SGNOG 7 2019 2 Great

1 Make the Internet safe with DNS firewall Response Policy Zones (RPZ) SGNOG 7 2019 2 Great Asean Fastest Growing Area of Threats Over 200 Billion devices connected worldwide by 2020. Over 13 million active bots recorded for January 2019.

766 views • 38 slides
Analyzing the Great Firewall of China Over Space and Time Roya Ensafi, Philipp Winter, Abdullah

Analyzing the Great Firewall of China Over Space and Time Roya Ensafi, Philipp Winter, Abdullah

Analyzing the Great Firewall of China Over Space and Time Roya Ensafi, Philipp Winter, Abdullah Mueen, Jed Crandall June 30, 2015 The Battle Over Information Control On The Internet State of the Art Rent a control machine (VPS)

699 views • 26 slides
Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts and networks connected to other hosts and networks against attacks from the outside and from the inside. a firewall is a network security system

440 views • 30 slides
Censors Delay in Blocking Circumvention Proxies David Fifield & Lynn Tsai University of

Censors Delay in Blocking Circumvention Proxies David Fifield & Lynn Tsai University of

Censors Delay in Blocking Circumvention Proxies David Fifield & Lynn Tsai University of California, Berkeley Tor (The Onion Router) Anonymous network Poorly suited for censorship circumvention Including bridges + pluggable transports

577 views • 21 slides
Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly Creswell Crow-Applegate-Lorane Fern Ridge Junction City Lowell Mapleton Screened, but exempt from policies Marcola

539 views • 15 slides
Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3 State-independent interior operators Interior operator from HP recovery 6 5 Resolution of the puzzle Effect of infalling observer 7 Discussions Beni

1.61k views • 106 slides
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A firewall is only as good as its configuration Big deal, it should be easy to configure a firewall, right? Basically... no. A Quantitative

507 views • 14 slides
Shoddy Spares Customer Circumvention 18-849b Dependable Embedded Systems John DeVale April 1,

Shoddy Spares Customer Circumvention 18-849b Dependable Embedded Systems John DeVale April 1,

Shoddy Spares Customer Circumvention 18-849b Dependable Embedded Systems John DeVale April 1, 1999 (no kidding) Overview: Shoddy Spares, Customer Circumvention N Introduction Any design should take into consideration a customers desire

316 views • 10 slides
Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
Breakthrough silicon scanning discovers backdoor in military chip Sergei Skorobogatov,

Breakthrough silicon scanning discovers backdoor in military chip Sergei Skorobogatov,

Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Breakthrough silicon scanning discovers backdoor in military chip Sergei Skorobogatov, Christopher Woods

353 views • 20 slides
Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Chapter 8 Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security Devices Routers

291 views • 7 slides
The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J.

The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J.

The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and Shriram Krishnamurthi (Brown) 1 and other dens of iniquity 2 I dont really know whats

1.28k views • 115 slides
Click to edit Master title style SCALING NETWORK MONITORING IN A LARGE ENTERPRISE BroCon 2016

Click to edit Master title style SCALING NETWORK MONITORING IN A LARGE ENTERPRISE BroCon 2016

Click to edit Master title style SCALING NETWORK MONITORING IN A LARGE ENTERPRISE BroCon 2016 Austin, TX Click to edit Master title style Who am I? I work for Amazons Worldwide Consumer Information Security group What are we going to

526 views • 38 slides
Network Security Architecture CS461/ECE422 Computer Security I Fall 2008 Reading Material

Network Security Architecture CS461/ECE422 Computer Security I Fall 2008 Reading Material

Network Security Architecture CS461/ECE422 Computer Security I Fall 2008 Reading Material Computer Security chapter 26. Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin, and Rubin. New second

1.24k views • 50 slides
How to Hack Millions of Routers Craig Heffner Administrivia My overarching objective with

How to Hack Millions of Routers Craig Heffner Administrivia My overarching objective with

How to Hack Millions of Routers Craig Heffner Administrivia My overarching objective with this talk is to increase security awareness and serve as a catalyst for positive change I developed this paper and the conclusions reached and the

913 views • 89 slides
whoami Alec Stuart Muirk Network Security Architect Firewall Engineer Ruxcon

whoami Alec Stuart Muirk Network Security Architect Firewall Engineer Ruxcon

whoami Alec Stuart Muirk Network Security Architect Firewall Engineer Ruxcon attendee Security hobbist alec.stuart@gmail.com DISCLAIMER This research is not related to my job or current employer. This is purely an exercise

1.66k views • 111 slides
AFS Server Performance Comparisons Bo Tretta Kim Kimball Jet Propulsion Laboratory Information

AFS Server Performance Comparisons Bo Tretta Kim Kimball Jet Propulsion Laboratory Information

AFS Server Performance Comparisons Bo Tretta Kim Kimball Jet Propulsion Laboratory Information Services - FIL Service http://fil.jpl.nasa.gov SLAC AFS Best Practices Workshop March 24, 2004 JPLIS-FIL Server Performance Comparisons 1 n

701 views • 21 slides
Unveiling the Hidden Dangers of Public IP in 4G/LTE Networks Wai Kay Leong , Aditya Kulkarni, Yin

Unveiling the Hidden Dangers of Public IP in 4G/LTE Networks Wai Kay Leong , Aditya Kulkarni, Yin

Unveiling the Hidden Dangers of Public IP in 4G/LTE Networks Wai Kay Leong , Aditya Kulkarni, Yin Xu, Ben Leong Mobile Internet is Hot ot 2 Public IP Whats the deal? Subscribers want Public IP 3 M2M M2M Machine to Machine

555 views • 26 slides
Zentyal Linux small business server Julien Kerihuel Zentyal CTO 2013 [

Zentyal Linux small business server Julien Kerihuel Zentyal CTO 2013 [

Zentyal Linux small business server Julien Kerihuel Zentyal CTO 2013 [ jkerihuel@zentyal.com ] What is Zentyal? 2 of 26 Linux small business server www.zentyal.com 5/22/13 What is Zentyal? Linux server for SMBs Full-featured

369 views • 26 slides

More recommend