The Collateral Damage of Internet Censorship by DNS Injection - PowerPoint PPT Presentation
  1. The Collateral Damage of Internet Censorship by DNS Injection
     Anonymous <zion.vlab@gmail.com>, presented by Philip Levis

  2. Basic Summary
     • Great Firewall of China injects DNS responses to restrict access to domain names
     • This affects traffic originating outside China
       ‣ 26.4% of open resolvers affected
       ‣ .de is the most affected TLD (70% of open resolvers in kr)
     • Explain how, where, and why this happens
     • Present several possible solutions
     SIGCOMM 2012

  3. Just To Be Clear
     This talk assumes that the Great Firewall of China is not designed to restrict Internet access to computers outside of China.
     "Collateral damage" means restricting access to computers outside China.

  4. DNS Overview
     root                    .
     top level domain (TLD)  .com, .edu, .cn, .de
     domain (authoritative)  stanford.edu, baidu.cn
     A client asks its resolver "www.stanford.edu?". The figure is built up in steps ① to ④: the resolver walks the hierarchy across the Internet (root, TLD server, authoritative server) and the client receives the answer 171.53.10.4.

  13-17. DNS Injection
     A client sends "www.youtube.com?" to its resolver. The resolver's query to the DNS server crosses a censoring AS, where a DNS injector answers with a lemon IP.
     • Typically affects both inbound and outbound queries.
     • Typically does not suppress the "correct" response, just wins the race to respond.
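The race described on the slides means a resolver or measurement client sees two answers for one transaction ID, and the injected one usually arrives first. The following is an added example (Python, not code from the talk or the paper): a minimal DNS wire-format builder and parser that labels a reply the way the talk's lemon-IP check does. The lemon addresses and the "good" address are constructed TEST-NET placeholders, since the slides do not list the 28 real lemon IPs; build_a_response exists only so the sample injected reply can be constructed offline.

```python
import random
import socket
import struct

# Constructed placeholder "lemon" addresses (TEST-NET ranges). The talk reports
# 28 real lemon IPs but does not list them, so these are assumptions for the demo.
LEMON_IPS = {"203.0.113.7", "198.51.100.21"}


def encode_name(name):
    """Encode a dotted name into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=None):
    """Build a standard recursive A query; returns (txid, wire bytes)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return txid, header + encode_name(name) + struct.pack("!HH", 1, 1)  # A, IN


def build_a_response(txid, name, ip, ttl=300):
    """Build a minimal reply with one A record (used here only to construct samples)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # Answer name is a compression pointer to the question name at offset 12.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data):
    """Parse header, question and A answers; returns txid, rcode, qname, answers."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset, qname = 12, None
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        offset += 4  # qtype, qclass
    answers = []
    for _ in range(an):
        _, offset = decode_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return {"txid": txid, "rcode": flags & 0xF, "qname": qname, "answers": answers}


def classify_response(data, expected_txid, lemon_ips=LEMON_IPS):
    """'mismatch' (wrong txid), 'injected' (a lemon IP in the answer) or 'clean'."""
    parsed = parse_response(data)
    if parsed["txid"] != expected_txid:
        return "mismatch"
    if any(ip in lemon_ips for ip in parsed["answers"]):
        return "injected"
    return "clean"


if __name__ == "__main__":
    txid, wire = build_query("www.facebook.com")
    # Two replies for the same txid, as in the race on the slides: the injected
    # one (lemon IP) and the real one (constructed placeholder 192.0.2.10).
    for reply in (build_a_response(txid, "www.facebook.com", "203.0.113.7"),
                  build_a_response(txid, "www.facebook.com", "192.0.2.10")):
        print(parse_response(reply)["answers"], classify_response(reply, txid))
```

The check is deliberately two-stage: a reply whose transaction ID does not match is discarded before its answers are even considered, and only then is the answer compared against the lemon list built from HoneyQuery results.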

  18. Methodology
     • HoneyQueries to detect the paths, and the autonomous systems on them, that see DNS injection
     • TraceQueries to identify the location of injectors on affected paths
     • StepNXQueries to measure the collateral damage of DNS injection

  19. HoneyQuery
     • HoneyQuery: DNS query to sensitive domains, sent to an unresponsive IP
       ‣ Assumption: all observed DNS responses are from DNS injectors
     • Send from a single vantage point (AS 40676)
       ‣ 14 million IPs that cover all /24 subnets
       ‣ Paths spread to discover all injecting autonomous systems
     • Record IPs in responses: lemon IPs

  20. Probed Domain Names
     Category          Domain
     Search Engine     www.google.com
     Social Network    www.facebook.com
     Social Network    www.twitter.com
     Streaming Media   www.youtube.com
     Portal            www.yahoo.com
     Web Hosting       www.appspot.com
     Pornography       www.xxx.com
     Site Ranking      www.urltrends.com
     Portal            www.live.com
     Reference         www.wikipedia.com

  21. Blacklisted Domains
     (the same table of ten probed domains as slide 20, now shown as blacklisted)

  22. HoneyQuery Results
     • 28 lemon IPs found
       ‣ Use later to detect injected responses
     • 388,988 (2.7%) of HoneyQueries responded
       ‣ Use to generate poisoned path list
     Top 5 of 16 regions
     Destination  Count    Percentage
     CN           388,206  99.80%
     CA           363      0.09%
     US           127      0.03%
     HK           111      0.03%
     IN           94       0.02%
     • Why are paths to IP addresses outside of China experiencing DNS injection?

  23. TraceQuery
     • For each IP address in the poisoned path list, send a DNS query to a blacklisted domain with increasing TTL
       ‣ Queries which reach an injector will trigger a response
     • Mark the IP address and autonomous system of the router for the TTL that triggers the response
       ‣ Sometimes queries trigger multiple responses, from multiple injectors

  24-30. Example
     A query "www.facebook.com?" is sent along the path AS1, AS2, AS3, AS4 with increasing TTL. The responses observed as the TTL grows are: lemon IP; then lemon IP, lemon IP; then lemon IP, lemon IP, good IP. Two injectors, Injector A and Injector B, are located on the path between AS1 and AS4.
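The example above is one run of the TTL-stepping procedure from slide 23. The following is an added example (Python, not code from the talk or the paper) of the general algorithm: it raises the TTL one hop at a time, counts how many injected answers a probe draws, and attributes each newly appearing injected answer to the router and AS at that hop, stopping once a real answer arrives. The hop table, the router addresses (TEST-NET placeholders) and the simulated probe are constructed so the block runs offline; in practice the hop table would come from the traceroute view of the path, which is an assumption about how it is obtained.

```python
# Constructed hop table for the slides' example path: TTL -> (router IP, AS).
HOPS = {1: ("192.0.2.1", "AS1"), 2: ("192.0.2.2", "AS2"),
        3: ("192.0.2.3", "AS3"), 4: ("192.0.2.4", "AS4")}
LEMON_IPS = {"203.0.113.7", "198.51.100.21"}  # constructed placeholders
GOOD_IP = "192.0.2.80"                         # constructed stand-in for the real answer


def make_simulated_probe(injector_hops, server_hop):
    """Return probe(ttl) modelling the slides' example: every injector at a hop the
    packet reaches answers with a lemon IP, and the real server answers once the
    packet reaches it. Lemon IPs are handed out round-robin to the injectors."""
    lemons = sorted(LEMON_IPS)

    def probe(ttl):
        answers = [lemons[i % len(lemons)]
                   for i, hop in enumerate(sorted(injector_hops)) if hop <= ttl]
        if ttl >= server_hop:
            answers.append(GOOD_IP)
        return answers

    return probe


def locate_injectors(probe, hops, lemon_ips, max_ttl=30):
    """TraceQuery stepping: send the blacklisted query with TTL 1, 2, ... and record
    the hop at which each additional injected response first appears.
    Returns [(ttl, router_ip, asn, number_of_new_injectors)]; stops once a
    non-lemon answer shows the packet has reached the real server."""
    located, seen = [], 0
    for ttl in range(1, max_ttl + 1):
        answers = probe(ttl)
        injected = sum(1 for ip in answers if ip in lemon_ips)
        if injected > seen:
            router_ip, asn = hops.get(ttl, ("?", "?"))
            located.append((ttl, router_ip, asn, injected - seen))
            seen = injected
        if any(ip not in lemon_ips for ip in answers):
            break
    return located


if __name__ == "__main__":
    # Injector A at hop 2 (AS2), Injector B at hop 3 (AS3), real server reached at hop 4.
    probe = make_simulated_probe([2, 3], server_hop=4)
    for ttl in range(1, 5):
        print(f"TTL {ttl}: {probe(ttl)}")
    print(locate_injectors(probe, HOPS, LEMON_IPS))
```

Counting injected answers rather than just checking for their presence is what separates two injectors at different hops from one injector, and it also handles two injectors behind the same router (reported as one hop with two new injectors).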

  31. TraceQuery Results
     • Found 3,120 router IP addresses associated with DNS injection
     • All 3,120 IP addresses belong to 39 Chinese autonomous systems
     Top 5 ASes by router IP count
     AS Name                          AS Number  IPs
     Chinanet                         4134       1952
     CNCGroup China169 Backbone       4837       489
     China Telecom (Group)            4812       289
     CHINA RAILWAY Internet (CRNEt)   9394       78
     China Netcom Corp.               9929       67
     • How much does this affect the Internet?

  32. Methodology
     • Tested 43,842 open DNS resolvers in 173 countries outside of China
       ‣ List from probing DNS servers of Alexa 1M top websites
       ‣ Supplemented by lists from researchers
     • Query for a blacklisted domain from the vantage point, check if the response is a lemon IP
       ‣ Test the blacklisted name for all 312 TLDs
       ‣ Also, check against TCP-based DNS queries (injectors do not target DNS queries over TCP)

  33. StepNX Query
     • To identify where injection occurs, inject random strings into the domain name
       ‣ Injectors use very liberal pattern matching
       ‣ Generate invalid names, expect NXDOMAIN response
       ‣ www.facebook.com.{INVALID}: path to root server
       ‣ www.facebook.com.{INVALID}.com: path to TLD server
       ‣ Repeat 200 times to try different servers/paths
     Which resolution step sees injection
     DNS Level      Affected Resolvers  Affected Rate
     Root           1                   0.002%
     TLD            11573               26.4%
     Authoritative  99                  0.23%
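The following is an added example (Python, not code from the talk or the paper) that ties the StepNX construction on this slide to the TCP cross-check on slide 32. It builds the two probe names (root-level and TLD-level) for a blacklisted domain, decides per level whether repeated UDP probes drew a lemon answer where NXDOMAIN was expected, uses the TCP result to confirm on-path injection, and summarises the result in the shape of this slide's table. The resolver observations, lemon IPs (TEST-NET placeholders) and the rule that a lemon answer over both transports is left unconfirmed are all constructed assumptions for the demo.

```python
import secrets
import string

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
ALPHABET = string.ascii_lowercase + string.digits


def random_label(length=10):
    """Random label no zone will contain, so the honest answer is NXDOMAIN."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def stepnx_names(blacklisted="www.facebook.com", tld="com"):
    """The two StepNX probe names from the talk for one blacklisted domain.
    root: <blacklisted>.<random>        exercises the resolver's path to a root server
    tld:  <blacklisted>.<random>.<tld>  exercises the resolver's path to the TLD server
    Both still contain the blacklisted string that liberal injector matching keys on."""
    label = random_label()
    return {"root": f"{blacklisted}.{label}", "tld": f"{blacklisted}.{label}.{tld}"}


def level_sees_injection(observations, lemon_ips):
    """observations: list of (rcode, answer_ips) from repeated probes of one level.
    Any lemon IP in an answer means an injector sits on the path to that level."""
    return any(ip in lemon_ips for _, ips in observations for ip in ips)


def resolver_report(resolver, lemon_ips):
    """resolver: {"udp": {level: observations}, "tcp": {level: observations}}.
    Injectors do not target TCP queries, so a lemon answer over UDP that becomes
    NXDOMAIN over TCP is confirmed on-path injection. A lemon answer over both
    transports is left unconfirmed (assumption: the resolver itself holds the bad
    answer, which the TCP probe cannot distinguish from injection of this query)."""
    udp = {lvl: level_sees_injection(obs, lemon_ips) for lvl, obs in resolver["udp"].items()}
    tcp = {lvl: level_sees_injection(obs, lemon_ips) for lvl, obs in resolver.get("tcp", {}).items()}
    confirmed = {lvl: flag and not tcp.get(lvl, False) for lvl, flag in udp.items()}
    return {"udp": udp, "confirmed": confirmed}


def affected_rates(resolvers, lemon_ips):
    """Per DNS level: (resolvers with confirmed injection, affected rate in %),
    the shape of the talk's 'DNS Level / Affected Resolvers / Affected Rate' table."""
    total = len(resolvers)
    if not total:
        return {}
    levels = sorted({lvl for r in resolvers for lvl in r["udp"]})
    counts = dict.fromkeys(levels, 0)
    for r in resolvers:
        for lvl, flag in resolver_report(r, lemon_ips)["confirmed"].items():
            counts[lvl] += int(flag)
    return {lvl: (n, round(100.0 * n / total, 2)) for lvl, n in counts.items()}


# Constructed sample: four open resolvers probed twice per level over UDP, once over TCP.
LEMON_IPS = {"203.0.113.7", "198.51.100.21"}
NX = (RCODE_NXDOMAIN, [])
LEMON = (RCODE_NOERROR, ["203.0.113.7"])
SAMPLE_RESOLVERS = [
    {"udp": {"root": [NX, NX], "tld": [LEMON, NX]},        # injection on path to TLD server
     "tcp": {"root": [NX], "tld": [NX]}},
    {"udp": {"root": [NX, NX], "tld": [NX, NX]},           # clean
     "tcp": {"root": [NX], "tld": [NX]}},
    {"udp": {"root": [LEMON, NX], "tld": [LEMON, LEMON]},  # both paths cross an injector
     "tcp": {"root": [NX], "tld": [NX]}},
    {"udp": {"root": [NX, NX], "tld": [LEMON, LEMON]},     # lemon over TCP too: unconfirmed
     "tcp": {"root": [NX], "tld": [LEMON]}},
]

if __name__ == "__main__":
    print(stepnx_names())
    for lvl, (n, rate) in affected_rates(SAMPLE_RESOLVERS, LEMON_IPS).items():
        print(f"{lvl:5} affected resolvers: {n}  affected rate: {rate}%")
```

Repeating the probe with a fresh random label each time is what lets the 200 repetitions on the slide reach different servers and paths; a single label would be cached by the resolver and would exercise one path only.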


  35. Who's Affected?
     • 3 TLDs affected almost completely (99.53%)
       ‣ cn, xn--fiqs8s, xn--fiqz9s
       ‣ Expected: domains from within Great Firewall of China
     • 11,573 (26.4%) of resolvers affected for one or more of 16 unexpected TLDs
     16 unexpected TLDs affected by DNS injection on path from an open resolver
     TLD           Affected Resolvers
     de            8192
     xn--3e0b707e  5641
     kr            4842
     kp            384
     co            90
     travel        90
     pl            90
     no            90
     iq            90
     hk            90
     fi            90
     uk            90
     xn--j6w193g   90
     jp            90
     nz            90
     ca            90

  36. Whose Resolvers?
     Open resolvers in 109 regions affected
     Top 6 regions by affected open resolver percentage
     Region     Affected Resolvers  Percentage
     Iran       157                 88%
     Myanmar    163                 85%
     Korea      198                 79%
     Hong Kong  403                 75%
     Taiwan     1146                66%
     India      250                 60%

  37. Details: .de
     10 regions whose open resolvers are most greatly affected for .de queries
     Region  Resolvers Affected
     kr      76%
     my      66%
     hk      54%
     ar      44%
     il      42%
     ir      36%
     tw      36%
     bg      31%
     jp      28%
     ro      25%

  38. Example .de Injection
     [Figure: AS-level paths involved in .de injection; the path edges are not recoverable from the slide text. ASes shown: AS9700 KRNIC-AS-KR; AS4641 ASN-CUHKNET (HK); AS8763 DENIC-AS DENIC eG (DE); AS6939 Hurricane Electric (US); AS3549 GBLX Global Crossing (US); AS10026 Pacnet Global (HK); AS4635 HKIX-RS1 (HK); AS3356 LEVEL3 (US); AS7497 CSTNET-AS-AP (CN); AS39737 Net Vision Telcom SRL (RO); AS1280 ISC (US); AS24151 CNNIC CRITICAL-AP; AS4847 CNIX-AP (CN); AS31529 DENIC eG (DE); AS23596 EDNSKR1 NIDA (KR); AS24136 CNNIC-AP; and a group labelled "ASes in China...".]
