Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship



SLIDE 1

Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship

Zhongjie Wang, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth V Krishnamurthy University of California, Riverside


SLIDE 2

Internet Censorship

  • Key technology: Deep Packet Inspection (DPI)
  • Reconstruct TCP data flow
  • Examine application protocol fields

[Diagram: Alice sends "GET /badword HTTP/1.1\r\nHost: …" to a web server across several ASes; a stateful DPI box on the path reconstructs the IP, TCP and HTTP layers and keeps a TCB per connection (connection state, client SEQ num, payload data, …).]

SLIDE 3

Internet Censorship

  • Similar to a Network Intrusion Detection System (NIDS), it is inherently vulnerable:
  • Network reasons (small TTL, middleboxes)
  • End-host reasons (different TCP implementations, local firewall)

[Diagram: same path as SLIDE 2; on a keyword match the DPI box injects RST packets (two RSTs in the figure) into the connection.]

SLIDE 4

Our Study

  • The Great Firewall of China (GFW)
  • a sophisticated censorship system performing stateful DPI
  • has a long history of keyword-based content filtering on HTTP/DNS/IMAP/Tor/etc.
  • sends forged TCP RST packets to terminate the connection upon detection of a sensitive keyword
  • Goal: Measure the effectiveness of TCP-layer censorship evasion techniques on the GFW in practical settings

SLIDE 5

Prior Studies

  • NIDS
  • Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Ptacek et al. 1998.
  • GFW
  • Ignoring the Great Firewall of China. Clayton et al. 2006.
  • Towards Illuminating a Censorship Monitor’s Model to Facilitate Evasion. Khattak et al. 2013.

SLIDE 6

Our Contributions

  • First extensive measurement of TCP-layer evasion techniques on the GFW
  • Discovered new behaviors of the GFW
  • Our new evasion strategies achieve a >95% success rate, tested effective with HTTP/DNS/VPN/Tor traffic
  • INTANG, an open-source censorship evasion tool

SLIDE 7

Agenda

  • Overview
  • Background
  • Evaluation of Existing Evasion Strategies
  • Evolved GFW Behaviors
  • Evaluation of New Evasion Strategies
  • Discussion and Conclusion


SLIDE 8

Insertion/Evasion Packets

  • Insertion Packets: accepted by the GFW but dropped by the server
  • Evasion Packets: accepted by the server but dropped by the GFW
  • Basic Idea: De-synchronization
  • TCP states (LISTEN, ESTABLISHED)
  • Program states (SEQ num, win size)

SLIDE 9

Existing Evasion Strategies

[Figure: the two existing strategy families, TCB Creation (an insertion packet with a bad SEQ makes the GFW create a false TCB) and TCB Teardown (an insertion packet makes the GFW discard its TCB for the live connection).]

SLIDE 10

Agenda (repeat of SLIDE 7)

SLIDE 11

Measurement Setup

  • HTTP censorship
  • 77 Alexa top global sites
  • 11 vantage points
  • 9 cities, 3 ISPs (Tencent Cloud, Alibaba Cloud, China Unicom)
  • 50 times per test
  • Controlled experiments
  • Sensitive keyword: ultrasurf

[Map: vantage-point cities include Beijing, Shanghai, Guangzhou and Shenzhen]

SLIDE 12

Evaluation of Existing Strategies

[Chart; only the legend survived: Failure 1 - no resp. from server; Failure 2 - RST from GFW]

SLIDE 13

Why


SLIDE 14

Failure Analysis

[Figure: packet read/inject tooling on Windows, Linux and macOS]

Interference on Insertion Packets

                  Client-side Middlebox            Server-side Middlebox            Server
  Accept          Failure 1 (no resp. from svr)    Failure 1 (no resp. from svr)    Failure 1 (no resp. from svr)
  Drop            Failure 2 (RST from GFW)         No Interference                  No Interference

SLIDE 15

However, a large portion of the failure cases is still left unresolved

SLIDE 16

Agenda (repeat of SLIDE 7)

SLIDE 17

TCB Creation on SYN/ACK

  • TCB Creation

[Diagram: a SYN from 1.1.1.1:5555 to 2.2.2.2:6666 with SEQ 123. Prior behaviour: the GFW creates the TCB on the SYN (Client: 1.1.1.1:5555, Server: 2.2.2.2:6666, Client SEQ: 123). New behaviour: the GFW creates the TCB on the SYN/ACK and takes the SYN/ACK's sender as the server, so a SYN/ACK sent from 1.1.1.1:5555 to 2.2.2.2:6666 with SEQ:123, ACK:456 yields the TCB Client: 2.2.2.2:6666, Server: 1.1.1.1:5555, Client SEQ: 456.]

SLIDE 18

Re-synchronization

  • GFW now becomes “smarter”
  • GFW enters “re-sync” state upon seeing
  • Multiple SYN or
  • Multiple SYN/ACK or
  • SYN/ACK with incorrect ACK num


SLIDE 19

Re-synchronization

  • When in “re-sync” state, the GFW updates its client SEQ num using the next
  • SEQ num in a data packet from “client” to “server”
  • ACK num in a SYN/ACK packet from “server” to “client”

[Diagram: data packet (client to server) and SYN/ACK (server to client)]

SLIDE 20

Combined strategy: TCB Creation + Resync/Desync


SLIDE 21

Combined strategy: TCB Teardown + TCB Reversal

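The insertion/evasion idea of SLIDES 8 and 9 and the re-sync rules of SLIDES 18 and 19 can be watched in a toy model. The Python below is an added example, not code from the paper, from INTANG or from the GFW: the censor keeps one TCB per flow, matches a keyword over the stream it reconstructs, discards the TCB on a RST, enters re-sync on a repeated SYN and then adopts the SEQ of the next client data packet; the server drops expired and out-of-window packets and ignores a SYN once established. Hop counts, addresses, the sample request and the packet contents of the two strategies (a small-TTL RST for TCB Teardown; a repeated SYN followed by a far-out-of-window data packet for TCB Creation + Resync/Desync, which is this editor's reading of SLIDE 20) are assumptions. The model creates the TCB on the SYN only; SLIDE 17's creation on SYN/ACK and the TCB Reversal of SLIDE 21 are not modelled.

```python
"""Toy model of a stateful DPI censor (keyword match over the reconstructed client->server
stream) beside the real server.  Added illustration, not INTANG or GFW code: the censor's
rules follow SLIDES 8, 9, 18 and 19; strategy contents and hop counts are assumptions."""
from dataclasses import dataclass, replace
from typing import Optional

KEYWORD = b"badword"
HOPS_TO_CENSOR, HOPS_TO_SERVER = 3, 12   # assumed path: the censor sits close to the client

@dataclass
class Pkt:
    flags: str          # any of "S" (SYN), "A" (ACK), "R" (RST)
    seq: int
    data: bytes = b""
    ttl: int = 64

@dataclass
class Censor:   # one TCB per flow: the client SEQ expected next, plus the stream so far
    client_seq: Optional[int] = None   # None: no TCB for this flow
    resync: bool = False
    stream: bytes = b""
    alerts: int = 0

    def observe(self, p: Pkt) -> None:
        if "S" in p.flags:
            if self.client_seq is None:
                self.client_seq = p.seq + 1          # TCB creation on the SYN
            else:
                self.resync = True                   # SLIDE 18: repeated SYN -> "re-sync" state
            return
        if self.client_seq is None:
            return                                   # no TCB, nothing to reassemble
        if "R" in p.flags:
            self.client_seq, self.stream = None, b""  # TCB teardown
            return
        if self.resync and p.data:
            self.client_seq = p.seq                  # SLIDE 19: adopt the next data packet's SEQ
            self.resync = False
        if p.data and p.seq == self.client_seq:
            self.stream += p.data
            self.client_seq += len(p.data)
            if KEYWORD in self.stream:
                self.alerts += 1                     # the real GFW forges RSTs at this point

@dataclass
class Server:   # minimal receiver: LISTEN -> ESTABLISHED, strictly in-order delivery
    rcv_nxt: Optional[int] = None
    received: bytes = b""
    closed: bool = False

    def receive(self, p: Pkt) -> None:
        if p.ttl <= 0 or self.closed:
            return                                   # expired on the wire, or connection gone
        if self.rcv_nxt is None:
            if "S" in p.flags:
                self.rcv_nxt = p.seq + 1             # handshake abstracted: SYN/ACK not modelled
            return
        if "S" in p.flags:
            return                                   # SYN while ESTABLISHED: challenge ACK, no state change
        if p.seq != self.rcv_nxt:
            return                                   # out of window / out of order: not delivered
        if "R" in p.flags:
            self.closed = True
            return
        self.received += p.data
        self.rcv_nxt += len(p.data)

def send(p: Pkt, censor: Censor, server: Server) -> None:
    """Client -> censor -> server, with the TTL decremented per hop."""
    if p.ttl > HOPS_TO_CENSOR:
        censor.observe(p)
    server.receive(replace(p, ttl=p.ttl - HOPS_TO_SERVER))

def run(strategy):
    """Handshake, the strategy's extra packets, then the sensitive request.
    Returns (censor alerts, whether the server received the request intact)."""
    censor, server = Censor(), Server()
    isn = 1000
    send(Pkt("S", isn), censor, server)
    nxt = isn + 1
    for p in strategy(nxt):
        send(p, censor, server)
    request = b"GET /badword HTTP/1.1\r\nHost: example.org\r\n\r\n"   # constructed sample
    send(Pkt("A", nxt, request), censor, server)
    return censor.alerts, server.received == request

def no_evasion(nxt):
    return []

def rst_reaching_server(nxt):
    return [Pkt("R", nxt)]   # full-TTL RST: not an insertion packet, it kills the real connection

def tcb_teardown_small_ttl(nxt):
    return [Pkt("R", nxt, ttl=HOPS_TO_CENSOR + 2)]   # SLIDE 9: reaches the censor, expires before the server

def tcb_creation_resync_desync(nxt):
    # SLIDE 20 as read here: a second SYN puts the censor into re-sync; a data packet with a
    # far-out-of-window SEQ is dropped by the server but becomes the censor's client SEQ.
    return [Pkt("S", nxt - 1), Pkt("A", nxt + (1 << 30), b"x")]
```

run(no_evasion) gives one alert with the request delivered; the two strategies give no alert with the request still delivered; rst_reaching_server gives no alert but also no delivery, which is exactly why a RST that survives to the server is not an insertion packet. The model has no middleboxes: SLIDE 14's table is the reminder that a client-side NAT or firewall that drops the small-TTL RST before the censor sees it turns the teardown case back into Failure 2.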

SLIDE 22

New Insertion Packets

Expanding the arsenal


SLIDE 23

How to Find More Insertion Packets?

  • “Ignore” path analysis in the TCP receiving logic, plus differential testing against the GFW
  • “Ignore” path: a program execution path that does not change any TCP-related state, i.e. the packet is ignored (e.g. wrong checksum)
  • Test whether the GFW also ignores the packet; if it does not, the packet could be an insertion packet

SLIDE 24

Analyzing Linux TCP Implementation

  • Analysis of Linux kernel version 4.4 found the following candidate insertion packets
  • New effective insertion packet: TCP MD5 option header
  • Future work: automated discovery of insertion packets
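Two of the candidates on this slide and the previous one are easy to build by hand: a segment with a wrong checksum, and a segment carrying the TCP MD5 Signature option (RFC 2385, option kind 19), which a Linux receiver with no MD5 key configured for the peer discards as unexpected. The Python below is an added example, not INTANG code and not the paper's candidate list: it builds raw TCP segments with a correct pseudo-header checksum, produces both variants, and models the two Linux "ignore" paths in linux_ignore_reason(), which stands in for the kernel's checksum and MD5 checks rather than calling into them. Addresses, ports and the request line are constructed samples.

```python
"""Raw TCP segments for two of the "ignore path" candidates on SLIDES 23-24: a wrong
checksum, and the TCP MD5 Signature option (RFC 2385, kind 19).  Added illustration,
not INTANG code; linux_ignore_reason() stands in for the kernel's checks rather than
calling them, and addresses, ports and payload are constructed samples."""
import socket
import struct

FLAG_SYN, FLAG_RST, FLAG_ACK = 0x02, 0x04, 0x10
TCPOPT_MD5SIG = 19            # option kind 19, total length 18 (kind, len, 16-byte digest)

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as TCP uses it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))

def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"",
              options=b"", corrupt_checksum=False, window=65535) -> bytes:
    options += b"\x00" * (-len(options) % 4)             # pad options to a 32-bit boundary
    doff = 5 + len(options) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4, flags, window, 0, 0) + options
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    if corrupt_checksum:
        csum = (csum + 1) & 0xFFFF                        # off by one is enough to fail verification
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def verify_checksum(src_ip, dst_ip, segment: bytes) -> bool:
    """A correct segment sums to zero once its own checksum field is included."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0

def parse_options(segment: bytes):
    """Yield (kind, data) for each option between the fixed header and the data offset."""
    doff = (segment[12] >> 4) * 4
    opts, i = segment[20:doff], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                     # end of option list
            break
        if kind == 1:                                     # NOP
            i += 1
            continue
        length = opts[i + 1]
        yield kind, opts[i + 2:i + length]
        i += length

def md5_option(digest: bytes = bytes(16)) -> bytes:
    """TCP MD5 Signature option.  The digest value does not matter for insertion: a Linux
    receiver with no MD5 key configured for the peer drops the segment before checking it."""
    return bytes([TCPOPT_MD5SIG, 18]) + digest

def linux_ignore_reason(src_ip, dst_ip, segment: bytes):
    """Model of two Linux receive-path 'ignore' paths (bad checksum, unexpected MD5 option);
    None means the segment would reach normal TCP processing."""
    if not verify_checksum(src_ip, dst_ip, segment):
        return "bad checksum"
    if any(kind == TCPOPT_MD5SIG for kind, _ in parse_options(segment)):
        return "md5 option without key"
    return None
```

The MD5 variant keeps a valid checksum, so a censor that only validates checksums and does not parse options reassembles it as ordinary data, while the Linux receiver drops it (on kernels built with CONFIG_TCP_MD5SIG, which is the usual distribution configuration). To put either segment on the wire you would prepend an IP header and send it through a raw socket; a small IP TTL, as in SLIDE 9, is the IP-layer counterpart of these TCP-layer tricks.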

SLIDE 25

Agenda (repeat of SLIDE 7)

SLIDE 26

INTANG - Extensible Measurement Tool

[Figure: INTANG and its components, including a UDP DNS <-> TCP DNS converter]

SLIDE 27

INTANG - Extensible Measurement Tool

INTANG and its components

Callbacks for each strategy:

  • setup()
  • teardown()
  • process_syn()
  • process_synack()
  • process_request()


SLIDE 28

Evaluation

  • Evaluation in both directions (inbound & outbound China)
  • High success rate of >95% for outbound; low inbound success rate due to the close distance between server and GFW
  • INTANG performance: automatically chooses the best strategy based on historical results, success rate 98%

[Plots: success rate per strategy, outbound and inbound]

SLIDE 29

Case Study - DNS/Tor/VPN

  • Public DNS resolvers outside China
  • Google DNS: IP-blocked
  • OpenDNS: not censored
  • Dyn DNS: censored, 98%+ success rate with INTANG
  • Private Tor relay: 100% success rate with INTANG
  • Private OpenVPN server: occasionally censored, can be bypassed with INTANG when censored

SLIDE 30

Agenda (repeat of SLIDE 7)

SLIDE 31

Discussion & Limitation

  • GFW Countermeasures
  • Hard to be fully immune to insertion packets
  • May use the server’s ACK as feedback, but still vulnerable to data reassembly strategies
  • Limitation
  • Unable to fully understand some of the failure cases due to the blackbox nature of the GFW
  • Complexity and inconsistency of GFW behaviors

SLIDE 32

Conclusion

  • We conduct an extensive measurement of the effectiveness of existing TCP-layer evasion techniques against the GFW, and find that most of them no longer work
  • Middleboxes (including NATs and firewalls) have significant interference on the insertion packets
  • We discover new behaviors of the GFW and propose new evasion strategies that can bypass these behaviors
  • We evaluate our new strategies and demonstrate a high success rate of 95%+

SLIDE 33

Q&A

  • Zhongjie Wang <zwang048@ucr.edu>
  • Github: https://github.com/seclab-ucr/INTANG
