682 research outputs found
Systemization of Pluggable Transports for Censorship Resistance
An increasing number of countries implement Internet censorship at different
scales and for a variety of reasons. In particular, the link between the
censored client and entry point to the uncensored network is a frequent target
of censorship due to the ease with which a nation-state censor can control it.
A number of censorship resistance systems have been developed thus far to help
circumvent blocking on this link, which we refer to as link circumvention
systems (LCs). The variety and profusion of attack vectors available to a
censor has led to an arms race, leading to a dramatic speed of evolution of
LCs. Despite their inherent complexity and the breadth of work in this area,
there is no systematic way to evaluate link circumvention systems and compare
them against each other. In this paper, we (i) sketch an attack model to
comprehensively explore a censor's capabilities, (ii) present an abstract model
of a LC, a system that helps a censored client communicate with a server over
the Internet while resisting censorship, (iii) describe an evaluation stack
that underscores a layered approach to evaluate LCs, and (iv) systemize and
evaluate existing censorship resistance systems that provide link
circumvention. We highlight open challenges in the evaluation and development
of LCs and discuss possible mitigations.Comment: Content from this paper was published in Proceedings on Privacy
Enhancing Technologies (PoPETS), Volume 2016, Issue 4 (July 2016) as "SoK:
Making Sense of Censorship Resistance Systems" by Sheharbano Khattak, Tariq
Elahi, Laurent Simon, Colleen M. Swanson, Steven J. Murdoch and Ian Goldberg
(DOI 10.1515/popets-2016-0028
Measuring CDNs susceptible to Domain Fronting
Domain fronting is a network communication technique that involves leveraging
(or abusing) content delivery networks (CDNs) to disguise the final destination
of network packets by presenting them as if they were intended for a different
domain than their actual endpoint. This technique can be used for both benign
and malicious purposes, such as circumventing censorship or hiding
malware-related communications from network security systems. Since domain
fronting has been known for a few years, some popular CDN providers have
implemented traffic filtering approaches to curb its use at their CDN
infrastructure. However, it remains unclear to what extent domain fronting has
been mitigated.
To better understand whether domain fronting can still be effectively used,
we propose a systematic approach to discover CDNs that are still prone to
domain fronting. To this end, we leverage passive and active DNS traffic
analysis to pinpoint domain names served by CDNs and build an automated tool
that can be used to discover CDNs that allow domain fronting in their
infrastructure. Our results reveal that domain fronting is feasible in 22 out
of 30 CDNs that we tested, including some major CDN providers like Akamai and
Fastly. This indicates that domain fronting remains widely available and can be
easily abused for malicious purposes
Recommended from our members
TOWARDS RELIABLE CIRCUMVENTION OF INTERNET CENSORSHIP
The Internet plays a crucial role in today\u27s social and political movements by facilitating the free circulation of speech, information, and ideas; democracy and human rights throughout the world critically depend on preserving and bolstering the Internet\u27s openness. Consequently, repressive regimes, totalitarian governments, and corrupt corporations regulate, monitor, and restrict the access to the Internet, which is broadly known as Internet \emph{censorship}. Most countries are improving the internet infrastructures, as a result they can implement more advanced censoring techniques. Also with the advancements in the application of machine learning techniques for network traffic analysis have enabled the more sophisticated Internet censorship. In this thesis, We take a close look at the main pillars of internet censorship, we will introduce new defense and attacks in the internet censorship literature.
Internet censorship techniques investigate users’ communications and they can decide to interrupt a connection to prevent a user from communicating with a specific entity. Traffic analysis is one of the main techniques used to infer information from internet communications. One of the major challenges to traffic analysis mechanisms is scaling the techniques to today\u27s exploding volumes of network traffic, i.e., they impose high storage, communications, and computation overheads. We aim at addressing this scalability issue by introducing a new direction for traffic analysis, which we call \emph{compressive traffic analysis}. Moreover, we show that, unfortunately, traffic analysis attacks can be conducted on Anonymity systems with drastically higher accuracies than before by leveraging emerging learning mechanisms. We particularly design a system, called \deepcorr, that outperforms the state-of-the-art by significant margins in correlating network connections. \deepcorr leverages an advanced deep learning architecture to \emph{learn} a flow correlation function tailored to complex networks. Also to be able to analyze the weakness of such approaches we show that an adversary can defeat deep neural network based traffic analysis techniques by applying statistically undetectable \emph{adversarial perturbations} on the patterns of live network traffic.
We also design techniques to circumvent internet censorship. Decoy routing is an emerging approach for censorship circumvention in which circumvention is implemented with help from a number of volunteer Internet autonomous systems, called decoy ASes. We propose a new architecture for decoy routing that, by design, is significantly stronger to rerouting attacks compared to \emph{all} previous designs. Unlike previous designs, our new architecture operates decoy routers only on the downstream traffic of the censored users; therefore we call it \emph{downstream-only} decoy routing. As we demonstrate through Internet-scale BGP simulations, downstream-only decoy routing offers significantly stronger resistance to rerouting attacks, which is intuitively because a (censoring) ISP has much less control on the downstream BGP routes of its traffic. Then, we propose to use game theoretic approaches to model the arms races between the censors and the censorship circumvention tools. This will allow us to analyze the effect of different parameters or censoring behaviors on the performance of censorship circumvention tools. We apply our methods on two fundamental problems in internet censorship.
Finally, to bring our ideas to practice, we designed a new censorship circumvention tool called \name. \name aims at increasing the collateral damage of censorship by employing a ``mass\u27\u27 of normal Internet users, from both censored and uncensored areas, to serve as circumvention proxies
QUICstep: Circumventing QUIC-based Censorship
Governments around the world limit free and open communication on the
Internet through censorship. To reliably identify and block access to certain
web domains, censors inspect the plaintext TLS SNI field sent in TLS
handshakes. With QUIC rapidly displacing TCP as the dominant transport-layer
protocol on the web, censorship regimes have already begun prosecuting network
traffic delivered over QUIC. With QUIC censorship poised to expand, censorship
circumvention tools must similarly adapt. We present QUICstep, a
censorship-resilient, application-agnostic, performant, and easy-to-implement
approach to censorship circumvention in the QUIC era. QUICstep circumvents TLS
SNI censorship by conducting a QUIC-TLS handshake over an encrypted tunnel to
hide the SNI field from censors and performs connection migration to resume the
QUIC session in plain sight of the censor. Our evaluation finds that QUICstep
successfully establishes QUIC sessions in the presence of a proof-of-concept
censor with minimal latency overhead
- …