112 research outputs found
A Churn for the Better: Localizing Censorship using Network-level Path Churn and Network Tomography
Recent years have seen the Internet become a key vehicle for citizens around
the globe to express political opinions and organize protests. This fact has
not gone unnoticed, with countries around the world repurposing network
management tools (e.g., URL filtering products) and protocols (e.g., BGP, DNS)
for censorship. However, repurposing these products can have unintended
international impact, which we refer to as "censorship leakage". While there
have been anecdotal reports of censorship leakage, there has yet to be a
systematic study of censorship leakage at a global scale. In this paper, we
combine a global censorship measurement platform (ICLab) with a general-purpose
technique -- boolean network tomography -- to identify which AS on a network
path is performing censorship. At a high level, our approach exploits BGP churn
to narrow down the set of potential censoring ASes by over 95%. We exactly
identify 65 censoring ASes and find that the anomalies introduced by 24 of the
65 censoring ASes have an impact on users located in regions outside the
jurisdiction of the censoring AS, resulting in the leaking of regional
censorship policies
ICLab: A Global, Longitudinal Internet Censorship Measurement Platform
Researchers have studied Internet censorship for nearly as long as attempts
to censor contents have taken place. Most studies have however been limited to
a short period of time and/or a few countries; the few exceptions have traded
off detail for breadth of coverage. Collecting enough data for a comprehensive,
global, longitudinal perspective remains challenging. In this work, we present
ICLab, an Internet measurement platform specialized for censorship research. It
achieves a new balance between breadth of coverage and detail of measurements,
by using commercial VPNs as vantage points distributed around the world. ICLab
has been operated continuously since late 2016. It can currently detect DNS
manipulation and TCP packet injection, and overt "block pages" however they are
delivered. ICLab records and archives raw observations in detail, making
retrospective analysis with new techniques possible. At every stage of
processing, ICLab seeks to minimize false positives and manual validation.
Within 53,906,532 measurements of individual web pages, collected by ICLab in
2017 and 2018, we observe blocking of 3,602 unique URLs in 60 countries. Using
this data, we compare how different blocking techniques are deployed in
different regions and/or against different types of content. Our longitudinal
monitoring pinpoints changes in censorship in India and Turkey concurrent with
political shifts, and our clustering techniques discover 48 previously unknown
block pages. ICLab's broad and detailed measurements also expose other forms of
network interference, such as surveillance and malware injection.
Comment: To appear in Proceedings of the 41st IEEE Symposium on Security and
Privacy (Oakland 2020). San Francisco, CA. May 202
Measuring and Evading Turkmenistan's Internet Censorship: A Case Study in Large-Scale Measurements of a Low-Penetration Country
Since 2006, Turkmenistan has been listed as one of the few Internet enemies
by Reporters without Borders due to its extensively censored Internet and
strictly regulated information control policies. Existing reports of filtering
in Turkmenistan rely on a small number of vantage points or test a small number
of websites. Yet, the country's poor Internet adoption rates and small
population can make more comprehensive measurement challenging. With a
population of only six million people and an Internet penetration rate of only
38%, it is challenging to either recruit in-country volunteers or obtain
vantage points to conduct remote network measurements at scale.
We present the largest measurement study to date of Turkmenistan's Web
censorship. To do so, we developed TMC, which tests the blocking status of
millions of domains across the three foundational protocols of the Web (DNS,
HTTP, and HTTPS). Importantly, TMC does not require access to vantage points in
the country. We apply TMC to 15.5M domains; our results reveal that
Turkmenistan censors more than 122K domains, using different blocklists for
each protocol. We also reverse-engineer these censored domains, identifying 6K
over-blocking rules causing incidental filtering of more than 5.4M domains.
Finally, we use Geneva, an open-source censorship evasion tool, to discover
five new censorship evasion strategies that can defeat Turkmenistan's
censorship at both transport and application layers. We will publicly release
both the data collected by TMC and the code for censorship evasion.
Comment: To appear in Proceedings of The 2023 ACM Web Conference (WWW 2023)
Advanced Network Inference Techniques Based on Network Protocol Stack Information Leaks
Side channels are channels of implicit information flow that can be used to find out information that is not allowed to flow through explicit channels. This thesis focuses on network side channels, where information flow occurs in the TCP/IP network stack implementations of operating systems. I will describe three new types of idle scans: a SYN backlog idle scan, a RST rate-limit idle scan, and a hybrid idle scan. Idle scans are special types of side channels that are designed to help someone performing a network measurement (typically an attacker or a researcher) to infer something about the network that they are not otherwise able to see from their vantage point. The thesis that this dissertation tests is this: because modern network stacks have shared resources, there is a wealth of information that can be inferred off-path by both attackers and Internet measurement researchers. With respect to attackers, no matter how carefully the security model is designed, the non-interference property is unlikely to hold, i.e., an attacker can easily find side channels of information flow to learn about the network from the perspective of the system remotely. One suggestion is that trust relationships for using resources be made explicit all the way down to IP layer with the goal of dividing resources and removing sharedness to prevent advanced network reconnaissance. With respect to Internet measurement researchers, in this dissertation I show that the information flow is rich enough to test connectivity between two arbitrary hosts on the Internet and even infer in which direction any blocking is occurring. To explore this thesis, I present three research efforts:
First, I modeled a typical TCP/IP network stack. The building process for this modeling effort led to the discovery of two new idle scans: a SYN backlog idle scan and a RST rate-limited idle scan. The SYN backlog scan is particularly interesting because it does not require whoever is performing the measurements (i.e., the attacker or researcher) to send any packets to the victim (or target) at all.
Second, I developed a hybrid idle scan that combines elements of the SYN backlog idle scan with Antirez's original IPID-based idle scan. This scan enables researchers to test whether two arbitrary machines in the world are able to communicate via TCP/IP, and, if not, in which direction the communication is being prevented. To test the efficacy of the hybrid idle scan, I tested three different kinds of servers (Tor bridges, Tor directory servers, and normal web servers) both inside and outside China. The results were congruent with published understandings of global Internet censorship, demonstrating that the hybrid idle scan is effective.
Third, I applied the hybrid idle scan to the difficult problem of characterizing inconsistencies in the Great Firewall of China (GFW), which is the largest firewall in the world. This effort resolved many open questions about the GFW. The result of my dissertation work is an effective method for measuring Internet censorship around the world, without requiring any kind of distributed measurement platform or access to any of the machines that connectivity is tested to or from
Mending Wall: On the Implementation of Censorship in India
This paper presents a study of the Internet infrastructure in India from the point of view of censorship. First, we show that the current state of affairs — where each ISP implements its own content filters (nominally as per a governmental blacklist) — results in dramatic differences in the censorship experienced by customers. In practice, a well-informed Indian citizen can escape censorship through a judicious choice of service provider. We then consider the question of whether India might potentially follow the Chinese model and institute a single, government-controlled filter. This would not be difficult, as the Indian Internet is quite centralized already. A few “key” ASes (≈ 1% of Indian ASes) collectively intercept ≈ 95% of paths to the censored sites we sample in our study, and also to all publicly-visible DNS servers. 5,000 routers spanning these key ASes would suffice to carry out IP or DNS filtering for the entire country; ≈ 70% of these routers belong to only two private ISPs. If the government is willing to employ more powerful measures, such as an IP Prefix Hijacking attack, any one of several key ASes can censor traffic for nearly all Indian users. Finally, we demonstrate that such federated censorship by India would cause substantial collateral damage to non-Indian ASes whose traffic passes through Indian cyberspace (which do not legally come under Indian jurisdiction at all)
Internet censorship in the European Union
This thesis deals with Internet censorship within the EU, and in particular
with its technical implementation, that is, with the blocking methods and
filtering infrastructures applied in various EU countries. In addition to a
description of some methods and infrastructures, it examines their use for
information control and the blocking of access to websites and other network
services available on the Internet. The thesis is divided into three parts.
First, cases of Internet censorship in various EU countries are examined, in
particular in Greece, Cyprus, and Spain. Subsequently, a new testing
methodology for determining censorship by means of some applications available
in mobile stores is presented. Furthermore, all 27 EU countries are analyzed on
the basis of historical network measurements collected by volunteer users of
OONI from around the world, publicly accessible blocklists of the EU member
states, and reports from network regulators in the respective country.
This is a thesis on Internet censorship in the European Union (EU),
specifically regarding the technical implementation of blocking methodologies
and filtering infrastructure in various EU countries. The analysis examines the
use of this infrastructure for information controls and the blocking of access
to websites and other network services available on the Internet. The thesis
follows a three-part structure. Firstly, it examines the cases of Internet
censorship in various EU countries, specifically Greece, Cyprus, and Spain.
Subsequently, this paper presents a new testing methodology for determining
censorship of mobile store applications. Additionally, it analyzes all 27 EU
countries using historical network measurements collected by Open Observatory
of Network Interference (OONI) volunteers from around the world, publicly
available blocklists used by EU member states, and reports issued by network
regulators in each country