A Churn for the Better Localizing Censorship using Network‐level Path Churn and Network Tomography Shinyoung Cho , Rishab Nithyanand, Abbas Razaghpanah, Phillipa Gill
• Citizen relying on the Internet for dissemination of information and organizing political actions Facebook GFW China 2
• Citizen relying on the Internet for dissemination of information and organizing political actions In 2010, China censorship leaked outside Great Firewall via root server Facebook GFW China Chile Root server 3
• Citizen relying on the Internet for dissemination of information and organizing political actions In 2010, China censorship leaked outside Great Firewall via root server Facebook GFW China Root server Chile Root server 4
• Citizen relying on the Internet for dissemination of information and organizing political actions In 2010, China censorship leaked outside Great Firewall via root server Facebook GFW China Root server Chile Root server 5
• Citizen relying on the Internet for dissemination of information and organizing political actions In 2010, China censorship leaked outside Great Firewall via root server Facebook GFW China Root server Chile Root server Fake address 6
• Citizen relying on the Internet for dissemination of information and organizing political actions • Many anecdotes of *censorship leakage have been reported • (*censorship leakage: unintended international impact; cases where censoring Autonomous Systems (ASes) block access to content even for users outside their country of operation unintentionally) In 2010, China censorship leaked outside Great Firewall via root server Facebook GFW China Root server Chile Root server Fake address 7
Country Specific Measurement 8
“Global Measurement: ICLAB” “Network Tomography” Monitor Monitor Monitor Monitor Monitor Global Scale! It works! Longitudinal! Path churn is useful! 9
Network tomography Network-level path instability Monitor Source Monitor Source Monitor Destination Source Source Monitor Monitor 25% 30% 38% 67% Q) Is there enough path churn? 10
(1) Send a scheduler + 2016‐05 ∼ 2017‐05 web test lists based on country (2) Perform measurements to web servers ICLAB Server Vantage Points VPN Walker Over 1K VPNs + 5 Raspberry Pis Detecting Censorship Block pages Test Web Servers (3) Send collected data to server Given web test lists Injected packets HTTP Request/Response, (Detected using TTL) DNS, TLS, Pcap, Traceroute RST Not RST 11
How do we Identify which ASes perform censorship? 12
Formulate a Boolean network tomography problem solvable by off‐the‐shelf SAT solvers youporn.com Injected packet [CNF] (2017-02-01 ~ 2017-02-08) (No RST)? Generating (~4766) ꓥ (~48684) ꓥ CNFs (4766 V 3257 V 48684) = T False 48684 4766 True 3257 48684 4766 Off‐the‐shelf SAT solver One No Multiple solution solution solutions 13
Formulate a Boolean network tomography problem solvable by off‐the‐shelf SAT solvers youporn.com Injected packet [CNF] (2017-02-01 ~ 2017-02-08) (No RST)? Generating (~4766) ꓥ (~48684) ꓥ CNFs (4766 V 3257 V 48684) = T False 48684 4766 True 3257 3257 48684 4766 Off‐the‐shelf SAT solver One No Multiple solution solution solutions 14
Time granularity Anomaly types 97.9% (on average) 0.7% (on average) High solvability! 15
1,103 ASes observed in ICLAB (219 countries) 108 censoring ASes (49 countries) 32 ASes leak censorship (18 countries) 16
C1 C1 C2 C2 1,103 ASes observed in ICLAB (219 countries) 108 Censor DST VP censoring ASes (49 countries) 32 ASes leak Server-side filtering --------------------------- 16.6% censorship (18 countries) 17
C1 C1 C2 C2 C3 C3 1,103 ASes observed in ICLAB (219 countries) 108 Censor DST VP censoring ASes (49 countries) 32 ASes leak Server-side filtering --------------------------- 16.6% censorship Transit filtering ---------------------------------- 18.5% (18 countries) 18
C1 C1 C2 C2 C3 C3 1,103 ASes observed in ICLAB (219 countries) 108 Censor DST VP censoring ASes (49 countries) 32 ASes leak Server-side filtering --------------------------- 16.6% censorship Transit filtering ---------------------------------- 18.5% (18 countries) 19
C1 C1 C2 C2 1,103 ASes observed in ICLAB (219 countries) 108 Censor DST VP censoring ASes (49 countries) 32 ASes leak Server-side filtering --------------------------- 16.6% censorship Transit filtering ---------------------------------- 18.5% (18 countries) Censorship foreign content ------------------ 75.9% 20
C1 C1 1,103 ASes observed in ICLAB (219 countries) 108 Censor DST VP censoring ASes (49 countries) 32 ASes leak Server-side filtering --------------------------- 16.6% censorship Transit filtering ---------------------------------- 18.5% (18 countries) Censorship foreign content ------------------ 75.9% Censorship domestic content -------------- 12.0% 21
youporn.com Injected packet (2017-02-01 ~ 2017-02-08) (No RST)? False 48684 4766 True 3257 3257 48684 4766 22
youporn.com Injected packet (2017-02-01 ~ 2017-02-08) (No RST)? False 48684 4766 Pcap {'IPID': 0, 'TCP flags': 18, 'TTL': 48} True 3257 3257 48684 4766 {'IPID': 0, 'TCP flags': 18, 'TTL': 48} {'IPID': 0, 'TCP flags': 18, 'TTL': 48} {'IPID': 54762, 'TCP flags': 25, 'TTL': 118} {'IPID': 27998, 'TCP flags': 16, 'TTL': 48} {'IPID': 54763, 'TCP flags': 25, 'TTL': 109} {'IPID': 20155, 'TCP flags': 4, 'TTL': 48} {'IPID': 20180, 'TCP flags': 4, 'TTL': 48} {'IPID': 20181, 'TCP flags': 4, 'TTL': 48} {'IPID': 20241, 'TCP flags': 4, 'TTL': 48} {'IPID': 20266, 'TCP flags': 4, 'TTL': 48} 23
Localizing Censorship using Network‐level Path Churn and Network Tomography 1) Combine ICLab measurements with Boolean network tomography to identify censors and censorship leakages at a global scale 2) Measure and exploit network-level churn 3) Identify 108 censoring ASes located in 49 different countries 4) Find 32 censoring Ases that leak censorship outside their jurisdiction Shinyoung Cho shicho@cs.stonybrook.edu 24
Recommend
More recommend