examining how the great firewall discovers hidden
play

Examining How The Great Firewall Discovers Hidden Circumvention - PowerPoint PPT Presentation

Apr 07, 2023 •218 likes •641 views

Examining How The Great Firewall Discovers Hidden Circumvention Servers Roya Ensafi , David Fifield, Philipp Winter, Nick Feamster, Nicholas Weaver, and Vern Paxson Oct 29, 2015 1 Circumventing Internet Censorship Using Proxies Web servers

  1. Examining How The Great Firewall Discovers Hidden Circumvention Servers Roya Ensafi , David Fifield, Philipp Winter, Nick Feamster, Nicholas Weaver, and Vern Paxson Oct 29, 2015 1

  2. Circumventing Internet Censorship Using Proxies Web servers Internet 2

  3. Circumventing Internet Censorship Using Proxies ● Not everyone can connect to all web servers Web servers Internet DPI 3

  4. Circumventing Internet Censorship Using Proxies ● Not everyone can connect to all web servers ● Many use proxy servers to circumvent censorship Proxy server Web servers Internet DPI 4

  5. Circumventing Internet Censorship Using Proxies ● Not everyone can connect to all web servers ● Many use proxy servers to circumvent censorship ● Governments are getting smarter at detecting proxy servers Proxy server Web servers Internet DPI 5

  6. Circumventing Internet Censorship Using Proxies ● Not everyone can connect to all web servers ● Many use proxy servers to circumvent censorship ● Governments are getting smarter at detecting proxy servers How do governments find these proxies? Proxy server Web servers Internet DPI 6

  7. How GFW Discovers Hidden Circumvention Servers We focus on the GFW and Tor ● GFW is a sophisticated censorship system ● Tor has a long history of being used for circumventing government censorship 7

  8. Censorship Arms Race: GFW vs. Tor Use public Tor network to circumvent GFW e m i T 8

  9. Censorship Arms Race: GFW vs. Tor Use public Tor network to circumvent GFW Download consensus and block relays e m i T 9

  10. Censorship Arms Race: GFW vs. Tor Use public Tor network to circumvent GFW Download consensus and block relays e m Introduce private bridges , whose i T distribution is rate-limited 10

  11. Censorship Arms Race: GFW vs. Tor Use public Tor network to circumvent GFW Download consensus and block relays e m Introduce private bridges , whose i T distribution is rate-limited Use DPI to detect Tor TLS handshake 11

  12. Fingerprinting the Tor TLS Handshake ● TLS handshake is unencrypted and leaks information ● Tor’s use of TLS has some peculiarities ○ X.509 certificate life times ○ Cipher suites ○ Randomly generated server name indication (e.g., www.6qgoz6epdi6im5rvxnlx. com) ● GFW looks (at least) for cipher suites in the TLS client hello 12

  13. Censorship Arms Race: GFW vs. Tor Use public Tor network to circumvent GFW Download consensus and block relays e m Introduce private bridges , whose i T distribution is rate-limited Use DPI to detect Tor TLS handshake Introduce pluggable transports to hide the handshake such as obfs2, obfs3 13

  14. Tor Pluggable Transport ● Pluggable transports are drop-in modules for traffic obfuscation ● Many modules have been written, but we focus on ○ obfs2 (First deployed module) ■ First 20 bytes can be used to detect Tor traffic with high confidence. ○ obfs3 (obfs2’s successor) ■ Makes Tor traffic look like a uniformly random byte stream 14

  15. Censorship Arms Race: GFW vs. Tor Use public Tor network to Detection of pluggable transports is uncertain ● circumvent GFW Implies false positives → collateral damage ○ Download consensus and block relays e m Introduce private bridges , whose i T distribution is rate-limited Use DPI to detect Tor TLS handshake , then probe and block bridges Introduce pluggable transports to hide the handshake such as obfs2, obfs3 15

  16. Censorship Arms Race: GFW vs. Tor Use public Tor network to Detection of pluggable transports is uncertain ● circumvent GFW Implies false positives → collateral damage ○ Download consensus and block relays e m Introduce private bridges , whose GFW added active probing to complement the DPI fingerprinting i T distribution is rate-limited Use DPI to detect Tor TLS handshake , then probe and block bridges Introduce pluggable transports to hide the handshake such as obfs2, obfs3 16

  17. How does GFW Block Tor Hidden Circumvention Servers? 1. Network monitoring (e.g., switch mirror port) 2. DPI for suspicious traffic (e.g., cipher suite) 3. Actively probing server to verify suspicion 4. Blocking server 17

  18. Censorship Arms Race: GFW vs. Tor Use public Tor network to circumvent GFW Download consensus and block relays e m Introduce private bridges , whose i T distribution is rate-limited Use DPI to detect Tor TLS handshake Introduce pluggable transports to hide the handshake such as obfs2, obfs3 Use DPI + Active probing 18

  19. Many Questions about Active Probing are Unanswered! ● Only two blog posts and Winter’s FOCI’12 paper ● We lack a comprehensive picture of more complicated questions ● We want to know: ○ Implementation , i.e., how does it block? ○ Architecture , i.e., how is a system added to China’s backbone? ○ Policy , i.e., what kind of protocols does it block? ○ Effectiveness , i.e., what’s the degree of success at discovering Tor bridges? 19

  20. Overview of Our Datasets: Shadow Infrastructure EC2-Vanilla CERNET EC2-Obfs2 Network EC2-Obfs3 EC2-Vanilla Unicom EC2-Obfs2 ISP EC2-Obfs3 Amazon AWS Clients in China 20

  21. Overview of Our Datasets: Sybil Infrastructure Shadow Infrastructure 30000 . . 30300 . Client in EC2-Vanilla CERNET . EC2-Obfs2 30600 China Network EC2-Obfs3 Forwarding 600 ports to Vanilla Tor EC2-Vanilla Tor port Unicom EC2-Obfs2 ISP EC2-Obfs3 Amazon AWS Clients in China 21

  22. Overview of Our Datasets: Sybil Infrastructure Shadow Infrastructure 30000 . . 30300 . Client in EC2-Vanilla CERNET . EC2-Obfs2 30600 China Network EC2-Obfs3 Forwarding 600 ports to Vanilla Tor EC2-Vanilla Tor port Unicom EC2-Obfs2 ISP EC2-Obfs3 Server Log Analysis Amazon AWS Application logs of a Clients in China web server that also runs a Tor bridge since 2010. 22

  23. Overview of Our Datasets: ● For the Shadow and the Sybil datasets: ○ We had pcap files of both the clients and the bridges. ● For the Log dataset, we only had application logs. Dataset Time span Shadow Dec 2014 -- Feb 2015 (3 months) Sybil Jan 29, 2015 -- Jan 30, 2015 (20 hours) Log Jan 2010 -- Aug 2015 (5 years) 23

  24. How to Distinguish Probers from Genuine Clients? 24

  25. How to Distinguish Probers from Genuine Clients? ● Detecting probers in Sybil dataset is easy, all the probers: ○ Visited our vanilla Tor bridge after our client established connections ○ Originated from China 25

  26. How to Distinguish Probers from Genuine Clients? ● Detecting probers in Sybil dataset is easy, all the probers: ○ Visited our vanilla Tor bridge after our client established connections ○ Originated from China ● For the other datasets, we adopt an algorithm: ○ If the cipher suites is in the TLS client hello => Vanilla bridge probes ○ If the first 20 bytes can reveal Obfs2 => Obfs2 bridges probers ○ ... 26

  27. How Many Unique Probers did We Find? 27

  28. How Many Unique Probers did We Find? ● Using Sybil , Shadow and Log dataset ○ In total, we collected 16,083 unique prober IP addresses 135 Shadow Log (3 months) 20 2 GFW’s famous IP: 14,802 202.108.181.70 (Over 5 years) 1,090 89 (22 hours) Sybil 28

  29. Can We Fingerprint Active Probers? 29

  30. Can We Fingerprint Active Probers? TCP layer ● ○ TSval slope: timestamp clock rate ○ TSval intercept: (rough) system uptime ○ GFW likely operate a handful of physical probing systems Log dataset with Sybil exp. with Shadow exp. with 14,912 Prober IPs 158 Prober IPs 1,182 Prober IPs 30

  31. Can We Fingerprint Active Probers? TCP layer ● ○ Striking pattern in initial sequence numbers (derived from time) of 1,182 probes ○ Shared pattern in TSval for all three datasets Initial sequence number 31

  32. What do These Patterns Mean? ● Active probing connections leak shared state ○ ISNs, TSval, source ports, ... ● GFW likely operates only few physical systems ● Thousands of IP addresses are controlled by central source 32

  33. How Quickly do Active Probes Show Up? 33

  34. How Quickly do Active Probes Show Up? ● Sybil dataset shows that system now works in real time ○ Median delay between Tor connection and subsequent probing connection is ~500ms ○ 1,182 distinct probes showed up in 22 hours 34

  35. Is Active Probing Successful? 35

  36. Is Active Probing Successful? 36

  37. Is Active Probing Successful? ● Tor clients succeed in connecting roughly every 25 hours ○ Might reflect implementation artifact of GFW 37

  38. Is Active Probing Successful? ● Tor clients succeed in connecting roughly every 25 hours ○ Might reflect implementation artifact of GFW ● obfs2 and obfs3 (~98%) were almost always reachable for clients ○ Surprising because GFW can probe and block obfs2 and obfs3 38

  39. Takeaway messages Our results show that the active probing system ● Makes use of a large amount of IP addresses , clearly centrally controlled ○ We can not just blacklist probers’ IP addresses ● Operates in real time ● Probes Vanilla, Obfs2, and Obfs3 Bridge Tor’s pluggable transports led to GFW’s “pluggable censorship” 39

  40. Q&A ● Project page: https://nymity.ch/active-probing/ ● Log and Sybil data sets are available online ● Contact: rensafi@cs.princeton.edu 40

Recommend

How the Great Firewall discovers hidden circumvention servers Roya Ensafi David Fifield

How the Great Firewall discovers hidden circumvention servers Roya Ensafi David Fifield

How the Great Firewall discovers hidden circumvention servers Roya Ensafi David Fifield Philipp Winter Nick Weaver Nick Feamster Vern Paxson Much already known about GFW Numerous research papers and blog posts Open access

916 views • 53 slides
Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall Overview Todays top firewall problems What IT managers say about their existing firewall Firewall Satisfaction Survey (Spiceworks 2017) Top

548 views • 52 slides
ip.buffer with HTTP New features! Great for Managed Services! Legacy Out Firewall

ip.buffer with HTTP New features! Great for Managed Services! Legacy Out Firewall

ip.buffer with HTTP New features! Great for Managed Services! Legacy Out Firewall issues Server not easily scaled Non transactional Duplicate data on failure Legacy In Port forwarding VPN black holes

900 views • 30 slides
Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation controlled connection between networks at different security levels = boundary protection ( L1 > L2 ) network at network at security

1.07k views • 67 slides
How the Great Firewall of China is Blocking Tor Philipp Winter and Stefan Lindskog Karlstad

How the Great Firewall of China is Blocking Tor Philipp Winter and Stefan Lindskog Karlstad

How the Great Firewall of China is Blocking Tor Philipp Winter and Stefan Lindskog Karlstad University Aug. 6, 2012 In a nutshell 1. Investigated how Tor is being blocked 2. Speculated about the blocking infrastructure 3. Looked at

454 views • 26 slides
Make the Internet safe with DNS firewall Response Policy Zones (RPZ) SGNOG 7 2019 2 Great

Make the Internet safe with DNS firewall Response Policy Zones (RPZ) SGNOG 7 2019 2 Great

1 Make the Internet safe with DNS firewall Response Policy Zones (RPZ) SGNOG 7 2019 2 Great Asean Fastest Growing Area of Threats Over 200 Billion devices connected worldwide by 2020. Over 13 million active bots recorded for January 2019.

766 views • 38 slides
Examining Taiwan Weekly Rainfall Examining Taiwan Weekly Rainfall Examining Taiwan Weekly

Examining Taiwan Weekly Rainfall Examining Taiwan Weekly Rainfall Examining Taiwan Weekly

Conference on East Asia and Western Pacific Meteorology and Climate cum 25th Anniversary of Hong Kong Meteorological Society (HKMMS25) Examining Taiwan Weekly Rainfall Examining Taiwan Weekly Rainfall Examining Taiwan Weekly Rainfall Examining

548 views • 17 slides
Analyzing the Great Firewall of China Over Space and Time Roya Ensafi, Philipp Winter, Abdullah

Analyzing the Great Firewall of China Over Space and Time Roya Ensafi, Philipp Winter, Abdullah

Analyzing the Great Firewall of China Over Space and Time Roya Ensafi, Philipp Winter, Abdullah Mueen, Jed Crandall June 30, 2015 The Battle Over Information Control On The Internet State of the Art Rent a control machine (VPS)

699 views • 26 slides
Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts and networks connected to other hosts and networks against attacks from the outside and from the inside. a firewall is a network security system

440 views • 30 slides
Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly Creswell Crow-Applegate-Lorane Fern Ridge Junction City Lowell Mapleton Screened, but exempt from policies Marcola

539 views • 15 slides
Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3 State-independent interior operators Interior operator from HP recovery 6 5 Resolution of the puzzle Effect of infalling observer 7 Discussions Beni

1.61k views • 106 slides
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A firewall is only as good as its configuration Big deal, it should be easy to configure a firewall, right? Basically... no. A Quantitative

507 views • 14 slides
Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple

Firewalls 1 Outline What are firewalls? Types of Firewalls Building a simple firewall using Netfilter Iptables firewall in Linux Stateful Firewall Application Firewall Evading Firewalls 2 Firewalls

811 views • 55 slides
Breakthrough silicon scanning discovers backdoor in military chip Sergei Skorobogatov,

Breakthrough silicon scanning discovers backdoor in military chip Sergei Skorobogatov,

Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Breakthrough silicon scanning discovers backdoor in military chip Sergei Skorobogatov, Christopher Woods

353 views • 20 slides
NASTID Summer Conference Great Lakes Equity Center One of the ten regional EACs funded by the

NASTID Summer Conference Great Lakes Equity Center One of the ten regional EACs funded by the

July 24, 2014 A Process for Examining and Addressing Systemic Inequities within State Education Agencies Seena M. Skelton, Ph.D. & Kathleen King Thorius, Ph.D. Great Lakes Equity Center NASTID Summer Conference Great Lakes Equity Center

335 views • 31 slides
Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Chapter 8 Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security Devices Routers

291 views • 7 slides
Java Card Applet Firewall Java Card Applet Firewall Exploration and Exploitation Exploration and

Java Card Applet Firewall Java Card Applet Firewall Exploration and Exploitation Exploration and

Java Card Applet Firewall Java Card Applet Firewall Exploration and Exploitation Exploration and Exploitation Wojciech Mostowski and Erik Poll Digital Security Radboud University Nijmegen The Netherlands http://www.cs.ru.nl/~{woj,erikpoll}/

818 views • 42 slides
Hidden Markov Models Jimmy Lin Jimmy Lin The iSchool University of Maryland Wednesday,

Hidden Markov Models Jimmy Lin Jimmy Lin The iSchool University of Maryland Wednesday,

CMSC 723: Computational Linguistics I Session #5 Hidden Markov Models Jimmy Lin Jimmy Lin The iSchool University of Maryland Wednesday, September 30, 2009 Todays Agenda The great leap forward in NLP Hidden Markov models (HMMs)

950 views • 70 slides
Patentable Patents 101 Whoever invents or discovers any new and useful process,

Patentable Patents 101 Whoever invents or discovers any new and useful process,

Patentable Subject Matter -- 101 Utility -- 101 Novelty -- 102 Disclosure Req. Non-obvious 112 -- 103 | | Patentable Patents 101 Whoever invents or discovers any new and useful process, machine,

936 views • 71 slides
Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a

Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a

Firewall What is it? Do we need one? Oxford Hills School District March 5, 2018 What is a firewall? Term first used in 1851 Henry Ford used them to protect passengers from engine fires, smoke and heat. Computer networks: a part of a

500 views • 21 slides
Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls?

Firewalls Summary Brief History of Firewalls What is a Firewall? Why Firewalls? Network Address Translation Types of Firewalls Linux/Windows Firewalls pfSense Blue Team Activity Brief History Firewall

348 views • 30 slides
Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between NGFW and classic firewalls: Classic Firewall Next Generation Firewall Traffic filtering using Port, IP, and protocol Supported Supported VPN

533 views • 25 slides
Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between NGFW and classic firewalls: Classic Firewall Next Generation Firewall Traffic filtering using Port, IP, and protocol Supported Supported VPN

1.23k views • 26 slides
CohBar Discovers Novel Peptide Inhibitors of CXCR4, a Key Regulator of Tumor Growth and

CohBar Discovers Novel Peptide Inhibitors of CXCR4, a Key Regulator of Tumor Growth and

CohBar Discovers Novel Peptide Inhibitors of CXCR4, a Key Regulator of Tumor Growth and Metastasis Anti-tumor effects demonstrated in vivo in preclinical melanoma immuno-oncology model January 2020 1 Forward Looking Statements This news

268 views • 7 slides

More recommend