Presented by Nelson Mandela Date 7th February 2017 PARROT IS DEAD OBSERVING UNOBSERVABLE NETWORK COMMUNICATION Authors: Amir Houmansadr Chad Brubaker Vitaly Shmatikov The university of Texas Austin Presented by Nelson Mandela Date 7th February 2017
Motivation Parrot circumventing systems have been motivated by the increasing number of Repressive/nondemocratic government to monitor the internet and strengthening their censorship powers. This in return has motivated a growing community of developer aiming at circumventing the censor systems through unobservability which is what we refer as the parrot circumventing systems. The parrot circumventing systems bypass censorship through imitations of common protocols.eg skype,http
How it works X X parrot circumventing systems Content inspector Allowed address X Blocked address X Internet user censors Circumventing by imitation Skype morph Censor spoofer stegoTorus Skype VoIP traffic HTTP Ventrilo
Adversary Models-capabilities classification Passive attack-involves observing, analyzing and packet inspection of internet entities. Proactive attack-identify entities involved in circumventing by sending probes that will elicit certain responses. Active attack-involve manipulation of network traffic i.e. delaying, dropping and terminating internet connection.
Adversary models-Knowledge Classification Local adversary(LO)-small number of network devices, observe small number networks. State level oblivion Adversary(OB)-limited storage, limited computational resource ,deep packet inspection. State level omniscient adversary(OM)-ample processing, storage and computational resource.
Circumvention systems Skymorph -pluggable transport aim at imitating skype video calls. Client obtain bridge id in advance Bridge enter skype picks a high UDP port Client picks high UDP port StegoTorus-pluggable transport derived from obfsproxy. Adds chopping and steganography Mimick HTTP, Skype, and Ventrilo Censorspoofer-stand alone system Ip spoofing Mimic voip traffic
Requirement for parrot circumventing systems Mimicking the protocol in entirety e.g voip(sip,rtp,rtcp) Correctness-mimic full behavior. Side protocols-protocols that run besides the main session. Intradepend- dependancies & correlation among protocol session Interdepend- Mimicking reaction to errors and network condition i.e. reaction to errors/network conditions Mimicking typical traffic i.e. content, pattern, users, Mimicking implementation specific artifacts i.e. parrot must mimic a specific version of a specific popular implementation to the last bug
Detecting skype imitators Passive attacks Exploiting deviation from genuine skype behavior Exploiting re-use of client generated skype traces. Exploiting re-use of pre-recorded Skype traces Hypothetical SkypeMorph+ and StegoTorus+-experiment to find out if the weakeness could be bridged by upgrading. Active and proactive attacks Verifying supernode behavior Manipulate skype calls Manipulate tcp control channels
DETECTING SKYPE IMITATORS SkypeMorph and StegoTorus-Embed—can be easily distinguished from genuine Skype. Attack Imitation requirement Adversary SkypeMorph StegoTorus-Embed Skype HTTP update traffic (T1) SideProtocols LO/OB/OM Satisfied Failed Skype login traffic (T2) SoM field of Skype UDP packets (T3) Content Traffic statistics (T4, T5) Pattern LO/OM Periodic message exchanges (T6, T7) Typical Skype client behavior (T8) IntraDepend TCP control channel (T9)
ACTIVE AND PROACTIVE ATTACKS TO DETECT IMPROVED SKYPE PARROTS Skypemorph+ and StegoTorus+ Attack Imitation requirement Adversary Skype SkypeMorph+ and StegoTorus+ Verify supernode behavior SideProtocols Proactive, The target node serves as the adversary’s Rejects all by flushing supernode cache IntraDepend LO/OM SN, e.g., relays his Skype calls Skype messages Drop a few UDP packets Network, Err Active, LO/OB/OM A burst of TCP packets on the control channel (Fig. 1) No reaction Close TCP channel IntraDepend, Ends the UDP stream immediately Delay TCP packets SideProtocols, Network Reacts depending on the type of TCP messages Close TCP connection to a SN Client initiates UDP probes to find other SNs Block the default TCP port for TCP channel Connects to TCP ports 80 or 443 instead
DETECTING STEGOTORUS HTTP request Real HTTP server StegoTorus’s HTTP module GET existing Returns “200 OK” and sets Connection to keep-alive Arbitrarily sets Connection to either keep-alive or Close GET long request Returns “404 Not Found” since URI does not exist No response GET non-existing Returns “404 Not Found” Returns “200 OK” GET wrong protocol Most servers produce an error message, e.g., “400 Bad Request” HEAD existing Returns the common HTTP headers OPTIONS common Returns the supported methods in the Allow line DELETE existing Most servers have this method not activated and produce an error message TEST method Returns an error message, e.g., “405 Method Not Allowed” and sets Connection=Close Attack request Returns an error message, e.g., “404 Not Found”
DISTINGUISHING CENSORSPOOFER FROM GENUINE SIP CLIENTS. Attack Imitation requirement Adversary Typical SIP clients (e.g., Ekiga) CensorSpoofer Manipulate tag in SIP OK Soft LO/OB/OM Nothing Client closes the call SIP INVITE to fakeID@suspiciousIP SideProtocols Soft, Err Respond with “100 Trying” and “180 Ringing”, “483 Busy Here”, “603 Decline”, or “404 Not Found” SIP INVALID SideProtocols,Err Respond “400 BadRequest” SIP BYE with invalid SIP-ID Respond “481 Call Leg/Transaction Does Not Exist” Drop RTP packets (only for confirmation) Soft, Network Terminate the call after a time period depending on the client, may change codec in more advanced clients.
RELATED WORK Pluggable Tor transports Decoy routing
RECOMMENDATIONS understanding of the adversaries unobservability by imitation is a fundamentally flawed approach. partial imitation is worse than no imitation at all not mimic, but run the actual protocol