DNS-sly: Avoiding Censorship through Network Complexity

Presentation transcript:

DNS-sly: Avoiding Censorship through Network Complexity
Qurat-Ul-Ann Akbar, Northwestern U.
Marcel Flores, Northwestern U.
Aleksandar Kuzmanovic, Northwestern U.
http://networks.cs.northwestern.edu

Internet Censorship is a prevalent problem

Circumvention Techniques

Technique | Covertness | Deniability | Performance
Proxies | Yes | No | High
Anonymous Networks | Yes | No | High
DNS Tunneling Techniques | Yes | No | High
HTTP Tunneling | Yes | Statistical Deniability | Low

Notes: Understand clearly the difference between covertness and deniability

Research Problem
- Deniability, Performance
- Can we create a circumvention technique with high deniability with minimum impact on performance?
Notes: Should present the system on a higher abstract level … after this … Animation … and then network complexity

Our Solution
- DNS is a core Internet service
- Significant network complexity in today's Internet
  - Trillions of DNS requests per day
  - Proliferation of public DNS servers
  - CDNs
- Leverage this complexity in DNS traffic to hide information
Notes: Explain the point of CDNs clearly … maybe add a diagram here

Outline
- Motivation
- DNS-sly Protocol
- Case for DNS-sly
- Evaluation

DNS-sly Overview
- Components: DNS-sly requester and responder
- DNS-sly responder profiles the client's DNS behavior
- Exchanges profile information with the requester
- In the downstream direction, the responder encodes the content from the 'censored website' in DNS response packets
Notes: See if you wanna use requester or client in second point … before we get into more details of the system, let's look at what a typical DNS response looks like

First Phase - Endpoint Profiling
- DNS-sly responder profiles the client's DNS behavior
  - Records domains
  - Forms IP set per domain
- Creates profile map – a mapping of domains to the server IPs they are hosted on
- Exchanges profile map with the requester via out-of-band communication
Notes: Change out-of-band communication

Second Phase - Communication
- In the upstream direction, the DNS-sly requester crafts DNS requests using the profile map
- Upon receiving the request, the responder retrieves the content from the Web
- In the downstream direction, the DNS-sly responder encodes content using DNS responses
Notes: S choose c formula after the goal … split into four and visual for each toy example, represent this many bits for this many s and c … which semantically overlap with the regular DNS requests, to ask for content from the responder to regular, non-DNS-sly-requester generated, DNS requests

DNS Packet Format
- Domain
- Associated IP addresses

Encoding Data
- Goal: Represent data as a choice of A records from a pool of IP addresses
- Responder computes the number of bytes of data to be encoded
- Uses a number representation scheme to map data to a set of IP addresses
- Forms a valid DNS response and sends it back to the DNS-sly requester

Encoding Data - Example
- Domain = "facebook.com"
- IP set size = 256
- Number of A records = 6
- Choices ~ P(256,6)
- Data encoded = 6 Bytes
- A Records: 173.252.74.68, 173.252.74.1, 173.252.74.13, 173.252.74.128, 173.252.74.90, 173.252.74.55
- Number Representation Scheme: "abcdef"
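
An added example (not code from the presentation or from the DNS-sly authors) of one possible number representation scheme for the slide above: the data is read as an integer and written in a mixed-radix system whose digits pick k distinct addresses in order. The pool (the /24 containing the slide's A records) and the function names are assumptions, so the output will not match the addresses listed on the slide; because P(256,6) is slightly below 2^48, not every 6-byte value fits in one response.

```python
import ipaddress
from math import perm

# Assumption: the 256-address pool is the /24 containing the slide's A records.
POOL = [str(ip) for ip in ipaddress.ip_network("173.252.74.0/24")]

def capacity_bits(pool_size: int, k: int) -> int:
    """Whole bits guaranteed to fit in one ordered choice of k distinct addresses."""
    return perm(pool_size, k).bit_length() - 1

def encode(data: bytes, pool: list, k: int) -> list:
    """Map data to an ordered list of k distinct A records drawn from pool."""
    value = int.from_bytes(data, "big")
    if value >= perm(len(pool), k):
        raise ValueError("data does not fit in one response of k distinct records")
    remaining, records = list(pool), []
    for i in range(k):
        # Mixed-radix digit: position i has len(pool) - i addresses left to pick from.
        value, digit = divmod(value, len(pool) - i)
        records.append(remaining.pop(digit))
    return records

def decode(records: list, pool: list, length: int) -> bytes:
    """Recover `length` bytes from the order of the A records."""
    remaining, digits = list(pool), []
    for ip in records:
        digit = remaining.index(ip)  # ValueError if ip is outside the pool or repeated
        digits.append(digit)
        remaining.pop(digit)
    value = 0
    for i in reversed(range(len(digits))):
        value = value * (len(pool) - i) + digits[i]
    return value.to_bytes(length, "big")

if __name__ == "__main__":
    records = encode(b"abcdef", POOL, 6)
    print(records)
    print(decode(records, POOL, 6))
    print(capacity_bits(256, 6), "bits guaranteed with P(256,6) choices")
```

`capacity_bits(850, 8)` gives the same bound for the largest IP set and the common 8-record response reported in the Experimental Results slide.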

System Overview
[Diagram labels: DNS-sly Client (Client, DNS-sly Requester); Censor; DNS-sly Server (DNS-sly Responder); Client Resp + Content; DNS Req; DNS Req / Hidden Message; Visible DNS Req; Encode; Decode; DNS Resp / Hidden Content; Visible DNS Resp / Hidden Content]
Notes: Color not visible … type URL goes into the requester and then that takes care of that … Turn that into HTTP req/resp

Outline
- Motivation
- DNS-sly Protocol
- Case for DNS-sly
- Evaluation
Notes: case for DNS-sly … check mark

DNS Request Variability
- Fragmented Web pages
- Larger number of DNS requests better for deniability: DNS-sly requests hard to detect
- Leads to increased probability of DNS responses suitable for data encoding

Number of DNS Resolutions per Domain
- Median is ~50 DNS resolutions per domain
- 20% of domains have >90 DNS resolutions
Notes: Per page title … Don't talk about top … change the number 100

DNS Response Variability
- Number of IP addresses a domain maps to determines the potential for encoding downstream data
  - Global and local
- Number of A records determines data that can be embedded in a single DNS response
- Rate of change in A records determines the timescales at which to operate to retain statistical deniability
Notes: This is an A record … These are the things which we are gonna use …

Experimental Results
- Maximum number of IPs a domain maps to is 850
- Change is the fraction of A records that have exactly the same IP addresses in the same position.
- ~1/3rd of DNS responses have 8 A records, with a maximum of up to 15
- Every 30 minutes the responses change completely

Outline
- Motivation
- DNS-sly Protocol
- Case for DNS-sly
- Evaluation

Security Evaluation: Methodology
- Emulated a censor's probing attack
- For every response from a DNS-sly responder, queried five other DNS resolvers for the same domain
- Evaluated by computing the mean and variance of the change between the DNS responses
Notes: Change is fraction of A records that have exactly the same IP address in the same position … 1 – similarity = change

Security Evaluation: Results

Performance Evaluation: Methodology
- Evaluated downstream performance using the metric bytes per click
- Single click defined as loading of a page, including DNS resolutions for all domains included on the page
- Deployed DNS-sly in a known-censored environment to exchange data from a known-censored website
Notes: Don't say top

Performance Evaluation: Results
- Median number of clicks
- Median Page Click (global) > 100 Bytes
- Median Page Click (local) ~ 75 Bytes
- Maximum Bytes encoded ~ 600 Bytes

Conclusion
- DNS-sly: a system that enables a DNS covert channel which provides high deniability while maintaining good performance
- DNS-sly adjusts its behavior to the clients
- Utilizes frequently changing A records to embed data in DNS responses
- Achieves downstream throughput of up to 600 Bytes of hidden data per Web page click
Notes: Given a page size n, how many bits can you encode compared to Collage and Infranet

Thank You
http://networks.cs.northwestern.edu