The Parrot is Dead: Observing Unobservable Network Communications

Slides:



Advertisements
Similar presentations
Routing Routing in an internetwork is the process of directing the transmission of data across two connected networks. Bridges seem to do this function.
Advertisements

I Want My Voice to Be Heard: IP over Voice-over-IP for Unobservable Censorship Circumvention Amir Houmansadr (The University of Texas at Austin) Thomas.
Censorship Resistance: Decoy Routing Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See.
SkypeMorph: Protocol Obfuscation for Tor Bridges
McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Chapter 28 Real-Time Traffic over the Internet.
NAT/Firewall Traversal April NAT revisited – “port-translating NAT”
H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Vocabulary URL = uniform resource locator: web address protocol –set of rules that networked computers follow in order to share data and coordinate communications.
Passive traffic measurement Capturing actual Internet packets in order to measure: –Packet sizes –Traffic volumes –Application utilisation –Resource utilisation.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Censorship Resistance: Parrots Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the.
Jeremiah O’Connor CS 683 Fall 2012 CensorSpoofer: Asymmetric Communication using IP Spoofing for Censorship-Resistant Web Browsing.
Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.
Module 1: Reviewing the Suite of TCP/IP Protocols.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Chapter 6: Packet Filtering
1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen
Jaringan Komputer Dasar OSI Transport Layer Aurelio Rahmadian.
CS3502: Data and Computer Networks Local Area Networks - 4 Bridges / LAN internetworks.
What makes a network good? Ch 2.1: Principles of Network Apps 2: Application Layer1.
POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (1) 4. Active Monitoring Techniques.
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Internet Ethernet Token Ring Video High Speed Router Host A: Client browser: REQUEST:http//mango.ee.nogradesu.edu/c461.
Fundamentals of Computer Networks ECE 478/578 Lecture #19: Transport Layer Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
The Inter-network is a big network of networks.. The five-layer networking model for the internet.
Linux Networking and Security
 network appliances to filter network traffic  filter on header (largely based on layers 3-5) Internet Intranet.
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
Firewalls  Firewall sits between the corporate network and the Internet Prevents unauthorized access from the InternetPrevents unauthorized access from.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
CS 3830 Day 13 Introduction 1-1. Announcements r Quiz 3: Wednesday, Oct 10 r Prog3 due Wednesday, Oct 10 Transport Layer 3-2.
1 Figure 3-27: Use of TCP and UDP Port Number Client From: :50047 To: :80 SMTP Server Port 25 Webserver.
1 Firewalls Types of Firewalls Inspection Methods  Static Packet Inspection  Stateful Packet Inspection  NAT  Application Firewalls Firewall Architecture.
Module 10: How Middleboxes Impact Performance
Presented by Rebecca Meinhold But How Does the Internet Work?
Network layer Accepts messages from the application layer Prepares messages for the data link layer Packetising Addressing Routing.
Routing Around Decoys Max Schuchard, John Geddes, Christopher Thompson, Nicholas Hopper Proposed in FOCI'11, USINIX Security'11 and CCS'11 Presented by:
CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 20 PHILLIPA GILL - STONY BROOK U.
CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 22 PHILLIPA GILL - STONY BROOK U.
Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:
VersionIHLTotal Length FlagsIdentificationFragment Offset Time To Live Destination Address OptionsPadding Protocol = 6 Type of Service IP Header TCP Destination.
1 Figure 3-5: IP Packet Total Length (16 bits) Identification (16 bits) Header Checksum (16 bits) Time to Live (8 bits) Flags Protocol (8 bits) 1=ICMP,
TCP and UDP Ports. 1.The TCP part of TCP/IP stands for Transmission Control Protocol, and it is a reliable transport-oriented way for information to be.
Section #7: Getting Data from Point A to Point B.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
Application Layer 2-1 Chapter 2 Application Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Application Layer – Lecture.
1 Transport Layer: Basics Outline Intro to transport UDP Congestion control basics.
1 Version 3.1 Module 10 Intermediate TCP/IP (Layer 4)
TCP/IP1 Address Resolution Protocol Internet uses IP address to recognize a computer. But IP address needs to be translated to physical address (NIC).
IP packet filtering Breno de Medeiros. Florida State University Fall 2005 Packet filtering Packet filtering is a network security mechanism that works.
Communication Networks NETW 501 Tutorial 2
IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.
The Great Firewall of China What is it and how does it work?
Presented by Nelson Mandela Date 7th February 2017
CS590B/690B Detecting Network Interference (FALL 2016)
A quick intro to networking
CS590B/690B Detecting Network Interference (Fall 2016)
Practical Censorship Evasion Leveraging Content Delivery Networks
CS590B/690B Detecting Network Interference (Fall 2016)
Practical Censorship Evasion Leveraging Content Delivery Networks
Introduction to Networking
0x1A Great Papers in Computer Security
Presentation transcript:

The Parrot is Dead: Observing Unobservable Network Communications Amir Houmansadr Chad Brubaker Vitaly Shmatikov

Internet Censorship The Internet is a big threat to repressive regimes! Repressive regimes censor the Internet: IP filtering, DNS hijacking, Deep packet-inspection, etc. Circumvention systems

X Censorship Region The Internet Allowed Destination Blocked

Censorship Region The Internet DPI X Blocked Destination

We need unobservable circumvention Censors should not be able to identify circumvention traffic or end-hosts through passive, active, or proactive techniques

Let’s hide! Censorship Region The Internet

Parrot systems Imitate a popular protocol SkypeMorph (CCS’12) StegoTorus (CCS’12) CensorSpoofer (CCS’12)

What's, uh... What's wrong with it? 'E's dead, that's what's wrong with it!

SkypeMorph The Internet Censorship Region Traffic Shaping SkypeMorph A Tor node SkypeMorph Bridge SkypeMorph Client

SoM header The start of message (SoM) header field is MISSING! Single-packet identifier, instead of sophisticated statistical traffic analysis

SkypeMorph The Internet Censorship Region TCP control SkypeMorph Bridge A Tor node SkypeMorph Client

No, no.....No, 'e's stunned!

Let’s imitate the missing! SkypeMorph+ Let’s imitate the missing! Hard to mimic dynamic behavior Active/proactive tests

Dropping UDP packets

Other tests Test Skype SkypeMorph+ Flush Supernode cache Serves as a SN Rejects all Skype messages Drop UDP packets Burst of packets in TCP control No reaction Close TCP channel Ends the UDP stream Delay TCP packets Reacts depending on the type of message Close TCP connection to a SN Initiates UDP probes Block the default TCP port Connects to TCP ports 80 and 443

Now that's what I call a dead parrot.

StegoTorus The Internet Censorship Region HTTP HTTP A Tor node Bridge Skype Ventrilo HTTP StegoTorus Client

StegoTorus chopper Dependencies between links

StegoTorus-Skype The same attacks as SkypeMorph Even more attacks!

StegoTorus-HTTP Does not look like a typical HTTP server! Most HTTP methods not supported!

CensorSpoofer The Internet Censorship Region SIP Spoofer server Censored destination RTP downstream Dummy host RTP upstream CensorSpoofer Client

SIP probing The Internet Censorship Region SIP Spoofer server Censored destination RTP downstream Dummy host RTP upstream CensorSpoofer Client

No no! 'E's pining! 'E's not pinin'! 'E's expired and gone to meet 'is maker!

Unobservability by imitation is fundamentally flawed! Lesson 1 Unobservability by imitation is fundamentally flawed!

Imitation Requirements Correct SideProtocols IntraDepend InterDepend Err Network Content Patterns Users Geo Soft OS

Partial imitation is worse than no imitation! Lesson 2 Partial imitation is worse than no imitation!

Alternative Do not imitate, but Run the target protocol IP over Voice-over-IP [NDSS’13] Challenge: efficiency

Thanks