CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 06 PROF. PHILLIPA GILL COMPUTER SCIENCE, STONY BROOK UNIVERSITY.

WHERE WE ARE
Last time:
- In-path vs. on-path censorship
- Proxies
- Detecting page modifications with Web Tripwires
- Finished up background on measuring censorship
Questions?

TEST YOUR UNDERSTANDING
1. What is the purpose of the HTTP/1.1 Host header?
2. What is the purpose of the Server header?
3. Why might it not be a good header to include?
4. What is a benefit of an in-path censor?
5. What are the two mechanisms for proxying traffic? Pros/cons of each?
6. How can you detect a flow-terminating proxy?
7. How can you detect a flow-rewriting proxy?
8. What are two options in terms of targeting traffic with proxies?
9. How can partial proxying be used to characterize censorship?

TODAY
- Challenges of measuring censorship
- Potential solutions

SO FAR…
- … we've had a fairly clear notion of censorship
- … and have mainly focused on censors that disrupt communication, usually Web communication
- … but in practice things are more complicated
- Defining, detecting, and measuring censorship at scale pose many challenges
Reading (on the course Web page): Making Sense of Internet Censorship: A New Frontier for Internet Measurement. S. Burnett and N. Feamster.

HOW TO DEFINE "CENSORSHIP"
- Censorship is well defined in the political setting…
- What we mean by "Internet censorship" is less clear. Copyright takedowns? Surveillance? Blocked content? → the broader class of "information controls"
- Three types of information controls we can try to measure:
  1. Blocking (complete: the page is unavailable; partial: specific Web objects are blocked)
  2. Performance degradation (degrade performance enough to make a service unusable, either so users give up on it or so they move to a different one)
  3. Content manipulation (manipulation of the information itself: removing search results, "sock puppets" in online social networks)

CHALLENGE 1: WHAT SHOULD WE MEASURE?
- Issue 1: Censorship can take many forms. Which should we measure? How can we find ground truth? If we do not observe censorship, does that mean there is no censorship?
- Issue 2: Distinguishing positive from negative content manipulation. Personalization vs. manipulation? How might we distinguish these? Another option: make the result available to the user and let them decide.
- Issue 3: Accurate detection may require a lot of data. Unlike regular Internet measurement, the censor can try to hide itself! Finding small-scale censorship needs far more data than spotting a wholesale Internet shutdown. Distinguishing failure from censorship is a challenge: e.g., an IP packet filter that silently drops traffic looks exactly like a routing failure or an unreachable host.

CHALLENGE 2: HOW TO MEASURE
- Issue 1: Adversarial measurement environment
  - Your measurement tool itself might be blocked (the slide's example has been blocked in China for a long time!)
  - Need a covert channel / circumvention tool to send data back; it should provide deniability
  - The end-host doing the monitoring may itself be compromised, e.g., a government agent downloads your software and sends back bogus data
- Issue 2: How to distribute the software
  - Running censorship measurements may incriminate users
  - Distribute "dual use" software: network debugging / availability testing (censorship is just one cause of unavailability)
  - Give users availability data and let them draw their own conclusions…

PRINCIPLE 1: CORRELATE INDEPENDENT DATA SOURCES
Example: software in the region indicates that the user cannot access the service. Correlate with:
- Web site logs: did other regions experience the outage? Was the Web site down?
- Home routers: e.g., use platforms like BISmark to test availability and correlate with user-submitted results
- DNS lookups: what results were observed at DNS resolvers at that time? Do they support the hypothesis of censorship?
- BGP messages: look for anomalies that could indicate censorship, or just network failure

PRINCIPLE 2: SEPARATE MEASUREMENTS AND ANALYSIS
- The client collects data; inferences of censorship happen in a separate location
- A central location can correlate results from a large number of clients and data sources
- Also helps the defensibility of the dual-use property: the client software itself isn't doing anything that looks like censorship detection
- Helpful when you want to go back over the data as well, e.g., testing new detection schemes on existing data
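The following is an added example of the analysis side that Principles 1 and 2 call for; it is not code from the lecture or from the Burnett/Feamster paper. The client only records raw facts (the DNS answer, the TCP connect outcome, the HTTP status, a body hash, and whether a benign baseline URL loaded at the same moment); the verdict is produced centrally by correlating several in-region clients with a control observation taken outside the region. The record layout, the MIN_CLIENTS/AGREEMENT thresholds, the site names and all addresses (RFC 5737 documentation ranges) are assumptions constructed for the example.

```python
"""Added example: analysis-side inference over raw client observations.

Clients record what they saw; inference happens here, where several clients
can be correlated with a control measurement taken outside the region.
All records below are constructed sample data (RFC 5737 addresses).
"""
from dataclasses import dataclass
from typing import Optional

MIN_CLIENTS = 3     # never conclude from one reporter: it may be compromised or lying
AGREEMENT = 0.8     # fraction of clients that must agree before a verdict is issued


@dataclass(frozen=True)
class Observation:
    client: str                 # opaque client identifier
    region: str
    site: str
    dns: tuple                  # A records returned by the client's resolver
    tcp: str                    # "ok" | "timeout" | "rst"
    http: Optional[int]         # status code, None if no HTTP response
    body_sha: Optional[str]     # hash of the response body, None if none
    baseline_ok: bool           # did an uncontroversial baseline URL load at the same time?


def infer(site: str, region: str, reports: list, control: Observation) -> dict:
    """Correlate in-region reports for one site with a control observation from outside.
    Verdicts are conservative: when the data cannot separate censorship from an
    ordinary outage, the result says so instead of guessing."""
    per_client = {}                     # one vote per client; last report wins
    for r in reports:
        if r.site == site and r.region == region:
            per_client[r.client] = r
    votes, n = list(per_client.values()), len(per_client)
    evidence = {"site": site, "region": region, "clients": n}
    if n < MIN_CLIENTS:
        return {**evidence, "verdict": "insufficient data"}
    # Independent source #1: the control vantage. Broken for everyone == outage.
    if control.tcp != "ok" or control.http is None or control.http >= 500:
        return {**evidence, "verdict": "site down (control also failed)"}

    frac = lambda pred: sum(1 for v in votes if pred(v)) / n
    # A DNS answer that differs from the control is only suspicious if the fetch also
    # failed or returned a different page: CDNs legitimately answer per region.
    evidence.update({
        "dns_mismatch": frac(lambda v: not set(v.dns) & set(control.dns)
                             and (v.tcp != "ok" or v.body_sha != control.body_sha)),
        "rst": frac(lambda v: v.tcp == "rst"),
        "timeout": frac(lambda v: v.tcp == "timeout"),
        "body_mismatch": frac(lambda v: v.http == 200 and v.body_sha != control.body_sha),
        "baseline_ok": frac(lambda v: v.baseline_ok),
    })
    if evidence["dns_mismatch"] >= AGREEMENT:
        return {**evidence, "verdict": "DNS tampering (answers disagree with control)"}
    if evidence["rst"] >= AGREEMENT:
        return {**evidence, "verdict": "TCP reset injection"}
    if evidence["timeout"] >= AGREEMENT:
        # Independent source #2: silent drops look like a dead path unless something
        # else from the same client worked at the same moment (Challenge 1, issue 3).
        if evidence["baseline_ok"] >= AGREEMENT:
            return {**evidence, "verdict": "packet filtering likely (site-specific drops)"}
        return {**evidence, "verdict": "network failure likely (baseline also unreachable)"}
    if evidence["body_mismatch"] >= AGREEMENT:
        return {**evidence, "verdict": "content manipulation or block page"}
    return {**evidence, "verdict": "no interference detected"}


# ---- constructed sample data -------------------------------------------------
CONTROLS = {
    "news.example": Observation("ctl", "outside", "news.example", ("192.0.2.10",), "ok", 200, "sha-news", True),
    "chat.example": Observation("ctl", "outside", "chat.example", ("192.0.2.20",), "ok", 200, "sha-chat", True),
    "cdn.example":  Observation("ctl", "outside", "cdn.example",  ("192.0.2.30",), "ok", 200, "sha-cdn", True),
    "dead.example": Observation("ctl", "outside", "dead.example", ("192.0.2.40",), "timeout", None, None, True),
}

def _reports(region, site, n, **fields):
    return [Observation(f"{region}-c{i}", region, site, **fields) for i in range(n)]

SAMPLE_REPORTS = (
    _reports("R1", "news.example", 4, dns=("203.0.113.99",), tcp="ok", http=200, body_sha="sha-blockpage", baseline_ok=True)
    + _reports("R2", "chat.example", 5, dns=("192.0.2.20",), tcp="timeout", http=None, body_sha=None, baseline_ok=True)
    + _reports("R2", "dead.example", 3, dns=("192.0.2.40",), tcp="timeout", http=None, body_sha=None, baseline_ok=True)
    + _reports("R3", "news.example", 2, dns=("203.0.113.99",), tcp="ok", http=200, body_sha="sha-blockpage", baseline_ok=True)
    + _reports("R4", "cdn.example", 3, dns=("198.51.100.5",), tcp="ok", http=200, body_sha="sha-cdn", baseline_ok=True)
)

def run_sample():
    """Return {(site, region): verdict} for every (site, region) pair in the sample."""
    pairs = sorted({(r.site, r.region) for r in SAMPLE_REPORTS})
    return {p: infer(p[0], p[1], SAMPLE_REPORTS, CONTROLS[p[0]])["verdict"] for p in pairs}

if __name__ == "__main__":
    for (site, region), verdict in run_sample().items():
        print(f"{region:3s} {site:13s} -> {verdict}")
```

Note that nothing in `Observation` names censorship: the client ships the same fields a connectivity debugger would, which is what makes the dual-use story defensible. The R4 case shows why a bare "DNS answer differs from control" rule is not enough: the CDN answered with a different address but served the same page, so it is not flagged.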

PRINCIPLE 3: SEPARATE INFORMATION PRODUCTION FROM CONSUMPTION
- The channels used for gathering censorship information (e.g., user-submitted reports, browser logs, logs from home routers) should be decoupled from results dissemination
- Different sets of users can access the information than collected it
- Improved deniability: just because you access the information does not mean you helped collect it
- Makes it more difficult for the censor to disrupt the channels

PRINCIPLE 4: DUAL USE SCENARIOS WHENEVER POSSIBLE
- Censorship is just another type of reachability problem!
- Many network debugging and diagnosis tools already gather information that can be used both for those problems and for censorship
- E.g., services like SamKnows already test reachability to popular sites; anomalies in reachability could also indicate censorship
- If censorship measurement is a side effect and not the purpose of the tool
  - … users will be more willing to deploy it
  - … governments may be less likely to block it

PRINCIPLE 5: ADOPT EXISTING ROBUST DATA CHANNELS
- Leverage tools like Collage, Tor, Aqua, etc. for transporting data when necessary:
  - From the platform to the client software (e.g., commands)
  - From the client to the platform (e.g., results data)
  - From the platform to the public (e.g., reports of censorship)
- Each channel gives different properties:
  - Anonymity (e.g., Tor)
  - Deniability (e.g., Collage)
  - Traffic analysis resistance (e.g., Aqua)

PRINCIPLE 6: HEED AND ADAPT TO CHANGING SITUATIONS/THREATS
- Censorship technology may change with time
- Cannot have a platform that runs only one type of experiment; need to be able to specify multiple types of experiments
- Talk with people on the ground; monitor the situation
- E.g., some regions may be too dangerous to monitor: Syria, N. Korea, etc.

ETHICS/LEGALITY OF CENSORSHIP MEASUREMENTS
- Complicated issue!
- Using systems like VPNs, VPSes, or PlanetLab nodes in the region poses the least risk to people on the ground
  - Representativeness of results?
- Realistically, even in countries with low Internet penetration, attempting to access blocked sites will not be significant enough to raise flags
  - 10 years of ONI data collection support this
- However, many countries have broadly defined laws, and querying a "significant amount" of blocked sites might raise alarms
- Informed consent is critical before performing any tests

SO FAR… MANY PROBLEMS … SOME SOLUTIONS?
- Be creative
- Leverage existing measurement platforms to study censorship from outside the region
  - E.g., RIPE Atlas (need to be a bit careful here): querying DNS resolvers, sending probes to find collateral censorship
  - Look for censorship in BGP routing data
- Another solution: Spookyscan (reading on the course Web page)
ACK: upcoming slides borrowed from Jeff (UNM)

BACKGROUND
- Packet spoofing: a spoofed packet carries the source (return) IP address of another machine
- IPID counters: set differently depending on the operating system
  - Random
  - Always 0
  - Increment per packet within a flow
  - Increment per packet globally → what the hybrid idle scan needs

BASIC IDEA
- We would like to measure censorship without requiring vantage points within the country
- Idea: use side channels to infer behavior within the country
- Real-world analogy: the Pentagon and pizza. Watch Domino's deliveries on normal evenings; the night before an invasion … much more pizza.
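To make the side channel concrete, here is an added example (not code from the lecture, from Spookyscan, or from the hybrid idle scan paper) that models the scan against a tiny simulated network. A measurement machine outside the country probes the client's IP-ID with unsolicited SYN/ACKs, sends the server SYNs forged with the client's address, and reads the counter again; whether the client's counter moved by zero, by exactly one per SYN, or by more than one per SYN tells the three cases apart. The hosts, addresses (RFC 5737 ranges), the retransmission count and the starting IP-ID are constructed assumptions; real OSes differ in their SYN/ACK retry schedule and real clients have background traffic, so a production scan needs repeated trials and statistics rather than exact equality.

```python
"""Hybrid idle scan ("Spookyscan") against a simulated network (added example).

The measurement machine (MM) needs no vantage point in the censored region: it reads
the client's global IP-ID counter before and after sending the server SYNs forged to
carry the client's address. All addresses are constructed (RFC 5737 ranges).
"""
from collections import namedtuple

MM, CLIENT, SERVER = "192.0.2.1", "203.0.113.7", "198.51.100.9"
Packet = namedtuple("Packet", "src dst flags ipid")   # flags: "S" SYN, "SA" SYN/ACK, "R" RST

class Network:
    """Synchronous delivery. The censor filters on the *actual* sender and the
    destination: a SYN that MM forges with the client's address never crosses the
    client's network, so it is judged by MM's position, not by its forged header."""
    def __init__(self, blocked=()):
        self.hosts, self.blocked = {}, set(blocked)    # blocked: {(sender_ip, dst_ip)}
    def attach(self, host):
        self.hosts[host.ip] = host
        host.net = self
    def send(self, sender, pkt):
        if (sender, pkt.dst) not in self.blocked:
            self.hosts[pkt.dst].receive(pkt)

class Host:
    def __init__(self, ip, ipid_mode="global"):
        self.ip, self.ipid_mode, self.counter = ip, ipid_mode, 1000   # assumed start value
    def next_ipid(self):
        # Only a single, global, per-packet counter leaks information to the scanner.
        if self.ipid_mode == "global":
            value, self.counter = self.counter, (self.counter + 1) % 65536
            return value
        return 0                    # "zero" mode: constant IP-ID, nothing to observe

class Client(Host):
    def receive(self, pkt):
        if pkt.flags == "SA":       # an unsolicited SYN/ACK is answered with a RST
            self.net.send(self.ip, Packet(self.ip, pkt.src, "R", self.next_ipid()))

class Server(Host):
    RETRIES = 3                     # assumed SYN/ACK retransmissions before giving up
    def __init__(self, ip):
        super().__init__(ip)
        self.rst_from = set()
    def receive(self, pkt):
        if pkt.flags == "R":
            self.rst_from.add(pkt.src)
        elif pkt.flags == "S":
            self.rst_from.discard(pkt.src)
            for _ in range(1 + self.RETRIES):
                self.net.send(self.ip, Packet(self.ip, pkt.src, "SA", self.next_ipid()))
                if pkt.src in self.rst_from:    # RST came back: half-open state torn down
                    break

class Measurer(Host):
    def __init__(self, ip):
        super().__init__(ip)
        self.last_rst_ipid, self.saw_synack = None, False
    def receive(self, pkt):
        if pkt.flags == "R":
            self.last_rst_ipid = pkt.ipid
        elif pkt.flags == "SA":
            self.saw_synack = True
            self.net.send(self.ip, Packet(self.ip, pkt.src, "R", self.next_ipid()))
    def read_ipid(self, client_ip):
        """Probe the client with a SYN/ACK; the RST it returns carries its IP-ID."""
        self.last_rst_ipid = None
        self.net.send(self.ip, Packet(self.ip, client_ip, "SA", self.next_ipid()))
        return self.last_rst_ipid
    def server_is_up(self, server_ip):
        self.saw_synack = False
        self.net.send(self.ip, Packet(self.ip, server_ip, "S", self.next_ipid()))
        return self.saw_synack

def hybrid_idle_scan(blocked=(), client_ipid_mode="global", n=10):
    """Return (verdict, delta): delta is the number of IP-IDs the client consumed
    because of the n spoofed SYNs, discounting the RST that answers the final probe."""
    net = Network(blocked)
    mm, client, server = Measurer(MM), Client(CLIENT, client_ipid_mode), Server(SERVER)
    for host in (mm, client, server):
        net.attach(host)
    first, second = mm.read_ipid(CLIENT), mm.read_ipid(CLIENT)
    if first is None or second is None or (second - first) % 65536 != 1:
        return "client unsuitable (no global sequential IP-ID)", None
    if not mm.server_is_up(SERVER):     # otherwise delta == 0 would mean nothing
        return "server unreachable from the measurer", None
    before = mm.read_ipid(CLIENT)
    for _ in range(n):                  # SYNs to the server, forged with the client's address
        net.send(mm.ip, Packet(CLIENT, SERVER, "S", mm.next_ipid()))
    after = mm.read_ipid(CLIENT)
    delta = (after - before - 1) % 65536
    if delta == 0:
        return "server-to-client blocked", delta    # SYN/ACKs never reached the client
    if delta == n:
        return "no blocking", delta                 # one RST per SYN/ACK; RSTs got through
    if delta > n:
        return "client-to-server blocked", delta    # RSTs dropped: server kept retransmitting
    return "inconclusive", delta
```

Calling `hybrid_idle_scan()` gives `("no blocking", 10)`; passing `[(SERVER, CLIENT)]` as `blocked` gives a delta of 0, and `[(CLIENT, SERVER)]` gives 40 (10 SYNs, each answered by the original SYN/ACK plus three retransmissions). The two preconditions are the part practitioners most often skip: a client with a constant or per-flow IP-ID is rejected before any spoofed traffic is sent, and a server that does not answer the measurer at all is reported as such instead of being mistaken for server-to-client blocking.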

START DAY 2

ENCORE: LIGHTWEIGHT MEASUREMENT OF WEB CENSORSHIP WITH CROSS-ORIGIN REQUESTS
- Governments around the world realize the Internet is a key communication tool … and are working to clamp down on it!
- How can we measure censorship? Main approaches:
  - User-based testing: give users software/tools to perform measurements (e.g., ONI testing, ICLab)
  - External measurements: probe the censor from outside the country via carefully crafted packets/probes (e.g., IPID side channels, probing the Great Firewall / Great Cannon)

ENCORE: LIGHTWEIGHT MEASUREMENT OF WEB CENSORSHIP WITH CROSS-ORIGIN REQUESTS
- Censorship measurement challenges:
  - Gaining access to vantage points
  - Managing user risk
  - Obtaining high-fidelity technical data
- Encore key idea: a script that makes the visitor's browser query the Web sites under test

ENCORE: USING CROSS-SITE JAVASCRIPT TO MEASURE CENSORSHIP
- Basic idea: recruit Web masters instead of vantage points
  - Have the Web master include a JavaScript snippet that causes the visitor's browser to fetch the sites to be tested
  - Use timing information to infer whether the resources were fetched directly
- Operates in an "opt-out" model: the user may have already executed the JavaScript before opting out
- Argument: not requiring informed consent gives users plausible deniability
- Steps taken to mitigate risk:
  - Include common 3rd-party domains (they're already loaded by many pages anyway)
  - Include 3rd parties that are already included on the main site
- One project option is to investigate these strategies!
- Example site hosting Encore:

ETHICAL CONSIDERATIONS
- Different measurement techniques have different levels of risk
- In-country measurements
  - How risky is it to have people access censored sites? What is the threshold for risk? Risk-benefit trade-off?
  - How to make sure people are informed?
- Side-channel measurements
  - Cause unsuspecting clients to send RSTs to a server. What is the risk?
  - Not stateful communication … but what about a censor that just looks at flow records?
  - Mitigation idea: make sure the "client" you probe is not a user's device
- JavaScript-based measurements
  - Is lack of consent enough deniability?

HANDS-ON ACTIVITY
- Try Spookyscan!
- How can we find IP addresses for different clients and servers?
  - Clients: search os:freebsd on www.shodanhq.com
  - Servers: dig!
- Example results (these will only work for ~1 week)
- Try downloading and installing OONI
- Post your experiences to Piazza!