CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 04 PHILLIPA GILL, STONY BROOK UNIVERSITY ACKS: SLIDES BASED ON MATERIAL FROM NICK WEAVER’S PRESENTATION AT THE CONNAUGHT SUMMER INSTITUTE 2013 ALSO FROM: KUROSE + ROSS; COMPUTER NETWORKING A TOP DOWN APPROACH FEATURING THE INTERNET (6 TH EDITION)
ADMINISTRATIVE NOTE Change in how course is graded. Reduced workload Rescaled all items such that total is >100 You only need to score 100 to get full marks in the course Pick/choose items that interest you to make up the % Course Project 30% Midterms (15% each) 40% Assignments (10% each) 15% Paper summaries 20% Paper presentations (5% each) If you have friends that dropped because of the workload please let them know about the change!
WHERE WE ARE Last time: TCP Resets for censorship Fingerprinting Reset Injectors (NDSS 2009 paper) On path vs. In path censorship Questions?
TEST YOUR UNDERSTANDING 1.What is the difference between an in-path and on-path censor? 2.What are the pros of each approach? 3.Cons? 4.What are the two race conditions that can occur with reset injectors? 5.What headers would you look at to ID a reset injector? 6.How would you localize an injector to a specific location in the network? 7.If the TCP reset occurs before the HTTP GET what can you say about the trigger? 8.After?
OVERVIEW Block IP addresses IP layer Disrupt TCP flows TCP (transport layer) Many possible triggers Block hostnames DNS (application layer) Disrupt HTTP transfers HTTP (application layer) Today
DOMAIN NAME SYSTEM (DNS)
Application Layer 2-7 requesting host cis.poly.edu gaia.cs.umass.edu root DNS server local DNS server dns.poly.edu authoritative DNS server dns.cs.umass.edu 7 8 TLD DNS server DNS NAME RESOLUTION EXAMPLE host at cis.poly.edu wants IP address for gaia.cs.umass.edu iterated query: contacted server replies with name of server to contact “I don’t know this name, but ask this server”
Application Layer 2-8 Root DNS Servers com DNS servers org DNS serversedu DNS servers poly.edu DNS servers umass.edu DNS servers yahoo.com DNS servers amazon.com DNS servers pbs.org DNS servers DNS: A DISTRIBUTED, HIERARCHICAL DATABASE … …
Application Layer 2-9 DNS: ROOT NAME SERVERS contacted by local name server that can not resolve name root name server: contacts authoritative name server if name mapping not known gets mapping returns mapping to local name server 13 root name “servers” worldwide a. Verisign, Los Angeles CA (5 other sites) b. USC-ISI Marina del Rey, CA l. ICANN Los Angeles, CA (41 other sites) e. NASA Mt View, CA f. Internet Software C. Palo Alto, CA (and 48 other sites) i. Netnod, Stockholm (37 other sites) k. RIPE London (17 other sites) m. WIDE Tokyo (5 other sites) c. Cogent, Herndon, VA (5 other sites) d. U Maryland College Park, MD h. ARL Aberdeen, MD j. Verisign, Dulles VA (69 other sites ) g. US DoD Columbus, OH (5 other sites)
Application Layer 2-10 TLD, AUTHORITATIVE SERVERS top-level domain (TLD) servers: responsible for com, org, net, edu, aero, jobs, museums, and all top-level country domains, e.g.: uk, fr, ca, jp Network Solutions maintains servers for.com TLD Educause for.edu TLD authoritative DNS servers: organization’s own DNS server(s), providing authoritative hostname to IP mappings for organization’s named hosts can be maintained by organization or service provider
Application Layer 2-11 DNS RECORDS DNS: distributed db storing resource records (RR) type=NS name is domain (e.g., foo.com) value is hostname of authoritative name server for this domain RR format: (name, value, type, ttl) type=A name is hostname value is IP address type=CNAME name is alias name for some “canonical” (the real) name is really servereast.backup2.ibm.com value is canonical name type=MX value is name of mailserver associated with name
Application Layer 2-12 DNS PROTOCOL, MESSAGES query and reply messages, both with same message format msg header identification: 16 bit # for query, reply to query uses same # flags: query or reply recursion desired recursion available reply is authoritative identificationflags # questions questions (variable # of questions) # additional RRs # authority RRs # answer RRs answers (variable # of RRs) authority (variable # of RRs) additional info (variable # of RRs) 2 bytes
Application Layer 2-13 name, type fields for a query RRs in response to query records for authoritative servers additional “helpful” info that may be used identificationflags # questions questions (variable # of questions) # additional RRs # authority RRs # answer RRs answers (variable # of RRs) authority (variable # of RRs) additional info (variable # of RRs) 2 bytes DNS PROTOCOL, MESSAGES
Application Layer 2-14 DNS: CACHING, UPDATING RECORDS once (any) name server learns mapping, it caches mapping cache entries timeout (disappear) after some time (TTL) TLD servers typically cached in local name servers thus root name servers not often visited cached entries may be out-of-date (best effort name-to-address translation!) if name host changes IP address, may not be known Internet-wide until all TTLs expire update/notify mechanisms proposed IETF standard RFC 2136
OK … SO NOW WE KNOW ABOUT DNS … how can we block it! A few things to keep in mind … No cryptographic integrity of DNS messages DNSSEC proposed but not widely implemented Caching of replies means leakage of bad DNS data can persist
BLOCKING DNS NAMES
This diagram assumes ISP DNS Server is complicit. This diagram assumes ISP DNS Server is complicit. DNS Server ( ) TYPES OF FALSE DNS RESPONSES Home connection ( ) 3 rd Party DNS Server ( ) DNS QTYPE A NXDOMAIN DNS RESPONSE A DNS RESPONSE A DNS RESPONSE A Block page server ( ) DNS RESPONSE A (correct IP)
BLOCKING DNS NAMES Option A: get ISP resolver on board (Previous slide) Option B: On-path packet injection similar to TCP Resets Can be mostly countered with DNS-hold-open: Don’t take the first answer but instead wait for up to a second Generally reliable when using an out of country recursive resolve E.g., Can be completely countered by DNS-hold-open + DNSSEC Accept the first DNS reply which validates
READING FROM WEB … Hold-On: Protecting Against On-Path DNS Poisoning H. Duan, N. Weaver, Z. Zhao, M. Hu, J. Liang, J. Jiang, K. Li, and V. Paxson. Idea: Once you receive a DNS packet, wait for a predefined “hold-on” period before accepting the result. DNSSEC is still vulnerable to these injected packets and does not make hold-on unneccessary Inject a reply with an invalid signature: client will reject Use active measurements to determine the expected TTL and RTT to the server.
COLLATERAL DAMAGE (READING) “The Collateral Damage of Internet Censorship by DNS Injection” Anonymous. ACM Computer Communication Review Questions: How many ASes implement injection-based DNS censorship What is the collateral damage?
HOW TO MAP COLLATERAL DAMAGE Issue HoneyQueries DNS queries for sensitive domain names to 14M IP addresses in different /24 networks (not hosting DNS) Reply should only come if there is an on-path DNS injector Can detect if a path contains an injector as well as the IP address returned. Most paths found were to target IPs in China (well known DNS censor) Can also locate where on the path the censor is Issue DNS query to blacklisted domain with incrementing TTL Issue queries to recursive resolvers so look for lemon IP addresses in their results Query to distribute queries across root servers Query {random}.tld to test poisoning between resolver + TLD
NUMBER OF AFFECTED RESOLVERS FOR ALL TLDS
WHERE ARE THE IMPACTED RESOLVERS
HANDS ON ACTIVITY DNS queries to China -Works with custom Python client vs. Dig, if you figure out why post to Piazza! -Eg., look at packet captures of dig
NEXT TIME … Filtering of Web requests at application layer.
ADDITIONAL SLIDES