Presented by Nelson Mandela Date 7th February 2017

1 PARROT IS DEAD: OBSERVING UNOBSERVABLE NETWORK COMMUNICATION
Authors: Amir Houmansadr, Chad Brubaker, Vitaly Shmatikov
The University of Texas at Austin
Presented by Nelson Mandela
Date: 7th February 2017

2 Motivation
Parrot circumventing systems have been motivated by the increasing number of repressive/nondemocratic governments that monitor the Internet and strengthen their censorship powers. This in turn has motivated a growing community of developers aiming to circumvent the censorship systems through unobservability, which is what we refer to as parrot circumventing systems. Parrot circumventing systems bypass censorship by imitating common protocols, e.g. Skype, HTTP.

3 How it works
[Diagram: Internet user, censors with a content inspector, an allowed address and a blocked address (X). Circumventing by imitation: SkypeMorph, CensorSpoofer, StegoTorus. Imitated protocols: Skype, VoIP traffic, HTTP, Ventrilo.]

4 Adversary models - capabilities classification
Passive attack - involves observation, analysis and packet inspection of Internet entities.
Proactive attack - identifies entities involved in circumvention by sending probes that elicit certain responses.
Active attack - involves manipulating network traffic, i.e. delaying, dropping and terminating Internet connections.

5 Adversary models - knowledge classification
Local adversary (LO) - small number of network devices; observes a small number of networks.
State-level oblivious adversary (OB) - limited storage, limited computational resources, deep packet inspection.
State-level omniscient adversary (OM) - ample processing, storage and computational resources.

6 Circumvention systems
SkypeMorph - pluggable transport that aims to imitate Skype video calls.
  Client obtains the bridge ID in advance
  Bridge enters Skype and picks a high UDP port
  Client picks a high UDP port
StegoTorus - pluggable transport derived from obfsproxy.
  Adds chopping and steganography
  Mimics HTTP, Skype, and Ventrilo
CensorSpoofer - stand-alone system
  IP spoofing
  Mimics VoIP traffic

7 Requirements for parrot circumventing systems
Mimicking the protocol in its entirety, e.g. VoIP (SIP, RTP, RTCP)
  Correctness - mimic the full behavior.
  SideProtocols - protocols that run beside the main session.
  IntraDepend - dependencies and correlations among protocol sessions.
  InterDepend -
Mimicking reaction to errors and network conditions
Mimicking typical traffic, i.e. content, patterns, users
Mimicking implementation-specific artifacts, i.e. the parrot must mimic a specific version of a specific popular implementation, to the last bug

8 Detecting Skype imitators
Passive attacks
  Exploiting deviations from genuine Skype behavior
  Exploiting re-use of client-generated Skype traces
  Exploiting re-use of pre-recorded Skype traces
Hypothetical SkypeMorph+ and StegoTorus+ - an experiment to find out whether the weaknesses could be bridged by upgrading.
Active and proactive attacks
  Verifying supernode behavior
  Manipulating Skype calls
  Manipulating TCP control channels

9 DETECTING SKYPE IMITATORS
SkypeMorph and StegoTorus-Embed can be easily distinguished from genuine Skype.
Attack | Imitation requirement | Adversary | SkypeMorph | StegoTorus-Embed
Skype HTTP update traffic (T1) | SideProtocols | LO/OB/OM | Satisfied | Failed
Skype login traffic (T2) | | | |
SoM field of Skype UDP packets (T3) | Content | | |
Traffic statistics (T4, T5) | Pattern | LO/OM | |
Periodic message exchanges (T6, T7) | | | |
Typical Skype client behavior (T8) | IntraDepend | | |
TCP control channel (T9) | | | |

10 ACTIVE AND PROACTIVE ATTACKS TO DETECT IMPROVED SKYPE PARROTS
SkypeMorph+ and StegoTorus+
Attack | Imitation requirement | Adversary | Skype | SkypeMorph+ and StegoTorus+
Verify supernode behavior by flushing supernode cache | SideProtocols, IntraDepend | Proactive, LO/OM | The target node serves as the adversary's SN, e.g., relays his Skype calls | Rejects all Skype messages
Drop a few UDP packets | Network, Err | Active, LO/OB/OM | A burst of TCP packets on the control channel (Fig. 1) | No reaction
Close TCP channel | IntraDepend, | | Ends the UDP stream immediately |
Delay TCP packets | SideProtocols, Network | | Reacts depending on the type of TCP messages |
Close TCP connection to a SN | | | Client initiates UDP probes to find other SNs |
Block the default TCP port for TCP channel | | | Connects to TCP ports 80 or 443 instead |

11 DETECTING STEGOTORUS
HTTP request | Real HTTP server | StegoTorus's HTTP module
GET existing | Returns "200 OK" and sets Connection to keep-alive | Arbitrarily sets Connection to either keep-alive or Close
GET long request | Returns "404 Not Found" since URI does not exist | No response
GET non-existing | Returns "404 Not Found" | Returns "200 OK"
GET wrong protocol | Most servers produce an error message, e.g., "400 Bad Request" |
HEAD existing | Returns the common HTTP headers |
OPTIONS common | Returns the supported methods in the Allow line |
DELETE existing | Most servers have this method not activated and produce an error message |
TEST method | Returns an error message, e.g., "405 Method Not Allowed" and sets Connection=Close |
Attack request | Returns an error message, e.g., "404 Not Found" |
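
The probe rows on this slide can be turned into an offline regression test that a transport developer runs against their own HTTP handler. This is an added example, not code from the presentation, the paper or StegoTorus: `reference_server`, `parrot_like`, the URI set and the probe bytes are constructed, and the parrot's behaviour on rows where the slide gives no StegoTorus value (wrong protocol, TEST method) is an assumption.

```python
# Added example: constructed toy handlers, not StegoTorus or real server code.
KNOWN_URIS = {"/index.html"}  # constructed document root

def resp(code, reason, **headers):
    head = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return f"HTTP/1.1 {code} {reason}\r\n{head}\r\n".encode()

def reference_server(raw):
    """Toy handler that follows the 'Real HTTP server' column."""
    parts = raw.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return resp(400, "Bad Request", Connection="Close")
    method, uri, _ = parts
    if method not in ("GET", "HEAD"):
        return resp(405, "Method Not Allowed", Connection="Close")
    if uri not in KNOWN_URIS:
        return resp(404, "Not Found")
    return resp(200, "OK", Connection="keep-alive")

def parrot_like(raw):
    """Toy handler with the deviations the slide lists for the imitation."""
    parts = raw.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if parts[0] != "GET" or len(parts) < 2 or len(parts[1]) > 1024:
        return None  # long GET: no response (slide); non-GET: assumption
    # 200 even for unknown URIs (slide); 200 on a wrong protocol is an assumption
    return resp(200, "OK", Connection="Close")

ERR = lambda s: 400 <= s < 600  # any client or server error status
HDR = b"\r\nHost: test.invalid\r\n\r\n"
PROBES = [  # (slide row, request bytes, what a real server's status must satisfy)
    ("GET existing", b"GET /index.html HTTP/1.1" + HDR, lambda s: s == 200),
    ("GET long request", b"GET /" + b"a" * 2000 + b" HTTP/1.1" + HDR, lambda s: s == 404),
    ("GET non-existing", b"GET /nope HTTP/1.1" + HDR, lambda s: s == 404),
    ("GET wrong protocol", b"GET /index.html FOO/9.9" + HDR, ERR),
    ("TEST method", b"TEST /index.html HTTP/1.1" + HDR, ERR),
]

def status_of(response):
    """Status code of a raw response, or None for silence or garbage."""
    fields = (response or b"").split(b"\r\n", 1)[0].split()
    return int(fields[1]) if len(fields) >= 2 and fields[1].isdigit() else None

def deviations(handler):
    """(row, observed status) for each probe where handler differs from a real server."""
    seen = [(row, status_of(handler(req)), ok) for row, req, ok in PROBES]
    return [(row, s) for row, s, ok in seen if s is None or not ok(s)]

if __name__ == "__main__":
    print("reference:", deviations(reference_server))
    print("parrot-like:", deviations(parrot_like))
```

An empty list means the handler answered every probe the way the real-server column describes; each returned pair names the row that distinguishes it.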

12 DISTINGUISHING CENSORSPOOFER FROM GENUINE SIP CLIENTS
Attack | Imitation requirement | Adversary | Typical SIP clients (e.g., Ekiga) | CensorSpoofer
Manipulate tag in SIP OK | Soft | LO/OB/OM | Nothing | Client closes the call
SIP INVITE to | SideProtocols, Soft, Err | | Respond with "100 Trying" and "180 Ringing", "483 Busy Here", "603 Decline", or "404 Not Found" |
SIP INVALID | SideProtocols, Err | | Respond "400 BadRequest" |
SIP BYE with invalid SIP-ID | | | Respond "481 Call Leg/Transaction Does Not Exist" |
Drop RTP packets (only for confirmation) | Soft, Network | | Terminate the call after a time period depending on the client, may change codec in more advanced clients. |

13 RELATED WORK
Pluggable Tor transports
Decoy routing

14 RECOMMENDATIONS
Understanding of the adversaries
Unobservability by imitation is a fundamentally flawed approach.
Partial imitation is worse than no imitation at all.
Do not mimic, but run the actual protocol.

