Published by Meredith Ryan. Modified over 6 years ago.
1
CS590B/690B Detecting Network Interference (Fall 2016)
Lecture 17 Part II – Attacks on covert channels
Phillipa Gill, UMass Amherst
2
Where we are
Last time: Started on covert channels
- SkypeMorph
- FreeWave
Today
- Parrot is dead
- Cover your ACKs
3
Review
- What properties do circumvention systems aim to have?
- What is the key difference between SkypeMorph and FreeWave?
- What properties might we consider when evaluating stealthiness of our covert channel?
- Can we make any guarantees? Why is this hard?
4
Today
Why imitating existing protocols doesn't work.
-> Parrot is Dead
Idea: imitation doesn't work
ACKs:
-> Cover your ACKs
Idea: even tunneling over another protocol isn't enough
5
Part 1: Parrot is dead
Goals of unobservable circumvention: censors should not be able to identify circumvention traffic or end-hosts through passive, active, or proactive techniques.
Side note: Parrot is dead is a reference to this skit:
6
Let's hide!
[Figure labels: Censorship Region, The Internet]
7
Parrot systems
Imitate a popular protocol
- SkypeMorph (CCS'12)
- StegoTorus (CCS'12)
- CensorSpoofer (CCS'12)
8
SkypeMorph
[Figure labels: Censorship Region, The Internet, Traffic Shaping, SkypeMorph Client, SkypeMorph Bridge, A Tor node]
9
SoM header
The start of message (SoM) header field is MISSING!
A single-packet identifier, instead of sophisticated statistical traffic analysis
10
SkypeMorph
[Figure labels: Censorship Region, The Internet, TCP control, SkypeMorph Client, SkypeMorph Bridge, A Tor node]
11
SkypeMorph+
Let's imitate the missing!
- Hard to mimic dynamic behavior
- Active/proactive tests
12
Checking for super nodes
Idea: see if the SkypeMorph node is a real Skype node or not.
Step 1: If the node can receive Skype calls from NATed users in the censor's network, then it must be a super node.
OR: If the censor has the IP address of a suspected SkypeMorph, check if it is behind a NAT or not. If a Skype node is not behind a NAT, by definition it is a super node.
Step 2: Run a Skype client, flush the cache of SuperNodes, and force a connection to the suspected SkypeMorph relay.
If no response/call support, this is a SkypeMorph node.
13
Other tests
Test | Skype | SkypeMorph+
Flush Supernode cache | Serves as a SN | Rejects all Skype messages
Drop UDP packets | Burst of packets in TCP control | No reaction
Close TCP channel | Ends the UDP stream |
Delay TCP packets | Reacts depending on the type of message |
Close TCP connection to a SN | Initiates UDP probes |
Block the default TCP port | Connects to TCP ports 80 and 443 |
14
StegoTorus
[Figure labels: Censorship Region, The Internet, StegoTorus Client, StegoTorus Bridge, A Tor node; links labelled HTTP, HTTP, Skype, Ventrilo, HTTP; annotations: "Who does this???", "Looks strange!!!"]
15
StegoTorus chopper
- Chops the Tor connection across other protocols.
- Creates dependencies between links.
16
StegoTorus-HTTP
- Does not look like a typical HTTP server!
- Most HTTP methods not supported!
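A self-test a circumvention developer could run against their own imitation before deployment, added here as an example (it is not code from the lecture or from StegoTorus). Both servers are constructed stand-ins on localhost: `Reference` answers every probed method, `Imitator` implements only GET, and all class and function names are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

METHODS = ["GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE"]

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # suppress per-request logging
        pass
    def _ok(self):  # minimal 200 response with an empty body
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

class Reference(Quiet):
    """Constructed stand-in for a full server: answers every probed method."""
    do_GET = do_HEAD = do_POST = do_OPTIONS = do_PUT = do_DELETE = Quiet._ok

class Imitator(Quiet):
    """Constructed partial imitation: only GET is implemented."""
    do_GET = Quiet._ok

def serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: OS picks a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(port):
    """Send each method once and return {method: status code}."""
    seen = {}
    for method in METHODS:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request(method, "/")
        seen[method] = conn.getresponse().status
        conn.close()
    return seen

def distinguishing_probes():
    """Methods whose status differs between reference and imitator."""
    servers = [serve(Reference), serve(Imitator)]
    try:
        ref, imi = (probe(s.server_port) for s in servers)
    finally:
        for s in servers:
            s.shutdown()
            s.server_close()
    return {m: (ref[m], imi[m]) for m in METHODS if ref[m] != imi[m]}
```

Every method returned by `distinguishing_probes()` is a single request that separates the imitation from the reference, so an empty result is the minimum bar for this one behaviour, not evidence of unobservability.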
17
Lesson 1
Unobservability by imitation is fundamentally flawed!
You basically have to implement the entire protocol… Bugs and all!
18
Lesson 2
Partial imitation is worse than no imitation!
Before, you looked like a Tor user… now you look like a SkypeMorph user.
k-anonymity, anyone?
19
Alternative
Do not imitate, but run the target protocol
i.e., FreeWave: IP over Voice-over-IP [NDSS'13]