Published by Brendan Wilkins. Modified over 6 years ago
1
Practical Censorship Evasion Leveraging Content Delivery Networks
Authors: Hadi Zolfaghari, Amir Houmansadr
Presented By: Hanzhi Wang
2
Censorship
- Censorship – preventing access to certain websites and content
- Political reasons
Background | Censorship Methods | CDN Browsing | Current Vulnerabilities | CDNReaper | Criticisms | Conclusion
3
Censorship Methods
- IP Address blocking
- DNS Interference
- Deep-Packet Inspection (DPI)
- Three methods used to accomplish this
4
IP Address Blocking
[Diagram: ip: 198.35.26.96, host: wikipedia.org]
- A blacklist of IP addresses; all requests with a destination matching the blacklist are dropped
5
DNS Interference Blocking
[Diagram: query: allowed.com, answer: (value not recoverable); query: blocked.com, answer: no]
- Interfering with DNS resolution using a MITM
- Allowed domains are resolved as usual
- DNS queries for forbidden domains are dropped or have an invalid answer returned
- This and IP blocking are packet filter firewalls
6
Deep-Packet Inspection (DPI)
[Diagram: GET /image.jpg]
- Block requests and responses based on content
- Application layer firewall
- Can block individual parts of a site
7
CDN Browsing
- Technique to circumvent censorship methods
- Makes use of Content Delivery Network (CDN) hosting providers
- Host censored content amongst uncensored content
- Blocking would incur collateral damage
- A way to get around censorship
- CDNs host content of multiple tenants at the same location
- Block all or nothing
8
Circumventing Censorship Methods
- IP Blocking
  - Content hosted on CDNs shares a set of IP addresses
  - IP-based blocking would cause collateral blockage for uncensored content
- DNS Interference
  - Connect directly using edge server IPs
- Deep-Packet Inspection (DPI)
  - Use HTTPS
- IP blocks cause collateral damage
- CDNs have a fixed set of edge server IPs
- Skip DNS resolution entirely
- HTTPS prevents inspection of traffic contents
9
Flaws In Existing CDN Browsing Systems
- Study of CacheBrowser, the first CDN browsing system
- Information leakages may compromise circumvention techniques
  - HTTPS destination leakage
  - Domain-based website fingerprinting
- CDN browsing (as-is) is not a perfect solution
- Authors found vulnerabilities within CacheBrowser
- Information is leaked which may allow censors to identify the source/destination of traffic, i.e. they can identify that traffic is destined for a certain site
10
HTTPS Destination Leakage
How CDNs deploy HTTPS:
- CDN Domain Certificates (e.g. *.akamaihd.net)
- Subject Alternative Name (SAN) Certificates
- Server Name Indication (SNI)
- Dedicated IP Addresses

- 4 different ways CDNs can provide HTTPS
- SAN certs have the domain name in the cert
- SNI is used to indicate which tenant's cert should be returned
- IP address is used to identify the associated website
- Vulnerable to DPI blocking
11
Domain Based Fingerprinting
- Websites embed objects from other domains
- Can fingerprint websites based on how many packets they receive from other domains
- Authors created fingerprinting tool
  - Tested on top 100 sites blocked in China and Iran
  - 99.1% accuracy
  - 10μs / classification
- DPI filters may be able to do this fingerprinting
- Websites have objects (CSS, JS libs)
- Each site has different objects, and a different amount of content loaded from each external site
- E.g. chart
- Tool created to show viability and potential accuracy
12
CDNReaper
- New CDN browsing system
- Fixes identified vulnerabilities
  - HTTPS destination leakage
  - Domain based fingerprinting
- Authors created new CDN browser
- Aims to fix aforementioned vulnerabilities
13
Preventing HTTPS Destination Leakage
- CDN-specific solutions
  - Send request to arbitrary edge server, get wildcard certificate
  - Contact dedicated IP of another CDN tenant
  - Remove or replace SNI entry
- Few ways to prevent HTTPS destination leakage
- CDNs implement HTTPS in different ways, which require different approaches
- Some CDNs will return a wildcard cert when sending to an arbitrary edge (i.e. instead of the edge the CDN would normally direct the request to)
- For dedicated IPs, send to the dedicated IP of another tenant
- Some CDNs allow empty or mismatched SNI fields
- Depends on the CDN, CDN-specific settings
14
Preventing Domain Based Fingerprinting
- Scrambler
  - Inject decoy requests
  - Drop unnecessary requests (e.g. advertisements)
- Scrambler 'evens out' number of requests to each site
- Also drops requests not vital to the content of the page, similar to adblock
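The domain-based fingerprinting slide and the Scrambler slide, combined in one added Python illustration (not the authors' fingerprinting tool or CDNReaper's Scrambler): a nearest-profile classifier over per-domain request counts, then padding that makes every page load look the same. The L1-distance classifier, the ad-domain list, and all sites, domains and counts are assumptions constructed for the example.

```python
# Constructed sample data: requests seen per embedded domain during one page load.
PROFILES = {
    "site-a.example": {"cdn1.example": 40, "fonts.example": 6, "ads.example": 12},
    "site-b.example": {"cdn1.example": 12, "video.example": 55, "ads.example": 3},
    "site-c.example": {"cdn2.example": 30, "fonts.example": 20},
}
AD_DOMAINS = {"ads.example"}  # assumed list of domains not vital to page content


def distance(a, b):
    """L1 distance between two per-domain request-count vectors."""
    return sum(abs(a.get(d, 0) - b.get(d, 0)) for d in set(a) | set(b))


def classify(observed, profiles=PROFILES):
    """Return (closest_site, margin); margin is the gap to the runner-up profile."""
    ranked = sorted((distance(observed, p), site) for site, p in profiles.items())
    return ranked[0][1], ranked[1][0] - ranked[0][0]


def scramble(observed, profiles=PROFILES, ad_domains=AD_DOMAINS):
    """Drop ad requests, then pad every known domain up to one common count."""
    kept = {d: n for d, n in observed.items() if d not in ad_domains}
    domains = {d for p in profiles.values() for d in p} - ad_domains
    target = max(n for p in profiles.values()
                 for d, n in p.items() if d not in ad_domains)
    return {d: max(kept.get(d, 0), target) for d in domains}


def decoy_cost(observed, scrambled, ad_domains=AD_DOMAINS):
    """Decoy requests injected: the bandwidth price of hiding the profile."""
    real = sum(n for d, n in observed.items() if d not in ad_domains)
    return sum(scrambled.values()) - real


if __name__ == "__main__":
    noisy = {"cdn1.example": 38, "fonts.example": 7, "ads.example": 10}
    print(classify(noisy))                       # counts alone identify the site
    padded = scramble(noisy)
    print(padded, decoy_cost(noisy, padded))     # identical vector for every site
```
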
15
Reach of CDN Browsing
- Top 10,000 websites analysed to determine CDN browsing readiness
- Top 10,000 Alexa rank
- Some class 1 and 2 – ready for CDN browsing
- Majority are class 4 (partial CDN)
16
Supporting Partial CDN Websites
- Content Wrappers
  - Lightweight HTML page which embeds CDN hosted content
  - Created manually for each website
- Dynamic Mirroring
  - Mirrors non-CDN content dynamically as requested
  - Similar to domain fronting
- Content wrappers used where interesting content is CDN hosted
- Can only serve static content
- Dynamic mirroring creates CDN hosted mirrors of content as requested
- Domain fronting (only for non-CDN content)
17
Criticisms – Negative
- Only looked at CacheBrowser
- Fingerprinting – "99.1% accuracy"
  - Only for top 100 blocked sites
  - False positive / false negative rate?
- Focused only on China and Iran
- No discussion on DPI censorship methods used in practice
- Solution to HTTPS destination leakage relies on current implementations by CDNs
18
Criticisms – Positive
- Comprehensive solution to identified CDN browsing weaknesses
- Provides suggestions for making websites more accessible
- Analysis of performance and costs – practicality of solution
- Created tools to assist with CDN browsing
19
Conclusion
- CDN browsing circumvents censorship methods
- CDNReaper created to resolve vulnerabilities in existing CDN browsers
- Analysis of CDN browsing readiness of websites
- Tools created to help make sites CDN browsable
20
Thank you
21
Questions?