CensorSpoofer: Asymmetric Communication using IP Spoofing for Censorship-Resistant Web Browsing
Qiyan Wang, Xun Gong, Giang T. K. Nguyen, Amir Houmansadr, Nikita Borisov. Presented by: Alejandro Moncada.
Overview. Motivation. What is a Censor? Censor Assumptions
The Parrot is Dead: Observing Unobservable Network Communications
CS898AB PRIVACY ENHANCING TECHNOLOGIES
DR. MURTUZA JADLIWALA
PRESENTED BY QASEM ALBASHA
Content
1- Introduction
2- Req. For Parrot Circumvention
3- Parrot Circumvention Systems
4- Adversary Models
5- Parrot Circumvention Flows
6- Conclusion
Unobservability By Imitation
*Unobservability: a censor can neither recognize the traffic generated by the circumvention system, nor identify the endpoints engaged in circumvention.
*Imitating an unpopular protocol is futile because the censor will simply block both the genuine protocol and its imitations.
Req. for Parrot Circumvention
A. Mimicking the protocol in its entirety
B. Mimicking reaction to errors and network conditions
C. Mimicking typical traffic
D. Mimicking implementation specific artifacts
A. Mimicking the protocol in its entirety
1- SideProtocols: e.g. a VoIP session involves three protocols: SIP, RTP, and RTCP.
2- IntraDepend: e.g. a VoIP session starts with SIP followed by RTP and RTCP connections.
3- InterDepend: e.g. an HTTP request often triggers multiple DNS queries.
B. Mimicking reaction to errors and network conditions
1- The parrot must produce at least some reaction to any possible error that might occur in the target protocol.
2- Reactions to all possible errors must be consistent.
C. Mimicking typical traffic
1- Content: formats for headers and payloads.
2- Patterns: packet sizes, counts, inter-packet intervals, and flow rates.
D. Mimicking implementation specific artifacts
1- Soft: e.g. HTTP request headers include information about the browser.
2- OS: can often be revealed by the recognizable characteristics of specific client and server software.
Parrot Circumvention Systems
1. SkypeMorph: mimic Skype video calls
2. CensorSpoofer: mimic SIP-based Voice-over-IP
3. StegoTorus: mimic Skype and/or HTTP
SkypeMorph
[Diagram labels: SkypeMorph Client, Local Network, Firewall, Skype, SkypeMorph Bridge, Tor Node]
StegoTorus
[Diagram labels: StegoTorus Client, Local Network, Firewall, StegoTorus Bridge, Tor Node; cover protocols shown: HTTP, HTTP, Skype, Ventrilo]
CensorSpoofer
[Diagram labels: Client, Local Network, Firewall, Blocked.com, CensorSpoofer Indirect Server, Dummy Server]
The Parrot is Dead
“Unobservability by imitation” is fundamentally flawed.
*To win, the censor needs only to find a few discrepancies, while the parrot must satisfy a daunting list of imitation requirements.
Adversary Capability Classification
1- Passive attacks: statistical and behavioral analysis, packet inspection
2- Active attacks: manipulation of network traffic
3- Proactive attacks: identify network entities
Adversary Knowledge Classification
1- Local adversary (LO)
2- State-level oblivious adversary (OB)
3- State-level omniscient adversary (OM)
Costs of censorship
[Figure: censorship techniques arranged on a scale from "More resource-intensive / Slower / More false positives" to "Cheap and fast / Doable at line speed / Very accurate": Machine learning, Statistical analysis, Proactive probing, Active probing, Inspecting protocol signatures, Inspecting keywords, IP filtering. Side labels: "Hide-within", "Traditional systems".]
Passive Attacks To Detect Skype Parrots
Detect Improved Skype Parrots
Distinguishing CensorSpoofer From Genuine SIP Clients
Responses to Different httprecon Requests
Skype TCP activity with and without changes in bandwidth
Correlated behavior of StegoTorus connections
Conclusion
1- Understanding of the adversaries is a must.
2- Unobservability by imitation is a fundamentally flawed approach. To achieve unobservability, the parrot must mimic a concrete implementation and be compatible with every implementation-specific quirk and bug.
3- Partial imitation is worse than no imitation at all.
Not mimicking, but running the actual protocol: FreeWave