CensorSpoofer: Asymmetric Communication using IP Spoofing for Censorship-Resistant Web Browsing
DESCRIPTION
CensorSpoofer: Asymmetric Communication using IP Spoofing for Censorship-Resistant Web Browsing. Qiyan Wang Xun Gong Giang T. K. Nguyen Amir Houmansadr Nikita Borisov Presented by: Alejandro Moncada. Overview. Motivation What is a Censor? Censor Assumptions
TRANSCRIPT
The Parrot is Dead: Observing Unobservable Network Communications
CS898AB PRIVACY ENHANCING TECHNOLOGIES
DR. MURTUZA JADLIWALA
PRESENTED BY
QASEM ALBASHA
Content
1- Introduction
2- Req. For Parrot Circumvention
3- Parrot Circumvention Systems
4- Adversary Models
5- Parrot Circumvention Flows
6- Conclusion
Unobservability By Imitation
*Unobservability: a censor can neither recognize the traffic generated by the circumvention system, nor identify the endpoints engaged in circumvention.
*Imitating an unpopular protocol is futile because the censor will simply block both the genuine protocol and its imitations.
Req. for Parrot Circumvention
A. Mimicking the protocol in its entirety
B. Mimicking reaction to errors and network conditions
C. Mimicking typical traffic
D. Mimicking implementation specific artifacts
A. Mimicking the protocol in its entirety
1- SideProtocols: e.g. a VoIP session involves three protocols: SIP, RTP, and RTCP.
2- IntraDepend: e.g. a VoIP session starts with SIP followed by RTP and RTCP connections.
3- InterDepend: e.g. an HTTP request often triggers multiple DNS queries.
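One way a circumvention developer could self-check requirement A on captures of their own traffic, as an added example that is not from the slides. The `Flow` record, the protocol labels and the sample sessions are assumptions, and only items 1 and 2 (SideProtocols, IntraDepend) are checked.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start: float  # seconds since capture start
    proto: str    # protocol label assigned by the capture tooling (assumed)


VOIP_SIDE_PROTOCOLS = {"SIP", "RTP", "RTCP"}


def voip_discrepancies(flows):
    """Return requirement-A discrepancies for one claimed VoIP session."""
    # Record when each protocol is first seen in the session.
    first_seen = {}
    for f in sorted(flows, key=lambda f: f.start):
        first_seen.setdefault(f.proto, f.start)

    issues = []
    # A.1 SideProtocols: a VoIP session involves SIP, RTP and RTCP.
    for missing in sorted(VOIP_SIDE_PROTOCOLS - set(first_seen)):
        issues.append(f"SideProtocols: no {missing} flow")
    # A.2 IntraDepend: the session starts with SIP, then RTP and RTCP.
    sip_start = first_seen.get("SIP")
    for media in ("RTP", "RTCP"):
        if media in first_seen and (
            sip_start is None or first_seen[media] < sip_start
        ):
            issues.append(f"IntraDepend: {media} not preceded by SIP")
    return issues


# Constructed sample sessions (not real captures).
GENUINE = [Flow(0.0, "SIP"), Flow(1.2, "RTP"), Flow(1.3, "RTCP")]
PARTIAL_PARROT = [Flow(0.0, "RTP"), Flow(0.4, "SIP")]  # media first, no RTCP

if __name__ == "__main__":
    for name, session in (("genuine", GENUINE), ("partial", PARTIAL_PARROT)):
        print(name, voip_discrepancies(session))
```

An empty list only means these two structural checks passed; requirements B, C and D are not covered by it.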
B. Mimicking reaction to errors and network conditions
1- The parrot must produce at least some reaction to any possible error that might occur in the target protocol.
2- Reactions to all possible errors must be consistent.
C. Mimicking typical traffic
1- Content: formats for headers and payloads.
2- Patterns: packet sizes, counts, inter-packet intervals, and flow rates.
D. Mimicking implementation specific artifacts
1- Soft: e.g. HTTP request headers include information about the browser.
2- OS: can often be revealed by the recognizable characteristics of specific client and server software.
Parrot Circumvention Systems
1. SkypeMorph: mimic Skype video calls
2. CensorSpoofer: mimic SIP based Voice-Over-IP
3. StegoTorus: mimic Skype and/or HTTP
SkypeMorph
[Diagram labels: SkypeMorph Client, Local Network, Skype, SkypeMorph Bridge, Tor Node, Firewall]
StegoTorus
[Diagram labels: StegoTorus Client, Local Network, StegoTorus Bridge, Tor Node, Firewall, HTTP, HTTP, Skype, Ventrilo]
CensorSpoofer
[Diagram labels: Client, Local Network, Blocked.com, CensorSpoofer Indirect Server, Firewall, Dummy Server]
The Parrot is Dead
“unobservability by imitation” is fundamentally flawed.
*To win, the censor needs only to find a few discrepancies, while the parrot must satisfy a daunting list of imitation requirements.
Adversary Capability Classification
1- Passive attacks: statistical and behavioral analysis, packet inspection
2- Active attacks: manipulation of network traffic
3- Proactive attacks: identify network entities
Adversary Knowledge Classification
1- Local adversary (LO)
2- State-level oblivious adversary (OB)
3- State-level omniscient adversary (OM)
Costs of censorship
[Figure labels: More resource-intensive, Slower, More false positives; Cheap and fast, Doable at line speed, Very accurate. Techniques: Machine learning, Statistical analysis, Proactive probing, Active probing, Inspecting protocol signatures, Inspecting keywords, IP filtering. Groups: Hide-within, Traditional systems]
Passive Attacks To Detect Skype Parrots
Detect Improved Skype Parrots
Distinguishing CensorSpoofer From Genuine SIP Clients
Responses to Different httprecon Requests
Skype TCP activity with and without changes in bandwidth
Correlated behavior of StegoTorus connections
Conclusion
1- Understanding of the adversaries is a must.
2- Unobservability by imitation is a fundamentally flawed approach. To achieve unobservability, the parrot must mimic a concrete implementation and be compatible with every implementation-specific quirk and bug.
3- Partial imitation is worse than no imitation at all.
Not mimicking, but running the actual protocol: FreeWave