liberate, (n): A library for exposing (traffic-classification) rules and avoiding them efficiently

Size: px

Start display at page:

Download "liberate, (n): A library for exposing (traffic-classification) rules and avoiding them efficiently"

Eric Harrell
6 years ago
Views:

1 liberate, (n): A library for exposing (traffic-classification) rules and avoiding them efficiently Fangfan Li, Abbas Razaghpanah, Arash Molavi Kakhki, Arian Akhavan Niaki, David Choffnes, Phillipa Gill, Alan Mislove 1

2 Traffic management 2

3 Traffic management Internet Service Provider Throttling 2

4 Traffic management Internet Service Provider Throttling Blocking 2

5 Traffic management Internet Service Provider Throttling Blocking 2

6 Traffic management Internet Service Provider Throttling Blocking Zero rating 2

7 Traffic management Internet Service Provider Throttling Blocking Zero rating 2

8 Example policy 3

9 Example policy 3

10 Example policy 3

11 Example policy 3

12 Lack of user control Throttling 4

13 Lack of user control Policies are implemented by DPI (Deep Packet Inspection) devices [IMC 16] Throttling 4

14 Lack of user control Policies are implemented by DPI (Deep Packet Inspection) devices [IMC 16] Youtube Throttling 4

15 Lack of user control Policies are implemented by DPI (Deep Packet Inspection) devices [IMC 16] Differentiation policy can be harmful or unwanted to users/content providers Youtube Throttling 4

16 Lack of user control Policies are implemented by DPI (Deep Packet Inspection) devices [IMC 16] Differentiation policy can be harmful or unwanted to users/content providers Users/content providers have no control over these policies Youtube Throttling 4

17 Previous work

18 Previous work Approaches: VPNs and proxies Covert channels Obfuscating traffic Domain fronting

19 Previous work Approaches: Limitations: VPNs and proxies Covert channels Obfuscating traffic Domain fronting

20 Previous work Approaches: VPNs and proxies Limitations: Brittle Covert channels Obfuscating traffic Domain fronting

21 Previous work Approaches: VPNs and proxies Covert channels Limitations: Brittle Development effort Obfuscating traffic Domain fronting

22 Previous work Approaches: VPNs and proxies Covert channels Obfuscating traffic Limitations: Brittle Development effort Performance Domain fronting

23 Previous work Approaches: VPNs and proxies Covert channels Obfuscating traffic Domain fronting Limitations: Brittle Development effort Performance Manual inspection

24 Goals of liberate Evade throttling liberate 6

25 Goals of liberate A technical solution for detecting and evading unwanted policies Evade throttling liberate 6

26 Goals of liberate A technical solution for detecting and evading unwanted policies Enables unmodified applications to evade Evade throttling liberate 6

27 Goals of liberate A technical solution for detecting and evading unwanted policies Enables unmodified applications to evade Automatically Evade throttling liberate 6

28 Goals of liberate A technical solution for detecting and evading unwanted policies Enables unmodified applications to evade Automatically Adaptively Evade throttling liberate 6

29 Goals of liberate A technical solution for detecting and evading unwanted policies Enables unmodified applications to evade Automatically Adaptively Unilaterally Evade throttling liberate 6

30 Goals of liberate A technical solution for detecting and evading unwanted policies Enables unmodified applications to evade Automatically Adaptively Unilaterally With low overhead Evade throttling liberate 6

31 Goals of liberate A technical solution for detecting and evading unwanted policies Enables unmodified applications to evade Automatically Adaptively Unilaterally With low overhead Unknown Evade throttling liberate 6

32 Outline Design and implementation Traffic-classification rules detection Evasion techniques Implementation Evaluation Effectiveness across multiple networks 7

33 Overview of liberate 8

34 Overview of liberate 8

35 Overview of liberate 8

36 Overview of liberate 8

37 Overview of liberate 8

38 Overview of liberate 8

39 Outline Design and implementation Traffic-classification rules detection Evasion techniques Implementation Evaluation Effectiveness across multiple networks 9

40 Design Traffic-classification rules detection 10

41 Design Traffic-classification rules detection Recorded traffic VPN Channel Client VPN server How to detect differentiation? Record and Replay [IMC 15] 10

42 Design Traffic-classification rules detection Recorded traffic VPN Channel Client VPN server Replay Client Recorded traffic Recorded traffic Replay server How to detect differentiation? Record and Replay [IMC 15] 10

43 Design Traffic-classification rules detection Recorded traffic VPN Channel Client VPN server Replay Client Recorded traffic Recorded traffic Replay server How to detect differentiation? Record and Replay [IMC 15] 10

44 Design Traffic-classification rules detection Recorded traffic VPN Channel Client VPN server Replay Client Recorded traffic Recorded traffic Replay server How to detect differentiation? Record and Replay [IMC 15] How to evade differentiation efficiently? 10

45 Design Traffic-classification rules detection Recorded traffic VPN Channel Client VPN server Replay Client Recorded traffic Recorded traffic Replay server How to detect differentiation? Record and Replay [IMC 15] How to evade differentiation efficiently? Understand classification rules [IMC 16] 10

46 Design Traffic-classification rules detection Recorded traffic VPN Channel Client VPN server Replay Client Recorded traffic GET /url Host: Recorded traffic Replay server How to detect differentiation? Record and Replay [IMC 15] How to evade differentiation efficiently? Understand classification rules [IMC 16] 10

Design Traffic-classification rules detection Recorded traffic VPN Channel Header Client VPN server Example matching content URI Replay Client Host Recorded traffic GET /url Host: www.googlevideo.

47 Design Traffic-classification rules detection Recorded traffic VPN Channel Header Client VPN server Example matching content URI Replay Client Host Recorded traffic GET /url Host: site.js{ }-nbcsports-com Recorded traffic Host: Replay server How User-Agent to detect differentiation? User-Agent: Pandora 5.0{ } Content-Type Record and Replay [IMC 15] Content-Type: video How to SNI evade differentiation efficiently? googlevideo.com Understand classification rules [IMC 16] 10

48 Outline Design and implementation Traffic-classification rules detection Evasion techniques Implementation Evaluation Effectiveness across multiple networks 11

49 Design Example classification How does classifier classify application B? 12

50 Design Example classification How does classifier classify application B? 12

51 Design Example classification How does classifier classify application B? 12

52 Design Example classification How does classifier classify application B? 12

53 Design Example classification How does classifier classify application B? 12

54 Design Example classification How does classifier classify application B? 12

55 Design Example classification How does classifier classify application B? Matching contents : GET /B 12

56 Design Evasion techniques Using a small TTL value * Christian Kreibich et al Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. 13

57 Design Observation: Evasion techniques Match and forget behavior Using a small TTL value * Christian Kreibich et al Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. 13

58 Design Observation: Evasion techniques Match and forget behavior Incomplete views of the connection Using a small TTL value * Christian Kreibich et al Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. 13

59 Design Observation: Evasion techniques Match and forget behavior Incomplete views of the connection Inert packet insertion* : Traffic processed only by a classifier but not endpoint Using a small TTL value * Christian Kreibich et al Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. 13

60 Design Observation: Evasion techniques Match and forget behavior Incomplete views of the connection Inert packet insertion* : Traffic processed only by a classifier but not endpoint Using a small TTL value * Christian Kreibich et al Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. 13

61 Design Observation: Evasion techniques Match and forget behavior Incomplete views of the connection Inert packet insertion* : Traffic processed only by a classifier but not endpoint Using a small TTL value * Christian Kreibich et al Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. 13

Design Observation: Evasion techniques Match and forget behavior Incomplete views of the connection Inert packet insertion* : Traffic processed only by a classifier but not endpoint

62 Design Observation: Evasion techniques Match and forget behavior Incomplete views of the connection Inert packet insertion* : Traffic processed only by a classifier but not endpoint App B is classified as App A Using a small TTL value * Christian Kreibich et al Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. 13

63 Design Evasion techniques SYN SYN, ACK TCP 80 TCP 80 ACK IPID 1 OFF 0 GE IPID 1 OFF 2 T IPID 1 OFF 4 /A IPID 1 OFF 6 \r\n TCP 80 TCP 80 TCP 80 TCP 80 TCP 80 Fragmenting the IP packet 14

64 Design Evasion techniques Observation: Each packet is searched independently for matching contents SYN SYN, ACK TCP 80 TCP 80 ACK IPID 1 OFF 0 GE IPID 1 OFF 2 T IPID 1 OFF 4 /A IPID 1 OFF 6 \r\n TCP 80 TCP 80 TCP 80 TCP 80 TCP 80 Fragmenting the IP packet 14

65 Design Evasion techniques Observation: Each packet is searched independently for matching contents Splitting/Reordering: splitting the matching contents across multiple packets SYN SYN, ACK TCP 80 TCP 80 ACK IPID 1 OFF 0 GE IPID 1 OFF 2 T IPID 1 OFF 4 /A IPID 1 OFF 6 \r\n TCP 80 TCP 80 TCP 80 TCP 80 TCP 80 Fragmenting the IP packet 14

66 Design Evasion techniques Observation: Each packet is searched independently for matching contents Splitting/Reordering: splitting the matching contents across multiple packets SYN SYN, ACK TCP 80 TCP 80 ACK IPID 1 OFF 0 GE IPID 1 OFF 2 T IPID 1 OFF 4 /A IPID 1 OFF 6 \r\n TCP 80 TCP 80 TCP 80 TCP 80 TCP 80 Fragmenting the IP packet 14

$SYN SYN, ACK TCP 80 TCP 80 App A is unclassified ACK IPID 1 OFF 0 GE IPID 1 OFF 2 T IPID 1 OFF 4 /A IPID 1 OFF 6 \r\n TCP 80 TCP 80 TCP 80 TCP 80 TCP 80 Fragmenting the IP packet$

67 Design Evasion techniques Observation: Each packet is searched independently for matching contents Splitting/Reordering: splitting the matching contents across multiple packets SYN SYN, ACK TCP 80 TCP 80 App A is unclassified ACK IPID 1 OFF 0 GE IPID 1 OFF 2 T IPID 1 OFF 4 /A IPID 1 OFF 6 \r\n TCP 80 TCP 80 TCP 80 TCP 80 TCP 80 Fragmenting the IP packet 14

68 Design Evasion techniques SYN SYN, ACK ACK TCP 80 TCP 80 TCP 80 SEQ 1 GET /B TCP 80 Inserting large delays 15

69 Design Evasion techniques Observation: Classifiers do no retain classification results indefinitely SYN SYN, ACK ACK TCP 80 TCP 80 TCP 80 SEQ 1 GET /B TCP 80 Inserting large delays 15

70 Design Evasion techniques Observation: Classifiers do no retain classification results indefinitely Flushing: causing the classifier to remove the classification state for the flow SYN SYN, ACK ACK TCP 80 TCP 80 TCP 80 SEQ 1 GET /B TCP 80 Inserting large delays 15

71 Design Evasion techniques Observation: Classifiers do no retain classification results indefinitely Flushing: causing the classifier to remove the classification state for the flow SYN SYN, ACK ACK TCP 80 TCP 80 TCP 80 SEQ 1 GET /B TCP 80 Inserting large delays 15

72 Design Evasion techniques Observation: Classifiers do no retain classification results indefinitely Flushing: causing the classifier to remove the classification state for the flow SYN SYN, ACK ACK TCP 80 TCP 80 TCP 80 App B is unclassified SEQ 1 GET /B TCP 80 Inserting large delays 15

73 Outline Design and implementation Traffic-classification rules detection Evasion techniques Implementation Evaluation Effectiveness across multiple networks 16

74 Implementation App liberate Proxy Server 17 Replay Server

75 Implementation Phase 1: liberate does the analysis using a replay server App liberate Proxy Server Phase 1 17 Replay Server

76 Implementation Phase 1 Phase 1: liberate does the analysis using a replay server App liberate Proxy Server Phase 1 17 Replay Server

77 Implementation Phase 1: liberate does the analysis using a replay server Phase 2: liberate applies evasion technique to traffic in-flight App Phase 2 liberate Proxy Phase 2 Server Phase 1 17 Replay Server

78 Implementation Phase 1 Phase 2 Phase 1: liberate does the analysis using a replay server Phase 2: liberate applies evasion technique to traffic in-flight App Phase 2 liberate Proxy App Phase 2 liberate Proxy Phase 2 Phase 1 Phase 2 Server Server Phase 1 17 Replay Server Replay Server

79 Outline Design and implementation Traffic-classification rules detection Evasion techniques Implementation Evaluation Effectiveness across multiple networks 18

80 Evaluation Testbed and in the wild liberate Client Server 19

81 Evaluation Testbed and in the wild Testbed evaluation liberate Client Server 19

82 Evaluation Testbed and in the wild Testbed evaluation liberate Client Server Evaluation in the wild Client liberate 19 Server

83 Evaluation Testbed and in the wild Testbed evaluation liberate Client Server Evaluation in the wild Client liberate 19 Server

84 Evaluation Testbed and in the wild Testbed evaluation liberate Client Server Evaluation in the wild Client liberate 19 Server

85 Evaluation Results 20

86 Evaluation Example result table Technique Test case 1 Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Wrong sequence number Wrong checksum Payload Splitting Payload Reordering Reverse the transmission of first two fragments Classification flushing 21

87 Evaluation Example result table Technique Test case 1 Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Wrong sequence number Wrong checksum Payload Splitting Payload Reordering Reverse the transmission of first two fragments Classification flushing 21

88 Evaluation Example result table Technique Test case 1 Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Wrong sequence number Wrong checksum Payload Splitting Payload Reordering Reverse the transmission of first two fragments Classification flushing 21

89 Evaluation Example result table Technique Test case 1 Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Wrong sequence number Wrong checksum Payload Splitting Payload Reordering Reverse the transmission of first two fragments Classification flushing 21

90 Evaluation Testbed results Technique Testbed Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Wrong sequence number Wrong checksum Payload Splitting Payload Reordering Classification flushing Break packet into two IP fragments Reverse the transmission of first two fragments TTL-limited RST packet before classification 22

91 Evaluation Testbed results Technique Testbed Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Wrong sequence number Wrong checksum Payload Splitting Payload Reordering Classification flushing Break packet into two IP fragments Reverse the transmission of first two fragments TTL-limited RST packet before classification Efficiency: One-time overhead (phase 1) : 13 minutes 22

92 Evaluation Testbed results Technique Testbed Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Wrong sequence number Wrong checksum Payload Splitting Payload Reordering Classification flushing Break packet into two IP fragments Reverse the transmission of first two fragments TTL-limited RST packet before classification Efficiency: One-time overhead (phase 1) : 13 minutes 22

Evaluation Testbed results Technique Testbed Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Wrong sequence number Wrong checksum Payload Splitting Payload

93 Evaluation Testbed results Technique Testbed Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Wrong sequence number Wrong checksum Payload Splitting Payload Reordering Classification flushing Break packet into two IP fragments Reverse the transmission of first two fragments TTL-limited RST packet before classification Efficiency: One-time overhead (phase 1) : 13 minutes Run-time overhead (phase 2) : tens of bytes per flow 22

94 Evaluation Testbed results Technique Testbed Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Wrong sequence number Wrong checksum Payload Splitting Payload Reordering Classification flushing Break packet into two IP fragments Reverse the transmission of first two fragments TTL-limited RST packet before classification Efficiency: One-time overhead (phase 1) : 13 minutes Run-time overhead (phase 2) : tens of bytes per flow Effectiveness: All types of techniques were effective in testbed 22

95 Evaluation T mobile Binge On Technique Testbed T mobile Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Payload Splitting Payload Reordering Classification flushing Break packet into five TCP segments Reverse the transmission of first two segments TTL-limited RST packet before classification 23

96 Evaluation T mobile Binge On Technique Testbed T mobile Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Payload Splitting Payload Reordering Break packet into five TCP segments Reverse the transmission of first two segments Classification flushing TTL-limited RST packet before classification Classified video (HTTP/S) was throttled to 1.5 Mbps and zero-rated Efficiency: One-time overhead (phase 1) : 30 minutes Run-time overhead (phase 2) : tens of bytes per flow 23

97 Evaluation T mobile Binge On Technique Testbed T mobile Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Payload Splitting Payload Reordering Break packet into five TCP segments Reverse the transmission of first two segments Classification flushing TTL-limited RST packet before classification Classified video (HTTP/S) was throttled to 1.5 Mbps and zero-rated Efficiency: One-time overhead (phase 1) : 30 minutes Run-time overhead (phase 2) : tens of bytes per flow Effectiveness: UDP traffic (e.g., Youtube video in QUIC) was not classified 23

98 Evaluation T mobile Binge On Technique Testbed T mobile Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Payload Splitting Payload Reordering Break packet into five TCP segments Reverse the transmission of first two segments Classification flushing TTL-limited RST packet before classification Classified video (HTTP/S) was throttled to 1.5 Mbps and zero-rated Efficiency: One-time overhead (phase 1) : 30 minutes Run-time overhead (phase 2) : tens of bytes per flow Effectiveness: UDP traffic (e.g., Youtube video in QUIC) was not classified Breaking packet into 5 TCP segments evaded classification 23

99 Evaluation T mobile Binge On Technique Testbed T mobile Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Payload Splitting Payload Reordering Break packet into five TCP segments Reverse the transmission of first two segments Classification flushing 23 TTL-limited RST packet before classification Classified video (HTTP/S) was throttled to 1.5 Mbps and zero-rated Efficiency: One-time overhead (phase 1) : 30 minutes Run-time overhead (phase 2) : tens of bytes per flow Effectiveness: UDP traffic (e.g., Youtube video in QUIC) was not classified Breaking packet into 5 TCP segments evaded classification Reversing the order of initial packets was effective

100 Evaluation T mobile Binge On Technique Testbed T mobile Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Payload Splitting Payload Reordering Break packet into five TCP segments Reverse the transmission of first two segments Classification flushing 23 TTL-limited RST packet before classification Classified video (HTTP/S) was throttled to 1.5 Mbps and zero-rated Efficiency: One-time overhead (phase 1) : 30 minutes Run-time overhead (phase 2) : tens of bytes per flow Effectiveness: UDP traffic (e.g., Youtube video in QUIC) was not classified Breaking packet into 5 TCP segments evaded classification Reversing the order of initial packets was effective

101 Evaluation The Great Firewall of China Technique Testbed T mobile GFC Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Wrong Checksum Payload Splitting Payload Reordering Classification flushing Pause for t seconds before classification 24

102 Evaluation The Great Firewall of China Technique Testbed T mobile GFC Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Wrong Checksum Payload Splitting Payload Reordering Classification flushing Pause for t seconds before classification Classified HTTP content was blocked by 3-5 RST packets Efficiency: One-time overhead (phase 1) : 20 minutes Run-time overhead (phase 2) : tens of bytes per flow 24

103 Evaluation The Great Firewall of China Technique Testbed T mobile GFC Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Wrong Checksum Payload Splitting Payload Reordering Classification flushing Pause for t seconds before classification Classified HTTP content was blocked by 3-5 RST packets Efficiency: One-time overhead (phase 1) : 20 minutes Run-time overhead (phase 2) : tens of bytes per flow Effectiveness: Both IP/ TCP inert insertion succeeded 24

104 Evaluation The Great Firewall of China Technique Testbed T mobile GFC Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Wrong Checksum Payload Splitting Payload Reordering Classification flushing 24 Pause for t seconds before classification Classified HTTP content was blocked by 3-5 RST packets Efficiency: One-time overhead (phase 1) : 20 minutes Run-time overhead (phase 2) : tens of bytes per flow Effectiveness: Both IP/ TCP inert insertion succeeded Flushing classification by pausing succeeded

105 Evaluation The Great Firewall of China Technique Testbed T mobile GFC Example technique Inert packet insertion IP TCP UDP Lower TTL to only reach classifier Wrong Checksum Payload Splitting Payload Reordering Classification flushing 24 Pause for t seconds before classification Classified HTTP content was blocked by 3-5 RST packets Efficiency: One-time overhead (phase 1) : 20 minutes Run-time overhead (phase 2) : tens of bytes per flow Effectiveness: Both IP/ TCP inert insertion succeeded Flushing classification by pausing succeeded

106 Evaluation The Great Firewall of China Time-of-day effects when flushing classification 25

107 Evaluation The Great Firewall of China Time-of-day effects when flushing classification 25

108 Evaluation The Great Firewall of China Time-of-day effects when flushing classification 25

109 Evaluation The Great Firewall of China Time-of-day effects when flushing classification 60 seconds successfully evaded 2:30 AM 25

110 Evaluation The Great Firewall of China Time-of-day effects when flushing classification 240 seconds failed to evade 60 seconds successfully evaded 2:30 AM 4:00 AM 25

111 Evaluation The Great Firewall of China Time-of-day effects when flushing classification 25

112 Evaluation The Great Firewall of China Time-of-day effects when flushing classification quiet hours (4:00 AM to 9:00 AM) using long delays did not evade 25

113 Evaluation The Great Firewall of China Time-of-day effects when flushing classification quiet hours (4:00 AM to 9:00 AM) using long delays did not evade busy hours (3:00 PM to 10:00 PM) using short delays evaded 25

114 Conclusion A tool that automatically and efficiently evades differentiation A taxonomy of evasion techniques An empirical measurement of traffic classifiers liberate evaded classifiers with low run-time overhead Public, open-source tools and datasets Future work: more resilient evasion techniques 26

115 Thanks For more details about liberate, code, and data : 27

Identifying Traffic Differentiation in Mobile Networks

Identifying Traffic Differentiation in Mobile Networks Arash Molavi Kakhki, Abbas Razaghpanah, Anke Li, Hyungjoon Koo, Rajesh Golani, David Choffnes, Phillipa Gill, Alan Mislove Northeastern University,