Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship

Size: px

Start display at page:

Download "Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship"

Austen Singleton
6 years ago
Views:

1 Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship Zhongjie Wang, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth V Krishnamurthy University of California, Riverside 1

2 Internet Censorship Key technology: Deep Packet Inspection (DPI) Reconstruct TCP data flow Examine application protocol fields AS AS AS TCB Alice Connection State Client SEQ num Payload Data IP TCP HTTP (Stateful) Web Server GET /badword HTTP/1.1\r\nHost: 2

3 Internet Censorship Similar to Network Intrusion Detection System (NIDS), it is inherently vulnerable: Network reason (small TTL, middleboxes) End-host reason (different TCP impl., local firewall) AS AS AS TCB Alice Connection State Client SEQ num Payload Data IP TCP HTTP RST RST Web Server (Stateful) GET /badword HTTP/1.1\r\nHost: 3

4 Our Study The Great Firewall of China (GFW) a sophisticated censorship system performing stateful DPI has a long history of keyword-based content filtering on HTTP/DNS/IMAP/Tor/etc sends forged TCP RST packets to terminates the connection upon detection of sensitive keyword Goal: Measure the effectiveness of TCP-layer censorship evasion techniques on the GFW in practical situation 4

5 Prior Studies NIDS Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Ptacek et al GFW Ignoring the Great Firewall of China. Clayton et al Towards Illuminating a Censorship Monitor s Model to Facilitate Evasion. Khattak et al

6 Our Contributions First extensive measurement of the TCP-layer evasion technique on the GFW Discovered new behaviors of the GFW Our new evasion strategies achieve >95% success rate, tested effective with HTTP/DNS/VPN/Tor traffic INTANG, a open-source censorship evasion tool 6

7 Agenda Overview Background Evaluation of Existing Evasion Strategies Evolved GFW Behaviors Evaluation of New Evasion Strategies Discussion and Conclusion 7

8 Insertion/Evasion Packet Insertion Packets: accepted by the GFW but dropped by the server Evasion Packets: accepted by the server but dropped by the GFW Basic Idea: De-synchronization TCP states (LISTEN, ESTABLISHED) Program states (SEQ num, win size) 8

9 Existing Evasion Strategies Creating false TCB (bad SEQ) Creating false TCB TCB Creation TCB Teardown 9

10 Agenda Overview Background Evaluation of Existing Evasion Strategies Evolved GFW Behaviors Evaluation of New Evasion Strategies Discussion and Conclusion 10

11 Measurement Setup HTTP censorship 77 Alexa top global sites Alibaba Cloud Tencent Cloud China Unicom 11 vantage points Beijing 9 cities, 3 ISPs 50 times per test Shanghai Controlled experiments Guangzhou Sensitive keyword: ultrasurf Shenzhen 11

12 Evaluation of Existing Strategies Failure 1 - no resp. from server; Failure 2 - RST from GFW 12

13 Why 13

14 Failure Analysis Interference on Insertion Packets Client-side Middlebox Server-side Middlebox Server Accept Failure 1 (No resp. from svr) Failure 1 (No resp. from svr) Failure 1 (No resp. from svr) Drop Failure 2 (RST from GFW) No Interference No Interference Read Inject Win Linux macos 14

15 However, there are still a large portion of failure cases left unresolved 15

16 Agenda Overview Background Evaluation of Existing Evasion Strategies Evolved GFW Behaviors Evaluation of New Evasion Strategies Discussion and Conclusion 16

17 TCB Creation on SYN/ACK TCB Creation SYN SEQ:123, ACK:456 SYN/ACK SEQ:123, ACK: : : : :6666 TCB Client: :5555 Server: :6666 Client SEQ: 123 TCB Client: :6666 Server: :5555 Client SEQ: 456 Prior 17 New

18 Re-synchronization GFW now becomes smarter GFW enters re-sync state upon seeing Multiple SYN or Multiple SYN/ACK or SYN/ACK with incorrect ACK num 18

19 Re-synchronization When in re-sync state, the GFW updates its client SEQ num using the next SEQ num in data packet from client to server ACK num in SYN/ACK packet from server to client Data SYN/ACK 19

20 Combined strategy: TCB Creation + Resync/Desync 20

21 Combined strategy: TCB Teardown + TCB Reversal 21

22 New Insertion Packets Expanding the arsenal 22

23 How to Find More Insertion Packets? Ignore path analysis in TCP receiving logic and differential testing with the GFW Ignore path: an program execution path doesn t change any TCP related states, i.e. packet ignored. e.g. wrong checksum Testing if the GFW also ignores the packet, otherwise, it could be an insertion packet 23

24 Analyzing Linux TCP Implementation Analysis on Linux kernel version 4.4, found the following candidate insertion packets New effective insertion packet: MD5 optional header Future work: automated discovery of insertion packets 24

25 Agenda Overview Background Evaluation of Existing Evasion Strategies Evolved GFW Behaviors Evaluation of New Evasion Strategies Discussion and Conclusion 25

26 INTANG - Extensible Measurement Tool UDP DNS <-> TCP DNS INTANG and its components 26

27 INTANG - Extensible Measurement Tool Callbacks for each strategy: setup() teardown() process_syn() process_synack() process_request() INTANG and its components 27

28 Evaluation Evaluation in both directions (inbound & outbound China) (Outbound) (Inbound) High success rate of >95% for outbound; low inbound success rate due to close distance between server and GFW INTANG performance: automatically choose the best strategy based on historical results, success rate 98% 28

29 Case Study - DNS/Tor/VPN Public DNS resolvers outside China Google DNS: IP-blocked OpenDNS: not censored Dyn DNS: censored, 98%+ success rate with INTANG Private Tor relay: 100% success rate with INTANG Private OpenVPN server: occasionally censored, can be bypassed with INTANG when censored 29

30 Agenda Overview Background Evaluation of Existing Evasion Strategies Evolved GFW Behaviors Evaluation of New Evasion Strategies Discussion and Conclusion 30

31 Discussion & Limitation GFW Countermeasures Hard to be fully immune to insertion packet May use server s ACK as a feedback, but still vulnerable to data reassembly strategies Limitation Unable to fully understand some of the failure cases due to blackbox nature of the GFW Complexity and inconsistency of the GFW behaviors 31

32 Conclusion We conduct an extensive measurement on the effectiveness of existing TCP-layer evasion techniques against the GFW, and find most of them are no longer working Middleboxes (including NATs and firewalls) have significant interference on the insertion packets We discover new behaviors of the GFW and propose new evasion strategies that can bypass these behaviors We evaluate our new strategies and demonstrate a high success rate of 95%+ 32

33 Q&A Zhongjie Wang Github: 33

Network Intrusion Detection Systems. Beyond packet filtering

Network Intrusion Detection Systems Beyond packet filtering Goal of NIDS Detect attacks as they happen: Real-time monitoring of networks Provide information about attacks that have succeeded: Forensic