CensorSpoofer: Asymmetric Communication using IP Spoofing for Censorship-Resistant Web Browsing
Jeremiah O’Connor
CS 683 Fall 2012

Main Problem!
• Civil Liberties and Freedom of Information, Big Brother
• Oppressive regimes view information as a huge threat to their corrupt ideals
  – Freedom of Information is “dangerous”
• Challenge: how to direct legitimate users to redirection proxies while preventing censors, who may pose as insiders, from discovering the proxy addresses and blocking them?

Main Culprit
• Primary censor in the article is China
  – Blocks a great amount of info (once blocked Gmail), Facebook, news sites, etc.

HELP ME!!!!

CensorSpoofer to the Rescue!!
• Modern framework for censorship-resistant web browsing
• Tackles the challenge by taking advantage of the asymmetric nature of web browsing traffic and employing IP spoofing
  – Separates the upstream (client to server) and downstream (server to client) channels
  – Upstream: low-bandwidth indirect channel for messages (URLs)
  – Downstream: high-bandwidth direct channel for downloading content

About CensorSpoofer
• To get past the censor, users typically use a redirection proxy, which lets them access blocked sites.
• Key: use IP address spoofing (packets with a forged IP address) to send data from the proxy to the user without revealing the origin of the proxy
• To avoid being identified by the censor, CensorSpoofer impersonates an encrypted VoIP (Voice over IP) session to channel downstream data
• Authors explore additional steps to be taken to avoid detection (choosing a reasonable fake IP source address)
• Experiments show the prototype can be successfully used for browsing while resisting blocking efforts by censors

Related Work
• To bypass Internet censorship, systems such as Dynaweb/freegate, Ultrasurf, and Psiphon were created
• Other ways: Infranet, Tor, Triangle Boy
• Based on a simple idea: let the user connect to one of the proxies deployed outside the censor’s network, which can retrieve blocked web pages for the users
• However… still vulnerable to the “Insider Attack”
  – The censor pretends to be an ordinary user to locate the proxies and then block them

Threat Model
• State-level adversary (censor) who monitors the network under its jurisdiction
• Censor is capable of IP filtering, deep packet inspection, and DNS hijacking, and is able to monitor, block, alter, and inject traffic anywhere in the network
• Censor allows citizens basic access:
  – IM, Email, and VoIP
  – Blocking the basics would lead to economic losses and political pressure
• Censor is unwilling to interfere with the internet connections of a user unless there is evidence the connection is being used to bypass censorship

System Goals
• CensorSpoofer goals:
  – Unblockability: the censor is unable to block CensorSpoofer without sustaining unacceptable costs
  – Perfect resistance to insider attacks: the censor should not be able to break the unblockability or unobservability of CensorSpoofer even if almost all users are compromised
  – Low latency (time delay): be able to fetch and deliver web pages for users with low latency (does not support JavaScript)
  – Deployability: be deployable by people with limited resources, without support from network infrastructure

Overview

CensorSpoofer Framework
• Overview: in censored countries, users cannot visit blocked websites and must connect to external proxies to access these websites
• Authors’ insight: for web browsing, upstream traffic (e.g., URLs) is much lighter-weight than the downstream traffic
• Authors’ design: based on this insight, the authors design a new circumvention framework for web browsing that uses asymmetric communication with separate upstream/downstream channels

CensorSpoofer Framework
• The user pretends to communicate legitimately with an external dummy host, and sends URLs to the spoofer via a low-bandwidth indirect channel. The spoofer fetches the blocked web pages and injects the censored data into the downstream flow towards the user by spoofing the dummy host’s IP

Downstream (Server to Client) Channel
• To hide the spoofer’s IP address, the authors apply IP spoofing in the downstream flow
• What kind of traffic (TCP or UDP) for IP spoofing?
• Authors focus on UDP traffic for IP spoofing

Upstream (Client to Server) Channel
• To send upstream messages, each user uses a steganographic (data-hiding) channel embedded in indirect communications such as IM and Email
• Important challenge to address: the possibility that the censor will perform blocking based on the recipient’s IM identifier or Email address

Design of CensorSpoofer
• The CensorSpoofer framework can be instantiated using various protocol choices
  – Designed based on VoIP

Background of SIP-based VoIP
• VoIP is an Internet service that transmits voice over IP-based networks
• SIP is one of the most popular VoIP signaling protocols, lightweight
• SIP is an application-layer protocol
  – 3 main elements in SIP systems
    • User agents
    • Location services
    • Servers

Sketch of Prototype Implementation
• Spoofer prototype has 4 components: a SIP message handler, an RTP/RTCP transmitter, an upstream message receiver, and a prefetching proxy
• Client: implemented a client-side HTTP proxy to handle HTTP requests made by the user’s browser and HTTP responses received from the RTP channel

Censorship Circumvention
• Outline of Circumvention:
  – 1. Client initializes a SIP (Session Initiation Protocol) session with the spoofer by sending out a normal INVITE message
  – 2. After receiving the message, the spoofer randomly selects a dummy host and replies with a manipulated OK message that looks like it is from the dummy host
  – 3. When OK message comes, client starts to send encrypted RTP/RTCP packets to client by spoofing dummy host’s IP address
  – 4. Meanwhile, the client sends URLs through a steganographic IM/Email channel to the spoofer
  – 5. Spoofer fetches the web pages, puts them into RTP packet payloads, and sends them to the client
  – 6. To terminate the session, the client sends a termination signal to the spoofer over the upstream channel; the spoofer then sends a BYE message (with IP spoofing) to the client to close the call
• Summarized:
  – Invitation-based bootstrapping
  – Manipulating the OK message
  – Selection of dummy hosts
  – Traffic pattern and bandwidth
  – Packet loss

Security Analysis of CensorSpoofer:
• Geolocation Analysis
• User Agent && Operating Systems (OS) Fingerprinting
• Traffic Manipulation
• SIP Message Manipulation

Geolocation Analysis
  – A sophisticated censor could record all IP addresses that have been bound to a particular SIP ID over time; it is suspicious if 2 closely conducted SIP sessions are geographically far from each other
• To deal with this, instead of picking dummy hosts randomly, the spoofer can choose a set of dummy hosts close to each other (IP geolocation DB)

User Agent && Operating Systems (OS) Fingerprinting
• SIP messages have some random identifiers (e.g., “To tag”, “From tag”), creating a fingerprint
  – They also contain the codecs (data encoding/decoding device) supported by the user agent
• Censor may detect users communicating with the spoofer based on the user-agent fingerprint
• Spoofer can create many user-agent profiles based on user-agent fingerprint of spoofer

Traffic Manipulation
• Censor can manipulate traffic flows in order to find users accessing the circumvention system
• Censor can block all RTP/RTCP packets sent to the callee, and check if the callee still sends messages after a certain time period (VoIP phones drop the call automatically after 30 sec.)
• Price of mounting the attack is very high
  – Censor is unable to tell which flow carries censored data and must drop all VoIP flows randomly (normal VoIP conversations are interrupted)

SIP Message Manipulation
• Censor attempts to manipulate SIP messages
  – Can manipulate the IP of the callee in the OK message, and check if any RTP/RTCP packets are sent to the user
• Spoofer can compute a short keyed hash of the dummy host’s IP using the SRTP session key, and put the hash value into some random identifier (“To tag”) in the OK message
  – A user who knows the session key can use the embedded hash to verify the integrity of the dummy host’s IP
  – If the user detects that the OK message was manipulated, the user abandons the SIP session by not sending the ACK response

Dummy Host Selection
• To assess the ease of finding dummy hosts, used a port scanning algorithm using nmap
  – Randomly selected 10000 IPs (outside China) from the entire IP space, according to an IP geolocation database.
• Found that 1213 IPs (12.1%) meet the authors’ requirements, indicating a large number of usable dummy hosts
• Measured the stability of dummy hosts over a short period of time and over a longer period of time (see graphs)

Performance Evaluation
• Improved performance by fixing some limitations of the current implementation
  – Current prototype does not start sending any packet to the client until it receives the entire response
• Removing the limitations reduces download time
  – Primary performance bottleneck of CensorSpoofer is the RTP (Real-Time Transport Protocol) channel that carries the voice data
• Answer: use a higher-bandwidth downstream channel

Conclusion
• Suggests a new circumvention framework, CensorSpoofer, which exploits the asymmetric nature of web browsing
• Implemented a proof-of-concept prototype for CensorSpoofer, and the experimental results showed that CensorSpoofer has reasonable performance for real-world deployment
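
The OK-message integrity check from the SIP Message Manipulation slide, as an added example that is not from the slides or from the CensorSpoofer authors' code. Assumptions: HMAC-SHA256 truncated to 16 hex characters stands in for the "short keyed hash", the callee IP is read from the SDP `c=` line, and the key, addresses and SIP identities are constructed.

```python
import hashlib
import hmac
import re

TAG_HEX_LEN = 16  # assumption: the slides only say "short" keyed hash

def ip_tag(session_key: bytes, dummy_ip: str) -> str:
    """Keyed hash of the dummy host's IP; HMAC-SHA256 is an assumed choice."""
    mac = hmac.new(session_key, dummy_ip.encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:TAG_HEX_LEN]

def build_ok(session_key: bytes, dummy_ip: str) -> str:
    """Constructed, minimal 200 OK whose To tag carries the keyed hash."""
    lines = [
        "SIP/2.0 200 OK",
        "From: <sip:alice@example.org>;tag=9fxced76sl",
        f"To: <sip:bob@example.net>;tag={ip_tag(session_key, dummy_ip)}",
        "Call-ID: constructed-call-id@example.org",
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
        "",
        "v=0",
        f"o=- 0 0 IN IP4 {dummy_ip}",
        "s=-",
        f"c=IN IP4 {dummy_ip}",
        "t=0 0",
        "m=audio 40000 RTP/SAVP 0",
    ]
    return "\r\n".join(lines) + "\r\n"

def verify_ok(session_key: bytes, ok_message: str) -> bool:
    """Client check: True means send ACK, False means abandon (no ACK)."""
    tag = re.search(r"^To:.*;tag=([0-9a-f]+)\s*$", ok_message, re.M)
    addr = re.search(r"^c=IN IP4 (\S+)\s*$", ok_message, re.M)
    if not tag or not addr:
        return False  # malformed or stripped fields: treat as manipulated
    expected = ip_tag(session_key, addr.group(1))
    return hmac.compare_digest(tag.group(1), expected)

if __name__ == "__main__":
    key = bytes(range(16))  # constructed stand-in for the SRTP session key
    ok = build_ok(key, "198.51.100.7")
    tampered = ok.replace("c=IN IP4 198.51.100.7", "c=IN IP4 203.0.113.9")
    print("genuine OK accepted:", verify_ok(key, ok))
    print("rewritten callee IP accepted:", verify_ok(key, tampered))
```

Because the tag looks like any other random SIP identifier, an observer without the session key cannot tell a tagged OK from an ordinary one, while the client can tell whether the callee address was rewritten in transit.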