slides

advertisement
CensorSpoofer: Asymmetric Communication
using IP Spoofing for Censorship-Resistant
Web Browsing
Jeremiah O’Connor
CS 683 Fall 2012
Main Problem!
• Civil Liberties and Freedom of
Information, Big Brother
• Oppressive regimes view information
as a huge threat to their corrupt ideals
– Freedom of Information is “dangerous”
• Challenge: how to direct legitimate
users to redirection proxies while
preventing censors, who may pose as
insiders, from discovering the proxy
address and blocking them?
Main Culprit
• Primary censor of article is China
– Blocks great amount of info (once blocked
Gmail), Facebook, news sites, etc.
HELP ME!!!!
CensorSpoofer to the Rescue!!
• Modern Framework for censorshipresistant web browsing
• Tackles challenge by taking advantage
the asymmetric nature of web browsing
traffic and employing IP Spoofing
– Separate the upstream (client to server)
and downstream (server to client)
channels
-upstream: low bandwidth indirect channel
messages (URLs),
-downstream: high bandwidth direct
channel for downloading content
About CensorSpoofer
• To get past proxy, users typically use a redirection proxy
allowing users ability to access blocked sites.
• Key: use IP address spoofing (packets with forged IP
address) to send data from proxy to user without revealing
origin of proxy
• To avoid being identified by censor, CensorSpoofer
impersonates an encrypted VoIP (Voice over IP) session to
channel downstream data
• Authors explore additional steps to be taken to avoid
detection (choosing a reasonable fake IP source address)
• Experiments show prototype can be successfully used for
browsing while resisting blocking efforts by censors
Related Work
• To bypass Internet censorship, systems such as
Dynaweb/freegate, Ultrasurf, and Psiphon
created
• Others ways: Infranet, Tor, Triangle Boy
• Based on simple idea: let user connect to one of
the proxies deployed outside the censor’s
network, which can retrieve blocked web pages
for the users
• However…still vulnerable to “Insider Attack”
– censor pretends to be an ordinary user to locate the
proxies and then block them
Threat Model
• State-level adversary (censor) who monitors the
network under its jurisdiction
• Censor capable of IP filtering, deep packet
inspection, and DNS hijacking, and able to
monitor, block, alter, and inject traffic anywhere
in network
• Censor allows citizens basic access:
–
–
IM, Email, and VoIP
blocking basics would lead to economic losses and
political pressure
• Censor unwilling to interfere with internet
connections of user, unless there is evidence
the connection used to bypass censorship
System Goals
• CensorSpoofer goals:
– Unblockability: censor unable to block CensorSpoofer
without sustaining unacceptable costs
– Perfect resistance to insider attacks: the censor should
not be able to break unblockability or unobservability of
CensorSpoofer even if almost all users are
compromised
– Low Latency (time delay): be able to fetch and deliver
web pages for users with low latency (does not support
javascript)
– Deployability: be depoloyable by people with limited
resources, without having support from network
infrastructure
Overview CensorSpoofer
Framework
• Overview: In censored countries, users cannot
visit blocked websites and must connect to
external proxies to access these websites
• Author’s Insights: For Web Browsing Upstream
Traffic (ex. URLs), much lighter-weight than the
downstream traffic
• Author’s design: Based on insights, author’s
design a new circumvention framework for web
browsing, uses asymmetric communication with
separate upstream/downstream channels
CensorSpoofer Framework
• User pretends to communicate with an external dummy host legitimately,
and sends URLs to spoofer via low bandwidth indirect channel. Spoofer
fetches blocked webpages, and injects censored data into the downstream
flow towards the user by spoofing the dummy host’s IP
Downstream (Server to Client)
Channel
• To hide spoofer’s IP address, author’s
apply IP spoofing in the downstream
flow
• What kind of traffic (TCP or UDP) for IP
Spoofing?
• Authors focus on UDP traffic for IP
spoofing
Upstream (Client to Server)
Channel
• To send upstream messages, each
user uses a steganographic (hiding
data) channel embedded in indirect
communications such as IM and Email
• Important challenge to address,
possibility that the censor will perform
blocking based on the recipients IM
identifier or Email address
Design of CensorSpoofer
• CensorSpoofer framework able to be
instantiated using various protocol
choices
– Designed based on VoIP
Background of SIP-based
VoIP
• VolP Internet service that transmits
Voice over IP based networks
• SIP is one of most popular used VoIP
signal protocols, lightweight
• Insert picture here
• SIP is an application layer protocol
– 3 main elements in SIP systems
• User agents
• Location Services
• Servers
Sketch of Prototype
Implementation
• Spoofer prototype has 4 components: a
SIP message handler, a RTP/ RTCP
transmitter, an upstream message
receiver, and a prefetching proxy
• Client: implemented client-side HTTP
proxy to handle HTTP requests made
by user’s browser and HTTP
responses received from the RTP
channel
Censorship Circumvention
•
•
Outline of Circumvention:
– 1. Client initializes SIP (Session Initiation Protocol) session with
Spoofer by sending out normal INVITE message
– 2. After receiving message, Spoofer randomly selects dummy
host and replies with manipulated OK message that looks like its
from dummy host
– 3. When OK message comes, clients starts to send enctypted
RTP/RTCP packets to client by spoofing dummy hosts IP address
– 4. Meanwhile clients sends URLs through a steganographic
IM/Email channel to the spoofer
– 5. Spoofer fetches web pages and puts them into RTP packet
payloads and sends them to client
– 6. To terminate session, client sends termination signal to the
spoofer over the upstream channel, spoofer then sends a BYE
message (with IP spoofing) to client to close the call
Summarized:
–
–
–
–
–
Invitation based BootStrapping
Manipulating the OK Message
Selection of Dummy Hosts
Traffic Pattern and Bandwidth
Packet Loss
Security Analysis of CensorSpoofer:
• Geolocation Analysis
• User Agent && Operating Systems
(OS) Fingerprinting
• Traffic Manipulation
• SIP Message Manipulation
Geolocation Analysis
– Sophisticated censor could record all IP
addresses that have been bound to
particular SIP ID over time, suspicious if 2
closely conducted SIP sessions are
geographically far from each other
• To deal with this, instead of picking dummy
hosts randomly, spoofer can choose set of
dummy hosts close to each other ( IP Geolocation DB)
User Agent && Operating
Systems (OS) Fingerprinting
• SIP Messages have some random identifiers (Ex.
“To tag”, “From tag”) creating fingerprint
– Also contain codecs (data encoding/decoding
device) supported by user agent
• Censor may detect users communicating with
spoofer based on user-agent fingerprint
• Spoofer can create many user-agent profiles
based on user-agent fingerprint of spoofer
Traffic Manipulation
• Censor can manipulate traffic flows in order to
find users accessing circumvention system
• Censor can block all RTP/RTCP packets sent to
callee, and check if callee still sends messages
after certain time period (VoIP phones drop call
after 30 sec. automatically)
• Price of mounting attack is very high
– Censor unable to tell which flow carries
censored data, must drop all VoIP flows
randomly (normal VoIP conversations
interrupted
SIP Message Manipulation
• Censor attempts to manipulate SIP messages
– Can manipulate IP of callee in OK message, and
check if any RTP/RTCP packets sent to user
• Spoofer can compute short keyed hash of dummy
host’s IP using SRTP session key, and put hash
value into some random identifiers(“To tag”) in the
OK message
– User who knows session key can use embedded
hash to verify integrity of dummy host’s IP
– If user detects OK message manipulated,
abandon SIP session by not sending ACK
respons
Dummy Host Selection
• To asses ease of finding dummy hosts, used port scanning
algorithm using nmap
– Randomly selected 10000 IPs (outside China) from entire
IP space, according ton an IP geolocation database.
• Found 1213 IPs (12.1%) meet author’s requirements;
indicating large number of usable dummy hosts
• Measured stability of
dummy hosts over short
period of time, and longer
period of time
(See graphs)
Performance Evaluation
• Improved performance by fixing some
limitations of current implementation
– Current prototype does not start sending
any packet to client until receives entire
response
• Removing limitations reduces download time
– Primary performance bottleneck of
CensorSpoofer is RTP (Real-Time
Transport Protocol) channel that carries
the voice data
• Answer: use higher-bandwidth downstream
channel
Conclusion
• Suggest new circumvention framework,
CensorSpoofer, by exploiting
asymmetric nature of web browsing
• Implemented a proof-of-concept
prototype for CensorSpoofer, and the
experimental results showed that
CensorSpoofer has reasonable
performance for real-world deployment
Download