Jeremiah O’Connor, CS 683, Fall 2012
CensorSpoofer: Asymmetric Communication using IP Spoofing for Censorship-Resistant Web Browsing
Dec 24, 2015
Main Problem!
• Civil Liberties and Freedom of Information, Big Brother
• Oppressive regimes view information as a huge threat to their corrupt ideals
– Freedom of Information is “dangerous”
• Challenge: how to direct legitimate users to redirection proxies while preventing censors, who may pose as insiders, from discovering the proxy address and blocking them?
Main Culprit
• The primary censor discussed in the article is China
– Blocks a great amount of info (once blocked Gmail), Facebook, news sites, etc.
HELP ME!!!!
CensorSpoofer to the Rescue!!
• Modern framework for censorship-resistant web browsing
• Tackles the challenge by taking advantage of the asymmetric nature of web browsing traffic and employing IP spoofing
– Separates the upstream (client to server) and downstream (server to client) channels
– Upstream: low-bandwidth indirect channel for messages (URLs)
– Downstream: high-bandwidth direct channel for downloading content
About CensorSpoofer
• To get past the censor, users typically use a redirection proxy, which gives them the ability to access blocked sites.
• Key: use IP address spoofing (packets with a forged IP address) to send data from the proxy to the user without revealing the origin of the proxy
• To avoid being identified by censor, CensorSpoofer impersonates an encrypted VoIP (Voice over IP) session to channel downstream data
• Authors explore additional steps to be taken to avoid detection (choosing a reasonable fake IP source address)
• Experiments show prototype can be successfully used for browsing while resisting blocking efforts by censors
Related Work
• To bypass Internet censorship, systems such as Dynaweb/freegate, Ultrasurf, and Psiphon were created
• Other ways: Infranet, Tor, Triangle Boy
• Based on a simple idea: let the user connect to one of the proxies deployed outside the censor’s network, which can retrieve blocked web pages for the users
• However… still vulnerable to the “Insider Attack”
– The censor pretends to be an ordinary user to locate the proxies and then block them
Threat Model
• State-level adversary (censor) who monitors the network under its jurisdiction
• Censor capable of IP filtering, deep packet inspection, and DNS hijacking, and able to monitor, block, alter, and inject traffic anywhere in the network
• Censor allows citizens basic access:
– IM, Email, and VoIP
– Blocking these basics would lead to economic losses and political pressure
• Censor is unwilling to interfere with a user’s Internet connections unless there is evidence that the connection is used to bypass censorship
System Goals
• CensorSpoofer goals:
– Unblockability: censor unable to block CensorSpoofer without sustaining unacceptable costs
– Perfect resistance to insider attacks: the censor should not be able to break unblockability or unobservability of CensorSpoofer even if almost all users are compromised
– Low Latency (time delay): be able to fetch and deliver web pages for users with low latency (does not support javascript)
– Deployability: be deployable by people with limited resources, without having support from network infrastructure
Overview CensorSpoofer Framework
• Overview: In censored countries, users cannot visit blocked websites and must connect to external proxies to access these websites
• Authors’ insight: for web browsing, upstream traffic (e.g., URLs) is much lighter-weight than the downstream traffic
• Authors’ design: based on this insight, the authors design a new circumvention framework for web browsing that uses asymmetric communication with separate upstream/downstream channels
CensorSpoofer Framework
• User pretends to communicate with an external dummy host legitimately, and sends URLs to the spoofer via a low-bandwidth indirect channel. The spoofer fetches blocked web pages and injects censored data into the downstream flow towards the user by spoofing the dummy host’s IP
Downstream (Server to Client) Channel
• To hide the spoofer’s IP address, the authors apply IP spoofing in the downstream flow
• What kind of traffic (TCP or UDP) for IP Spoofing?
• Authors focus on UDP traffic for IP spoofing
Upstream (Client to Server) Channel
• To send upstream messages, each user uses a steganographic (data-hiding) channel embedded in indirect communications such as IM and Email
• An important challenge to address is the possibility that the censor will perform blocking based on the recipient’s IM identifier or Email address
Design of CensorSpoofer
• CensorSpoofer framework can be instantiated using various protocol choices
– Designed based on VoIP
Background of SIP-based VoIP
• VoIP is an Internet service that transmits voice over IP-based networks
• SIP is one of the most popular VoIP signaling protocols; lightweight
• SIP is an application layer protocol
– 3 main elements in SIP systems: user agents, location services, servers
Sketch of Prototype Implementation
• Spoofer prototype has 4 components: a SIP message handler, an RTP/RTCP transmitter, an upstream message receiver, and a prefetching proxy
• Client: implemented client-side HTTP proxy to handle HTTP requests made by user’s browser and HTTP responses received from the RTP channel
Censorship Circumvention
• Outline of Circumvention:
– 1. Client initializes a SIP (Session Initiation Protocol) session with the spoofer by sending out a normal INVITE message
– 2. After receiving the message, the spoofer randomly selects a dummy host and replies with a manipulated OK message that looks like it is from the dummy host
– 3. When the OK message comes, the spoofer starts to send encrypted RTP/RTCP packets to the client by spoofing the dummy host’s IP address
– 4. Meanwhile, the client sends URLs through a steganographic IM/Email channel to the spoofer
– 5. Spoofer fetches web pages, puts them into RTP packet payloads, and sends them to the client
– 6. To terminate the session, the client sends a termination signal to the spoofer over the upstream channel; the spoofer then sends a BYE message (with IP spoofing) to the client to close the call
• Summarized:
– Invitation-based bootstrapping
– Manipulating the OK message
– Selection of dummy hosts
– Traffic pattern and bandwidth
– Packet loss
Security Analysis of CensorSpoofer:
• Geolocation Analysis
• User Agent && Operating Systems (OS) Fingerprinting
• Traffic Manipulation
• SIP Message Manipulation
Geolocation Analysis
• A sophisticated censor could record all IP addresses that have been bound to a particular SIP ID over time; it is suspicious if 2 closely conducted SIP sessions are geographically far from each other
• To deal with this, instead of picking dummy hosts randomly, the spoofer can choose a set of dummy hosts close to each other (IP-geolocation DB)
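The geolocation check and its countermeasure, as an added example that is not from the slides or the CensorSpoofer prototype. The IP-to-location table, the 1000 km distance threshold, the one-hour window and all function names are assumptions; the slides give no numeric thresholds.

```python
from math import asin, cos, radians, sin, sqrt

# Constructed stand-in for an IP-geolocation database: IP -> (lat, lon).
GEO_DB = {
    "198.51.100.10": (50.11, 8.68),    # Frankfurt
    "198.51.100.77": (52.37, 4.90),    # Amsterdam
    "192.0.2.44":    (48.86, 2.35),    # Paris
    "203.0.113.5":   (35.68, 139.69),  # Tokyo
}
MAX_KM = 1000.0   # assumed meaning of "geographically far"
WINDOW_S = 3600   # assumed meaning of "closely conducted" sessions

def km_between(ip_a, ip_b):
    """Great-circle (haversine) distance between two geolocated IPs."""
    (lat1, lon1), (lat2, lon2) = GEO_DB[ip_a], GEO_DB[ip_b]
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = p2 - p1, radians(lon2 - lon1)
    h = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def suspicious_pairs(sessions):
    """Censor side. sessions: time-ordered (unix_time, callee_ip) for one SIP ID.
    Flags consecutive sessions that are close in time but far apart in space."""
    flagged = []
    for (t1, ip1), (t2, ip2) in zip(sessions, sessions[1:]):
        if t2 - t1 <= WINDOW_S and km_between(ip1, ip2) > MAX_KM:
            flagged.append((ip1, ip2))
    return flagged

def nearby_dummy_hosts(previous_ip, candidates):
    """Spoofer side: restrict the dummy-host pool to hosts near the last one,
    so the next session for this SIP ID does not trip the check above."""
    return [ip for ip in candidates if km_between(previous_ip, ip) <= MAX_KM]
```

The spoofer would then pick at random from the list `nearby_dummy_hosts` returns rather than from the whole pool.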
User Agent && Operating Systems (OS) Fingerprinting
• SIP messages have some random identifiers (e.g., “To tag”, “From tag”), creating a fingerprint
– Also contain the codecs (data encoding/decoding device) supported by the user agent
• Censor may detect users communicating with spoofer based on user-agent fingerprint
• Spoofer can create many user-agent profiles based on user-agent fingerprint of spoofer
Traffic Manipulation
• Censor can manipulate traffic flows in order to find users accessing the circumvention system
• Censor can block all RTP/RTCP packets sent to the callee, and check if the callee still sends messages after a certain time period (VoIP phones drop the call after 30 sec. automatically)
• Price of mounting the attack is very high
– Censor is unable to tell which flow carries censored data, so it must drop all VoIP flows randomly (normal VoIP conversations are interrupted)
SIP Message Manipulation
• Censor attempts to manipulate SIP messages
– Can manipulate the IP of the callee in the OK message, and check if any RTP/RTCP packets are sent to the user
• Spoofer can compute a short keyed hash of the dummy host’s IP using the SRTP session key, and put the hash value into some random identifiers (“To tag”) in the OK message
– A user who knows the session key can use the embedded hash to verify the integrity of the dummy host’s IP
– If the user detects that the OK message was manipulated, abandon the SIP session by not sending the ACK response
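The keyed-hash check on the OK message, as an added example that is not code from the slides or the CensorSpoofer prototype. HMAC-SHA256 truncated to 16 hex characters, using the session key directly as the MAC key, and the SIP/SDP message itself are assumptions; the slides say only "short keyed hash" placed in the "To tag".

```python
import hashlib
import hmac
import ipaddress
import re

TAG_HEX = 16  # assumption: "short" means a 64-bit truncated tag

def ip_tag(session_key: bytes, dummy_ip: str) -> str:
    """Keyed hash of the dummy host's IP, short enough to pass as a SIP tag."""
    packed = ipaddress.ip_address(dummy_ip).packed
    return hmac.new(session_key, packed, hashlib.sha256).hexdigest()[:TAG_HEX]

def build_ok(session_key: bytes, dummy_ip: str, rtp_port: int) -> str:
    """Spoofer side: constructed, minimal 200 OK whose To tag binds the SDP address."""
    lines = [
        "SIP/2.0 200 OK",
        "From: <sip:client@example.org>;tag=1928301774",
        f"To: <sip:callee@example.net>;tag={ip_tag(session_key, dummy_ip)}",
        "Call-ID: constructed-call-id@example.org",
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
        "",
        "v=0",
        f"o=- 0 0 IN IP4 {dummy_ip}",
        "s=-",
        f"c=IN IP4 {dummy_ip}",
        "t=0 0",
        f"m=audio {rtp_port} RTP/SAVP 0",
    ]
    return "\r\n".join(lines) + "\r\n"

def should_ack(session_key: bytes, ok_message: str) -> bool:
    """Client side: True only if the To tag matches the callee IP in the SDP c= line."""
    tag = re.search(r"^To:.*;tag=([0-9a-f]+)\s*$", ok_message, re.M)
    conn = re.search(r"^c=IN IP4 (\S+)\s*$", ok_message, re.M)
    if not tag or not conn:
        return False  # missing tag or address: treat as manipulated
    try:
        expected = ip_tag(session_key, conn.group(1))
    except ValueError:
        return False  # c= line does not hold a valid IP address
    return hmac.compare_digest(tag.group(1), expected)
```

A client that gets `False` from `should_ack` withholds the ACK, which is the abandon step the slide describes.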
Dummy Host Selection
• To assess the ease of finding dummy hosts, used a port scanning algorithm using nmap
– Randomly selected 10000 IPs (outside China) from the entire IP space, according to an IP geolocation database.
• Found 1213 IPs (12.1%) meet the authors’ requirements, indicating a large number of usable dummy hosts
• Measured stability of dummy hosts over short period of time, and longer period of time(See graphs)
Performance Evaluation
• Improved performance by fixing some limitations of the current implementation
– Current prototype does not start sending any packet to the client until it receives the entire response
• Removing limitations reduces download time
– Primary performance bottleneck of CensorSpoofer is the RTP (Real-Time Transport Protocol) channel that carries the voice data
• Answer: use a higher-bandwidth downstream channel
Conclusion
• Suggest a new circumvention framework, CensorSpoofer, by exploiting the asymmetric nature of web browsing
• Implemented a proof-of-concept prototype for CensorSpoofer, and the experimental results showed that CensorSpoofer has reasonable performance for real-world deployment