Jeremiah O’Connor CS 683 Fall 2012 CensorSpoofer: Asymmetric Communication using IP Spoofing for Censorship-Resistant Web Browsing.

Jeremiah O’ConnorCS 683 Fall 2012

CensorSpoofer: Asymmetric Communication using IP Spoofing for Censorship-Resistant Web Browsing

Main Problem!• Civil Liberties and Freedom of Information,

Big Brother• Oppressive regimes view information as a

huge threat to their corrupt ideals– Freedom of Information is “dangerous”

• Challenge: how to direct legitimate users to redirection proxies while preventing censors, who may pose as insiders, from discovering the proxy address and blocking them?

Main Culprit• Primary censor of article is China

– Blocks great amount of info (once blocked Gmail), Facebook, news sites, etc.

HELP ME!!!!

CensorSpoofer to the Rescue!!• Modern Framework for censorship- resistant web

browsing • Tackles challenge by taking advantage the

asymmetric nature of web browsing traffic and employing IP Spoofing– Separate the upstream (client to server)

and downstream (server to client) channels

-upstream: low bandwidth indirect channel messages (URLs), -downstream: high bandwidth direct

channel for downloading content

About CensorSpoofer• To get past proxy, users typically use a redirection

proxy allowing users ability to access blocked sites.• Key: use IP address spoofing (packets with forged IP

address) to send data from proxy to user without revealing origin of proxy

• To avoid being identified by censor, CensorSpoofer impersonates an encrypted VoIP (Voice over IP) session to channel downstream data

• Authors explore additional steps to be taken to avoid detection (choosing a reasonable fake IP source address)

• Experiments show prototype can be successfully used for browsing while resisting blocking efforts by censors

Related Work• To bypass Internet censorship, systems such

as Dynaweb/freegate, Ultrasurf, and Psiphon created

• Others ways: Infranet, Tor, Triangle Boy• Based on simple idea: let user connect to one

of the proxies deployed outside the censor’s network, which can retrieve blocked web pages for the users

• However…still vulnerable to “Insider Attack”– censor pretends to be an ordinary user to locate the

proxies and then block them

Threat Model• State-level adversary (censor) who monitors the

network under its jurisdiction• Censor capable of IP filtering, deep packet

inspection, and DNS hijacking, and able to monitor, block, alter, and inject traffic anywhere in network

• Censor allows citizens basic access:– IM, Email, and VoIP– blocking basics would lead to economic losses and

political pressure

• Censor unwilling to interfere with internet connections of user, unless there is evidence the connection used to bypass censorship

System Goals• CensorSpoofer goals:

– Unblockability: censor unable to block CensorSpoofer without sustaining unacceptable costs

– Perfect resistance to insider attacks: the censor should not be able to break unblockability or unobservability of CensorSpoofer even if almost all users are compromised

– Low Latency (time delay): be able to fetch and deliver web pages for users with low latency (does not support javascript)

– Deployability: be depoloyable by people with limited resources, without having support from network infrastructure

Overview CensorSpoofer Framework• Overview: In censored countries, users

cannot visit blocked websites and must connect to external proxies to access these websites

• Author’s Insights: For Web Browsing Upstream Traffic (ex. URLs), much lighter-weight than the downstream traffic

• Author’s design: Based on insights, author’s design a new circumvention framework for web browsing, uses asymmetric communication with separate upstream/downstream channels

CensorSpoofer Framework• User pretends to communicate with an external dummy host

legitimately, and sends URLs to spoofer via low bandwidth indirect channel. Spoofer fetches blocked webpages, and injects censored data into the downstream flow towards the user by spoofing the dummy host’s IP

Downstream (Server to Client) Channel

• To hide spoofer’s IP address, author’s apply IP spoofing in the downstream flow

• What kind of traffic (TCP or UDP) for IP Spoofing?

• Authors focus on UDP traffic for IP spoofing

Upstream (Client to Server) Channel• To send upstream messages, each

user uses a steganographic (hiding data) channel embedded in indirect communications such as IM and Email

• Important challenge to address, possibility that the censor will perform blocking based on the recipients IM identifier or Email address

Design of CensorSpoofer

• CensorSpoofer framework able to be instantiated using various protocol choices– Designed based on VoIP

Background of SIP-based VoIP• VolP Internet service that transmits Voice

over IP based networks• SIP is one of most popular used VoIP

signal protocols, lightweight• Insert picture here• SIP is an application layer protocol

– 3 main elements in SIP systems• User agents• Location Services• Servers

Sketch of Prototype Implementation

• Spoofer prototype has 4 components: a SIP message handler, a RTP/ RTCP transmitter, an upstream message receiver, and a prefetching proxy

• Client: implemented client-side HTTP proxy to handle HTTP requests made by user’s browser and HTTP responses received from the RTP channel

Censorship Circumvention• Outline of Circumvention:

– 1. Client initializes SIP (Session Initiation Protocol) session with Spoofer by sending out normal INVITE message

– 2. After receiving message, Spoofer randomly selects dummy host and replies with manipulated OK message that looks like its from dummy host

– 3. When OK message comes, clients starts to send enctypted RTP/RTCP packets to client by spoofing dummy hosts IP address

– 4. Meanwhile clients sends URLs through a steganographic IM/Email channel to the spoofer

– 5. Spoofer fetches web pages and puts them into RTP packet payloads and sends them to client

– 6. To terminate session, client sends termination signal to the spoofer over the upstream channel, spoofer then sends a BYE message (with IP spoofing) to client to close the call

• Summarized:– Invitation based BootStrapping– Manipulating the OK Message– Selection of Dummy Hosts– Traffic Pattern and Bandwidth– Packet Loss

Security Analysis of CensorSpoofer:

• Geolocation Analysis• User Agent && Operating Systems

(OS) Fingerprinting• Traffic Manipulation• SIP Message Manipulation

Geolocation Analysis– Sophisticated censor could record all

IP addresses that have been bound to particular SIP ID over time, suspicious if 2 closely conducted SIP sessions are geographically far from each other• To deal with this, instead of picking

dummy hosts randomly, spoofer can choose set of dummy hosts close to each other ( IP - Geolocation DB)

User Agent && Operating Systems (OS) Fingerprinting• SIP Messages have some random

identifiers (Ex. “To tag”, “From tag”) creating fingerprint– Also contain codecs (data

encoding/decoding device) supported by user agent

• Censor may detect users communicating with spoofer based on user-agent fingerprint

• Spoofer can create many user-agent profiles based on user-agent fingerprint of spoofer

Traffic Manipulation• Censor can manipulate traffic flows in order to

find users accessing circumvention system• Censor can block all RTP/RTCP packets sent to

callee, and check if callee still sends messages after certain time period (VoIP phones drop call after 30 sec. automatically)

• Price of mounting attack is very high– Censor unable to tell which flow carries

censored data, must drop all VoIP flows randomly (normal VoIP conversations interrupted

SIP Message Manipulation• Censor attempts to manipulate SIP messages

– Can manipulate IP of callee in OK message, and check if any RTP/RTCP packets sent to user

• Spoofer can compute short keyed hash of dummy host’s IP using SRTP session key, and put hash value into some random identifiers(“To tag”) in the OK message– User who knows session key can use embedded

hash to verify integrity of dummy host’s IP– If user detects OK message manipulated,

abandon SIP session by not sending ACK respons

Dummy Host Selection• To asses ease of finding dummy hosts, used port

scanning algorithm using nmap– Randomly selected 10000 IPs (outside China) from

entire IP space, according ton an IP geolocation database.

• Found 1213 IPs (12.1%) meet author’s requirements; indicating large number of usable dummy hosts

• Measured stability of dummy hosts over short period of time, and longer period of time(See graphs)

Performance Evaluation• Improved performance by fixing some

limitations of current implementation– Current prototype does not start sending any

packet to client until receives entire response• Removing limitations reduces download time

– Primary performance bottleneck of CensorSpoofer is RTP (Real-Time Transport Protocol) channel that carries the voice data• Answer: use higher-bandwidth downstream

channel

Conclusion• Suggest new circumvention

framework, CensorSpoofer, by exploiting asymmetric nature of web browsing

• Implemented a proof-of-concept prototype for CensorSpoofer, and the experimental results showed that CensorSpoofer has reasonable performance for real-world deployment