Page 1
Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship

Zhongjie Wang, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth V Krishnamurthy

University of California, Riverside

Page 2

Internet Censorship

• Key technology: Deep Packet Inspection (DPI)
  • Reconstruct TCP data flow
  • Examine application protocol fields

[Diagram: Alice sends `GET /badword HTTP/1.1\r\nHost: …` to a web server across several ASes; a (stateful) DPI box on the path parses IP/TCP/HTTP and keeps a TCB per connection: connection state, client SEQ num, payload data, …]

Page 3

Internet Censorship

• Similar to a Network Intrusion Detection System (NIDS), it is inherently vulnerable:
  • Network reason (small TTL, middleboxes)
  • End-host reason (different TCP impl., local firewall)

[Diagram: same setup as the previous slide; on detecting the keyword the stateful DPI box injects RST packets toward both Alice and the web server]

Page 4

Our Study

• The Great Firewall of China (GFW)
  • a sophisticated censorship system performing stateful DPI
  • has a long history of keyword-based content filtering on HTTP/DNS/IMAP/Tor/etc.
  • sends forged TCP RST packets to terminate the connection upon detection of a sensitive keyword
• Goal: Measure the effectiveness of TCP-layer censorship evasion techniques on the GFW in practical settings

Page 5

Prior Studies

• NIDS
  • Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Ptacek et al. 1998.
• GFW
  • Ignoring the Great Firewall of China. Clayton et al. 2006.
  • Towards Illuminating a Censorship Monitor's Model to Facilitate Evasion. Khattak et al. 2013.

Page 6

Our Contributions

• First extensive measurement of TCP-layer evasion techniques on the GFW
• Discovered new behaviors of the GFW
• Our new evasion strategies achieve a >95% success rate, tested effective with HTTP/DNS/VPN/Tor traffic
• INTANG, an open-source censorship evasion tool

Page 7

Agenda

• Overview
• Background
• Evaluation of Existing Evasion Strategies
• Evolved GFW Behaviors
• Evaluation of New Evasion Strategies
• Discussion and Conclusion

Page 8

Insertion/Evasion Packet

• Insertion Packets: accepted by the GFW but dropped by the server
• Evasion Packets: accepted by the server but dropped by the GFW
• Basic Idea: De-synchronization
  • TCP states (LISTEN, ESTABLISHED)
  • Program states (SEQ num, win size)

Page 9

Existing Evasion Strategies

[Figure: the two strategy families, TCB Creation (creating a false TCB; labelled "bad SEQ") and TCB Teardown]

Page 10

Agenda

• Overview
• Background
• Evaluation of Existing Evasion Strategies
• Evolved GFW Behaviors
• Evaluation of New Evasion Strategies
• Discussion and Conclusion

Page 11

Measurement Setup

[Map of vantage-point cities, including Beijing, Shanghai, Guangzhou and Shenzhen]

• Tencent Cloud
• Alibaba Cloud
• China Unicom
• HTTP censorship
  • 77 Alexa top global sites
  • 11 vantage points
  • 9 cities, 3 ISPs
  • 50 times per test
• Controlled experiments
  • Sensitive keyword: ultrasurf

Page 12

Evaluation of Existing Strategies

[Chart; legend: Failure 1 = no response from server, Failure 2 = RST from GFW]

Page 13

Why

Page 14

Failure Analysis

[Figure residue: labels "Read", "Inject", "Win", "Linux", "macOS"]

Interference on insertion packets:

                Client-side middlebox       Server-side middlebox       Server
  Accept        Failure 1 (no resp.         Failure 1 (no resp.         Failure 1 (no resp.
                from server)                from server)                from server)
  Drop          Failure 2 (RST from GFW)    No interference             No interference

Page 15

However, there is still a large portion of failure cases left unresolved

Page 16

Agenda

• Overview
• Background
• Evaluation of Existing Evasion Strategies
• Evolved GFW Behaviors
• Evaluation of New Evasion Strategies
• Discussion and Conclusion

Page 17

TCB Creation on SYN/ACK

• TCB Creation

[Diagram, "Prior": a SYN from 1.1.1.1:5555 to 2.2.2.2:6666 makes the GFW create a TCB {Client: 1.1.1.1:5555, Server: 2.2.2.2:6666, Client SEQ: 123, …}]

[Diagram, "New": a SYN/ACK (SEQ:123, ACK:456) seen between 1.1.1.1:5555 and 2.2.2.2:6666 makes the GFW create a TCB {Client: 2.2.2.2:6666, Server: 1.1.1.1:5555, Client SEQ: 456, …}, i.e. the SYN/ACK's sender is recorded as the server and its ACK num as the client SEQ]

Page 18

Re-synchronization

• GFW now becomes "smarter"
• GFW enters "re-sync" state upon seeing
  • Multiple SYN, or
  • Multiple SYN/ACK, or
  • SYN/ACK with incorrect ACK num

Page 19

Re-synchronization

• When in "re-sync" state, the GFW updates its client SEQ num using the next
  • SEQ num in a data packet from "client" to "server", or
  • ACK num in a SYN/ACK packet from "server" to "client"

[Diagram: a Data packet and a SYN/ACK packet, each re-synchronizing the GFW's client SEQ]
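As an added illustration, not code from the paper or from INTANG, the following toy Python model replays the inspector behaviour that slides 8, 9, 17, 18 and 19 describe: a legacy inspector that builds its TCB from the first SYN it sees, beside the evolved one that builds it from the SYN/ACK's ACK num and re-synchronizes after repeated SYNs, repeated SYN/ACKs or a SYN/ACK with a wrong ACK num. The single-flow model, the `client`/`server` labels and the packet trace are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# src is "client" or "server" (constructed labels); flags is "SYN", "SYN/ACK" or "DATA"
Packet = namedtuple("Packet", "src flags seq ack payload", defaults=(0, b""))

@dataclass
class Inspector:
    """One-flow TCB tracker. evolved=False: legacy model (TCB created on SYN, no re-sync).
    evolved=True: the behaviour reported on the slides (TCB on SYN/ACK, re-sync state)."""
    keyword: bytes
    evolved: bool = True
    tcb: dict = field(default_factory=dict)
    resync: bool = False
    syns: int = 0
    synacks: int = 0

    def inspect(self, p: Packet) -> str:
        if p.flags == "SYN":
            self.syns += 1
            if not self.evolved and not self.tcb:
                self.tcb = {"client_seq": p.seq + 1}   # legacy: trusts the (maybe forged) SYN
            if self.evolved and self.syns > 1:
                self.resync = True                     # multiple SYN -> enter re-sync state
        elif p.flags == "SYN/ACK":
            self.synacks += 1
            if self.evolved and not self.tcb:
                self.tcb = {"client_seq": p.ack}       # evolved: client SEQ taken from ACK num
            elif self.evolved:
                if self.resync:                        # re-sync: adopt this SYN/ACK's ACK num
                    self.tcb["client_seq"], self.resync = p.ack, False
                if self.synacks > 1 or p.ack != self.tcb["client_seq"]:
                    self.resync = True                 # multiple SYN/ACK or incorrect ACK num
        elif self.tcb and p.src == "client":           # DATA from the recorded client side
            if self.resync:                            # re-sync: adopt SEQ of next client data
                self.tcb["client_seq"], self.resync = p.seq, False
            if p.seq != self.tcb["client_seq"]:
                return "ignored"                       # out-of-sync data is never reassembled
            self.tcb["client_seq"] += len(p.payload)
            return "RST" if self.keyword in p.payload else "ok"
        return "state" if p.flags != "DATA" else "ignored"

def run(evolved: bool) -> str:
    """Constructed trace: a forged SYN, the real handshake, then the sensitive request."""
    insp = Inspector(keyword=b"ultrasurf", evolved=evolved)
    trace = [Packet("client", "SYN", seq=9000),        # forged ISN (insertion packet)
             Packet("client", "SYN", seq=100),         # real SYN
             Packet("server", "SYN/ACK", seq=500, ack=101),
             Packet("client", "DATA", seq=101, payload=b"GET /ultrasurf HTTP/1.1\r\n")]
    return [insp.inspect(p) for p in trace][-1]        # legacy: "ignored"; evolved: "RST"
```

The legacy inspector is desynchronized by the forged SYN and lets the request through unexamined, while the evolved inspector, keyed to the SYN/ACK and re-synced by the second SYN, still matches the keyword.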

Page 20

Combined strategy: TCB Creation + Resync/Desync

Page 21

Combined strategy: TCB Teardown + TCB Reversal

Page 22

New Insertion Packets: Expanding the Arsenal

Page 23

How to Find More Insertion Packets?

• "Ignore" path analysis in the TCP receiving logic, plus differential testing against the GFW
• "Ignore" path: a program execution path that doesn't change any TCP-related state, i.e. the packet is ignored (e.g. wrong checksum)
• Test whether the GFW also ignores the packet; if it does not, the packet could be an insertion packet

Page 24

Analyzing Linux TCP Implementation

• Analysis of Linux kernel version 4.4 found the following candidate insertion packets
• New effective insertion packet: MD5 optional header
• Future work: automated discovery of insertion packets

Page 25

Agenda

• Overview
• Background
• Evaluation of Existing Evasion Strategies
• Evolved GFW Behaviors
• Evaluation of New Evasion Strategies
• Discussion and Conclusion

Page 26

INTANG - Extensible Measurement Tool

[Figure: INTANG and its components; label: UDP DNS <-> TCP DNS]

Page 27

INTANG - Extensible Measurement Tool

[Figure: INTANG and its components]

Callbacks for each strategy:
• setup()
• teardown()
• process_syn()
• process_synack()
• process_request()

Page 28

Evaluation

• Evaluation in both directions (inbound & outbound China)
• High success rate of >95% for outbound; low inbound success rate due to the short distance between the server and the GFW
• INTANG performance: automatically chooses the best strategy based on historical results, success rate 98%

[Charts: results for the outbound and inbound directions]

Page 29

Case Study - DNS/Tor/VPN

• Public DNS resolvers outside China
  • Google DNS: IP-blocked
  • OpenDNS: not censored
  • Dyn DNS: censored, 98%+ success rate with INTANG
• Private Tor relay: 100% success rate with INTANG
• Private OpenVPN server: occasionally censored, can be bypassed with INTANG when censored

Page 30

Agenda

• Overview
• Background
• Evaluation of Existing Evasion Strategies
• Evolved GFW Behaviors
• Evaluation of New Evasion Strategies
• Discussion and Conclusion

Page 31

Discussion & Limitation

• GFW Countermeasures
  • Hard to be fully immune to insertion packets
  • May use the server's ACK as feedback, but still vulnerable to data reassembly strategies
• Limitation
  • Unable to fully understand some of the failure cases due to the black-box nature of the GFW
  • Complexity and inconsistency of the GFW's behaviors

Page 32

Conclusion

• We conduct an extensive measurement of the effectiveness of existing TCP-layer evasion techniques against the GFW, and find that most of them no longer work
• Middleboxes (including NATs and firewalls) significantly interfere with insertion packets
• We discover new behaviors of the GFW and propose new evasion strategies that can bypass these behaviors
• We evaluate our new strategies and demonstrate a high success rate of 95%+

Page 33

Q&A

• Zhongjie Wang <[email protected]>
• Github: https://github.com/seclab-ucr/INTANG
