Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship

Zhongjie Wang, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth V Krishnamurthy

University of California, Riverside

1

• Key technology: Deep Packet Inspection (DPI)

• Reconstruct TCP data flow

• Examine application protocol fields

Internet Censorship

GET /badword HTTP/1.1\r\nHost: …

Alice Web Server

AS ASAS

IP

TCP

HTTP

(Stateful)

Connection State Client SEQ num Payload Data …

TCB

2

• Similar to Network Intrusion Detection System (NIDS), it is inherently vulnerable:• Network reason (small TTL, middleboxes)• End-host reason (different TCP impl., local firewall)

Internet Censorship

GET /badword HTTP/1.1\r\nHost: …

Alice Web Server

AS ASAS

IP

TCP

HTTP

(Stateful)

Connection State Client SEQ num Payload Data …

TCB

RSTRST

3

Our Study• The Great Firewall of China (GFW)

• a sophisticated censorship system performing stateful DPI

• has a long history of keyword-based content filtering on HTTP/DNS/IMAP/Tor/etc

• sends forged TCP RST packets to terminates the connection upon detection of sensitive keyword

• Goal: Measure the effectiveness of TCP-layer censorship evasion techniques on the GFW in practical situation

4

• NIDS

• Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Ptacek et al. 1998.

• GFW

• Ignoring the Great Firewall of China. Clayton et al. 2006.

• Towards Illuminating a Censorship Monitor’s Model to Facilitate Evasion. Khattak et al. 2013.

Prior Studies

5

Our Contributions

• First extensive measurement of the TCP-layer evasion technique on the GFW

• Discovered new behaviors of the GFW

• Our new evasion strategies achieve >95% success rate, tested effective with HTTP/DNS/VPN/Tor traffic

• INTANG, a open-source censorship evasion tool

6

Agenda• Overview

• Background

• Evaluation of Existing Evasion Strategies

• Evolved GFW Behaviors

• Evaluation of New Evasion Strategies

• Discussion and Conclusion

7

Insertion/Evasion Packet• Insertion Packets: accepted by the GFW but dropped

by the server

• Evasion Packets: accepted by the server but dropped by the GFW

• Basic Idea: De-synchronization

• TCP states (LISTEN, ESTABLISHED)

• Program states (SEQ num, win size)

8

Existing Evasion Strategies

TCB Creation TCB Teardown

(bad SEQ)

Creating false TCB

Creating false TCB

9

Agenda• Overview

• Background

• Evaluation of Existing Evasion Strategies

• Evolved GFW Behaviors

• Evaluation of New Evasion Strategies

• Discussion and Conclusion

10

Beijing

Shanghai

Guangzhou

Shenzhen

Measurement Setup• Tencent Cloud• Alibaba Cloud

• China Unicom

• HTTP censorship

• 77 Alexa top global sites

• 11 vantage points

• 9 cities, 3 ISPs

• 50 times per test

• Controlled experiments

• Sensitive keyword: ultrasurf

11

• Failure 1 - no resp. from server; Failure 2 - RST from GFW

Evaluation of Existing Strategies

12

Why

13

Failure Analysis

Read InjectWin

Linux macOS

Interference on Insertion PacketsClient-side Middlebox

Server-side Middlebox Server

Accept Failure 1 (No resp. from svr)

Failure 1(No resp. from svr)

Failure 1 (No resp. from svr)

Drop Failure 2 (RST from GFW) No Interference No Interference

14

However, there are still a large portion of failure cases left

unresolved

15

Agenda• Overview

• Background

• Evaluation of Existing Evasion Strategies

• Evolved GFW Behaviors

• Evaluation of New Evasion Strategies

• Discussion and Conclusion

16

TCB Creation on SYN/ACK• TCB Creation

SYN

1.1.1.1:5555 2.2.2.2:6666

Client: 1.1.1.1:5555 Server: 2.2.2.2:6666 Client SEQ: 123 …

TCB

Prior

SEQ:123, ACK:456SYN/ACK

Client: 2.2.2.2:6666 Server: 1.1.1.1:5555 Client SEQ: 456 …

TCB

1.1.1.1:5555 2.2.2.2:6666

New

SEQ:123, ACK:456

17

Re-synchronization• GFW now becomes “smarter”

• GFW enters “re-sync” state upon seeing

• Multiple SYN or

• Multiple SYN/ACK or

• SYN/ACK with incorrect ACK num

18

Re-synchronization• When in “re-sync” state, the GFW updates its client SEQ

num using the next

• SEQ num in data packet from “client” to “server”

• ACK num in SYN/ACK packet from “server” to “client”

Data

SYN/ACK

19

Combined strategy: TCB Creation + Resync/Desync

20

Combined strategy: TCB Teardown + TCB Reversal

21

New Insertion Packets Expanding the arsenal

22

How to Find More Insertion Packets?

• “Ignore” path analysis in TCP receiving logic and differential testing with the GFW

• “Ignore” path: an program execution path doesn’t change any TCP related states, i.e. packet ignored. e.g. wrong checksum

• Testing if the GFW also ignores the packet, otherwise, it could be an insertion packet

23

Analyzing Linux TCP Implementation

• Analysis on Linux kernel version 4.4, found the following candidate insertion packets

• New effective insertion packet: MD5 optional header

• Future work: automated discovery of insertion packets

24

Agenda• Overview

• Background

• Evaluation of Existing Evasion Strategies

• Evolved GFW Behaviors

• Evaluation of New Evasion Strategies

• Discussion and Conclusion

25

INTANG - Extensible Measurement Tool

INTANG and its components

UDP DNS <-> TCP DNS

26

INTANG - Extensible Measurement Tool

INTANG and its components

Callbacks for each strategy:• setup()• teardown()• process_syn()• process_synack()• process_request()

27

Evaluation• Evaluation in both directions (inbound & outbound China)

• High success rate of >95% for outbound; low inbound success rate due to close distance between server and GFW

• INTANG performance: automatically choose the best strategy based on historical results, success rate 98%

(Outbound)

(Inbound)

28

Case Study - DNS/Tor/VPN• Public DNS resolvers outside China

• Google DNS: IP-blocked

• OpenDNS: not censored

• Dyn DNS: censored, 98%+ success rate with INTANG

• Private Tor relay: 100% success rate with INTANG

• Private OpenVPN server: occasionally censored, can be bypassed with INTANG when censored

29

Agenda• Overview

• Background

• Evaluation of Existing Evasion Strategies

• Evolved GFW Behaviors

• Evaluation of New Evasion Strategies

• Discussion and Conclusion

30

Discussion & Limitation• GFW Countermeasures

• Hard to be fully immune to insertion packet

• May use server’s ACK as a feedback, but still vulnerable to data reassembly strategies

• Limitation

• Unable to fully understand some of the failure cases due to blackbox nature of the GFW

• Complexity and inconsistency of the GFW behaviors

31

Conclusion• We conduct an extensive measurement on the effectiveness

of existing TCP-layer evasion techniques against the GFW, and find most of them are no longer working

• Middleboxes (including NATs and firewalls) have significant interference on the insertion packets

• We discover new behaviors of the GFW and propose new evasion strategies that can bypass these behaviors

• We evaluate our new strategies and demonstrate a high success rate of 95%+

32

Q&A• Zhongjie Wang <zwang048@ucr.edu>

• Github: https://github.com/seclab-ucr/INTANG

33