Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship
Zhongjie Wang, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth V Krishnamurthy
University of California, Riverside
Internet Censorship
• Key technology: Deep Packet Inspection (DPI)
• Reconstruct TCP data flow
• Examine application protocol fields
[Figure: Alice's request "GET /badword HTTP/1.1\r\nHost: …" crosses several ASes to reach the web server; a stateful DPI device on the path parses IP, TCP and HTTP and keeps a TCB (connection state, client SEQ num, payload data, …).]
Internet Censorship
• Similar to a Network Intrusion Detection System (NIDS), it is inherently vulnerable:
• Network reason (small TTL, middleboxes)
• End-host reason (different TCP implementations, local firewall)
[Figure: Alice's request "GET /badword HTTP/1.1\r\nHost: …" crosses several ASes to reach the web server; the stateful DPI device keeps a TCB (connection state, client SEQ num, payload data, …); two RST labels are shown.]
Our Study
• The Great Firewall of China (GFW)
• a sophisticated censorship system performing stateful DPI
• has a long history of keyword-based content filtering on HTTP/DNS/IMAP/Tor/etc.
• sends forged TCP RST packets to terminate the connection upon detection of a sensitive keyword
• Goal: Measure the effectiveness of TCP-layer censorship evasion techniques on the GFW in practical situations
Prior Studies
• NIDS
• Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Ptacek et al. 1998.
• GFW
• Ignoring the Great Firewall of China. Clayton et al. 2006.
• Towards Illuminating a Censorship Monitor’s Model to Facilitate Evasion. Khattak et al. 2013.
Our Contributions
• First extensive measurement of the TCP-layer evasion technique on the GFW
• Discovered new behaviors of the GFW
• Our new evasion strategies achieve >95% success rate, tested effective with HTTP/DNS/VPN/Tor traffic
• INTANG, an open-source censorship evasion tool
Agenda
• Overview
• Background
• Evaluation of Existing Evasion Strategies
• Evolved GFW Behaviors
• Evaluation of New Evasion Strategies
• Discussion and Conclusion
Insertion/Evasion Packet
• Insertion Packets: accepted by the GFW but dropped by the server
• Evasion Packets: accepted by the server but dropped by the GFW
• Basic Idea: De-synchronization
• TCP states (LISTEN, ESTABLISHED)
• Program states (SEQ num, win size)
Existing Evasion Strategies
[Figure: panels labelled "TCB Creation" and "TCB Teardown"; annotations: "(bad SEQ)", "Creating false TCB".]
Measurement Setup
[Figure: map with the cities Beijing, Shanghai, Guangzhou and Shenzhen labelled.]
• Tencent Cloud
• Alibaba Cloud
• China Unicom
• HTTP censorship
• 77 Alexa top global sites
• 11 vantage points
• 9 cities, 3 ISPs
• 50 times per test
• Controlled experiments
• Sensitive keyword: ultrasurf
Evaluation of Existing Strategies
• Failure 1 - no resp. from server; Failure 2 - RST from GFW
Why
Failure Analysis
Read InjectWin
Linux macOS
| Interference on Insertion Packets | Client-side Middlebox | Server-side Middlebox | Server |
|---|---|---|---|
| Accept | Failure 1 (No resp. from svr) | Failure 1 (No resp. from svr) | Failure 1 (No resp. from svr) |
| Drop | Failure 2 (RST from GFW) | No Interference | No Interference |
However, there is still a large portion of failure cases left unresolved
TCB Creation on SYN/ACK
• TCB Creation
[Figure: two panels, "Prior" and "New", both with endpoints 1.1.1.1:5555 and 2.2.2.2:6666.]
Prior: TCB created on SYN
TCB: Client: 1.1.1.1:5555, Server: 2.2.2.2:6666, Client SEQ: 123, …
New: TCB also created on SYN/ACK (SEQ:123, ACK:456)
TCB: Client: 2.2.2.2:6666, Server: 1.1.1.1:5555, Client SEQ: 456, …
Re-synchronization
• GFW now becomes “smarter”
• GFW enters “re-sync” state upon seeing
• Multiple SYN or
• Multiple SYN/ACK or
• SYN/ACK with incorrect ACK num
Re-synchronization
• When in “re-sync” state, the GFW updates its client SEQ num using the next
• SEQ num in data packet from “client” to “server”
• ACK num in SYN/ACK packet from “server” to “client”
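A toy model of the monitor behaviour listed on these slides (TCB creation on SYN or SYN/ACK, the three re-sync triggers, and the re-sync update rule), added here as an illustration and not taken from the talk or from INTANG. The class and function names, the constructed traces, leaving re-sync after one update, and tracking the next expected client SEQ as ISN + 1 after a SYN are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str
    dst: str
    flags: str          # "SYN", "SYN/ACK" or "DATA"
    seq: int
    ack: int = 0
    length: int = 0

class MonitorTCB:
    """Toy monitor following the slides' rules; not the GFW's actual logic."""
    def __init__(self):
        self.client = self.client_seq = None   # believed client, next client SEQ
        self.resync, self.syns, self.synacks = False, 0, 0

    def observe(self, p: Pkt) -> None:
        if p.flags == "SYN":
            self.syns += 1
            if self.client is None:                  # TCB creation on SYN (ISN + 1, assumed)
                self.client, self.client_seq = p.src, p.seq + 1
            elif self.syns > 1:                      # multiple SYN
                self.resync = True
        elif p.flags == "SYN/ACK":
            self.synacks += 1
            if self.client is None:                  # TCB creation on SYN/ACK
                self.client, self.client_seq = p.dst, p.ack
            elif self.resync and p.dst == self.client:
                self.client_seq, self.resync = p.ack, False
            elif self.synacks > 1 or p.ack != self.client_seq:
                self.resync = True
        elif p.flags == "DATA" and p.src == self.client:
            if self.resync:                          # adopt next client data SEQ
                self.client_seq, self.resync = p.seq, False
            if p.seq == self.client_seq:
                self.client_seq += p.length

def monitor_view(trace):
    m = MonitorTCB()
    for p in trace:
        m.observe(p)
    return m.client, m.client_seq, m.resync

C, S = "1.1.1.1:5555", "2.2.2.2:6666"   # addresses from the slide
# Constructed traces (not captured traffic).
NORMAL = [Pkt(C, S, "SYN", 100), Pkt(S, C, "SYN/ACK", 900, 101), Pkt(C, S, "DATA", 101, length=10)]
DUP_SYN = NORMAL[:2] + [Pkt(C, S, "SYN", 100), Pkt(C, S, "DATA", 7000, length=10)]
REVERSED = [Pkt(C, S, "SYN/ACK", 123, 456)]        # slide's SEQ:123, ACK:456
```

`monitor_view(NORMAL)` ends with client SEQ 111, while `monitor_view(DUP_SYN)` ends with 7010 because the second SYN put the model into re-sync and it adopted the SEQ of the next client data packet. `REVERSED` reproduces the reversed TCB from the "New" panel.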
Combined strategy: TCB Creation + Resync/Desync
Combined strategy: TCB Teardown + TCB Reversal
New Insertion Packets
Expanding the arsenal
How to Find More Insertion Packets?
• “Ignore” path analysis in TCP receiving logic and differential testing with the GFW
• “Ignore” path: a program execution path that doesn’t change any TCP-related state, i.e. the packet is ignored (e.g. wrong checksum)
• Test whether the GFW also ignores the packet; if it does not, the packet could be an insertion packet
Analyzing Linux TCP Implementation
• Analysis of Linux kernel version 4.4 found the following candidate insertion packets
• New effective insertion packet: MD5 optional header
• Future work: automated discovery of insertion packets
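The differential test described above, sketched as an added example (not code from the talk or from INTANG): an end-host model parses a constructed TCP segment and reports whether it would be ignored, and that verdict is compared with a monitor model to label the segment using the insertion/evasion definitions from the Background slides. The end-host checks (checksum, MD5 option without a configured key), `naive_monitor` and all function names are assumptions.

```python
import struct

MD5SIG = 19  # TCP MD5 signature option kind (RFC 2385)
SRC, DST = bytes([1, 1, 1, 1]), bytes([2, 2, 2, 2])  # slide's example addresses

def csum(data: bytes) -> int:
    """Internet checksum; 0 when the data already embeds a valid checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo(seg: bytes) -> bytes:
    return SRC + DST + struct.pack("!BBH", 0, 6, len(seg)) + seg

def build(options=b"", payload=b"", bad_csum=False) -> bytes:
    """Constructed sample segment; ports, SEQ and ACK are the slide's values."""
    options += b"\x01" * (-len(options) % 4)             # NOP padding
    off_flags = ((5 + len(options) // 4) << 12) | 0x018  # data offset, PSH+ACK
    seg = struct.pack("!HHIIHHHH", 5555, 6666, 123, 456, off_flags, 65535, 0, 0)
    seg += options + payload
    c = (csum(pseudo(seg)) + int(bad_csum)) & 0xFFFF
    return seg[:16] + struct.pack("!H", c) + seg[18:]

def option_kinds(seg: bytes) -> list:
    opts, i, kinds = seg[20:(seg[12] >> 4) * 4], 0, []
    while i < len(opts) and opts[i] != 0:                # 0 ends the option list
        if opts[i] == 1:                                 # NOP has no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:        # malformed length
            break
        kinds.append(opts[i])
        i += opts[i + 1]
    return kinds

def endpoint_ignores(seg: bytes, md5_key_configured=False) -> bool:
    """Assumed end-host checks: bad checksum, or MD5 option with no key set."""
    return csum(pseudo(seg)) != 0 or (MD5SIG in option_kinds(seg) and not md5_key_configured)

def classify(seg: bytes, monitor_ignores) -> str:
    host, mon = endpoint_ignores(seg), monitor_ignores(seg)
    if host and not mon:
        return "insertion candidate"
    return "evasion candidate" if mon and not host else "consistent"

def naive_monitor(seg: bytes) -> bool:
    return False   # hypothetical monitor that validates nothing
```

Passing `endpoint_ignores` itself as the monitor model makes every sample "consistent", which is the property a monitor needs in order not to accept segments the end host discards.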
INTANG - Extensible Measurement Tool
INTANG and its components
UDP DNS <-> TCP DNS
Callbacks for each strategy:
• setup()
• teardown()
• process_syn()
• process_synack()
• process_request()
Evaluation
• Evaluation in both directions (inbound & outbound China)
• High success rate of >95% for outbound; low inbound success rate due to close distance between server and GFW
• INTANG performance: automatically choose the best strategy based on historical results, success rate 98%
Case Study - DNS/Tor/VPN
• Public DNS resolvers outside China
• Google DNS: IP-blocked
• OpenDNS: not censored
• Dyn DNS: censored, 98%+ success rate with INTANG
• Private Tor relay: 100% success rate with INTANG
• Private OpenVPN server: occasionally censored, can be bypassed with INTANG when censored
Discussion & Limitation
• GFW Countermeasures
• Hard to be fully immune to insertion packet
• May use server’s ACK as a feedback, but still vulnerable to data reassembly strategies
• Limitation
• Unable to fully understand some of the failure cases due to blackbox nature of the GFW
• Complexity and inconsistency of the GFW behaviors
Conclusion
• We conduct an extensive measurement on the effectiveness of existing TCP-layer evasion techniques against the GFW, and find most of them are no longer working
• Middleboxes (including NATs and firewalls) have significant interference on the insertion packets
• We discover new behaviors of the GFW and propose new evasion strategies that can bypass these behaviors
• We evaluate our new strategies and demonstrate a high success rate of 95%+