Censored Planet: Measuring Internet Censorship Globally and Continuously
Roya Ensafi, AIMS 2018

Measuring Internet Censorship Globally
PROBLEM:
- How can we detect whether pairs of hosts around the world can talk to each other?
STATE OF THE ART:
- Deploy hardware or software at hosts (RIPE Atlas, OONI probe)
- Ask people on the ground, or use VPNs, or research networks (PlanetLab)
THREE KEY CHALLENGES:
Coverage, ethics, and continuity
[Figure: a user and a site, connectivity between them marked "?"]

Thinking Like an “Attacker”…
140 million public live IPv4 addresses
These machines blindly follow Internet protocol rules such as TCP/IP.
How can we leverage standard protocol behaviors to detect whether two distant hosts can communicate?

Measuring Internet Censorship Globally… Remotely!
PROBLEM:
- How can we detect whether pairs of hosts around the world can talk to each other?
…from somewhere else in the world?
Impossible!
[Figure: a user and a site, connectivity between them marked "?"]

Spooky Scan
Spooky Scan uses TCP/IP side channels to detect whether a user and a site can communicate (and in which direction packets are blocked).
Goal: Detect blocking from off-path
* TCP Idle Scan, Antirez (Bugtraq 1998)
* Detecting Intentional Packet Drops on the Internet via TCP/IP Side Channels, Roya Ensafi, Knockel, Alexander, and Crandall (PAM ’14)
* Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks Using Model Checking, Roya Ensafi, Park, Kapur, and Crandall (Usenix Security 2010)
[Figure: a user and a site]

Augur
Augur is a follow-up system that uses the same TCP/IP side channels to detect blocking from off-path.
Goal: Scalable, ethical, and statistically robust system to continuously detect blocking.
* Augur: Internet-Wide Detection of Connectivity Disruption, P. Pearce*, R. Ensafi*, F. Li, N. Feamster, V. Paxson (* joint first authors)
[Figure: a user and a site]

TCP/IP
TCP Handshake:
- SYN [IP ID: X]
- SYN/ACK [IP ID: Y]
- ACK [IP ID: X+1]
[Figure: "Port status is open/closed": SYN-ACK, then RST]
[Figure: "Port status is open": SYN, then SYN/ACK, SYN/ACK, SYN/ACK]

Spooky Scan Requirements
- Site: Open port and retransmitting SYN-ACKs
- “User” (Reflector): Must maintain a global value for IP ID
- Measurement Machine: Must be able to spoof packets

Spooky Scan: No direction blocked
[Figure: packet sequence between Measurement machine, Reflector, and Site, built up step by step over several slides]
1. SYN/ACK (Measurement machine to Reflector)
2. RST [IP ID: 7000] (Reflector to Measurement machine)
3. Spoofed SYN [src: Reflector IP] (Measurement machine to Site)
4. SYN/ACK (Site to Reflector)
5. RST [IP ID: 7001] (Reflector to Site)
6. SYN/ACK (Measurement machine to Reflector)
7. RST [IP ID: 7002] (Reflector to Measurement machine)
Probe [IP ID: 7003]
Reflector IP ID: 7000, 7001, 7002, 7003

Spooky Scan: Site-to-Reflector Blocked
[Figure: packet sequence between Measurement machine, Reflector, and Site]
1. SYN/ACK (Measurement machine to Reflector)
2. RST [IP ID: 7000] (Reflector to Measurement machine)
3. Spoofed SYN [src: ClientIP] (Measurement machine to Site)
4. SYN/ACK (Site to Reflector, blocked)
5. SYN/ACK (Measurement machine to Reflector)
6. RST [IP ID: 7001] (Reflector to Measurement machine)
Probe [IP ID: 7002]
Reflector IP ID: 7000, 7001, 7002

Spooky Scan: Reflector-to-Site Blocked
[Figure: packet sequence between Measurement machine, Reflector, and Site, built up over two slides]
1. SYN/ACK (Measurement machine to Reflector)
2. RST [IP ID: 7000] (Reflector to Measurement machine)
3. Spoofed SYN [src: ClientIP] (Measurement machine to Site)
4. SYN/ACK (Site to Reflector)
5. RST (Reflector to Site, blocked)
6. SYN/ACK (Measurement machine to Reflector)
7. RST [IP ID: 7002] (Reflector to Measurement machine)
Probe [IP ID: 7004]
Reflector IP ID: 7000, 7001, 7002, 7003, 7004

Spooky Scan
- No Direction Blocked: IP ID1 = 2, IP ID2 = 1
- Site-to-Reflector Blocked: IP ID1 = 1, IP ID2 = 1
- Reflector-to-Site Blocked: IP ID1 = 2, IP ID2 = 2

Coping with Reflector IP ID Noise
Amplifying the signal
Effect of sending N spoofed SYNs:
- No Direction Blocked: IP ID1 = (1 + N + noise), IP ID2 = noise
- Site-to-Reflector Blocked: IP ID1 = (1 + noise), IP ID2 = noise
- Reflector-to-Site Blocked: IP ID1 = (1 + N + noise), IP ID2 = (1 + N + noise)
Repeating the experiment
To eliminate the effects of packet loss, sudden bursts of packets, ...

Augur for Continuous Scanning
Insight: Some measurements much noisier than others.
Probing Methodology:
Until we have high enough confidence (or up to):
Run
- For first 4s, query IPID every sec
- Send 10 spoofed SYNs
- Query IPID
- Query IPID
Repeat runs and use Seq. Hypothesis Testing to gradually build confidence.

Augur: Sequential Hypothesis Testing
Defining a random variable:
- if no IPID acceleration occurs
- if IPID acceleration occurs
Calculate known outcome probabilities (priors):
- Prior 1: Prob. of no IPID acceleration when there is blocking
- Prior 2: Prob. of IPID acceleration when there is no blocking
Based on , can we decide the blocking case?
[Figure: flowchart with steps Trial, Update, and Maximum Likelihood Ratio, Yes/No branches, and outcomes Site-to-Ref blocking, Ref-to-Site blocking, No Blocking, Output Unknown]
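
The three IP ID signatures and the sequential test from the slides above, as an added simulation that is not code from the talk or from Augur. No packets are sent: the reflector is modelled as a counter with random background traffic, and the prior value 0.9, the error rates 0.01, the N/2 acceleration threshold, the second test's probabilities and all function names are assumptions.

```python
import math
import random

N_SYNS = 10                 # spoofed SYNs per run, as on the probing slide
PRIOR = 0.9                 # assumed value for both priors (Augur estimates them)
ALPHA = BETA = 0.01         # assumed tolerated false positive / negative rates
UPPER = math.log((1 - BETA) / ALPHA)
LOWER = math.log(BETA / (1 - ALPHA))


def simulate_run(case, rng, noise_max=4):
    """One simulated run against a reflector with a global IP ID counter.

    Returns (baseline, d1, d2): four per-second baseline deltas, the delta
    over the injection window, and the delta over the following window,
    following the slide's table (1 + noise, 1 + N + noise, noise)."""
    baseline = [1 + rng.randint(0, noise_max) for _ in range(4)]
    d1 = 1 + rng.randint(0, noise_max)
    if case != "site-to-ref":            # SYN/ACKs reach the reflector
        d1 += N_SYNS
    d2 = rng.randint(0, noise_max)
    if case == "ref-to-site":            # RSTs dropped, site keeps retransmitting
        d2 += 1 + N_SYNS
    return baseline, d1, d2


def accelerated(delta, baseline):
    """Assumed rule: acceleration = delta above baseline mean by more than N/2."""
    return delta > sum(baseline) / len(baseline) + N_SYNS / 2


def sprt(observations, p_true_h1, p_true_h0):
    """Wald's sequential test over booleans; returns (decision, trials used)."""
    llr = 0.0
    for used, obs in enumerate(observations, start=1):
        p1 = p_true_h1 if obs else 1 - p_true_h1
        p0 = p_true_h0 if obs else 1 - p_true_h0
        llr += math.log(p1 / p0)         # update the likelihood ratio per trial
        if llr >= UPPER:
            return "H1", used
        if llr <= LOWER:
            return "H0", used
    return "unknown", len(observations)


def classify(runs):
    """Map a list of (baseline, d1, d2) runs to one of the four outputs."""
    # Test 1, H1 = site-to-reflector blocking: "no acceleration" is likely
    # under blocking (Prior 1) and unlikely without it (1 - Prior 2).
    no_accel = [not accelerated(d1, b) for b, d1, _ in runs]
    verdict, _ = sprt(no_accel, PRIOR, 1 - PRIOR)
    if verdict == "H1":
        return "site-to-ref blocking"
    if verdict == "unknown":
        return "unknown"
    # Test 2, H1 = reflector-to-site blocking: acceleration persists into
    # the next window because the site retransmits its SYN/ACKs.
    accel_next = [accelerated(d2, b) for b, _, d2 in runs]
    verdict, _ = sprt(accel_next, PRIOR, 1 - PRIOR)
    return {"H1": "ref-to-site blocking", "H0": "no blocking"}.get(verdict, "unknown")


def measure(case, max_runs=8, seed=1, noise_max=4):
    """Simulate up to max_runs runs for one reflector-site pair and classify."""
    rng = random.Random(seed)
    return classify([simulate_run(case, rng, noise_max) for _ in range(max_runs)])


if __name__ == "__main__":
    for case in ("none", "site-to-ref", "ref-to-site"):
        print(case, "->", measure(case))
```

Raising `noise_max` above `N_SYNS / 2` lets single runs disagree with each other, which is when the sequential test needs more runs or ends in `unknown`.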

Augur Framework
[Figure: Augur framework diagram, built up over several slides. Labels: User input; Target countries; Site address; All responsive IPs; Reflector selection; Reflector Characterization; Site characterization; Scheduler; Probing; Detection; Detection/Validation. System output: Ref-to-Site blocking, OR Site-to-Ref blocking, OR No blocking, OR Error]

Coverage
Challenge: Need global vantage points from which to measure
Scanning IPv4 on port 80:
- 22.7 million potential reflectors!
Compare: 10,000 in prior work (RIPE Atlas)

Ethics
Challenge: Probing banned sites from users’ machines creates risk
[Figure: steps 4 and 5 between Site and Reflector: SYN/ACK, RST [IP ID: 1001]; Reflector IP ID: 1000, 1001, 1002]
Use only infrastructure devices to source probes
- Global IP ID: 22.7 million, 236 countries (and dependent territories)
- Two hops back from end user: 53,000, 180 countries
[Figure: User and Internet]

Continuity
Challenge: Need to repeat measurements over time
Augur doesn’t depend on end users’ availability, and routers have less downtime, allowing us to collect measurements continuously.

Running Augur In the Wild
Reflectors: 2,050
Sites: 2,134 (Citizen Lab list + Alexa Top-10K)
Mix of sensitive and popular sites
Duration: 17 days
Measurements per reflector-site: 47
Overall # of measurements: 207.6 million

Top Blocked Sites: Site-to-Reflector blocking
Interesting example:
- amtrak.com was blocked for 21% of reflectors, 57% of countries (ranked 6) → Collateral damage

Top Blocked Sites: Reflector-to-Site blocking
Interesting example:
- nsa.gov was blocked for 7.4% of reflectors, 23% of countries (ranked 1)
Note: Some servers discriminate by providing their services to specific regions. Examples: Dating sites, banking sites, or sites that have to follow embargo rules

Augur
Augur is a system that uses TCP/IP side channels to continuously detect blocking.
- Reduce risks by using only infrastructure devices to source probes
- Can use more than 53,000 to cover more than 180 countries

Side Channels at Other Network Layers
Network interference happens at all layers
What’s new on cnn.com?
- DNS A query for cnn.com (Resolver)
- IP routing
- TCP handshake
- (opt) TLS handshake
- HTTP requests

Satellite (Iris)
Satellite is a system that uses DNS open resolvers to detect whether a user can resolve a domain accurately.
Goal: Scalable, ethical, and statistically robust system to continuously detect DNS level manipulation
* Satellite: Joint Analysis of CDNs and Network-Level Interference, Scott, Anderson, Kohno, and Krishnamurthy. In USENIX ATC, 2016.
* Global Measurement of DNS Manipulation, Pearce, Jones, Li, Ensafi, Feamster, Paxson, USENIX Security, August 2017
[Figure: DNS query sent to a resolver]

Deploying Satellite
Coverage:
- Scan IPv4 for open resolvers: 4.2 M, 232 countries
Ethical:
- Using resolvers reasonably attributed to Internet naming infrastructures: ~ 7k
Continuity:
- Satellite doesn’t depend on end users’ availability, and resolvers have less downtime
Challenge: Identify “wrong” DNS responses
Detecting DNS manipulation:
- Using consistency and independent verifiability heuristics.

Censored Planet, a system that provides a continual and global view of Internet censorship
- Daily reachability measurements for key websites from countries worldwide
- Data collected with Augur, Satellite, and Quack combined with side channels at other network layers
- Tools for mapping and comparative analyses across locations and time

Censored Planet: Measuring Internet Censorship Globally and Continuously
Roya Ensafi, CAIDA, 2018