Your state is not mine: a closer look at evading stateful internet censorship

Understanding the behaviors of, and evading state-level Internet-scale censorship systems such as the Great Firewall (GFW) of China, has emerged as a research problem of great interest. One line of evasion is the development of techniques that leverage the possibility that the TCP state maintained on the GFW may not represent the state at end-hosts. In this paper we undertake, arguably, the most extensive measurement study on TCP-level GFW evasion techniques, with several vantage points within and outside China, and with clients subscribed to multiple ISPs. We find that the state-of-the art evasion techniques are no longer very effective on the GFW. Our study further reveals that the primary reason that causes these failures is the evolution of GFW over time. In addition, other factors such as the presence of middleboxes on the route from the client to the server also contribute to previously unexpected behaviors. Our measurement study leads us to new understandings of the GFW and new evasion techniques. Evaluations of our new evasion strategies show that our new techniques provide much higher success rates of (compared to prior schemes) ≈ 90% or higher. Our results further validate our new understandings of the GFW's evolved behaviors. We also develop a measurement-driven tool INTANG, that systematically looks for and finds the best strategy that works with a server and network path. Our measurements show that INTANG can yield near perfect evasion rates and is extremely effective in aiding various protocols such as HTTP, DNS over TCP, and Tor in evading the GFW.

[1]  Jon Postel,et al.  Transmission Control Protocol , 1981, RFC.

[2]  Thomas Henry Ptacek,et al.  Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection , 1998 .

[3]  Andy Heffernan,et al.  Protection of BGP Sessions via the TCP MD5 Signature Option , 1998, RFC.

[4]  Robert N. M. Watson,et al.  Ignoring the Great Firewall of China , 2006, Privacy Enhancing Technologies.

[5]  G. Lowe,et al.  The Great DNS Wall of China , 2007 .

[6]  Jedidiah R. Crandall,et al.  ConceptDoppler: a weather tracker for internet censorship , 2007, CCS '07.

[7]  Jedidiah R. Crandall,et al.  Empirical Study of a National-Scale Distributed Intrusion Detection System: Backbone-Level Filtering of HTML Responses in China , 2010, 2010 IEEE 30th International Conference on Distributed Computing Systems.

[8]  Ian Goldberg,et al.  Telex: Anticensorship in the Network Infrastructure , 2011, USENIX Security Symposium.

[9]  Zhuoqing Morley Mao,et al.  Internet Censorship in China: Where Does the Filtering Occur? , 2011, PAM.

[10]  R. Weisberg A-N-D , 2011 .

[11]  Neo,et al.  The collateral damage of internet censorship by DNS injection , 2012, Comput. Commun. Rev..

[12]  George Candea,et al.  The S2E Platform: Design, Implementation, and Applications , 2012, TOCS.

[13]  Minaxi Gupta,et al.  Inferring Mechanics of Web Censorship Around the World , 2012, FOCI.

[14]  Kang Li,et al.  Hold-On : Protecting Against On-Path DNS Poisoning , 2012 .

[15]  Daniel Anderson,et al.  Splinternet Behind the Great Firewall of China , 2012 .

[16]  Stefan Lindskog,et al.  How the Great Firewall of China is Blocking Tor , 2012, FOCI.

[17]  Vern Paxson,et al.  Towards Illuminating a Censorship Monitor's Model to Facilitate Evasion , 2013, FOCI.

[18]  Towards a Comprehensive Picture of the Great Firewall's DNS Censorship , 2014, FOCI.

[19]  Adam Senft,et al.  Characterizing Web Censorship Worldwide: Another Look at the OpenNet Initiative Data , 2015, TWEB.

[20]  Zhuoqing Morley Mao,et al.  Static Detection of Packet Injection Vulnerabilities: A Case for Identifying Attacker-controlled Implicit Information Leaks , 2015, CCS.

[21]  Nick Feamster,et al.  Examining How the Great Firewall Discovers Hidden Circumvention Servers , 2015, Internet Measurement Conference.

[22]  Antonio Pescapè,et al.  Internet Censorship detection: A survey , 2015, Comput. Networks.

[23]  Dmitri Loguinov,et al.  Hershel: Single-Packet OS Fingerprinting , 2014, IEEE/ACM Transactions on Networking.

[24]  Vern Paxson,et al.  SoK: Towards Grounding Censorship Circumvention in Empiricism , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[25]  Srikanth V. Krishnamurthy,et al.  Off-Path TCP Exploits: Global Rate Limit Considered Dangerous , 2016, USENIX Security Symposium.

[26]  Alan Mislove,et al.  lib•erate, (n): a library for exposing (traffic-classification) rules and avoiding them efficiently , 2017, Internet Measurement Conference.