Come as You Are: Helping Unmodified Clients Bypass Censorship with Server-side Evasion

Decades of work on censorship evasion have resulted in myriad ways to empower clients with the ability to access censored content, but to our knowledge all of them have required some degree of client-side participation. Having to download and run anti-censorship software can put users at risk, and does not help the many users who do not even realize they are being censored in the first place. In this paper, we present the first purely server-side censorship evasion strategies, 11 in total. We extend a recent tool, Geneva, to automate the discovery and implementation of server-side strategies, and we apply it to four countries (China, India, Iran, and Kazakhstan) and five protocols (DNS-over-TCP, FTP, HTTP, HTTPS, and SMTP). We also perform follow-on experiments to understand why the strategies Geneva finds work, and to glean new insights into how censors operate. Among these, we find that China runs a completely separate network stack (each with its own unique bugs) for each application-layer protocol that it censors. The server-side techniques we find are easier and safer to deploy than client-side strategies. Our code and data are publicly available.
