Exam 2: Lesson 10 Flashcards
Lesson 10 (T/F):
A censorship technique can use any combination of criteria based on content, source IP and destination IP to block access to objectionable content.
True??
Lesson 10 (T/F):
DNS injection uses DNS replies to censor network traffic based on the source and destination IP address.
False
- DNS injection is one of the most common censorship techniques employed by the GFW.
- The GFW uses a ruleset to determine when to inject DNS replies to censor network traffic.
Lesson 10 (T/F):
With a censorship technique based on packet dropping, all network traffic going to a set of specific IP addresses is discarded.
True
As the name suggests, in packet dropping, all network traffic going to a set of specific IP addresses is discarded. The censor identifies undesirable traffic and chooses to not properly forward any packets it sees associated with the traversing undesirable traffic instead of following a normal routing protocol.
Strengths
- Easy to implement
- Low cost
Weaknesses
- Maintenance of blocklist - It is challenging to stay up to date with the list of IP addresses to block
- Overblocking - If two websites share the same IP address and the intention is to only block one of them, there’s a risk of blocking both
Lesson 10 (T/F):
When using DNS Poisoning, all traffic passes through a proxy where it is examined for content, and the proxy rejects requests that serve objectionable content.
False
DNS Poisoning occurs when a DNS server receives a query to resolve a hostname to an IP address and either returns no answer or returns an incorrect answer that redirects or misleads the user's request.
This question is referring to Content Inspection which is:
3A. Proxy-based content inspection: This censorship technique is more sophisticated, in that it allows all network traffic to pass through a proxy where the traffic is examined for content, and the proxy rejects requests that serve objectionable content.
3B. Intrusion detection system (IDS) based content inspection: An alternative approach is to use parts of an IDS to inspect network traffic. An IDS is easier and more cost-effective to implement than a proxy-based system, and it is more responsive than reactive in nature, in that it informs the firewall rules for future censorship.
Lesson 10 (T/F):
When using the Blocking with Resets technique, if a client sends a request containing flaggable keywords, only the connection containing requests with objectionable content is blocked.
True
The GFW employs this technique where it sends a TCP reset (RST) to block individual connections that contain requests with objectionable content. We can see this by capturing packets for normal requests and for requests that contain potentially flaggable keywords. Let's look at one such example of a packet capture.
Lesson 10 (T/F):
With the Immediate Reset of Connections technique, whenever a request is sent containing flaggable keywords, any subsequent request will receive resets from the firewall for a certain amount of time.
True
Censorship systems like the GFW have blocking rules, in addition to content inspection, that immediately suspend traffic coming from a source for a short period of time.
The reset packet received by the client is from the firewall. It does not matter that the client sends out legitimate GET requests following one “questionable” request. It will continue to receive resets from the firewall for a particular duration. Running different experiments suggests that this blocking period is variable for “questionable” requests.
Lesson 10 (T/F):
One of the obstacles to fully understand DNS censorship is the heterogeneity of DNS manipulation across the globe.
True
The challenges are:
1. Diverse Measurements:
- Such understanding would need a diverse set of measurements spanning different geographic regions, ISPs, countries, and regions within a single country. Since political dynamics can vary, different ISPs can use various filtering techniques, and different organizations may implement censorship at multiple layers of the Internet protocol stack using different techniques.
- For example, an ISP may be blocking traffic based on IP address, but another ISP may be blocking individual web requests based on keywords.
- Therefore, we need widespread longitudinal measurements to understand global Internet manipulation and the heterogeneity of DNS manipulation across countries, resolvers, and domains.
Lesson 10 (T/F):
It is easy to infer if there is DNS manipulation based on few indications such as inconsistent or anomalous DNS responses.
False
3. Identifying the intent to restrict content access:
- While identifying inconsistent or anomalous DNS responses can help to detect a variety of underlying causes, such as misconfigurations, identifying DNS manipulation is different: it requires that we detect the intent to block access to content.
- It poses its own challenges.
- So we need to rely on identifying multiple indications to infer DNS manipulation.
Lesson 10 (T/F):
There is a need for methods and tools independent of human intervention and participation in order to achieve the scalability necessary to measure Internet censorship.
True
2. Need for Scale:
- At first, the methods to measure Internet censorship relied on volunteers who ran measurement software on their own devices. Since this requires them to actually install software and perform measurements, this method is unlikely to reach the scale required.
- There is a need for methods and tools that are independent of human intervention and participation.
Lesson 10 (T/F):
It is considered safe for volunteers to participate in censorship measurement studies and accessing DNS resolvers or DNS forwarders.
False
4. Ethics and Minimizing Risks:
- Obviously, there are risks associated with involving citizens in censorship measurement studies, depending on how different countries may penalize access to censored material. Therefore it is safer to stay away from using DNS resolvers or DNS forwarders in the home networks of individual users. Instead, it is safer to rely on open DNS resolvers that are hosted in Internet infrastructure (for example, within Internet service providers or cloud hosting providers).
Lesson 10:
Which of the following censorship detection systems aims to identify IP-based disruptions as opposed to DNS-based manipulations?
CensMon
PlanetLab
OpenNet
Augur
Augur
Augur is a new system created to perform longitudinal global measurements using TCP/IP side channels. However, this system focuses on identifying IP-based disruptions as opposed to DNS-based manipulations.
Other answers are:
What are the limitations of main censorship detection systems?
- Global censorship measurement tools were created by efforts to measure censorship by running experiments from diverse vantage points.
- For example, CensMon used PlanetLab nodes in different countries.
- However, many such methods are no longer in use. One of the most common systems/approaches is the OpenNet Initiative, where volunteers have performed measurements on their home networks at different times over the past decade. Relying on volunteer efforts makes continuous and diverse measurements very difficult.
Lesson 10 (T/F):
[Iris] The Iris system uses home routers to identify DNS manipulation.
False
Iris uses open DNS resolvers located all over the globe. In order to avoid using home routers (which are usually open due to configuration issues), this dataset is then restricted to a few thousand that are part of the Internet infrastructure. There are two main steps associated with this process:
- Scanning the Internet’s IPv4 space for open DNS resolvers
- Identifying Infrastructure DNS Resolvers
Lesson 10 (T/F):
[Iris] In order to infer DNS manipulation, Iris relies solely on metrics that can be externally verified using external data sources.
False
After annotating the dataset, techniques are performed to clean the dataset, and identify whether DNS manipulation is taking place or not. Iris uses two types of metrics to identify this manipulation:
- Consistency Metrics
- Domain access should have some consistency, in terms of network properties, infrastructure or content, even when accessed from different global vantage points. Using one of the domains Iris controls gives a set of high-confidence consistency baselines. Some consistency metrics used are IP address, Autonomous System, HTTP Content, HTTPS Certificate, PTRs for CDN.
- Independent Verifiability Metrics
- In addition to the consistency metrics, they also use metrics that could be externally verified using external data sources. Some of the independent verifiability metrics used are: HTTPS certificate (whether the IP address presents a valid, browser trusted certificate for the correct domain name when queried without SNI) and HTTPS Certificate with SNI.
Lesson 10:
[Augur] Assume a scenario where there is inbound blocking. The Measurement Machine sends a SYN-ACK to the reflector, what should happen?
The return IPID from the reflector to the Measurement Machine should increase by 2.
The return IPID from the reflector to the Measurement Machine will increase by 1.
The return IPID from the reflector to the Measurement Machine should remain the same as it was before.
The return IPID from the reflector to the Measurement Machine will increase by 1.
Explain a scenario of connectivity disruption detection in case of the inbound blocking.
Inbound blocking
- The scenario where filtering occurs on the path from the site to the reflector is termed inbound blocking.
- In this case, the SYN-ACK packet sent from the site in step 3 does not reach the reflector.
- Hence, there is no response generated and the IP ID of the reflector does not increase.
- The returned IP ID in step 4 will be 7 (IPID(t4)) as shown in the figure. Since the measurement machine observes the increment in IP ID value as 1, it detects filtering on the path from the site to the reflector.