Lesson 10: Internet Surveillance and Censorship Flashcards

1
Q

What is DNS censorship?

A

DNS censorship is a network traffic filtering strategy adopted by a network to enforce control and censorship over Internet infrastructure, in order to suppress material that it deems inappropriate.

2
Q

What are the properties of GFW (Great Firewall of China)?

A
  1. Locality of the nodes: the majority view is that GFW nodes only exist at the ISP edges of the network
  2. Centralized management: a centralized blocklist is used to maintain the same blocking behavior in different locations
  3. Load balancing: processes are clustered together based on source and destination IP addresses to send collective DNS injection messages
3
Q

How does DNS injection work?

A

DNS injection is the technique of sending fake DNS A records in response to blacklisted queries. The blacklist may be on a specific domain or even on certain keywords present in the domain.

4
Q

What are the three steps involved in DNS injection?

A
  1. A DNS probe is sent to the open DNS resolvers
  2. The probe is checked against the blocklist of domains and keywords
  3. For domain-level blocking, a fake DNS A record response is sent back. There are two levels of blocking domains: the first is by directly blocking the domain, and the second is by blocking it based on keywords present in the domain
5
Q

List five DNS censorship techniques and briefly describe their working principles.

A
  1. Packet dropping - all network traffic going to a set of specific IP addresses is discarded.
  2. DNS poisoning - a fake record is returned to redirect or mislead the user
  3. Content inspection - a proxy service inspects the contents of all packets in transmission and selectively serves them based on censorship policies
  4. Blocking with resets - sending a TCP reset response only to censored content queries
  5. Immediate reset of connections - sending TCP resets to all queries following a censored content query for a fixed amount of time
6
Q

Which DNS censorship technique is susceptible to overblocking?

A

Packet dropping

7
Q

What are the strengths and weaknesses of the “packet dropping” DNS censorship technique?

A

Strengths: easy to implement, low cost.

Weaknesses: maintenance of a blocklist, overblocking.

8
Q

What are the strengths and weaknesses of the “DNS poisoning” DNS censorship technique?

A

Strengths: no overblocking

Weaknesses: blocks entire domain

9
Q

What are the strengths and weaknesses of the “content inspection” DNS censorship technique?

A
Strengths: precise, flexible

Weaknesses: does not scale well
10
Q

What are the strengths and weaknesses of the “blocking with resets” DNS censorship technique?

A

Strengths: easy to implement, low cost

Weaknesses: maintaining a blocklist

11
Q

What are the strengths and weaknesses of the “immediate reset of connections” DNS censorship technique?

A

Strengths: easy to implement, low cost

Weaknesses: maintaining a blocklist

12
Q

Our understanding of censorship around the world is relatively limited. Why is this the case? What are the challenges?

A
  1. Diverse measurements are required
  2. Need for scale
  3. Identifying the intent to restrict content access
  4. Ethics and minimizing risks
13
Q

What are the limitations of main censorship detection systems?

A

Relying on volunteer efforts makes continuous and diverse measurements very difficult.

14
Q

What kind of disruptions does Augur focus on identifying?

A

Augur focuses on identifying IP-based disruptions as opposed to DNS-based manipulations.

15
Q

How does Iris counter the issue of lack of diversity while studying DNS manipulation? What are the steps associated with the proposed process?

A

Iris uses open DNS resolvers located all over the globe.

  1. Scanning the Internet’s IPv4 space for open DNS resolvers
  2. Identifying Infrastructure DNS Resolvers
16
Q

What are the steps involved in the global measurement process using DNS resolvers?

A
  1. Performing global DNS queries – Iris queries thousands of domains across thousands of open DNS resolvers. To establish a baseline for comparison, the creators included 3 DNS domains under their control to help calculate the metrics used for evaluating DNS manipulation.
  2. Annotating DNS responses with auxiliary information – To enable the classification, Iris annotates the IP addresses with additional information such as their geo-location, AS, port 80 HTTP responses, etc. This information is available from the Censys dataset.
  3. Additional PTR and TLS scanning – One IP address could host several websites via virtual hosting. So, when Censys retrieves a certificate from port 443, it could differ from one retrieved via TLS’s Server Name Indication (SNI) extension. This results in discrepancies that could cause Iris to label virtual hosting as a DNS inconsistency. To avoid this, Iris adds PTR and SNI certificate scanning.
17
Q

What metrics does Iris use to identify DNS manipulation once data annotation is complete? Describe the metrics. Under what condition do we declare the response as being manipulated?

A
  1. Consistency Metrics

Domain access should have some consistency, in terms of network properties, infrastructure, or content, even when accessed from different global vantage points. Using one of the domains Iris controls gives a set of high-confidence consistency baselines. Some consistency metrics used are IP address, Autonomous System, HTTP Content, HTTPS Certificate, and PTRs for CDN.

  2. Independent Verifiability Metrics

In addition to the consistency metrics, they also use metrics that could be verified using external data sources. Some of the independent verifiability metrics used are HTTPS certificate (whether the IP address presents a valid, browser-trusted certificate for the correct domain name when queried without SNI) and HTTPS Certificate with SNI.

If any consistency metric or independent verifiability metric is satisfied, the response is correct. Otherwise, the response is classified as manipulated.

18
Q

How to identify DNS manipulation via machine learning with Iris?

A

If any consistency metric or independent verifiability metric is satisfied, the response is correct. Otherwise, the response is classified as manipulated.

19
Q

How is it possible to achieve connectivity disruption using the routing disruption approach?

A

A routing mechanism decides which part of the network can be reachable.

20
Q

How is it possible to achieve connectivity disruption using the packet filtering approach?

A

To disrupt a network’s connectivity, packet filtering can be used to block packets matching certain criteria, disrupting the normal forwarding action.

21
Q

Explain a scenario of connectivity disruption detection in the case when no filtering occurs.

A

An increment of IP Id by 2

22
Q

Explain a scenario of connectivity disruption detection in the case of inbound blocking.

A

An increment of IP Id by 1

23
Q

Explain a scenario of connectivity disruption detection in the case of outbound blocking.

A

Continuous increment of IP Id as the reflector attempts to resend packets.