Lesson 10 - Internet Surveillance and Censorship Flashcards

1
Q

What is DNS censorship?

A

DNS censorship is a large-scale network traffic filtering strategy used to enforce control and censorship over Internet infrastructure, suppressing material that authorities deem objectionable.

2
Q

What are the properties of GFW (Great Firewall of China)?

A
  1. Locality of GFW nodes - The majority view is that censorship nodes are present at the edge.
  2. Centralized management (suggested by common blocklists obtained from two distinct GFW locations).
  3. Load balancing
3
Q

How does DNS injection work?

A
  1. A DNS probe is sent to the open DNS resolvers.
  2. The probe is checked against the blocklist of domains and keywords.
  3. For domain-level blocking, a fake DNS A record response is sent back.
4
Q

What are the strengths and weaknesses of the “packet dropping” DNS censorship technique?

A

Strengths:

  • Easy to implement
  • Low cost

Weaknesses:

  • Maintenance of blocklist - It is challenging to stay up to date with the list of IP addresses to block
  • Overblocking - If two websites share the same IP address and the intention is to only block one of them, there’s a risk of blocking both
5
Q

What is the strength of “DNS poisoning” as a DNS censorship technique?

A

+ No overblocking: Specific hostnames can be blocked versus blanket IP address blocking.

6
Q

What are the strengths and weaknesses of DNS censorship using “content inspection” techniques?

A

Regarding proxy-based content inspection:
+ Precise censorship: A very precise level of censorship can be achieved, down to the level of single web pages or even objects within a web page.
+ Flexible: Works well with hybrid security systems, e.g. in combination with other censorship techniques like packet dropping and DNS poisoning.
- Not scalable: Expensive to implement on a large-scale network, as the processing overhead of passing traffic through a proxy is large.

Intrusion detection system (IDS) based content inspection is more cost-effective, as it is responsive rather than reactive: it informs firewall rules for future censorship.

7
Q

What is the “blocking with resets” DNS censorship technique?

A

The server sends a TCP reset (RST) to block individual connections that contain requests with objectionable content.

8
Q

What are the strengths and weaknesses of the “immediate reset of connections” DNS censorship technique?

A
  • Potentially blocks valid content for a period of time.
9
Q

What are the challenges of understanding censorship around the world?

A
  1. Diverse Measurements
  2. Measurement techniques should be scalable.
  3. Need to identify intent to censor and not just a misconfiguration.
  4. Ethics and Minimizing Risks to citizens in censored networks.
10
Q

What steps does Iris take to identify DNS manipulation?

A
  1. Scan the Internet’s IPv4 space for open DNS resolvers.
  2. Identify infrastructure DNS resolvers.
  3. Perform DNS queries.
  4. Record DNS responses together with auxiliary information (such as geo-location, AS, port 80 HTTP responses, etc.).
  5. Perform additional PTR and TLS scanning to avoid inconsistencies where more than one host is on the same IP.
  6. Clean the data.
  7. Identify DNS manipulation.
11
Q

How is it possible to achieve connectivity disruption using the routing disruption approach?

A

If this communication is disrupted or disabled on critical routers, it can result in unreachability of large parts of a network.
This approach involves withdrawing previously advertised prefixes or re-advertising them with different properties, thereby modifying the global routing state of the network.

12
Q

How is it possible to achieve connectivity disruption using the packet filtering approach?

A

Packets matching certain criteria can be blocked, disrupting the normal forwarding action.

13
Q

How does the Augur system use connectivity disruption to determine no filtering is occurring between the host and reflector?

A

The measurement machine determines the IP ID has incremented by 2 between the first probe and the second.

A bit of detail:

  1. The measurement machine probes the IP ID of the reflector by sending a TCP SYN-ACK packet. It receives a RST response packet with IP ID set to 6 (IPID (t1)).
  2. Now, the measurement machine performs perturbation by sending a spoofed TCP SYN to the site.
  3. The site sends a TCP SYN-ACK packet to the reflector and receives a RST packet as a response. The IP ID of the reflector is now incremented to 7.
  4. The measurement machine again probes the IP ID of the reflector and receives a response with the IP ID value set to 8 (IPID (t4)).
14
Q

When a system like Augur detects inbound blocking, what has it observed?

A

Filtering occurs on the path from the site to the reflector.
Since the reflector did not reply to the host site, the measurement machine observes the IP ID of the site incremented by 1.

15
Q

How can outbound blocking be detected with a measurement machine?

A

Filtering imposed on the outgoing path from the reflector can be determined when the IP ID has increased by more than 2 from the initial SYN-ACK, due to the reflector sending multiple RSTs to the host.

16
Q

In relation to DNS censorship, what is packet dropping?

A

In packet dropping, all network traffic going to a set of specific IP addresses is discarded.

17
Q

List several DNS censorship techniques.

A
  • Packet dropping
  • DNS poisoning
  • Content inspection
  • Blocking with resets
  • Immediate reset of connections
18
Q

What is DNS poisoning?

A

When a Domain Name Server receives a request but does not answer, or returns an incorrect answer in order to redirect or mislead.

19
Q

With regards to DNS censorship, what is “Content Inspection”?

A

Proxy-based content inspection - All network traffic passes through a proxy where the traffic is examined for content, and the proxy rejects requests that serve objectionable content.

Intrusion detection system (IDS) based content inspection: An alternative approach is to use parts of an IDS to inspect network traffic. An IDS is easier and more cost-effective to implement than a proxy-based system, as it is more responsive than reactive in nature, in that it informs the firewall rules for future censorship.

20
Q

What are two types of content inspection?

A

Proxy-based

Intrusion Detection System

21
Q

What is Iris?

A

A system which uses machine learning to identify DNS manipulation.

22
Q

What are ways in which connectivity disruption can be achieved?

A
  • Packet filtering
  • Routing disruption
  • DNS-based blocking
  • Deep packet inspection by an ISP
  • Client software blocking
23
Q

What is Augur?

A

A system which uses a measurement machine to detect if filtering exists between two hosts.

24
Q

What is an IP ID?

A

A unique 16-bit IP identifier attached to a packet.

Systems like Augur utilize the IP ID number to detect blocking between two hosts:

  • +1: inbound blocking
  • +2: no blocking
  • more than +2: outbound blocking