Lesson 10 - Internet Surveillance and Censorship Flashcards
What is DNS censorship?
DNS censorship is a large-scale network traffic filtering strategy used to enforce control and censorship over Internet infrastructure, suppressing material that authorities deem objectionable.
What are the properties of GFW (Great Firewall of China)?
- Locality of GFW nodes - The majority view is that censorship nodes are present at the edge.
- Centralized management (suggested by common blocklists obtained from two distinct GFW locations).
- Load balancing
How does DNS injection work?
- A DNS probe is sent to the open DNS resolvers.
- The probe is checked against the blocklist of domains and keywords.
- For domain level blocking, a fake DNS A record response is sent back.
What are the strengths and weaknesses of “packet dropping” DNS censorship technique?
Strengths:
- Easy to implement
- Low cost
Weaknesses:
- Maintenance of the blocklist - It is challenging to keep the list of IP addresses to block up to date.
- Overblocking - If two websites share the same IP address and the intention is to block only one of them, there is a risk of blocking both.
What is the strength of “DNS poisoning” as a DNS censorship technique?
+ No overblocking: Specific hostnames can be blocked versus blanket IP address blocking.
What are the strengths and weaknesses of DNS censorship using “content inspection” techniques?
Regarding proxy-based content inspection:
+ Precise censorship: A very precise level of censorship can be achieved, down to the level of single web pages or even objects within a web page.
+ Flexible: Works well with hybrid censorship systems, e.g. in combination with other techniques such as packet dropping and DNS poisoning.
- Not scalable: Expensive to implement on a large-scale network, as the processing overhead of passing traffic through a proxy is large.
Intrusion detection system based content inspection is more cost-effective, as it is responsive rather than reactive: it informs firewall rules for future censorship.
What is a “blocking with resets” DNS censorship technique?
The server sends a TCP reset (RST) to block individual connections that contain requests with objectionable content.
What are the strengths and weaknesses of “immediate reset of connections” DNS censorship technique?
- Potentially blocks valid content for a period of time.
What are the challenges of understanding censorship around the world?
- Diverse Measurements
- Measurement techniques should be scalable.
- Need to identify intent to censor and not just a misconfiguration.
- Ethics and Minimizing Risks to citizens in censored networks.
What steps does Iris take to identify DNS manipulation?
- Scanning the Internet’s IPv4 space for open DNS resolvers
- Identifying Infrastructure DNS Resolvers
- Performing DNS queries.
- Noting DNS responses along with auxiliary information (such as geo-location, AS, port 80 HTTP responses, etc.).
- Additional PTR and TLS scanning to avoid inconsistencies where more than one host is on the same IP.
- Clean the data
- Identify DNS manipulation
How is it possible to achieve connectivity disruption using the routing disruption approach?
If routing communication is disrupted or disabled on critical routers, large parts of a network can become unreachable.
This approach involves withdrawing previously advertised prefixes or re-advertising them with different properties, thereby modifying the global routing state of the network.
How is it possible to achieve connectivity disruption using the packet filtering approach?
Packets matching certain criteria can be blocked, disrupting the normal forwarding action.
How does the Augur system use connectivity disruption to determine that no filtering is occurring between the site and the reflector?
The measurement machine determines the IP ID has incremented by 2 between the first probe and the second.
A bit of detail:
- The measurement machine probes the IP ID of the reflector by sending a TCP SYN-ACK packet. It receives a RST response packet with IP ID set to 6 (IPID (t1)).
- Now, the measurement machine performs perturbation by sending a spoofed TCP SYN to the site.
- The site sends a TCP SYN-ACK packet to the reflector and receives a RST packet as a response. The IP ID of the reflector is now incremented to 7.
- The measurement machine again probes the IP ID of the reflector and receives a response with the IP ID value set to 8 (IPID (t4)).
When a system like Augur detects inbound blocking, what has it observed?
Filtering occurs on the path from the site to the reflector.
Since the reflector did not reply to the site, the measurement machine observes the IP ID of the site incremented by 1.
How can outbound blocking be detected with a measurement machine?
Filtering imposed on the outgoing path from the reflector can be detected when the IP ID has increased by more than 2 since the initial SYN-ACK, due to the reflector sending multiple RSTs to the site.