Lesson 10 - Internet Surveillance and Censorship

Question 1

What is DNS censorship?

Answer 1

DNS censorship is a large scale network traffic filtering strategy to enforce control and censorship over Internet infrastructure to suppress material which authorities deem as objectionable.

Question 2

What are the properties of GFW (Great Firewall of China)?

Answer 2

1. Locality of GFW nodes - The majority view is that censorship nodes are present at the edge.
2. Centralized management (suggested by common blocklists obtained from two distinct GFW locations).
3. Load balancing

Question 3

How does DNS injection work?

Answer 3

1. DNS probe is sent to the open DNS resolvers
2. The probe is checked against the blocklist of domains and keywords.
3. For domain level blocking, a fake DNS A record response is sent back.

Question 4

What are the strengths and weaknesses of “packet dropping” DNS censorship technique?

Answer 4

Strengths:

• Easy to implement
• Low cost

Weaknesses:

• Maintenance of blocklist - It is challenging to stay up to date with the list of IP addresses to block
• Overblocking - If two websites share the same IP address and the intention is to only block one of them, there’s a risk of blocking both

Question 5

What is the strength of “DNS poisoning” as a DNS censorship technique?

Answer 5

+ No overblocking: Specific hostnames can be blocked versus blanket IP address blocking.

Question 6

What are the strengths and weaknesses of DNS censorship using “content inspection” techniques?

Answer 6

regarding Proxy-based content inspection:
+Precise censorship: A very precise level of censorship can be achieved, down to the level of single web pages or even objects within the web page
+Flexible: Works well with hybrid security systems e.g. with a combination of other censorship techniques like packet dropping and DNS poisoning.
-Not scalable: They are expensive to implement on a large scale network as the processing overhead is large (through a proxy)

Intrusion detection system based content inspection is more cost-effect as it is responsive and not reactive since it informs firewall rules for future censorship.

Question 7

What is a “blocking with resets” DNS censorship technique?

Answer 7

server sends a TCP reset (RST) to block individual connections that contain requests with objectionable content.

Question 8

What are the strengths and weaknesses of “immediate reset of connections” DNS censorship technique?

Answer 8

• potentially block valid content for a period of time.

Question 9

What are the challenges of understanding censorship around the world?

Answer 9

1. Diverse Measurements
2. Measurement techniques should be scalable.
3. Need to identify intent to censor and not just a misconfiguration.
4. Ethics and Minimizing Risks to citizens in censored networks.

Question 10

What steps does Iris take to identify DNS manipulation

Answer 10

1. Scanning the Internet’s IPv4 space for open DNS resolvers
2. Identifying Infrastructure DNS Resolvers
3. Perform DNS queries.
4. Note DNS responses with auxiliary information. (such as their geo-location, AS, port 80 HTTP responses, etc.)
5. Additional PTR and TLS scanning to avoid inconsistencies where more that one host are on the same IP.
6. Clean the data
7. Identify DNS manipulation

Question 11

How is it possible to achieve connectivity disruption using routing disruption approach?

Answer 11

If this communication is disrupted or disabled on critical routers, it could result in unreachability of the large parts of a network.
This approach involves withdrawing previously advertised prefixes or re-advertising them with different properties and therefore modifying the global routing state of the network.

Question 12

How is it possible to achieve connectivity disruption using packet filtering approach?

Answer 12

Packets matching a certain criteria can be blocked disrupting the normal forwarding action.

Question 13

How does the Augur system use connectivity disruption to determine no filtering is occurring between the host and reflector?

Answer 13

The measurement machine determines the IP ID has incremented by 2 between the first probe and the second.

A bit of detail:

1. The measurement machine probes the IP ID of the reflector by sending a TCP SYN-ACK packet. It receives a RST response packet with IP ID set to 6 (IPID (t1)).
2. Now, the measurement machine performs perturbation by sending a spoofed TCP SYN to the site.
3. The site sends a TCP SYN-ACK packet to the reflector and receives a RST packet as a response. The IP ID of the reflector is now incremented to 7.
4. The measurement machine again probes the IP ID of the reflector and receives a response with the IP ID value set to 8 (IPID (t4)).

Question 14

When a system like Augur, detects inbound blocking what has it observed.

Answer 14

Filtering occurs on the path from the site to the reflector.
Since the reflector did not reply to the host site the measurement machine observes the IP ID of the site incremented by 1.

Question 15

How can outbound blocking be detected with a measurement machine?

Answer 15

Filtering imposed on the outgoing path from the reflector can be determined when IP ID has increased beyond 2 from the initial SYN-ACK due to the reflector sending multiple RSTs to the host.

Question 16

In relation to DNS censorship, what is packet dropping?

Answer 16

in packet dropping, all network traffic going to a set of specific IP addresses is discarded.

Question 17

List several DNS censor techniques

Answer 17

Packet dropping
DNS poisoning
Content Inspection
Blocking with Resets
Immediate reset of connections

Question 18

What is DNS poisoning?

Answer 18

When a Domain Name Server receives a request, but does not answer or returns an incorrect answer to redirect or mislead .

Question 19

With regards to DNS censorship, what is “Content Inspection”?

Answer 19

Proxy-based content inspection - All network traffic passes through a proxy where the traffic is examined for content, and the proxy rejects requests that serve objectionable content.

Intrusion detection system (IDS) based content inspection: An alternative approach is to use parts of an IDS to inspect network traffic. An IDS is easier and more cost effective to implement than a proxy based system as it is more responsive than reactive in nature, in that it informs the firewall rules for future censorship.

Question 20

What are two types of content inspection?

Answer 20

Proxy-based

Intrusion Detection System

Question 21

What is Iris?

Answer 21

A system which uses machine learning to identify DNS manipulation.

Question 22

What are ways in which connectivity disruption can be achieved?

Answer 22

Packet Filtering
Routing Disruption
DNS-based blocking
deep packet inspection by an ISP
client software blocking

Question 23

What is Augur?

Answer 23

A system which uses a measurement machine to detect if filtering exists between two hosts.

Question 24

What is an IP ID?

Answer 24

a unique 16-bit IP identifier attached to a packet.

Systems like Augur utilize the IP ID number to detect blocking between two hosts.

+1 inbound blocking
+2 no blocking
>+2 outbound blocking