The Parrot is Dead: Observing Unobservable Network Communication

  1. The Parrot is Dead: Observing Unobservable Network Communication. Amir Houmansadr, Chad Brubaker, Vitaly Shmatikov. Presented by Amruta Patwardhan.

  2. INTRODUCTION • The Internet is a major threat to repressive regimes. • These regimes censor the Internet by IP filtering, deep packet inspection (DPI), DNS hijacking, etc. • Some of the popular circumvention systems are:

  3. INTRODUCTION • We need unobservable circumvention: censors should not be able to identify circumvention traffic or the end hosts involved through passive, active, or proactive techniques.

  4. UNOBSERVABILITY BY IMITATION • Aim of parrot circumvention systems: achieve unobservability by mimicking a widely used, uncensored target protocol. • Popular targets: HTTP, Skype, and IETF (Internet Engineering Task Force) standards-based VoIP. • Imitating an unpopular protocol is futile, because the censor will simply block both the genuine protocol and its imitations.

  5. UNOBSERVABILITY BY IMITATION: SKYPE • Very popular VoIP system based on a P2P overlay network of users running the Skype client. • The client makes calls and sends messages. • Users are authenticated by a central login server. • A Skype supernode is a resource-rich user node that relays media and signaling between clients that cannot communicate directly because of NATs and firewalls.

  6. UNOBSERVABILITY BY IMITATION: IETF-BASED VoIP • Standards-based VoIP involves three functions: network discovery (connecting to the VoIP network), session control (setting up and tearing down calls), and media transmission (carrying the voice datagrams). • SIP (Session Initiation Protocol) is the popular session control protocol; it is an application-layer protocol that can run over TCP or UDP. • A VoIP session between two SIP user agents uses a media transmission protocol to carry the call traffic. • Media transmission: RTP (Real-time Transport Protocol) is the IETF standard; RTCP controls an established RTP session by exchanging out-of-band statistics and control information. Both RTP and RTCP run over UDP.

  7. PARROT CIRCUMVENTION SYSTEMS • The class of circumvention systems that aim to achieve unobservability by imitating popular applications such as web browsers and Skype clients are called parrot circumvention systems. • SkypeMorph: hides Tor traffic by mimicking a Skype video call. • StegoTorus: mimics Skype and/or HTTP. • CensorSpoofer: mimics SIP-based VoIP.

  8. SkypeMorph • Pluggable transport for Tor. • Traffic between the Tor client and a Tor bridge is made to look like a Skype video call. • Login authentication and the initial call setup are done using the real Skype software. [Diagram: censored client and SkypeMorph module behind a firewall/NAT, SkypeMorph bridge, Tor network (ORs); direct client-to-OR communication is blocked.]

  9. StegoTorus • Pluggable Tor transport derived from obfsproxy. • Adds chopping and steganography to Tor clients and bridges. • Chopper: converts the traffic on a Tor link into a sequence of variable-size blocks that are independently padded and delivered out of order. • Embed steganography: aims to mimic a P2P connection such as Skype; uses a database of previously collected genuine Skype or Ventrilo packet traces to shape its traffic. • HTTP steganography: aims to mimic unencrypted HTTP traffic using a client-side request generator and a server-side response generator. [Diagram: Tor client, StegoTorus client, adversary firewall, StegoTorus server, existing Tor network, censored sites.]

  10. PARROT CIRCUMVENTION SYSTEMS: CensorSpoofer • CensorSpoofer is a standalone system (not a Tor transport). • Uses IP spoofing to hide the server's identity. • Mimics VoIP traffic to hide traffic patterns. [Diagram: client behind the firewall, SIP server, dummy host, spoofer, RTP upstream and RTP downstream, censored destinations.]

  11. ADVERSARY MODEL: Capability classification • Passive attacks: observing and analyzing network traffic and the behavior of Internet entities; statistical analysis, deep packet inspection, behavioral analysis. • Active attacks: manipulating network traffic; delaying, dropping or injecting packets, modifying packet contents, throttling bandwidth, terminating connections. • Proactive attacks: sending probes that evoke recognizable responses and reveal the network entities involved in circumvention; e.g., censors may initiate connections to random or suspected IP addresses, trying to discover Tor bridges.

  12. ADVERSARY MODEL: Knowledge classification • Local adversary (LO): controls a few network devices and can only observe a small number of connections, e.g., home routers or Wi-Fi access points. • State-level adversary: observes large volumes of network traffic, e.g., malicious ISPs, government censors. • State-level oblivious adversary (OB): has limited processing and storage resources; may do deep packet inspection, but only at close to line speed and possibly only on single packets rather than across packets. • State-level omniscient adversary (OM): has ample processing and storage resources; can aggregate data collected at different network locations; can store all intercepted traffic for offline analysis.

  13. ADVERSARY MODEL: Real-world censors • Internet censorship is being deployed very aggressively in many countries. • Some government censors are passive OB, but active and proactive OM censors are increasing. • E.g., censors in some countries managed to detect and block all Tor traffic for several weeks just by noticing the DH handshake. • Censors in some countries block all encrypted traffic.

  14. ADVERSARY MODEL: Adversary models assumed by the parrot circumvention systems • SkypeMorph: assumes a censor capable of passive, active and proactive attacks; by this behavior the censor is OM in our knowledge classification. • StegoTorus: assumes IP and content filtering can only be done in real time; this censor is OB in our knowledge classification. • CensorSpoofer: assumes a censor capable of passive, active and proactive attacks; this censor is OM in our knowledge classification.

  15. REQUIREMENTS FOR PARROT CIRCUMVENTION: Mimicking the protocol in its entirety • Correct: mimic the target protocol correctly. • SideProtocols: the parrot must mimic all control channels and side protocols that run alongside the main session of its target; e.g., a VoIP session involves three protocols: SIP, RTP and RTCP. • IntraDepend: changes in the main session cause observable activity in its side protocols or control channels; the parrot must mimic all the dynamic dependencies and correlations between these sub-protocols. • InterDepend: a session of a given protocol often triggers other protocols, e.g., an HTTP request triggers multiple DNS queries; the parrot must both trigger other protocols like the target does and respond as the target does when triggered by other protocols.
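As an added example (not code from the slides or the paper), the InterDepend requirement turned into a passive check a censor could run: a genuine browser resolves a hostname before opening a TCP connection to port 80 or 443, so a client whose "HTTP" connections go to addresses it never resolved is behaving unlike a browser. Because DNS caching makes a few such connections normal, the verdict is per client and ratio-based. The event records, field names, IP addresses and the 50% threshold are all constructed or assumed for the example.

```python
"""Passive InterDepend check: web connections without a preceding DNS answer.
Added example; event format, addresses and threshold are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Event:
    t: float      # timestamp in seconds
    kind: str     # "dns" = an answer delivered to client, "tcp" = a new connection
    client: str   # client IP
    dst: str      # answered IP for "dns", destination IP for "tcp"
    dport: int = 0

WEB_PORTS = {80, 443}

def unresolved_connections(events: List[Event], window: float = 300.0) -> Dict[str, List[Event]]:
    """Per client, the web connections whose destination was not returned in any
    DNS answer delivered to that client during the preceding `window` seconds."""
    answers: Dict[str, List[Tuple[float, str]]] = {}
    flagged: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "dns":
            answers.setdefault(ev.client, []).append((ev.t, ev.dst))
        elif ev.kind == "tcp" and ev.dport in WEB_PORTS:
            recent = {ip for t, ip in answers.get(ev.client, [])
                      if ev.t - window <= t <= ev.t}
            if ev.dst not in recent:
                flagged.setdefault(ev.client, []).append(ev)
    return flagged

def unresolved_ratio(events: List[Event], window: float = 300.0) -> Dict[str, float]:
    """Fraction of each client's web connections that had no preceding DNS answer."""
    totals: Dict[str, int] = {}
    for ev in events:
        if ev.kind == "tcp" and ev.dport in WEB_PORTS:
            totals[ev.client] = totals.get(ev.client, 0) + 1
    flagged = unresolved_connections(events, window)
    return {c: len(flagged.get(c, [])) / n for c, n in totals.items()}

def suspicious_clients(events: List[Event], threshold: float = 0.5,
                       window: float = 300.0) -> List[str]:
    """Clients whose unresolved ratio reaches the (assumed) threshold."""
    return sorted(c for c, r in unresolved_ratio(events, window).items() if r >= threshold)

# Constructed sample (documentation address ranges): 10.0.0.1 behaves like a
# browser (resolve, then connect; one connection to a cached/hard-coded address),
# while 10.0.0.2 opens "HTTP" connections with no DNS activity at all, the trace
# a parrot that does not reproduce HTTP's DNS dependency would leave behind.
SAMPLE_EVENTS = [
    Event(0.0, "dns", "10.0.0.1", "192.0.2.10"),
    Event(0.1, "tcp", "10.0.0.1", "192.0.2.10", 443),
    Event(0.2, "dns", "10.0.0.1", "192.0.2.20"),
    Event(0.3, "tcp", "10.0.0.1", "192.0.2.20", 443),
    Event(0.4, "tcp", "10.0.0.1", "192.0.2.20", 443),
    Event(0.5, "tcp", "10.0.0.1", "198.51.100.7", 80),   # cached answer, no DNS seen
    Event(1.0, "tcp", "10.0.0.2", "203.0.113.10", 80),
    Event(1.5, "tcp", "10.0.0.2", "203.0.113.10", 80),
    Event(2.0, "tcp", "10.0.0.2", "203.0.113.11", 80),
    Event(2.5, "tcp", "10.0.0.2", "203.0.113.11", 80),
]

if __name__ == "__main__":
    print(unresolved_ratio(SAMPLE_EVENTS))   # {'10.0.0.1': 0.25, '10.0.0.2': 1.0}
    print(suspicious_clients(SAMPLE_EVENTS))  # ['10.0.0.2']
```

The window and threshold are where a practitioner tunes for false positives: long DNS TTLs, DoH/DoT resolvers the censor cannot see, and connections by IP literal all produce unresolved connections from genuine clients, which is why a single hit is not a verdict.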

  16. REQUIREMENTS FOR PARROT CIRCUMVENTION: Mimicking reactions to errors and network conditions • Err: the parrot must produce a reaction to every possible error, and the reaction must be consistent with the target's. • Network: the parrot must mimic the target's behavior under all network condition changes, such as packet drops and reordering, repacketization, etc.; e.g., TCP uses sequence numbers and congestion control, live-video applications have automatic repeat request mechanisms, and the side protocols must react as in the target. Mimicking implementation-specific artifacts • Soft: the parrot must mimic not just the protocol but a specific version of a specific implementation. • OS: the parrot must generate consistent OS fingerprints.

  17. REQUIREMENTS FOR PARROT CIRCUMVENTION: Mimicking typical traffic • Content: specific header and payload formats; imitated files must be metadata-compatible with genuine files. • Patterns: all pattern characteristics, such as packet sizes, packet counts, inter-packet intervals and flow rates, should match the genuine protocol. • Users: user behavior produces recognizable patterns at the network level, e.g., how Skype users make calls or how users send email. • Geo: protocol behavior such as routing decisions, choice of peers, or traffic contents depends on geographic location; e.g., web servers respond differently by region, and SIP-based VoIP clients connect to the geographically closest SIP server. Some implementations (e.g., Skype) behave in a country-specific way.

  18. DETECTING SKYPE IMITATORS • SkypeMorph and StegoTorus-Embed are easily distinguished from genuine Skype: the imitation is incomplete and is recognized by low-cost passive attacks. • Hypothetical improved versions (designed to imitate more Skype behaviors) can still be distinguished from genuine Skype by active and proactive attacks. • Passive attacks: StegoTorus mimics Skype's call traffic but fails to imitate Skype's HTTP update and login traffic; both parrots fail to mimic Skype's TCP control channel; neither generates Skype's SoM (start-of-message) packet headers.

  19. DETECTING SKYPE IMITATORS • [Figure from the paper: http://www.cs.utexas.edu/~shmat/shmat_oak13parrot.pdf]

  20. DETECTING SKYPE IMITATORS: Active and proactive attacks to detect improved Skype parrots • [Figure from the paper: http://www.cs.utexas.edu/~shmat/shmat_oak13parrot.pdf]

  21. DETECTING STEGOTORUS: Attacks on the StegoTorus chopper • Correlating IP addresses between links (Requirement: Geo; Adversary: passive, LO/OM): the chopper's multiple connections all go to the same server, whereas genuine web servers are geographically distributed; spreading a session over distant servers would introduce intolerable delay for low-latency traffic such as Tor. • Exploiting connection dependences (Requirement: Network, Users; Adversary: passive/active, LO/OM): the StegoTorus chopper creates multiple connections that carry packets of the same Tor session, so their reactions to network conditions and changes are correlated; genuine HTTP connections to different servers exhibit no such correlations. (Details: http://www.cs.utexas.edu/~shmat/shmat_oak13parrot.pdf)
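The connection-dependence attack above, reduced to a measurable test, as an added example (not code from the slides or the paper). Because the chopper spreads one Tor session across several "HTTP" connections, a stall or rate change on the Tor circuit shows up in all of them at the same moments, while genuine HTTP connections to different servers rise and fall independently. The per-second byte counts are constructed for the example, and the 0.6 correlation threshold is an assumed value; a censor would calibrate it on its own traffic.

```python
"""Pairwise correlation of a client's concurrent connections (added example).
Byte-count series and the threshold are constructed/assumed for illustration."""
import math
from itertools import combinations
from typing import Dict, List, Sequence

def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson correlation of two equal-length series; 0.0 if either is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0.0 or syy == 0.0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)

def mean_pairwise_correlation(flows: Dict[str, List[float]]) -> float:
    """Average correlation over every pair of the client's connections."""
    pairs = list(combinations(flows, 2))
    if not pairs:
        return 0.0
    return sum(pearson(flows[a], flows[b]) for a, b in pairs) / len(pairs)

def looks_chopped(flows: Dict[str, List[float]], threshold: float = 0.6) -> bool:
    """True when concurrent connections move together as if fed by one session."""
    return len(flows) >= 2 and mean_pairwise_correlation(flows) >= threshold

# Constructed bytes/second for three concurrent connections from one client.
# Chopper-like: different rates, but the same stalls (seconds 3-4 and 8) on all.
CHOPPED_FLOWS = {
    "conn1": [12, 15, 11, 0, 0, 14, 13, 16, 0, 12],
    "conn2": [5, 7, 6, 0, 0, 6, 5, 8, 0, 6],
    "conn3": [20, 18, 22, 0, 0, 19, 21, 17, 0, 20],
}
# Browser-like: a one-shot fetch, a ramping stream and a polling connection.
GENUINE_FLOWS = {
    "conn1": [30, 0, 0, 0, 0, 0, 0, 0, 0, 0],
    "conn2": [0, 0, 4, 9, 12, 10, 11, 9, 8, 10],
    "conn3": [6, 0, 7, 0, 5, 0, 6, 0, 7, 0],
}

if __name__ == "__main__":
    for name, flows in (("chopped", CHOPPED_FLOWS), ("genuine", GENUINE_FLOWS)):
        print(name, round(mean_pairwise_correlation(flows), 3), looks_chopped(flows))
```

An active censor does not have to wait for natural stalls: dropping or delaying packets on one of the client's connections and watching whether the others react is the same measurement with a forced stimulus, which is why the slide lists the attack as passive/active.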

  22. DETECTING STEGOTORUS: Passive attacks on StegoTorus-HTTP • Exploiting discrepancies in file-format semantics (Requirement: Content; Adversary: passive, LO/OB/OM). • The StegoTorus paper claims that checking file semantics at line speed requires more resources than a state-level censor dealing with large volumes of traffic can afford. • E.g., analyzing PDF files: the fake trace generator in the StegoTorus prototype produces templates that resemble genuine PDF files but lack the essential xref table. • With deep packet inspection this can be detected at line speed, without any need to reconstruct the file.
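As an added example (not code from the slides or the paper), a per-packet DPI check for the PDF discrepancy just described. Each HTTP response body that begins with the `%PDF-` magic is scanned packet by packet for a cross-reference section; if the body reaches `%%EOF` without one, the "PDF" is flagged. No file is reassembled: the only per-flow state is a few flags and a 16-byte carry-over from the previous packet so that a keyword split across packets is still seen. The minimal PDF bodies below are constructed skeletons (their byte offsets are not accurate), and the carry size is an assumption.

```python
"""Line-speed check for a PDF without a cross-reference section (added example)."""
import re
from typing import Optional

# A classic table starts with "xref" at the beginning of a line; requiring the
# preceding newline keeps the "startxref" keyword from counting. PDF 1.5+ files
# may carry a cross-reference stream object instead of a table.
XREF_TABLE = re.compile(rb"[\r\n]xref[\r\n\t ]")
XREF_STREAM = re.compile(rb"/Type\s*/XRef\b")
CARRY = 16   # bytes kept from the previous packet (assumed; must exceed the longest keyword)

class PdfXrefChecker:
    """State for one flow; feed() is called once per packet payload, in order."""
    def __init__(self) -> None:
        self.head = b""                   # buffered until the 5-byte magic is complete
        self.is_pdf: Optional[bool] = None
        self.seen_xref = False
        self.tail = b""
        self.verdict: Optional[str] = None

    def feed(self, payload: bytes) -> Optional[str]:
        """Return "ok", "fake-pdf" or "not-pdf" once decidable, else None."""
        if self.verdict is not None:
            return self.verdict
        if self.is_pdf is None:
            self.head += payload
            if len(self.head) < 5:
                return None
            self.is_pdf = self.head.startswith(b"%PDF-")
            if not self.is_pdf:
                self.verdict = "not-pdf"
                return self.verdict
            payload = self.head           # scan everything buffered so far
        window = self.tail + payload
        if XREF_TABLE.search(window) or XREF_STREAM.search(window):
            self.seen_xref = True
        if b"%%EOF" in window:
            self.verdict = "ok" if self.seen_xref else "fake-pdf"
        self.tail = window[-CARRY:]
        return self.verdict

def scan_response(body: bytes, chunk: int) -> str:
    """Split a response body into `chunk`-byte packets and run the checker."""
    checker = PdfXrefChecker()
    verdict = None
    for off in range(0, len(body), chunk):
        verdict = checker.feed(body[off:off + chunk])
        if verdict is not None:
            break
    return verdict or "incomplete"

# Constructed sample bodies (structural skeletons, not renderable PDFs).
OBJECTS = (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
           b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n")
GENUINE_PDF = (b"%PDF-1.4\n" + OBJECTS +
               b"xref\n0 3\n0000000000 65535 f \n0000000009 00000 n \n0000000058 00000 n \n"
               b"trailer\n<< /Size 3 /Root 1 0 R >>\nstartxref\n112\n%%EOF\n")
# Same header, objects and trailer, but no xref table: the discrepancy the slide describes.
FAKE_PDF = (b"%PDF-1.4\n" + OBJECTS +
            b"trailer\n<< /Size 3 /Root 1 0 R >>\nstartxref\n112\n%%EOF\n")
# Cross-reference stream instead of a table: genuine, and must not be flagged.
XREF_STREAM_PDF = (b"%PDF-1.5\n" + OBJECTS +
                   b"3 0 obj\n<< /Type /XRef /Size 4 /W [1 2 1] /Root 1 0 R /Length 0 >>\n"
                   b"stream\n\nendstream\nendobj\nstartxref\n120\n%%EOF\n")

if __name__ == "__main__":
    for name, body in (("genuine", GENUINE_PDF), ("fake", FAKE_PDF), ("xref-stream", XREF_STREAM_PDF)):
        print(name, [scan_response(body, c) for c in (1, 7, 64, 4096)])
```

The cross-reference-stream case is the caveat a censor has to get right: a checker that only looks for the `xref` keyword would flag every PDF 1.5+ file written with object streams, and a parrot author could exploit that by making the fake look like one. The sample bodies are far from a full model of PDF; the point is that the check is a small per-packet state machine, not a file parser.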

  23. DETECTING STEGOTORUS: Active and proactive attacks on StegoTorus-HTTP • [Figure from the paper: http://www.cs.utexas.edu/~shmat/shmat_oak13parrot.pdf]

  24. DETECTING CENSORSPOOFER • [Figure from the paper: http://www.cs.utexas.edu/~shmat/shmat_oak13parrot.pdf]

  25. RELATED WORK: Pluggable Tor transports • obfsproxy: the first pluggable Tor transport; it preserves traffic patterns but removes Tor-related content identifiers, so it fails to achieve unobservability. • Flash proxy: turns ordinary web browsers into bridges using WebSockets; it fails the Users requirement. • Dust: aims to provide a packet-based, DPI-resistant protocol.

  26. LESSONS AND RECOMMENDATIONS • Lessons: a thorough understanding of the adversaries is a must; unobservability by imitation is a fundamentally flawed approach; partial imitation is worse than no imitation at all. • Recommendations: do not mimic the protocol, run the actual protocol. FreeWave hides data in encrypted voice or video payloads sent over genuine Skype; SWEET embeds it in email messages.

  27. Thank you !!