DOI: 10.1145/3131365.3131374

Your state is not mine: a closer look at evading stateful internet censorship

Published: 01 November 2017

    Abstract

    Understanding the behaviors of, and evading, state-level Internet-scale censorship systems such as the Great Firewall (GFW) of China has emerged as a research problem of great interest. One line of evasion is the development of techniques that leverage the possibility that the TCP state maintained on the GFW may not represent the state at end-hosts. In this paper we undertake, arguably, the most extensive measurement study on TCP-level GFW evasion techniques, with several vantage points within and outside China, and with clients subscribed to multiple ISPs. We find that the state-of-the-art evasion techniques are no longer very effective on the GFW. Our study further reveals that the primary cause of these failures is the evolution of the GFW over time. In addition, other factors such as the presence of middleboxes on the route from the client to the server also contribute to previously unexpected behaviors.
    Our measurement study leads us to new understandings of the GFW and new evasion techniques. Evaluations of our new evasion strategies show that our new techniques provide much higher success rates than prior schemes (≈ 90% or higher). Our results further validate our new understandings of the GFW's evolved behaviors. We also develop a measurement-driven tool, INTANG, that systematically looks for and finds the best strategy that works with a server and network path. Our measurements show that INTANG can yield near-perfect evasion rates and is extremely effective in aiding various protocols such as HTTP, DNS over TCP, and Tor in evading the GFW.


    Published In

    IMC '17: Proceedings of the 2017 Internet Measurement Conference
    November 2017
    509 pages
    ISBN:9781450351188
    DOI:10.1145/3131365

    In-Cooperation

    • USENIX Assoc

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. INTANG
    2. TCP
    3. censorship circumvention
    4. the great firewall of china
    5. traffic manipulation

    Qualifiers

    • Research-article

    Conference

    IMC '17
    IMC '17: Internet Measurement Conference
    November 1 - 3, 2017
    London, United Kingdom

    Acceptance Rates

    Overall Acceptance Rate 277 of 1,083 submissions, 26%

    Article Metrics

    • Downloads (Last 12 months): 299
    • Downloads (Last 6 weeks): 33
    Reflects downloads up to 12 Aug 2024

    Cited By

    • (2024) Out in the Open: On the Implementation of Mobile App Filtering in India. Passive and Active Measurement (19-36). DOI: 10.1007/978-3-031-56252-5_2. Online publication date: 20-Mar-2024
    • (2023) How the great firewall of china detects and blocks fully encrypted traffic. Proceedings of the 32nd USENIX Conference on Security Symposium (2653-2670). DOI: 10.5555/3620237.3620386. Online publication date: 9-Aug-2023
    • (2023) DeResistor. Proceedings of the 32nd USENIX Conference on Security Symposium (2617-2633). DOI: 10.5555/3620237.3620384. Online publication date: 9-Aug-2023
    • (2023) Amoeba: Circumventing ML-supported Network Censorship via Adversarial Reinforcement Learning. Proceedings of the ACM on Networking 1:CoNEXT3 (1-25). DOI: 10.1145/3629131. Online publication date: 28-Nov-2023
    • (2023) PTPerf: On the Performance Evaluation of Tor Pluggable Transports. Proceedings of the 2023 ACM on Internet Measurement Conference (501-525). DOI: 10.1145/3618257.3624817. Online publication date: 24-Oct-2023
    • (2023) Global, Passive Detection of Connection Tampering. Proceedings of the ACM SIGCOMM 2023 Conference (622-636). DOI: 10.1145/3603269.3604875. Online publication date: 10-Sep-2023
    • (2023) Measuring and Evading Turkmenistan’s Internet Censorship. Proceedings of the ACM Web Conference 2023 (1969-1979). DOI: 10.1145/3543507.3583189. Online publication date: 30-Apr-2023
    • (2022) Evaluating the Effectiveness of Handling Abusive Domain Names by Internet Entities. Electronics 11:8 (1172). DOI: 10.3390/electronics11081172. Online publication date: 7-Apr-2022
    • (2022) StateDiver: Testing Deep Packet Inspection Systems with State-Discrepancy Guidance. Proceedings of the 38th Annual Computer Security Applications Conference (756-768). DOI: 10.1145/3564625.3564650. Online publication date: 5-Dec-2022
    • (2022) Adversarial Detection of Censorship Measurements. Proceedings of the 21st Workshop on Privacy in the Electronic Society (139-143). DOI: 10.1145/3559613.3563203. Online publication date: 7-Nov-2022
