Anticensorship in the Network Infrastructure Eric Wustrow University of Michigan.

Slides:

Advertisements

Similar presentations

1 Firewalls. 2 References 1.Mark Stamp, Information Security: Principles and Practice, Wiley Interscience, Robert Zalenski, Firewall Technologies,

Advertisements

Censorship Resistance: Decoy Routing Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See.

NS-H /11041 Attacks. NS-H /11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.

1 Advanced Security Research Wes Hardaker Eric Monteith, Russ Mundy, Eric O’Brian, Ron Ostrenga, Dan Sterne, Roshan Thomas NAI Labs under contract to DARPA.

1 Depth First Search dfs(0, 0) open site blocked site reachable from top via open sites.

Security Firewall Firewall design principle. Firewall Characteristics.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

Lecture Chapter 1: roadmap 1.1 What is the Internet? 1.2 Network edge  end systems, access networks, links 1.3 Network core  network structure,

Firewalls Presented By Hareesh Pattipati. Outline Introduction Firewall Environments Type of Firewalls Future of Firewalls Conclusion.

Putting the Network to Work

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

MPTCP Proxy Support Costin Raiciu. Explicit Proxies The MPTCP host knows about the proxy (e.g. via DHCP) All connections are made to the proxy – Signaling.

Introducing Fiddler Web Debugging for Performance and Operations

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

Jeremiah O’Connor CS 683 Fall 2012 CensorSpoofer: Asymmetric Communication using IP Spooﬁng for Censorship-Resistant Web Browsing.

OASIS V2+ Next Generation Open Access Server CSD 2006 / Team 12.

DNS POISONING + CENSORSHIP LAB DUSTIN VANDENBERG, VIPUL AGARWAL, LIANG ZHAO.

Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou CS Dept., Duke University.

Access Gateway Operation

January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.

Unit 28 Website Production.

System Administration and Maintenance. Proxy Server 1 Purpose – – To separate internal network from internet (NAT) To cache often used content User control:

Module 7: Firewalls and Port Forwarding 1. Overview Firewall configuration for Web Application Hosting Forwarding necessary ports for Web Application.

CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 03 PHILLIPA GILL STONY BROOK UNIVERSITY, COMPUTER SCIENCE ACKS: SLIDES BASED ON MATERIAL FROM NICK WEAVER’S.

Module 10: Monitoring ISA Server Overview Monitoring Overview Configuring Alerts Configuring Session Monitoring Configuring Logging Configuring.

SDN based Network Security Monitoring in Dynamic Cloud Networks Xiuzhen CHEN School of Information Security Engineering Shanghai Jiao Tong University,

Module 4: Configuring ISA Server as a Firewall. Overview Using ISA Server as a Firewall Examining Perimeter Networks and Templates Configuring System.

HTML ~ Web Design.

CHAPTER 10 Session Hijacking. INTRODUCTION The act of taking over a connection of some sort, for examples, network connection, a modem connection or other.

David Wetherall Professor of Computer Science & Engineering Introduction to Computer Networks Transport Layer Overview (§ )

Overview of Microsoft ISA Server. Introducing ISA Server New Product—Proxy Server In 1996, Netscape had begun to sell a web proxy product, which optimized.

© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.

Module 8: Managing Terminal Services. Overview Use and manage Terminal Services RemoteApp programs Use and manage Terminal Services Gateway Optimize and.

ClearTunnel Close the SSL Hole! Copyright ©2008 Collective Software, LLC.

The Domain Name System and DNS Blocking Malcolm Hutty Head of Public Affairs, LINX February 2011.

GOVERNMENT REGULATION AND SURVEILLANCE OF THE INTERNET Ayman Irziqat Katarzyna Kosarska Sergio Pradel.

McLean HIGHER COMPUTER NETWORKING Lesson 14 Firewalls & Filtering Comparison of Internet content filtering methods: firewalls, Internet filtering.

Class 16 Deniable Authentication CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman

RTCWEB Considerations for NATs, Firewalls and HTTP proxies draft-hutton-rtcweb-nat-firewall- considerations A. Hutton, T. Stach, J. Uberti.

Security fundamentals Topic 10 Securing the network perimeter.

Routing Around Decoys Max Schuchard, John Geddes, Christopher Thompson, Nicholas Hopper Proposed in FOCI'11, USINIX Security'11 and CCS'11 Presented by:

CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 22 PHILLIPA GILL - STONY BROOK U.

Connection Establishment and Termination. Tcpdump tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept.

CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 23 PHILLIPA GILL - STONY BROOK U.

Cryptography and Network Security Chapter 16 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

INTRODUCTION Firewall is a concept which blocks unwanted traffic and passes desirable traffic to and from both sides of the network.

Network and Internet Security Prepared by Dr. Lamiaa Elshenawy

Lesson 2a © 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—2-1 Firewall Technologies and the Cisco Security Appliance.

An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson.

© ITT Educational Services, Inc. All rights reserved.Page 1 IS3220 Information Technology Infrastructure Security Class Agenda 1  Learning Objectives.

Volunteer-based Monitoring System Min Gyung Kang KAIST.

: MobileIP. : r Goal: Allow machines to roam around and maintain IP connectivity r Problem: IP addresses => location m This is important for efficient.

Draft-carpenter-v6ops-label-balance-02 Brian Carpenter Sheng Jiang (Speaker) Willy Tarreau March 2012 IPv6 Flow Label for Server Load Balancing - update.

PROXY SERVER Kalyani Ravi. A proxy server is essentially an electronic gatekeeper, residing between an organization's internal network and the Internet,

Presented By Hareesh Pattipati.  Introduction  Firewall Environments  Type of Firewalls  Future of Firewalls  Conclusion.

Multicast in Information-Centric Networking March 2012.

DISA Cyclops Program.

The Great Firewall of China What is it and how does it work?

iSupplier Portal (iSP) Technical Requirements

CS590B/690B Detecting network interference (Fall 2016)

CS590B/690B Detecting Network Interference (Fall 2016)

Practical Censorship Evasion Leveraging Content Delivery Networks

No Direction Home: The True cost of Routing Around Decoys

Working at a Small-to-Medium Business or ISP – Chapter 7

Internet Connection Sharing

Chapter 5 TCP Control Flow

Session 20 INST 346 Technologies, Infrastructure and Architecture

Presentation transcript:

Anticensorship in the Network Infrastructure Eric Wustrow University of Michigan

Background | Internet Censorship 2 Pervasive censorship Substantial censorship Changing situation Little or no censorship Selective censorship

3 Censor… controls client’s network, but not external network … blocks according to a blacklist … allows HTTPS connections to non-blocked sites Threat Model

4 Telex | Overview

5

6

7

8

9

Prototype | Test Deployment Hosted sites 10 Single Telex Station on lab-scale “ISP” at Michigan Blocked.telex.cc Simulated censored site only reachable via Telex NotBlocked.telex.cc Unobjectionable content * Inline Blocking Asymmetric flows

Telex v2: Passive tap 11

ClientServerISP Proxy “GET / HTTP/1.1\r\nX-Ignore: \x81\x28\x66 …” ACK [seq=Y, ack=X] “PROXY OK” [seq=Y, ack=X, len=M] ACK [seq=X, ack=Y+M] ack != Y? “\x95\x1f\x6b\x27\xe2 … \xc8\x3f\x22 …” Tag: Plaintext: Ciphertext: Plaintext: “GET …” [seq=X, ack=Y+M] Plaintext: “HTTP/ OK … ….” Plaintext: New architecture -- passive ISP tap TLS Handshake

New architecture -- passive ISP tap Pros –No inline blocking required, only passive tap –Works with asymmetric flows (client -> server) Cons –Censor can use active attacks (though we can use “active defenses”) 13

Anticensorship in the Network Infrastructure Future work –Looking for ISPs willing to help Technical feedback Prototype deployment –Strategies for optimal deployment –Improving traffic analysis defense 14

Anticensorship in the Network Infrastructure Eric Wustrow Colleen M. Swanson Scott Wolchok Ian Goldberg J. Alex Halderman