Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS590B/690B Detecting Network Interference (Fall 2016)

Published byCamron Curtis Modified over 6 years ago

Similar presentations

Presentation on theme: "CS590B/690B Detecting Network Interference (Fall 2016)"— Presentation transcript:

1 CS590B/690B Detecting Network Interference (Fall 2016)
Lecture 18 Decoy Routing Part I Phillipa Gill – Umass -- Amherst

2 Where we are Last time: Parrot is dead + Cover Your Acks Today
Decoy routing overview Telex Tap Dance (video) Recommended viewing:

3 Review questions Why is imitating an existing protocol challenging?
How are some ways that SkypeMorph fails to evade detection? What about Stegotorus? What is key difference between Freewave and SkypeMorph? How does Freewave try to evade detection? Why does it fail? What are the three types of mismatch that can cause mimicking to fail? Give examples

4 Today: decoy routing Bake circumvention into network routing.
Four key papers: Decoy Routing (FOCI 2011) Cirripede (CCS 2011) Telex (Usenix Security 2011) Tap Dance (Usenix Security 2014) Follow ons: (next class) Routing Around Decoys (CCS2012) No Way Home (NDSS 2014)

5 Challenge of cat and mouse
Circumvention schemes we’ve discussed so far require end- host participation + a proxy or relay server Constant race between detecting circumvention and coming up with new ways to hide. Censor blocks proxy IP Circumvention tool tries to hide proxy IP Put proxy in a dark net (unused IP address space) Hard for censor to find, also hard for clients  Circumventor hides services in more diverse/dynamic IP addresses E.g., resource constrained home users Basic idea: get circumvention on as many IPs as possible  blocking all IPs is not feasible. But can they really get enough IPs to run the circumvention?...

6 What if hosts “look like” proxies?
Idea behind decoy routing: Make any/every host on the Internet look like a latent proxy server Every destination IP acts like a proxy server Goals: access to blacklisted sites with near normal latency and throughput Preserve secrecy of contents + true destination Threat model: Assume basic IP-filtering firewall. Assume circumvention tool, methods, and algorithms are publicly known. Key idea: It is hard to filter traffic based on an intermediate router Packet contains destination IP, not intermediate hops on the path A network has little control over the upstream paths taken by their packets Filtering 1 router can have large collateral damage (if it transits traffic for a lot of prefixes)

7 How it works Decoy router can sit on any network path and act as a proxy (or forward client traffic to a decoy proxy). But how can the client connect to the proxy? Why can it not just address a packet to the proxy destination? Solution: Connect to a decoy destination Once connected covertly signal over TCP/IP flow that the decoy router should forward the packet to the proxy Proxy then intercepts the TCP connection (drop connection to decoy destination) and act as a regular proxy.

8 How it circumvents Makes IP filtering ineffective because the destination IP is meaningless IP on the path is tunneling traffic elsewhere. Nearly any IP address (depending on decoy router location) can be a decoy destination Components of decoy routing: Client software, decoy router, decoy proxy + covert signalling mechanism Decoy router must be able to maintain line rate communication while looking for covert signaling Decoy proxy needs to be able to hijack TCP session to communicate with the client

9 Timeline

10 Step 1: Connect to Decoy Destination
Client needs to find a path with a decoy router Create TCP/IP connections to different destinations Try inserting sentinels (covert requests) into the connection E.g., put a special string in an HTTP cookie header If a decoy proxy replies with a “hello” message the client knows there is a proxy on the path.

11 Step 2: Covertly requesting decoy routing
Example sentinels: String generated by symmetric key (exchanged out of band) Client tries a sequence of ports to signal the decoy routing Series of payload lengths … anything easily detectable by an IDS Decoy routing paper: Uses sentinel generated based on time and a secret key shared between the client and the proxy Client includes this in the random number field in the Client TLS Hello message Router forwards messages with sentinel to the proxy Proxy allows client to finish TLS exchange with the decoy destination (so all clear text communication looks normal) Proxy then sends “hello” in the TLS connection TLS traffic should be shaped to match underlying destination

12 Step 3: Hijacking a tcp flow
Proxy sends a RST to the destination with the sequence number on the packet that the client uses to signal the proxying It can match the header values So the destination won’t try to send any RSTS or consider it out of order Challenge: No assumption that path is symmetric Proxy/decoy router can see traffic from client, but not necessarily from the server Needs to glean server TCP options from the headers Client can convey these values to the proxy via the covert channel (since the client does have communication with the server)

13 Step 4: Provide proxy services
Many standard proxy protocols E.g., SOCKS proxy forwarded to a standard SOCKS server by the decoy proxy.

14 Vulnerabilities Detection: censor can cut off Internet access to clients caught using decoy routing Detection channels: MTU, IP TTL value, RTT Decoy proxy can adjust these values to match and reduce risk Censor can replay the TLS hello message and look for a response that looks like it is from a decoy proxy Make sentinels such that they cannot be reused Record a response from the decoy destination and forward that along to any repeated sentinels Censor could hold TLS hellos and forward them to the correct destination and only forward that reply back to the client Adversary could ID clients using the system Clients can access decoy destinations but not the proxy service Also DoS if the censor gets access to the user software and opens many connections

Download ppt "CS590B/690B Detecting Network Interference (Fall 2016)"

Similar presentations

CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.

Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Mobile IP Overview: Standard IP Standard IP Evolution of Mobile IP Evolution of Mobile IP How it works How it works Problems Assoc. with it Problems Assoc.

Mobile IP Overview: Standard IP Standard IP Evolution of Mobile IP Evolution of Mobile IP How it works How it works Problems Assoc. with it Problems Assoc.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

21.1 Chapter 21 Network Layer: Address Mapping, Error Reporting, and Multicasting Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
Petrozavodsk State University, Alex Moschevikin, 2003NET TECHNOLOGIES Internet Control Message Protocol ICMP author -- J. Postel, September 1981. The purpose.

Petrozavodsk State University, Alex Moschevikin, 2003NET TECHNOLOGIES Internet Control Message Protocol ICMP author -- J. Postel, September The purpose.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Firewalls. Evil Hackers FirewallYour network Firewalls mitigate risk Block many threats They have vulnerabilities.

Firewalls. Evil Hackers FirewallYour network Firewalls mitigate risk Block many threats They have vulnerabilities.
PA3: Router Junxian (Jim) Huang EECS 489 W11 /

PA3: Router Junxian (Jim) Huang EECS 489 W11 /
The Parrot is Dead: Observing Unobservable Network Communications

The Parrot is Dead: Observing Unobservable Network Communications
CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 03 PHILLIPA GILL STONY BROOK UNIVERSITY, COMPUTER SCIENCE ACKS: SLIDES BASED ON MATERIAL FROM NICK WEAVER’S.

CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 03 PHILLIPA GILL STONY BROOK UNIVERSITY, COMPUTER SCIENCE ACKS: SLIDES BASED ON MATERIAL FROM NICK WEAVER’S.
Internet Ethernet Token Ring Video High Speed Router Host A: Client browser: REQUEST:http//mango.ee.nogradesu.edu/c461.

Internet Ethernet Token Ring Video High Speed Router Host A: Client browser: REQUEST:http//mango.ee.nogradesu.edu/c461.
Fall 2005Computer Networks20-1 Chapter 20. Network Layer Protocols: ARP, IPv4, ICMPv4, IPv6, and ICMPv6 20.1 ARP 20.2 IP 20.3 ICMP 20.4 IPv6.

Fall 2005Computer Networks20-1 Chapter 20. Network Layer Protocols: ARP, IPv4, ICMPv4, IPv6, and ICMPv ARP 20.2 IP 20.3 ICMP 20.4 IPv6.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.

Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.

Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.

Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.

Similar presentations

Ads by Google