Philipp Winter
ABSTRACT
Deep packet inspection technology became a cornerstone of Internet censorship by facilitating cheap and effective filtering of what censors consider undesired information. Moreover, filtering is not limited to simple pattern matching but makes use of sophisticated techniques such as active probing and protocol classification to block access to popular circumvention tools such as Tor.
In this paper, we propose ScrambleSuit; a thin protocol layer above TCP whose purpose is to obfuscate the transported application data. By using morphing techniques and a secret exchanged out-of-band, we show that ScrambleSuit can defend against active probing and other fingerprinting techniques such as protocol classification and regular expressions.
We finally demonstrate that our prototype exhibits little overhead and enables effective and lightweight obfuscation for application layer protocols.
- Thomas H. Ptacek and Timothy N. Newsham. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Technical report, Secure Networks, Inc., 1998.Google Scholar
- Olli-Pekka Niemi, Antti Levomäki, and Jukka Manner. Dismantling Intrusion Prevention Systems (Demo). In SIGCOMM. ACM, 2012. Google ScholarDigital Library
- Mark Handley, Vern Paxson, and Christian Kreibich. Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. In USENIX Security. USENIX Association, 2001. Google ScholarDigital Library
- Marcel Dischinger, Alan Mislove, Andreas Haeberlen, and Krishna P. Gummadi. Detecting BitTorrent Blocking. In IMC. ACM, 2008. Google ScholarDigital Library
- Richard Clayton, Steven J. Murdoch, and Robert N. M. Watson. Ignoring the Great Firewall of China. In PETS. Springer, 2006. Google ScholarDigital Library
- Sparks, Neo, Tank, Smith, and Dozer. The Collateral Damage of Internet Censorship by DNS Injection. SIGCOMM Computer Communication Review, 42(3), 2012. Google ScholarDigital Library
- Christopher Rhoads and Loretta Chao. Iran's Web Spying Aided By Western Technology, 2009. URL: http://online.wsj.com/article/SB124562668777335653.html.Google Scholar
- Jillian C. York. Government Internet Surveillance Starts With Eyes Built in the West, 2011. URL: https://www.eff.org/deeplinks/2011/09/government-internet-surveillance-starts-eyes-built.Google Scholar
- Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The Second-Generation Onion Router. In USENIX Security. USENIX Association, 2004. Google ScholarDigital Library
- The Tor Project. Iran. URL: https://censorshipwiki.torproject.org/CensorshipByCountry/Iran.Google Scholar
- Philipp Winter and Stefan Lindskog. How the Great Firewall of China is Blocking Tor. In FOCI. USENIX Association, 2012.Google Scholar
- The Tor Project. Ethiopia. URL: https://censorshipwiki.torproject.org/CensorshipByCountry/Ethiopia.Google Scholar
- Charles Arthur. China tightens "Great Firewall" internet control with new technology, 2012. URL: http://www.guardian.co.uk/technology/2012/dec/14/china-tightens-great-firewall-internet-control.Google Scholar
- GFW actively probes obfs2 bridges, 2013. URL: https://bugs.torproject.org/8591.Google Scholar
- Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. ZMap: Fast Internet-Wide Scanning and its Security Applications. In USENIX Security. USENIX Association, 2013. Google ScholarDigital Library
- Zachary Weinberg, Jeffrey Wang, Vinod Yegneswaran, Linda Briesemeister, Steven Cheung, Frank Wang, and Dan Boneh. StegoTorus: A Camouflage Proxy for the Tor Anonymity System. In CCS. ACM, 2012. Google ScholarDigital Library
- Hooman Mohajeri Moghaddam, Baiyu Li, Mohammad Derakhshani, and Ian Goldberg. SkypeMorph: Protocol Obfuscation for Tor Bridges. In CCS. ACM, 2012. Google ScholarDigital Library
- Amir Houmansadr, Thomas Riedl, Nikita Borisov, and Andrew Singer. I want my voice to be heard: IP over Voice-over-IP for unobservable censorship circumvention. In NDSS. The Internet Society, 2013.Google Scholar
- Wenxuan Zhou, Amir Houmansadr, Matthew Caesar, and Nikita Borisov. SWEET: Serving the Web by Exploiting Email Tunnels. In HotPETS. Springer, 2013.Google Scholar
- The Tor Project. obfs2 (The Twobfuscator). URL: https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/blob/HEAD:/doc/obfs2/obfs2-protocol-spec.txt.Google Scholar
- The Tor Project. obfs3 (The Threebfuscator). URL: https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/blob/HEAD:/doc/obfs3/obfs3-protocol-spec.txt.Google Scholar
- Brandon Wiley. Dust: A Blocking-Resistant Internet Transport Protocol. Technical report, University of Texas at Austin, 2011.Google Scholar
- Viewing cable 09MUSCAT1039, SKYPE CRACKDOWN IN OMAN, 2009. URL: http://wikileaks.org/cable/2009/11/09MUSCAT1039.html.Google Scholar
- Russian "Clean Internet" experiment gets green light, 2013. URL: http://rt.com/politics/anti-pedophile-safe-internet-russian-169/.Google Scholar
- Small Media. Iranian Internet Infrastructure and Policy Report: Election Edition 2013 (April - June), 2013.Google Scholar
- Alberto Dainotti, Claudio Squarcella, Emile Aben, Kimberly C. Claffy, Marco Chiesa, Michele Russo, and Antonio Pescapé. Analysis of Country-wide Internet Outages Caused by Censorship. In IMC. ACM, 2011. Google ScholarDigital Library
- Eva Galperin and Jillian C. York. Syria goes dark, 2012. https://www.eff.org/deeplinks/2012/11/syria-goes-dark.Google Scholar
- Erik Hjelmvik and Wolfgang John. Breaking and Improving Protocol Obfuscation. Technical report, Chalmers University of Technology, 2010.Google Scholar
- Brandon Wiley. Blocking-Resistant Protocol Classification Using Bayesian Model Selection. Technical report, University of Texas at Austin, 2011.Google Scholar
- The Tor Project. obfsproxy. URL: https://www.torproject.org/projects/obfsproxy.Google Scholar
- Qiyan Wang, Xun Gong, Giang T. K. Nguyen, Amir Houmansadr, and Nikita Borisov. CensorSpoofer: Asymmetric Communication using IP Spoofing for Censorship-Resistant Web Browsing. In CCS. ACM, 2012. Google ScholarDigital Library
- Amir Houmansadr, Chad Brubaker, and Vitaly Shmatikov. The Parrot is Dead: Observing Unobservable Network Communications. In Security & Privacy. IEEE, 2013. Google ScholarDigital Library
- Patrick Lincoln, Ian Mason, Phillip Porras, Vinod Yegneswaran, Zachary Weinberg, Jeroen Massar, William Simpson, Paul Vixie, and Dan Boneh. Bootstrapping Communications into an Anti-Censorship System. In FOCI. USENIX Association, 2012.Google Scholar
- Eugene Y. Vasserman, Nicholas Hopper, John Laxson, and James Tyra. SilentKnock: Practical, Provably Undetectable Authentication. In ESORICS. Springer, 2007. Google ScholarDigital Library
- Rob Smits, Divam Jain, Sarah Pidcock, Ian Goldberg, and Urs Hengartner. BridgeSPA: Improving Tor Bridges with Single Packet Authorization. In WPES. ACM, 2011. Google ScholarDigital Library
- Martin Johnson. China, GitHub and the man-in-the-middle, 2013. URL: https://en.greatfire.org/blog/2013/jan/china-github-and-man-middle.Google Scholar
- Ronald L. Rivest, Adi Shamir, and David A. Wagner. Time-lock Puzzles and Timed-release Crypto. Technical report, Massachusetts Institute of Technology, 1996. Google ScholarDigital Library
- Ben Laurie and Richard Clayton. "Proof-of-Work" Proves Not to Work. In WEIS, 2004.Google Scholar
- Joseph Salowey, Hao Zhou, Pasi Eronen, and Hannes Tschofenig. RFC 5077: Transport Layer Security (TLS) Session Resumption without Server-Side State, 2008.Google Scholar
- Hugo Krawczyk, Mihir Bellare, and Ran Canetti. RFC 2104: HMAC: Keyed-Hashing for Message Authentication, 1997. Google ScholarDigital Library
- Zhen Ling, Xinwen Fu, Wei Yu, Junzhou Luo, and Ming Yang. Extensive Analysis and Large-Scale Empirical Evaluation of Tor Bridge Discovery. In INFOCOM. IEEE, 2012.Google ScholarCross Ref
- Tero Kivinen and Mika Kojo. RFC 3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE), 2003. Google ScholarDigital Library
- Hugo Krawczyk and Pasi Eronen. RFC 5869: HMAC-based Extract-and-Expand Key Derivation Function (HKDF), 2010.Google Scholar
- Manuel Crotti, Maurizio Dusi, Francesco Gringoli, and Luca Salgarelli. Traffic Classification through Simple Statistical Fingerprinting. SIGCOMM Computer Communication Review, 37(1), 2007. Google ScholarDigital Library
- Kevin P. Dyer, Scott E. Coull, Thomas Ristenpart, and Thomas Shrimpton. Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail. In Security & Privacy. IEEE, 2012. Google ScholarDigital Library
- Xiang Cai, Xin Cheng Zhang, Brijesh Joshi, and Rob Johnson. Touching from a Distance: Website Fingerprinting Attacks and Defenses. In CCS. ACM, 2012. Google ScholarDigital Library
- Andriy Panchenko, Lukas Niessen, Andreas Zinnen, and Thomas Engel. Website Fingerprinting in Onion Routing Based Anonymization Networks. In WPES. ACM, 2011. Google ScholarDigital Library
- CAIDA. Packet size distribution comparison between Internet links in 1998 and 2008, 2010. URL: http://www.caida.org/research/traffic-analysis/pkt sizedistribution/graphs.xml.Google Scholar
- Mohamad Jaber, Roberto G. Cascella, and Chadi Barakat. Can we trust the inter-packet time for traffic classification? In ICC. IEEE, 2011.Google ScholarCross Ref
- ECRYPT II Yearly Report on Algorithms and Keysizes, 2012.Google Scholar
- Dwayne C. Litzenberger. PyCrypto - The Python Cryptography Toolkit. URL: https://www.dlitz.net/software/pycrypto/.Google Scholar
- Andrew M. White, Srinivas Krishnan, Michael Bailey, Fabian Monrose, and Phillip Porras. Clear and Present Data: Opaque Traffic and its Security Implications for the Future. In NDSS. The Internet Society, 2013.Google Scholar
Index Terms
- ScrambleSuit: a polymorphic network protocol to circumvent censorship
Recommendations
Examining How the Great Firewall Discovers Hidden Circumvention Servers
IMC '15: Proceedings of the 2015 Internet Measurement ConferenceRecently, the operators of the national censorship infrastructure of China began to employ "active probing" to detect and block the use of privacy tools. This probing works by passively monitoring the network for suspicious traffic, then actively ...
Exposing the Rat in the Tunnel: Using Traffic Analysis for Tor-based Malware Detection
CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications SecurityTor~\citetor is the most widely used anonymous communication network with millions of daily users~\citetormetrics. Since Tor provides server and client anonymity, hundreds of malware binaries found in the wild rely on it to hide their presence and ...
Effective Attacks in the Tor Authentication Protocol
NSS '09: Proceedings of the 2009 Third International Conference on Network and System SecurityAs an anonymous Internet communication system Tor is popular and famous, being used by lots of users. The security of Tor is based on the authentication protocol. Although the Tor authentication protocol has been proved secure, this paper discovers its ...
Comments