DOI: 10.1145/3555050.3569133
research-article
Public Access
Artifacts Available / v1.1

Network measurement methods for locating and examining censorship devices

Published: 30 November 2022

ABSTRACT

Advances in networking and firewall technology have led to the emergence of network censorship devices that can perform large-scale, highly-performant content blocking. While such devices have proliferated, techniques to locate, identify, and understand them are still limited, require cumbersome manual effort, and are developed on a case-by-case basis.

In this paper, we build robust, general-purpose methods to understand various aspects of censorship devices, and study devices deployed in 4 countries (Azerbaijan, Belarus, Kazakhstan, and Russia). We develop a censorship traceroute method, CenTrace, that automatically identifies the network location of censorship devices. We use banner grabs to identify vendors from potential censorship devices. To collect more features about the devices themselves, we build a censorship fuzzer, CenFuzz, that uses various HTTP request and TLS Client Hello fuzzing strategies to examine the rules and triggers of censorship devices. Finally, we use features collected using these methods to cluster censorship devices and explore device characteristics across deployments.

Using CenTrace measurements, we find that censorship devices are often deployed in ISPs upstream to clients, sometimes even in other countries. Using data from banner grabs and injected block-pages, we identify 23 commercial censorship device deployments in Azerbaijan, Belarus, Kazakhstan, and Russia. We observe that certain CenFuzz strategies such as using a different HTTP method succeed in evading a large portion of these censorship devices, and observe that devices manufactured by the same vendors have similar evasion behavior using clustering. The methods developed in this paper apply consistently and rapidly across a wide range of censorship devices and enable continued understanding and monitoring of censorship devices around the world.

Published in

CoNEXT '22: Proceedings of the 18th International Conference on emerging Networking EXperiments and Technologies
November 2022
431 pages
ISBN: 9781450395083
DOI: 10.1145/3555050

Copyright © 2022 Owner/Author

This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance Rates

CoNEXT '22 Paper Acceptance Rate: 28 of 151 submissions, 19%
Overall Acceptance Rate: 198 of 789 submissions, 25%
