Avoiding Censorship through Network Complexity
Learn about DNS-sly, a technique developed by Qurat-Ul-Ann Akbar and researchers at Northwestern University to combat internet censorship. The research delves into circumvention techniques, the research problem, and their solution leveraging DNS complexities. Explore the protocol, evaluation, and components of DNS-sly in this informative study.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
DNS-sly: Avoiding Censorship through Network Complexity Qurat-Ul-Ann Akbar, Northwestern U. Marcel Flores, Aleksandar Kuzmanovic, Northwestern U. Northwestern U. http://networks.cs.northwestern.edu
Internet Censorship is a prevalent problem 2 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
3 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
problem 4 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
Circumvention Techniques Circumvention Technique Covertness Deniability Performance Proxies Yes No High Anonymous Networks Yes No High DNS Tunneling Techniques Yes No High HTTP Tunneling Techniques Yes Statistical Deniability Low 5 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
Research Problem Can we create a circumvention technique with high deniability with minimum impact on performance ? Deniability Performance 6 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
Our Solution DNS is a core Internet service Significant network complexity in todays Internet Trillions of DNS requests per day Proliferation of public DNS servers CDNs Leverage this complexity in DNS traffic to hide information 7 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
Outline Motivation DNS-sly Protocol Case for DNS-sly Evaluation 8 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
DNS-sly Overview Components : DNS-sly requester and responder DNS-sly responder profiles the clients DNS behavior Exchanges profile information with the requester In the downstream direction, responder encodes the content from the censored website in DNS response packets 9 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
First Phase - Endpoint Profiling DNS-sly responder profiles clients DNS behavior Records domains Forms IP set per domain Creates profile map a mapping of domains to the server IPs they are hosted on Exchanges profile map with the requester via out-of-band communication 10 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
Second Phase - Communication In the upstream direction, the DNS-sly requester crafts DNS requests using the profile map Upon receiving the request, the responder retrieves the content from Web In the downstream direction, the DNS-sly responder encodes content using DNS responses 11 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
DNS Packet Format Associated IP addresses Domain 12 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
Encoding Data Goal - Represent data as a choice of A records from a pool of IP addresses Responder computes the number of bytes of data to be encoded Uses a number representation scheme to map data to a set of IP addresses Forms a valid DNS response and sends it back to the DNS-sly requester 13 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
Encoding Data - Example Domain = facebook.com IP set size = 256 Number of A records = 6 Choices ~ P(256,6) Data encoded = 6 Bytes A Records 173.252.74.68 173.252.74.1 173.252.74.13 173.252.74.128 173.252.74.90 173.252.74.55 Number Representation Scheme abcdef 14 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
System Overview DNS-sly Client Client DNS-sly Server DNS Req DNS Resp + Content DNS Req / Hidd. Mess. Censor DNS-sly Requester DNS-sly Responder Visible DNS Req DNS Req Visible DNS Req DNS Req Visible DNS Resp / Hidden Content Visible DNS Resp / Hidden Content DNS Resp / DNS Resp / Decode Encode Hidden Content Hidden Content 15 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
Outline Motivation DNS-sly Protocol Case for DNS-sly Evaluation 16 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
DNS Request Variability Fragmented Web pages Larger number of DNS requests better for deniability: DNS-sly requests hard to detect Leads to increased probability of DNS responses suitable for data encoding 17 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
Number of DNS Resolutions per Domain Median is ~50 DNS resolutions per domain 20% of domains have >90 DNS resolutions 18 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
DNS Response Variability Number of IP addresses a domain maps to determines the potential for encoding downstream data Global and local Number of A records determines data that can be embedded in a single DNS response Rate of change in A records determines the timescales at which to operate to retain statistical deniability 19 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
Experimental Results Maximum number of IPs a domain maps to is 850 ~ 1/3rdof DNS responses have 8 A records with maximum up to 15, Every 30 minutes the responses change completely 20 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
Outline Motivation DNS-sly Protocol Case for DNS-sly Evaluation 21 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
Security Evaluation: Methodology Emulated a censors probing attack For every response from a DNS-sly responder, queried five other DNS resolvers for the same domain Evaluated by computing the mean and variance of the change between the DNS responses 22 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
Security Evaluation: Results 23 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
Performance Evaluation: Methodology Evaluated downstream performance using the metric, bytes per click Single click defined as loading of a page, including DNS resolutions for all domains included on the page Deployed DNS-sly in a known-censored environment to exchange data from a known- censored website 24 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
Performance Evaluation: Results Median Page Click (global) > 100 Bytes Median Page Click (local) ~ 75 Bytes Maximum Bytes encoded ~ 600 Bytes 25 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
Conclusion DNS-sly: a system that enables a DNS covert channel which provides high deniability while maintaining good performance DNS-sly adjusts its behavior to the clients Utilizes frequently changing A records to embed data in DNS responses Achieves downstream throughput of upto 600 Bytes of hidden data per Web page click 26 Qurat-Ul-Ann Akbar DNS-sly: Avoiding Censorship through Network Complexity
Thank You http://networks.cs.northwestern.edu
