Slide 1: DNS-sly: Avoiding Censorship through Network Complexity
Qurat-Ul-Ann Akbar, Northwestern U.; Marcel Flores, Northwestern U.; Aleksandar Kuzmanovic, Northwestern U.
http://networks.cs.northwestern.edu
Slide 2: Internet Censorship is a prevalent problem

Slides 3 and 4: (figures only; no recoverable text)
Slide 5: Circumvention Techniques

Technique                    Covertness   Deniability               Performance
Proxies                      Yes          No                        High
Anonymous Networks           Yes          No                        High
DNS Tunneling Techniques     Yes          No                        High
HTTP Tunneling Techniques    Yes          Statistical Deniability   Low
Slide 6: Research Problem
Can we create a circumvention technique with high deniability and minimum impact on performance?
Slide 7: Our Solution
- DNS is a core Internet service
- Significant network complexity in today's Internet: trillions of DNS requests per day, proliferation of public DNS servers, CDNs
- Leverage this complexity in DNS traffic to hide information
Slide 8: Outline
- Motivation
- DNS-sly Protocol
- Case for DNS-sly
- Evaluation
Slide 9: DNS-sly Overview
- Components: DNS-sly requester and responder
- DNS-sly responder profiles the client's DNS behavior
- Exchanges profile information with the requester
- In the downstream direction, the responder encodes the content from the 'censored website' in DNS response packets
Slide 10: First Phase - Endpoint Profiling
- DNS-sly responder profiles the client's DNS behavior
- Records domains
- Forms an IP set per domain
- Creates a profile map: a mapping of domains to the server IPs they are hosted on
- Exchanges the profile map with the requester via out-of-band communication
Slide 11: Second Phase - Communication
- In the upstream direction, the DNS-sly requester crafts DNS requests using the profile map
- Upon receiving the request, the responder retrieves the content from the Web
- In the downstream direction, the DNS-sly responder encodes content using DNS responses
Slide 12: DNS Packet Format
(figure: a DNS response, showing the queried domain and its associated IP addresses)
Slide 13: Encoding Data
- Goal: represent data as a choice of A records from a pool of IP addresses
- Responder computes the number of bytes of data to be encoded
- Uses a number representation scheme to map data to a set of IP addresses
- Forms a valid DNS response and sends it back to the DNS-sly requester
Slide 14: Encoding Data - Example
- Domain = "facebook.com"
- IP set size = 256
- Number of A records = 6
- Choices ~ P(256,6)
- Data encoded = 6 bytes: "abcdef"
- Number representation scheme maps the data to these A records:
  173.252.74.68
  173.252.74.1
  173.252.74.13
  173.252.74.128
  173.252.74.90
  173.252.74.55
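As an added example (not the paper's code), here is one concrete way to realise the number representation scheme on this slide: rank the payload's integer value into an ordered pick of 6 distinct addresses from a 256-address pool (mixed-radix unranking on the responder) and unrank it on the requester. The 173.252.74.0/24 pool is constructed for the example, and the fit check is on the payload's value because P(256,6) is slightly below 2^48, so a 6-byte payload only fits when its value is small enough, as "abcdef" happens to be.

```python
# Added example (not the paper's code): a toy version of the DNS-sly idea of
# encoding downstream bytes as an ordered choice of A records drawn from a
# domain's profiled IP set. The rank/unrank scheme and the /24 pool are
# assumptions; the paper's own number representation scheme is not shown here.
from math import perm  # number of k-permutations, P(n, k)


def capacity_bits(pool_size, n_records):
    """Bits guaranteed to fit in an ordered pick of n_records distinct IPs."""
    return perm(pool_size, n_records).bit_length() - 1


def fits(data, pool_size, n_records):
    """True if this exact payload can be ranked into P(pool_size, n_records) choices."""
    return int.from_bytes(data, "big") < perm(pool_size, n_records)


def encode(data, pool, n_records):
    """Responder side: payload bytes -> ordered list of A records (unranking)."""
    if not fits(data, len(pool), n_records):
        raise ValueError("payload does not fit in this DNS response")
    value = int.from_bytes(data, "big")
    available = list(pool)          # the domain's profile map, shared out of band
    records = []
    for _ in range(n_records):      # radix shrinks by one per pick: n, n-1, ...
        value, idx = divmod(value, len(available))
        records.append(available.pop(idx))
    return records


def decode(records, pool, n_bytes):
    """Requester side: observed A records -> payload bytes (inverse of encode)."""
    available = list(pool)
    indices = []
    for ip in records:
        idx = available.index(ip)   # position among the IPs not yet used
        indices.append(idx)
        available.pop(idx)
    value = 0
    for i in range(len(indices) - 1, -1, -1):   # last pick is most significant
        value = value * (len(pool) - i) + indices[i]
    return value.to_bytes(n_bytes, "big")


# Constructed pool modelled on the slide's addresses: 256 IPs in 173.252.74.0/24
POOL = ["173.252.74.%d" % i for i in range(256)]

if __name__ == "__main__":
    payload = b"abcdef"                           # the slide's 6-byte example
    answer = encode(payload, POOL, 6)             # six A records for the domain
    print(capacity_bits(256, 6), answer, decode(answer, POOL, len(payload)))
```

Because the requester and responder must share the same pool ordering, any drift in the profile map (the slide notes A records change every 30 minutes) breaks decoding unless both sides re-synchronise.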
Slide 15: System Overview
(figure: Client -> DNS-sly Requester (DNS-sly Client, with Encode/Decode) -> Censor -> DNS-sly Responder (DNS-sly Server). Upstream: DNS Req / Hidden Message, seen by the censor as a visible DNS Req. Downstream: DNS Resp + Content, seen by the censor as a visible DNS Resp / Hidden Content.)
Slide 16: Outline
- Motivation
- DNS-sly Protocol
- Case for DNS-sly
- Evaluation
Slide 17: DNS Request Variability
- Fragmented Web pages
- A larger number of DNS requests is better for deniability: DNS-sly requests are hard to detect
- Leads to an increased probability of DNS responses suitable for data encoding
Slide 18: Number of DNS Resolutions per Domain
- Median is ~50 DNS resolutions per domain
- 20% of domains have >90 DNS resolutions
Slide 19: DNS Response Variability
- The number of IP addresses a domain maps to determines the potential for encoding downstream data (global and local)
- The number of A records determines the data that can be embedded in a single DNS response
- The rate of change in A records determines the timescales at which to operate to retain statistical deniability
Slide 20: Experimental Results
- Maximum number of IPs a domain maps to is 850
- ~1/3rd of DNS responses have 8 A records, with a maximum of up to 15
- Every 30 minutes the responses change completely
Slide 21: Outline
- Motivation
- DNS-sly Protocol
- Case for DNS-sly
- Evaluation
Slide 22: Security Evaluation: Methodology
- Emulated a censor's probing attack
- For every response from a DNS-sly responder, queried five other DNS resolvers for the same domain
- Evaluated by computing the mean and variance of the change between the DNS responses
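An added example (not the paper's code) of the probing statistic on this slide, run on constructed answers: the "change" between two responses is taken here as the fraction of the DNS-sly responder's A records that a control resolver did not return, which is an assumption since the slide does not define the metric.

```python
# Added example (not the paper's code): the probing-attack statistic from the
# methodology slide over constructed sample answers. The change metric below
# is an assumption; the slide only says "change between the DNS responses".
from statistics import mean, pvariance


def change(sly_records, control_records):
    """Fraction of the responder's A records absent from a control resolver's answer."""
    sly = set(sly_records)
    return len(sly - set(control_records)) / len(sly)


def probe_stats(sly_records, control_answers):
    """Mean and population variance of change across the control resolvers."""
    deltas = [change(sly_records, answer) for answer in control_answers]
    return mean(deltas), pvariance(deltas)


def _ips(*last_octets):
    # constructed addresses in the same /24 the slides use for their example
    return ["173.252.74.%d" % o for o in last_octets]


# Constructed sample: one DNS-sly response and the five control resolvers'
# answers for the same domain (a rotating CDN pool, so some change is normal).
SLY_ANSWER = _ips(1, 2, 3, 4, 5, 6)
CONTROL_ANSWERS = [
    _ips(1, 2, 3, 7, 8, 9),        # half the records differ
    _ips(4, 5, 6, 10, 11, 12),     # half the records differ
    _ips(1, 2, 3, 4, 5, 6),        # identical answer
    _ips(7, 8, 9, 10, 11, 12),     # disjoint answer
    _ips(1, 2, 3, 4, 13, 14),      # two of six differ
]

if __name__ == "__main__":
    m, v = probe_stats(SLY_ANSWER, CONTROL_ANSWERS)
    print("mean change %.3f, variance %.3f" % (m, v))
```

A DNS-sly response is only statistically deniable if these two numbers sit inside the range that genuine responses for the same domain produce under the same five-resolver probe.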
Slide 23: Security Evaluation: Results
(figure only; no recoverable text)
Slide 24: Performance Evaluation: Methodology
- Evaluated downstream performance using the metric bytes per click
- A single click is defined as the loading of a page, including DNS resolutions for all domains included on the page
- Deployed DNS-sly in a known-censored environment to exchange data from a known-censored website
Slide 25: Performance Evaluation: Results
- Median Page Click (global) > 100 Bytes
- Median Page Click (local) ~75 Bytes
- Maximum Bytes encoded ~600 Bytes
Slide 26: Conclusion
- DNS-sly: a system that enables a DNS covert channel which provides high deniability while maintaining good performance
- DNS-sly adjusts its behavior to the client's
- Utilizes frequently changing A records to embed data in DNS responses
- Achieves downstream throughput of up to 600 Bytes of hidden data per Web page click
Slide 27: Thank You
http://networks.cs.northwestern.edu