ABSTRACT
Advances in networking and firewall technology have led to the emergence of network censorship devices that can perform large-scale, highly-performant content blocking. While such devices have proliferated, techniques to locate, identify, and understand them are still limited, require cumbersome manual effort, and are developed on a case-by-case basis.
In this paper, we build robust, general-purpose methods to understand various aspects of censorship devices, and study devices deployed in 4 countries (Azerbaijan, Belarus, Kazakhstan, and Russia). We develop a censorship traceroute method, CenTrace, that automatically identifies the network location of censorship devices. We use banner grabs to identify vendors from potential censorship devices. To collect more features about the devices themselves, we build a censorship fuzzer, CenFuzz, that uses various HTTP request and TLS Client Hello fuzzing strategies to examine the rules and triggers of censorship devices. Finally, we use features collected using these methods to cluster censorship devices and explore device characteristics across deployments.
Using CenTrace measurements, we find that censorship devices are often deployed in ISPs upstream to clients, sometimes even in other countries. Using data from banner grabs and injected block-pages, we identify 23 commercial censorship device deployments in Azerbaijan, Belarus, Kazakhstan, and Russia. We observe that certain CenFuzz strategies, such as using a different HTTP method, succeed in evading a large portion of these censorship devices, and, using clustering, observe that devices manufactured by the same vendors have similar evasion behavior. The methods developed in this paper apply consistently and rapidly across a wide range of censorship devices and enable continued understanding and monitoring of censorship devices around the world.
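The abstract names a censorship traceroute but does not spell out its algorithm. The following added example (not the paper's code and not CenTrace itself) sketches one generic way to analyse TTL-limited probes: compare a trace for a control domain with a trace for a test domain and report the first hop where they diverge. The `Probe` record, the response labels and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Probe:
    ttl: int
    kind: str            # "icmp" (Time Exceeded), "timeout", "rst", "blockpage", "server"
    src: Optional[str]   # address that answered, if any

INJECTED = {"rst", "blockpage"}  # responses an in-path device can forge

def locate_blocking_hop(control, test):
    """Return the first TTL where the test trace diverges from the control trace.

    The result is an estimate: the device sits at or just before the reported
    hop, and only if both traces followed the same path.
    """
    ctrl = {p.ttl: p for p in control}
    ordered = sorted(test, key=lambda p: p.ttl)
    for i, probe in enumerate(ordered):
        ref = ctrl.get(probe.ttl)
        if ref is None:
            continue
        if probe.kind in INJECTED and ref.kind != probe.kind:
            method = "injection"      # forged reply before the server was reached
        elif (probe.kind == "timeout" and ref.kind != "timeout"
              and all(q.kind == "timeout" for q in ordered[i:])):
            method = "drop"           # silence from here on; control hop answered
        else:
            continue                  # same behaviour, or a router silent in both
        return {"ttl": probe.ttl, "hop": ref.src, "method": method}
    return None

def trace(*rows):
    return [Probe(*r) for r in rows]

# Constructed sample traces; TTL 3 is a router that never answers.
CONTROL = trace((1, "icmp", "192.0.2.1"), (2, "icmp", "192.0.2.9"),
                (3, "timeout", None), (4, "icmp", "198.51.100.7"),
                (5, "icmp", "203.0.113.2"), (6, "server", "203.0.113.80"))
TEST_RST = trace((1, "icmp", "192.0.2.1"), (2, "icmp", "192.0.2.9"),
                 (3, "timeout", None), (4, "rst", "203.0.113.80"),
                 (5, "rst", "203.0.113.80"), (6, "rst", "203.0.113.80"))
TEST_DROP = trace((1, "icmp", "192.0.2.1"), (2, "icmp", "192.0.2.9"),
                  (3, "timeout", None), (4, "icmp", "198.51.100.7"),
                  (5, "timeout", None), (6, "timeout", None))

if __name__ == "__main__":
    for name, t in (("rst", TEST_RST), ("drop", TEST_DROP), ("clean", CONTROL)):
        print(name, locate_blocking_hop(CONTROL, t))
```

The silent router at TTL 3 is not reported because the control trace is silent there too; only behaviour that differs from the control counts as a divergence.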