PARROT IS DEAD
Download
Report
Transcript PARROT IS DEAD
PARROT IS DEAD
OBSERVING UNOBSERVABLE NETWORK COMMUNICATION
Authors: Amir Houmansadr Chad Brubaker Vitaly Shmatikov
The university of Texas Austin
Presented by Nelson Mandela
Date 7th February 2017
Motivation
Parrot circumventing systems have been motivated by the
increasing number of Repressive/nondemocratic government
to monitor the internet and strengthening their censorship
powers.
This in return has motivated a growing community of
developer aiming at circumventing the censor systems
through unobservability which is what we refer as the parrot
circumventing systems.
The parrot circumventing systems bypass censorship through
imitations of common protocols.eg skype,http
How it works
parrot circumventing systems
Content
inspector
censors
Internet user
X
Skype
morph
Censor
spoofer
stegoToru
s
Allowed
address
X
Circumventing by
imitation
Skype
VoIP traffic
HTTP
Ventrilo
Blocked
address
Adversary Models-capabilities
classification
Passive attack-involves observing, analyzing and packet
inspection of internet entities.
Proactive attack-identify entities involved in
circumventing by sending probes that will elicit certain
responses.
Active attack-involve manipulation of network traffic i.e.
delaying, dropping and terminating internet connection.
Adversary models-Knowledge
Classification
Local adversary(LO)-small number of network
devices, observe small number networks.
State level oblivion Adversary(OB)-limited
storage, limited computational resource ,deep
packet inspection.
State level omniscient adversary(OM)-ample
processing, storage and computational resource.
Circumvention systems
Skymorph -pluggable transport aim at imitating skype video calls.
Client obtain bridge id in advance
Bridge enter skype picks a high UDP port
Client picks high UDP port
StegoTorus-pluggable transport derived from obfsproxy.
Adds chopping and steganography
Mimick HTTP, Skype, and Ventrilo
Censorspoofer-stand alone system
Ip spoofing
Mimic voip traffic
Requirement for parrot circumventing
systems
Mimicking the protocol in entirety e.g voip(sip,rtp,rtcp)
Correctness-mimic full behavior.
Side protocols-protocols that run besides the main session.
Intradepend- dependancies & correlation among protocol session
Interdepend-
Mimicking reaction to errors and network condition i.e. reaction to
errors/network conditions
Mimicking typical traffic i.e. content, pattern, users,
Mimicking implementation specific artifacts i.e. parrot must mimic a specific
version of a specific popular implementation to the last bug
Detecting skype imitators
Passive attacks
Exploiting deviation from genuine skype behavior
Exploiting re-use of client generated skype traces.
Exploiting re-use of pre-recorded Skype traces
Hypothetical SkypeMorph+ and StegoTorus+-experiment to find out if the
weakeness could be bridged by upgrading.
Active and proactive attacks
Verifying supernode behavior
Manipulate skype calls
Manipulate tcp control channels
DETECTING SKYPE IMITATORS
SkypeMorph and StegoTorus-Embed—can be easily distinguished from genuine
Skype.
Attack
Imitation
Adversary SkypeMorp StegoTorusrequirement
h
Embed
Skype HTTP update traffic (T1)
SideProtocols
LO/OB/OM
Satisfied
Failed
Skype login traffic (T2)
SideProtocols
LO/OB/OM
Satisfied
Failed
SoM field of Skype UDP packets (T3)
Content
LO/OB/OM
Failed
Failed
Traffic statistics (T4, T5)
Pattern
Satisfied
Satisfied
Periodic message exchanges (T6, T7)
SideProtocols
Failed
Failed
Typical Skype client behavior (T8)
IntraDepend
Failed
Failed
TCP control channel (T9)
SideProtocols
Failed
Failed
LO/OM
LO/OB/OM
LO/OM
LO/OB/OM
ACTIVE AND PROACTIVE ATTACKS TO DETECT IMPROVED SKYPE PARROTS
Skypemorph+ and StegoTorus+
Attack
Imitation
requirement
Verify supernode behavior
SideProtocols
by flushing supernode cache
IntraDepend
Drop a few UDP packets
Network,
Err
Active,
LO/OB/OM
A burst of TCP packets on the control
channel (Fig. 1)
Close TCP channel
IntraDepend,
SideProtocols
Active,
LO/OB/OM
Ends the UDP stream immediately
Delay TCP packets
IntraDepend,
SideProtocols,
Network
Close TCP connection to a SN
IntraDepend,
SideProtocols
Active,
LO/OB/OM
Client initiates UDP probes to find
other SNs
No reaction
Block the default TCP port for
TCP channel
IntraDepend
SideProtocols
Active,
LO/OB/OM
Connects to TCP ports 80 or 443
instead
No reaction
Adversary
Proactive,
LO/OM
Active,
LO/OM
Skype
The target node serves as the adversary’s
SN, e.g., relays his Skype calls
Reacts depending on the type of TCP
messages
SkypeMorph+
and StegoTorus+
Rejects all
Skype messages
No reaction
No reaction
No reaction
DETECTING STEGOTORUS
Real HTTP server
StegoTorus’s HTTP module
GET existing
Returns “200 OK” and sets Connection to keep-alive
Arbitrarily sets Connection to
either keep-alive or Close
GET long request
Returns “404 Not Found” since URI does not exist
No response
GET non-existing
Returns “404 Not Found”
Returns “200 OK”
GET wrong
protocol
Most servers produce an error message, e.g., “400 Bad Request”
Returns “200 OK”
HEAD existing
Returns the common HTTP headers
No response
OPTIONS
common
Returns the supported methods in the Allow line
No response
DELETE existing
Most servers have this method not activated and produce an error message
No response
TEST method
Returns an error message, e.g., “405 Method Not Allowed” and sets
Connection=Close
No response
Attack request
Returns an error message, e.g., “404 Not Found”
No response
HTTP request
DISTINGUISHING CENSORSPOOFER FROM GENUINE SIP CLIENTS.
Attack
Imitation
requirement
Soft
Manipulate tag in
SIP OK
SIP INVITE to
SideProtocols
fakeID@suspiciousI Soft, Err
P
SIP INVALID
SideProtocols,Err
SIP BYE with
invalid SIP-ID
Drop RTP packets
(only for
confirmation)
SideProtocols
Soft, Err
SideProtocols
Soft, Network
Adversar Typical SIP clients (e.g., Ekiga)
y
LO/OB/O Nothing
M
Respond with “100 Trying” and “180
LO/OB/O Ringing”,
“483 Busy Here”, “603 Decline”, or “404
M
Not Found”
LO/OB/O Respond “400 BadRequest”
M
LO/OB/O Respond “481 Call
Leg/Transaction Does Not Exist”
M
Terminate the call after a time period
LO/OB/O
depending on the client, may change
M
codec in more advanced clients.
CensorSpoofer
Client closes the
call
Nothing
Nothing
Nothing
Nothing
RELATED WORK
Pluggable Tor transports
Decoy routing
RECOMMENDATIONS
understanding of the adversaries
unobservability by imitation is a fundamentally flawed approach.
partial imitation is worse than no imitation at all
not mimic, but run the actual protocol