L09 - UMass Amherst

CS590/690B
DETECTING NETWORK
INTERFERENCE
(FALL 2016)
LECTURE 09
PHILLIPA GILL – UMASS -- AMHERST
WHERE WE ARE
Administrative note:
- Assignment 2 has been released.
Last time:
• Different censorship measurement platforms
• Questions?
HANDS ON ACTIVITY FROM LAST TIME
• Installing/testing OONI
• Trying differentiation detector app
• Any successes?
• Questions?
TODAY
Case Study: Iran
• Background on filtering in Iran (ONI report)
• Private addresses used within Iran (Anderson 2012)
• Dimming the Internet (Anderson 2013)
• Web censorship in Iran (Pseudonymous + Halderman 2013)
Case Study: Pakistan
• ISP Lens
• Pakistan Hijack
• Pakistan Web censorship
• ONI report
• Netsweeper in Pakistan
BACKGROUND
• Limited freedom of speech in Iran grounded in their
constitution
• Limits on topics ranging from religion, immorality, and politics
• State has well established mechanisms for policing traditional
media (e.g., print, radio, TV)
• The Internet initially offered a place for people to express their
viewpoints away from the state controls
• 2000-2008 Internet use in Iran grows from <1M users to ~23M
users
• Fastest growth in the Middle East at that time
• As early as 2001 government began asserting control over
Internet access in the country
• Commercial ISPs in Iran are required to connect via the state-controlled
Telecommunication Company of Iran (TCI)
CONFLICTING GOALS
• Desire to encourage economic IT developments …
• … but also rein in free speech
• Fourth Five Year Development Plan called for 1.5 M high speed
Internet connections worldwide
• … but in 2006 Ministry of Communication and Information
Technology issues an order forbidding home Internet
connectivity of > 128 kbps 
• There was opposition to the 128 kbps rule, but it remains in
place
• Researchers, faculty and university students are exempt from
the restrictions upon providing documentation
• Initially censorship implemented via IP blocking by individual
ISPs, gradually replaced by centralized censorship by TCI
• Redirects users to 10.10.34.34 (an address owned by the
censor)
MORE RECENTLY
• 2012: Supreme leader establishes Supreme Council of
Cyberspace which controls three government bodies
associated with censorship:
• Committee for determining offensive contents, located at
internet.ir and peyvandha.ir which controls censorship policies.
They are responsible for updating lists of censored Web sites
and enforcing Internet communication policies
• Iran cyber police (FATA police): responsible for prosecuting
users involved in illegal Internet activities
• Revolutionary guard cyber defense command (Iran Cyber
Army): responsible for defending Iran against cyber attacks and
implementing countermeasures
• Also, the “Fifth Five Year Development Plan” mandates
development of national information network
• Many fears of complete blocking of external content
CAMPAIGN FOR NATIONAL INTERNET
• Head of MICT and other gov’t officials create public campaign
extolling virtues of creating such a network:
• A genuinely halal network aimed at Muslims on an ethical and
moral level – Ali Agha-Mohammadi
• A national internet can be very effective to protect the country’s
information and the people’s security – Esmail Ahmadi
Moghaddam
• Usage of private IPs within the country could indicate a desire
to go in this direction
• But usage of these addresses is not particularly new
• Observed as far back as 2010 (Anderson 2012)
FILTERING IN IRAN AT A GLANCE
http://www3.cs.stonybrook.edu/~phillipa/papers/TWeb.pdf
NETWORKING 101: RFC 1918
• IP addresses on the Internet need to be globally unique
• IANA: Internet Assigned Numbers Authority is responsible for
ensuring this
• Since IP addresses are finite and not all hosts need to be
globally accessible, three blocks of IP addresses were
reserved for local/private use
• 10.0.0.0/8 (16 M addresses)
• 172.16.0.0/12 (1 M addresses)
• 192.168.0.0/16 (65 K addresses)
• These IP addresses/routing information for them should not
be propagated between networks
• ISPs should filter them (according to RFC)
• Commonly used for NAT (i.e., multiplexing a single public IP
address across many clients)
THE HIDDEN INTERNET OF IRAN
Anderson 2012 – Reading on Web page
• Points of observation:
• 2 hosts in Tehran (1 connecting via AS 12880 ITC and 1
connecting via Institute for Research in Fundamental Sciences
(AS 6736))
• Collection of Web proxies within the country that these hosts
connect to in order to test accessibility
• Proxies with both internal + external IP addresses
• Potential shortcomings
• The two hosts may be subject to localized censorship by
network owners
• Testing of censorship could lead to reactions from the censor
ILLUSTRATION OF ABNORMAL
TRACEROUTES
MEASURING THE INTERNAL NETWORK
• Many techniques…
• DNS (fig 6); 10.143.177.18 says it is an email server with
hostname Webmail.isfidc.com. Running dig on this address gives
us the external address for this server
• Can use regional Internet registries to figure out which
organization is using the 10.143 address
• Another way to figure out internal IP ownership:
• Spoof a ping to the internal address from an external host
• When the external host receives the reply the external address
mapped to the internal host will be revealed
RESULTS OF MAPPING
DIMMING THE INTERNET
Anderson 2013 (Reading on Web page)
• http://arxiv.org/abs/1306.4361
• Performance degradation to limit free flow of information
• Relation to network neutrality discussions?
• Data reused from NDT tool (client initiated network
performance tests run against servers hosted by
Measurement Lab (MLab)). NDT integrated into uTorrent
• Focus on:
• RTT
• Packet Loss
• Network-limited time ratio (where client has sent as much traffic
as it can and needs to wait for ACKs before sending more)
• Network throughput
AGGREGATING MEASUREMENTS
• National
• ISP/AS + IP prefixes
• Control groups (grouping users with similar performance)
• Using median country-level throughput (based on highest
performing measurement for each client on a given day) they
find two extended periods of degradation
• Nov. 30 2011 – Aug. 15 2012 (77% decrease)
• Oct 4 2012 – Nov 22 2012 (69% decrease)
• Corroboration with reports:
• “The Internet in Iran is Crawling, Conveniently, Right Before
Planned Protests”
• Suspected events around holidays, protests, disruption of
Google services
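Added example (not from the slides or from the Anderson paper's code): the country-level aggregation described above, taking each client's best test per day and then the median across clients. The records, the baseline day and the threshold parameter are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed NDT-style records: (day, client id, download throughput in Mbps).
RECORDS = [
    ("2011-11-28", "c1", 1.0), ("2011-11-28", "c1", 2.0),
    ("2011-11-28", "c2", 4.0), ("2011-11-28", "c3", 3.0),
    ("2011-12-01", "c1", 0.4), ("2011-12-01", "c2", 0.9),
    ("2011-12-01", "c2", 0.5), ("2011-12-01", "c3", 0.7),
]


def daily_median(records):
    """Per day: keep each client's highest measurement, then take the median."""
    best = defaultdict(dict)  # day -> client -> highest throughput seen that day
    for day, client, mbps in records:
        best[day][client] = max(mbps, best[day].get(client, 0.0))
    return {day: median(clients.values()) for day, clients in best.items()}


def percent_decrease(baseline, observed):
    """Drop of observed relative to baseline, in percent."""
    return 100.0 * (baseline - observed) / baseline


def degraded_days(records, baseline_day, threshold_pct):
    """Days whose median fell by at least threshold_pct versus baseline_day.

    baseline_day and threshold_pct are assumptions of this sketch, not values
    taken from the paper.
    """
    medians = daily_median(records)
    base = medians[baseline_day]
    return sorted(day for day, m in medians.items()
                  if day != baseline_day
                  and percent_decrease(base, m) >= threshold_pct)
```

Using the per-client maximum keeps one client's repeated slow tests from dragging down the daily figure.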
EXAMPLE PLOT
TODAY
Case Study: Iran
• Background on filtering in Iran (ONI report)
• Private addresses used within Iran (Anderson 2012)
• Dimming the Internet (Anderson 2013)
• Web censorship in Iran (Pseudonymous + Halderman 2013)
Case Study: Pakistan
• Background (ONI report):
https://opennet.net/research/profiles/pakistan
• Pakistan YouTube hijacking (Renesys):
http://www.renesys.com/2008/02/pakistan-hijacks-youtube-1/
• Web censorship in Pakistan (Nabi, 2013):
http://0b4af6cdc2f0c5998459c0245c5c937c5dedcca3f1764ecc9b2f.r43.cf2.rackcdn.com/12387-foci13nabi.pdf
• Netsweeper in Pakistan (Citizen Lab report):
https://citizenlab.org/wp-content/uploads/2013/07/18-2013-opakistan.pdf
INTERNET IN PAKISTAN
• ~130 ISPs: Wateen, Paknet, Linkdotnet, Comsats, Cybernet
• Wateen roll out of WiMAX in 2007 made Pakistan the first country
with nationwide WiMAX coverage
• Largest Internet eXchange Point (IXP) in the country (as of 2009)
was the Pakistan Internet Exchange (PIE) subsidiary of PTCL
(gov’t owned ISP)
• PIE has three main nodes: Karachi, Lahore and Islamabad
+ operates two submarine cables (South East Asia – Middle East
– Western Europe: SEA-ME-WE 3 and SEA-ME-WE 4)
• In 2009, ISPs no longer had to connect via PTCL and could
choose third party providers
• Second major company in Pakistan Internet market is TransWorld
• Owns and operates Pakistan’s first and only privately owned
submarine fiber optic cable system (TW1)
• TW1 has capacity of 1.28 TB, more than necessary for the nation
INTERNET FILTERING IN PAKISTAN
• Filtering regulated by the Pakistan Telecom Authority (PTA)
and Federal Investigation Agency (FIA) directed by the
government, supreme court, and Ministry of IT (MoIT).
• 2006 – MoIT created the Inter Ministerial Committee for the
Evaluation of Web sites (IMCEW) responsible for monitoring
and blocking Web pages
• Directives about what to block pass from these government
agencies to ISPs for implementation
• Wide publicity of censorship in Pakistan because of collateral
damage
• 2006: attempt to block 12 sites with cartoons of Mohammad
resulted in blocking the entire Blogspot domain for 2 months
• 2008: accidentally taking YouTube offline for hours
• 2010: blocking of Facebook, YouTube, Flickr, Wikipedia on
“Draw Mohammad Day”
INTERNET FILTERING IN PAKISTAN (2)
• 2012: Gov’t solicits proposals for a country-wide URL filtering
and blocking system including:
• Filtering at domain level, subfolder level, individual files
• Blocking individual IPs or whole address ranges
• Remote network monitoring via SNMP, configuration via
HTTP/HTTPS
• Operation at L2 and L3
• Modularity: stand alone hardware that can block up to 50M
URLs with <1ms latency
• Later in 2012: indefinite ban on YouTube in response to a
movie.
• Impact felt on other Google services with common IP
addresses
HISTORY LESSON
2008: Pakistan uses BGP messages to filter traffic
February 2008: Pakistan Telecom hijacks YouTube
[Figure: “The Internet” connecting YouTube (announcing “I’m YouTube: IP 208.65.153.0 / 22”), Telenor Pakistan, Pakistan Telecom, Aga Khan University and Multinet Pakistan]
HISTORY LESSON
Here’s what should have happened….
[Figure: same topology; Pakistan Telecom hijacks + drops packets going to YouTube from its own network only: “Block your own customers.”]
HISTORY LESSON
But here’s what Pakistan ended up doing…
[Figure: same topology; YouTube announces “I’m YouTube: IP 208.65.153.0 / 22” and Pakistan Telecom announces “No, I’m YouTube! IP 208.65.153.0 / 24” to “The Internet”]
HOW IS THIS POSSIBLE?
• Pakistan Telecom connected to the rest of the Internet via the
PCCW network
• This network did not validate the message sent by Pakistan
Telecom
• …and proceeded to pass it on to its neighbors who also
accepted it
• Worse yet, the route announced by Pakistan was more
specific than the route announced by YouTube
• Pakistan announced 208.65.153.0/24
• YouTube announced 208.65.152.0/22
• No easy way for networks on the Internet to validate messages
• Direct provider has more of a chance since they should know
the prefixes that their customers will be announcing (in theory)
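Added example (not from the lecture): a Python sketch of why the more specific /24 wins route selection and how the provider-side customer filter mentioned above would have rejected it, using the two prefixes listed on this slide. The customer allow-list (a documentation range) and the destination addresses are constructed.

```python
import ipaddress

# Announcements as listed on the slide: (prefix, origin label).
ANNOUNCEMENTS = [
    ("208.65.152.0/22", "YouTube"),
    ("208.65.153.0/24", "Pakistan Telecom"),
]

# Constructed allow-list of prefixes the provider expects from each customer.
# 203.0.113.0/24 is a documentation range standing in for real address space.
CUSTOMER_PREFIXES = {"Pakistan Telecom": ["203.0.113.0/24"]}


def best_route(dst, routes):
    """Longest-prefix match: origin of the most specific covering route."""
    addr = ipaddress.ip_address(dst)
    covering = [(ipaddress.ip_network(p), origin) for p, origin in routes
                if addr in ipaddress.ip_network(p)]
    if not covering:
        return None
    return max(covering, key=lambda r: r[0].prefixlen)[1]


def accept_from_customer(prefix, customer, allowed=CUSTOMER_PREFIXES):
    """Provider-side filter: accept only prefixes inside the customer's space."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(a))
               for a in allowed.get(customer, []))


def filtered_routes(routes, customers=CUSTOMER_PREFIXES):
    """Drop customer announcements that fail the filter; keep all others."""
    return [(p, origin) for p, origin in routes
            if origin not in customers
            or accept_from_customer(p, origin, customers)]
```

Without the filter, a destination inside the /24 follows the hijacked route while the rest of the /22 still reaches YouTube; with the filter applied at the direct provider, the /24 never enters the table.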
THE ANATOMY OF WEB CENSORSHIP IN
PAKISTAN
• Testing a list of blocked sites which is publicly available ~300
URLs
• Whittled down from 500 because some sites were offline,
duplicates etc.
• VPN terminating in the US was used to ensure that the sites
were indeed up and were being blocked in Pakistan
• Procedure (for each URL)
• Perform DNS lookup on local + 3rd party DNS server
• Try to open a connection to the IP
• Test for URL-keyword filtering (append the URL to
Google.com). Expected result is a 404 Not Found; if not ->
censorship
• HTTP request to the site
• Tests performed on 5 networks (2 University, 2 Home, 1
cellular)
RESULTS
O PAKISTAN, WE STAND ON GUARD FOR THEE
Citizen Lab report on Netsweeper being used in Pakistan
(title is reference to a line in the Canadian national anthem)
• After Pakistan solicited proposals for their filtering system an
advocacy group (Access) started a petition calling on
technology companies to announce that they would not bid on
the project.
• Several major IT companies supported the petition
• 5 declined to comment: Huawei, ZTE, Blue Coat, McAfee, &
Netsweeper
• In previous ONI research block pages with company logos
were common, but over time this decreased
BACKGROUND: NETSWEEPER
• Canadian-based provider of Web content filtering + threat
management products
• Used for state-sanctioned censorship in several countries:
• Qatar, UAE, Kuwait, and Yemen
• Enables bulk filtering on specific categories (e.g., Adult,
Entertainment, Information)
• + specific URLs and custom categories
• These URL lists are central to their business
• Web site boasts 5B categorized URLs and 10M URL
categorization requests per day
HOW CITIZEN LAB LOCATED NETSWEEPER
• Searched using www.shodanhq.com to find the IP of
Netsweeper installations in Pakistan
• E.g., search for URL paths like /webadmin/deny
• Located the IP: 202.125.134.154
http://202.125.134.154/webadmin/deny/index.php
ON THE SAME IP…
http://202.125.134.154/webadmin/start
OK … BUT IS THIS CENSORSHIP?
• Netsweeper could be used in a corporate setting as opposed
to at the national level
• Many user reports of seeing the same block page that
Netsweeper generates on multiple ISPs
• More IPs in PTCL found hosting Netsweeper
IN COUNTRY TESTING
• To validate online reports The Citizen Lab ran tests to confirm
• Web page accessed in Pakistan + Toronto, results manually
compared
• List of 1465 URLs tested
• Observed a mix of DNS and blockpage blocking
<iframe src="http://202.125.134.154/webadmin/deny/?dpid=1&dpruleid=78&cat=104&ttl=0&groupname=PTCL2&policyname=PTCL2policy&username=MMBB-9-WLL&userip=X.X.X.X&connectionip=127.0.0.1&nsphostname=X&protocol=policyprocessor&dplanguage=-&url=X" width="100%" height="100%" frameborder=0></iframe>
HANDS ON ACTIVITY
Look at the Netsweeper testing page:
http://denypagetests.netsweeper.com/
Run wireshark while doing the “test”
Look at the HTTP connections it makes
How might we use a page like this to measure censorship? What
might make this hard?
Search www.shodanhq.com for webadmin/deny to find
Netsweeper devices around the world.
HANDS ON ACTIVITY
RIPEstat page for AS 12880:
https://stat.ripe.net/AS12880#tabId=at-a-glance
Try looking up other Iranian networks
NDT data in Google
http://www.google.com/publicdata/explore?ds=e9krd11m38onf_&ctype=l&strail=false&bcs=d&nselm=h&met_y=download_throughput&scale_y=lin&ind_y=false&rdim=country&idim=country:364&ifdim=country&ind=false
OOKLA Speed test:
http://www.google.com/publicdata/explore?ds=z8ii06k9csels2_&ctype=l&met_y=avg_download_speed