DNS injection and China's Great Firewall (GFW)

Questions and Answers

What is the primary function of DNS censorship?

  • To encrypt internet traffic for enhanced security.
  • To enforce control and censorship over Internet infrastructure. (correct)
  • To improve network performance by optimizing DNS queries.
  • To protect users from malware and phishing attacks.

Which of the following best characterizes the Great Firewall of China (GFW)?

  • A transparent system that allows full access to all websites.
  • An opaque system that employs various techniques to censor internet traffic and block access to foreign websites. (correct)
  • A tool used to monitor network performance and diagnose connectivity issues.
  • An open-source project focused on improving internet speed.

How does the GFW typically block access to a domain name?

  • By injecting fake DNS record responses. (correct)
  • By encrypting traffic to the domain, making it inaccessible.
  • By rerouting traffic through a proxy server for monitoring.
  • By physically disconnecting the server hosting the domain.

Which statement reflects the consensus regarding the locality of GFW nodes?

  • GFW nodes are only present at the edge ISPs. (correct)

What does 'centralized management' imply in the context of the GFW?

  • A central entity (the GFW manager) orchestrates blocklists across the network. (correct)

How does the GFW manage the distribution of its workload?

  • By load balancing between processes based on source and destination IP addresses. (correct)

What is the main function of organizations that track the GFW?

  • To monitor Chinese censorship of domains on a continuous basis. (correct)

Which of the following techniques is used by the GFW, as revealed by researchers, to censor internet access?

  • DNS injection. (correct)

Which process is the cornerstone of DNS injection?

  • Injecting forged DNS replies that censor network traffic. (correct)

In measurements that probed open resolvers inside China for restricted domains, what fraction of responses did the GFW pollute?

  • Over 99.9% (correct)

What is the primary action taken during the packet dropping censorship technique?

  • All network traffic going to a set of specific IP addresses is discarded. (correct)

What is the main disadvantage of using packet dropping as a censorship technique?

  • Risk of overblocking. (correct)

What happens in DNS poisoning?

  • A DNS server receives a query and returns an incorrect answer, or no answer at all. (correct)

What is one of the advantages of DNS poisoning compared to packet dropping?

  • No overblocking. (correct)

What is the main function of proxy-based content inspection?

  • To pass all network traffic through a proxy where it is examined for objectionable content. (correct)

When a client sends a request containing flaggable keywords and receives TCP RST packets, what does this indicate?

  • The client's request has triggered a censorship mechanism. (correct)

How does the immediate reset of connections technique work?

  • By immediately suspending traffic coming from a source for a short period of time. (correct)

Why is DNS manipulation difficult to measure?

  • Understanding of censorship around the world is relatively limited, and measurements have depended on volunteers in each country. (correct)

What issue does Iris address to counter the lack of diversity in studying DNS manipulation?

  • It uses open DNS resolvers located all over the globe. (correct)

What is indicated by the withdrawal of previously advertised prefixes from the global routing state of the network?

  • A routing disruption indicative of censorship. (correct)

Flashcards

DNS Censorship

A large-scale network traffic filtering strategy to enforce control and suppress objectionable material.

Great Firewall of China (GFW)

An opaque system that uses techniques to censor internet traffic and block access to foreign websites in China

GFW Function

Injecting fake DNS record responses to block access to a domain name.

Packet Dropping

Discarding all network traffic going to specific IP addresses.

DNS Poisoning

Answering a DNS query with an incorrect response (or none at all) so the user's request is redirected or fails.

Proxy-based Content Inspection

Letting all network traffic pass through a proxy where it is examined for objectionable content.

IDS-based Content Inspection

Using parts of an IDS to inspect network traffic.

Blocking with Resets

Sending a TCP reset (RST) to block connections with objectionable content.

Immediate Reset of Connections

Suspending of traffic coming from a source immediately, for a short period of time.

Connectivity Disruption

Using software to interrupt routing or packet forwarding mechanisms.

Routing Disruption

Interfering with the routing mechanism (BGP) that decides which parts of the network are reachable, for example by withdrawing prefixes.

Packet Filtering

Blocking packets that match certain criteria, disrupting the normal forwarding action.

Augur

System that uses a reflector and a potentially blocked site, observed from a third measurement machine through the reflector's IP ID side channel, to detect filtering between the two hosts.

Study Notes

  • DNS censorship is a network traffic filtering method used to enforce control over internet infrastructure and suppress objectionable material.
  • China's Great Firewall (GFW) exemplifies large-scale DNS censorship, using various techniques to censor internet traffic and block access to foreign websites.
  • GFW injects fake DNS record responses to block access to domain names and its functionality is deduced through reverse engineering.
  • The consensus is that GFW nodes are present only at the edge ISPs, i.e. where Chinese networks connect to the outside.
  • Centralized management orchestrates blocklists for the GFW.
  • The GFW load-balances injection across multiple processes, selected by source and destination IP address, which collectively send the injected DNS responses.
  • Organizations like greatfire.org (since 2011) and hikinggfw.org (since 2012) monitor Chinese censorship.
  • One of the main censorship techniques implemented by GFW is based on DNS injection.

DNS Injection

  • The GFW employs DNS injection, a common censorship technique: a ruleset decides when to inject forged DNS replies in order to censor network traffic.
  • When open resolvers inside China were probed for restricted domains, over 99.9% of the responses came back polluted.
  • Measurement works by sending DNS probes for test domains to open DNS resolvers inside China.
  • The GFW inspects each query on the path and checks the queried name against a blocklist of domains and keywords.
  • If the name is blocked, a fake DNS A record response is injected back to the querier.
  • There are two levels of blocking domains: the first is by directly blocking the domain, and the second one is by blocking it based on keywords present in the domain.
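The following is an added example that models the mechanism described above; it is not code from the lesson or from any real censorship system. It parses an A query in DNS wire format, applies a two-level blocklist (exact domains and keywords appearing anywhere in the name), and on a hit builds a forged response that reuses the query's transaction ID so a stub resolver will accept it. The blocklist entries, the forged address (a TEST-NET-3 address) and the TTL are constructed placeholders.

```python
"""Model of a DNS-injecting on-path censor (added example; constructed blocklist)."""
import struct

# Constructed two-level blocklist: hypothetical values, not real GFW rules.
BLOCKED_DOMAINS = {"blocked.example", "www.blocked.example"}
BLOCKED_KEYWORDS = {"forbidden"}
FAKE_ANSWER = "203.0.113.7"   # TEST-NET-3 address standing in for the forged IP
FAKE_TTL = 300


def build_query(name: str, txid: int) -> bytes:
    """Encode a standard recursive A query for `name` in DNS wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(pkt: bytes, offset: int = 12):
    """Decode the first question name; return (name, offset just past it)."""
    labels = []
    while True:
        ln = pkt[offset]
        offset += 1
        if ln == 0:
            break
        if ln & 0xC0:  # compression pointers do not occur in a question name
            raise ValueError("unexpected compression pointer in question")
        labels.append(pkt[offset:offset + ln].decode())
        offset += ln
    return ".".join(labels), offset


def classify(name: str) -> str:
    """Which blocklist level fires for `name`: 'domain', 'keyword' or 'allow'."""
    n = name.lower().rstrip(".")
    if n in BLOCKED_DOMAINS or any(n.endswith("." + d) for d in BLOCKED_DOMAINS):
        return "domain"
    if any(k in n for k in BLOCKED_KEYWORDS):
        return "keyword"
    return "allow"


def inject(query: bytes):
    """Decide whether to inject; return forged response bytes on a hit, else None."""
    txid, flags, qdcount = struct.unpack(">HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:  # only act on queries with one question
        return None
    name, end = parse_qname(query)
    qtype, _qclass = struct.unpack(">HH", query[end:end + 4])
    if qtype != 1 or classify(name) == "allow":
        return None
    # Forged header: same txid (so the stub accepts it), QR=1 RD=1 RA=1, one answer.
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = query[12:end + 4]
    # Answer RR: name pointer to offset 12, TYPE A, CLASS IN, TTL, RDLENGTH 4, address.
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, FAKE_TTL, 4)
    rr += bytes(int(octet) for octet in FAKE_ANSWER.split("."))
    return header + question + rr


def answer_ip(response: bytes) -> str:
    """Extract the dotted quad from the single A record in a forged response."""
    return ".".join(str(b) for b in response[-4:])


if __name__ == "__main__":
    for qname in ("www.blocked.example", "news.forbidden-site.test", "example.org"):
        forged = inject(build_query(qname, 0x1234))
        print(qname, classify(qname), answer_ip(forged) if forged else "no injection")
```

The injector never needs to be the querier's resolver: it only has to see the query and get its forged reply to the client before the real answer arrives, which is why the measurement technique in the notes (probing resolvers inside China and watching what comes back) works even when the probed address is not a resolver at all.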

Packet Dropping

  • All network traffic to specific IP addresses is discarded.
  • Strength: Easy to implement and low cost.
  • Weakness: Challenging to maintain the blocklist and risk of overblocking.

DNS Poisoning

  • DNS poisoning: a DNS query for resolving a hostname to an IP address receives no response, or an incorrect one that redirects or misleads the user's request.
  • Strength: no overblocking, because access can be denied to specific hostnames rather than whole IP addresses.

Content Inspection

Proxy-based content inspection

  • All network traffic passes through a proxy, where it is examined for content; the proxy rejects requests with objectionable content.
  • Strength: Achieves precise censorship.
  • Strength: Works with hybrid security systems.
  • Weakness: Not scalable because it is expensive on a large scale network due to processing overhead.

Intrusion detection system (IDS) based content inspection

  • Uses parts of an IDS to inspect network traffic.
  • An IDS is easier to deploy and more cost effective than a full proxy.

Blocking with Resets

  • The GFW sends a TCP reset (RST) to block connections with objectionable content by identifying requests containing flaggable keywords.

Immediate Reset of Connections

  • Systems like GFW employ blocking rules to suspend traffic from a source immediately for a short period.
  • Even legitimate GET requests may receive resets from the firewall for a variable duration after a questionable request.

Challenges of Measuring DNS Manipulation

  • Anecdotal evidence indicates DNS manipulation impacts at least 60 countries, but understanding is limited.
  • Measurements must span different geographic regions, ISPs, countries, and regions within a single country.
  • Since political dynamics can vary within a country, different ISPs in the same country may filter differently.
  • Measurements were initially reliant on volunteers.
  • There is a need for methods and tools independent of human intervention.

Identifying Intent

  • It is hard to distinguish natural variation in the DNS responses for a domain (e.g. CDNs returning different addresses in different locations) from deliberate manipulation.

Ethics and Minimizing Risks

  • Risks are associated with implicating citizens in censorship based on how different countries penalize access to censored material.
  • It is better to rely on open DNS resolvers hosted in internet infrastructure, not home networks.

Censorship Detection Systems

  • Global censorship measurement tools were created to measure censorship, such as CensMon and OpenNet Initiative.
  • Augur is a new system created to perform longitudinal global measurements using TCP/IP side channels, focusing on IP-based disruptions instead of DNS.

DNS Censorship: A Global Measurement Methodology

  • Iris identifies DNS manipulation by comparing responses from many open resolvers against consistency and independent-verifiability metrics, rather than trusting any single resolver's answer.
  • Iris uses open DNS resolvers located all over the globe restricted to a few thousand that are part of the Internet infrastructure, instead of home routers.
  • Perform global DNS queries across thousands of open DNS resolvers.
  • Annotate the IP addresses with additional information, such as geo-location, AS, and port 80 HTTP responses.
  • Additional PTR and TLS scanning avoids discrepancies that could cause Iris to label virtual hosting as DNS inconsistencies.

Consistency Metrics

  • Responses for a domain should agree with the control resolvers on at least one of: IP address, AS, HTTP content, HTTPS certificate, or PTR records (the PTR check accounts for CDNs, whose edge addresses vary).

Independent Verifiability Metrics

  • Responses can also be checked against external data sources that are independent of the measurement.
  • An example is the HTTPS certificate: the returned IP presents a valid certificate for the domain when connected to with SNI. If neither the consistency nor the independent-verifiability metrics are satisfied, the response is labelled manipulated.
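As an added example (not Iris's own code), the function below applies the two-stage labelling described in the Consistency Metrics and Independent Verifiability Metrics notes: a resolver's answer is accepted if it shares any consistency metric with the control resolvers, otherwise accepted if the returned host presents a valid certificate for the domain, and labelled manipulated only when both stages fail. The metadata fields mirror what the notes say Iris annotates (AS, port-80 content, TLS certificate, PTR). All IPs, ASNs, hashes and names are constructed placeholders, and the PTR comparison is a deliberate simplification of Iris's handling of CDN reverse names.

```python
"""Iris-style labelling of DNS responses (added example; constructed data)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Annotated:
    """One resolver's answer for a domain plus the annotations collected about it."""
    ip: str
    asn: Optional[int]                          # AS owning the address, None if unknown
    http_hash: Optional[str]                    # hash of the page fetched from ip on port 80
    tls_names: FrozenSet[str] = frozenset()     # names in a valid cert served with SNI=domain
    ptr: Optional[str] = None                   # reverse-DNS name of ip


def fqdn_matches(domain: str, names: FrozenSet[str]) -> bool:
    """True if `domain` is covered by one of the certificate names (exact or wildcard)."""
    parent = domain.split(".", 1)[1] if "." in domain else ""
    return domain in names or ("*." + parent) in names


def ptr_base(ptr: Optional[str]) -> Optional[str]:
    """Reduce a PTR to its last two labels so CDN edges (a1.cdn.test, b7.cdn.test) compare equal."""
    return ".".join(ptr.split(".")[-2:]) if ptr else None


def consistent(resp: Annotated, controls: List[Annotated]) -> Optional[str]:
    """Name of the first consistency metric shared with a control answer, else None."""
    for c in controls:
        if resp.ip == c.ip:
            return "ip"
        if resp.asn is not None and resp.asn == c.asn:
            return "as"
        if resp.http_hash and resp.http_hash == c.http_hash:
            return "http"
        if resp.tls_names and resp.tls_names == c.tls_names:
            return "tls"
        if resp.ptr and ptr_base(resp.ptr) == ptr_base(c.ptr):
            return "ptr"
    return None


def independently_verifiable(domain: str, resp: Annotated) -> bool:
    """Independent check: does the returned host present a valid certificate for the domain?"""
    return fqdn_matches(domain, resp.tls_names)


def label(domain: str, resp: Annotated, controls: List[Annotated]) -> str:
    """Return 'consistent:<metric>', 'verified', or 'manipulated'."""
    metric = consistent(resp, controls)
    if metric:
        return "consistent:" + metric
    if independently_verifiable(domain, resp):
        return "verified"
    return "manipulated"


# Constructed control answers for a CDN-hosted domain (placeholder values).
DOMAIN = "www.target.example"
CONTROLS = [
    Annotated("198.51.100.10", 64500, "h-cdn", frozenset({"*.target.example"}), "a1.cdn.test"),
    Annotated("198.51.100.11", 64500, "h-cdn", frozenset({"*.target.example"}), "a2.cdn.test"),
]


def run_demo() -> dict:
    """Label three constructed answers: another CDN edge, a different host with a valid cert, an injected address."""
    cases = {
        "cdn_edge": Annotated("198.51.100.77", 64500, "h-cdn", frozenset({"*.target.example"}), "b7.cdn.test"),
        "other_host": Annotated("203.0.113.5", 64501, "h-other", frozenset({"www.target.example"})),
        "injected": Annotated("203.0.113.99", 64502, "h-block", frozenset(), "blockpage.isp.test"),
    }
    return {name: label(DOMAIN, resp, CONTROLS) for name, resp in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:11s} {verdict}")
```

The order of checks matters for the ethics note above as well: because the decision rests on consistency with controls and on verifiable certificates, a single resolver returning an unusual but legitimately hosted address (the `other_host` case) is not mislabelled as censorship.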

Connectivity Disruptions

  • Censorship can also be achieved by disrupting connectivity itself rather than filtering individual requests.
  • Highest level of internet censorship would be to completely block access to the Internet.
  • A more subtle approach is to use software to interrupt the routing or packet forwarding mechanisms
  • Routing disruption uses BGP to communicate updates, and disrupting it can cause unreachability.
  • Withdrawing previously advertised prefixes, or re-advertising them with different properties, modifies the global routing state so the affected networks become unreachable.
  • Packet filtering blocks packets matching certain criteria, disrupting normal forwarding action.

2011 Case Study

  • In early 2011, Internet connectivity was disabled in North African countries, with Egypt and Libya studied in detail.
  • On January 25 access to Twitter was blocked in Egypt, and on January 27 there was a complete Internet shutdown.
  • On February 17, YouTube was blocked in Libya.
  • An Internet curfew occurred on February 18, and on March 3, Internet access was disabled completely for around 4 days.
  • Data was gathered from geolocation data, BGP control-plane data, darknet (unsolicited background) traffic, and active forward-path probing.
  • In Egypt, essentially all routes to Egyptian networks were withdrawn via BGP, which the state-owned infrastructure made possible.
  • A single AS dominates Libya's Internet; it experienced three outages.
  • During the first two outages in Libya, 12 out of the 13 prefixes delegated to Libya were withdrawn.

Augur System: Detection

  • Augur uses a third host, the measurement machine, to detect filtering between two other hosts without any vantage point inside the censored network.
  • The two hosts are a reflector, which maintains a global IP ID counter, and a site that is potentially blocked; the measurement machine infers whether packets between them are being filtered.

IP ID

  • Every IPv4 packet a host sends carries a 16-bit IP ID, used to reassemble fragmented packets; many hosts assign it from a single global counter, and that counter is the side channel Augur reads.

Probing

  • The measurement machine monitors the reflector's IP ID by sending it a TCP SYN-ACK; the reflector, which has no connection matching it, replies with a TCP RST whose IP ID reveals the current counter value.

Perturbation

  • The measurement machine sends a spoofed TCP SYN to the site with the reflector's address as its source; the site answers the reflector with a SYN-ACK, and if that SYN-ACK arrives, the reflector sends a RST and increments its IP ID counter.

Scenarios

  • The walkthrough starts the reflector's IP ID counter at 5, so the first probe returns 6.
  • No filtering: the site's SYN-ACK reaches the reflector, whose RST takes the counter to 7; the second probe returns 8, an increment of 2.
  • Inbound blocking (site to reflector): the SYN-ACK never arrives, so the second probe returns 7, an increment of 1.
  • Outbound blocking (reflector to site): the reflector's RST never reaches the site, which keeps retransmitting its SYN-ACK; each retransmission draws another RST, so the counter advances by more than 2.
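To make the three scenarios concrete, here is an added simulation (not Augur's code) of the probe/perturb/probe sequence from the measurement machine's point of view. The reflector has a single global IP ID counter starting at 5 as in the walkthrough; the site retransmits an unanswered SYN-ACK a constructed two times; the `infer` function turns the observed delta into a verdict. The hosts and counts are constructed, and the model has no background traffic.

```python
"""Simulation of Augur's IP ID side channel (added example; constructed hosts)."""
from enum import Enum


class Filtering(Enum):
    NONE = "no filtering"
    INBOUND = "inbound blocking"    # site -> reflector packets are dropped
    OUTBOUND = "outbound blocking"  # reflector -> site packets are dropped


class Reflector:
    """Host with one global IP ID counter shared by every packet it sends."""

    def __init__(self, initial_ipid: int):
        self.ipid = initial_ipid

    def send(self) -> int:
        """Send one packet (here always a RST) and return the IP ID it carried."""
        self.ipid = (self.ipid + 1) % 65536
        return self.ipid


class Site:
    """Server that answers a SYN with a SYN-ACK and retransmits it if no RST/ACK returns."""

    def __init__(self, synack_retransmits: int):
        self.retransmits = synack_retransmits

    def synacks_for_one_syn(self, rst_reaches_site: bool) -> int:
        # A RST answering the first SYN-ACK tears the half-open state down; if the
        # RST is filtered, the site keeps retransmitting the SYN-ACK.
        return 1 if rst_reaches_site else 1 + self.retransmits


def probe(reflector: Reflector) -> int:
    """Measurement machine sends a SYN-ACK to the reflector; the RST exposes its IP ID."""
    return reflector.send()


def perturb(reflector: Reflector, site: Site, filtering: Filtering) -> None:
    """Measurement machine spoofs a SYN (source = reflector) to the site."""
    if filtering is Filtering.INBOUND:
        return  # the site's SYN-ACKs never reach the reflector
    synacks = site.synacks_for_one_syn(rst_reaches_site=filtering is Filtering.NONE)
    for _ in range(synacks):
        reflector.send()  # the reflector RSTs each unsolicited SYN-ACK


def run(filtering: Filtering, initial_ipid: int = 5, retransmits: int = 2):
    """Return (ipid_before, ipid_after) as observed by the measurement machine."""
    reflector, site = Reflector(initial_ipid), Site(retransmits)
    before = probe(reflector)
    perturb(reflector, site, filtering)
    after = probe(reflector)
    return before, after


def infer(before: int, after: int) -> Filtering:
    """Classify the path from the IP ID delta across the perturbation (16-bit wraparound)."""
    delta = (after - before) % 65536
    if delta == 1:
        return Filtering.INBOUND   # only our own probe moved the counter
    if delta == 2:
        return Filtering.NONE      # one RST to the site plus our probe
    return Filtering.OUTBOUND      # retransmitted SYN-ACKs each drew a RST


if __name__ == "__main__":
    for f in Filtering:
        before, after = run(f)
        print(f"{f.value:18s} IP ID {before} -> {after}  inferred: {infer(before, after).value}")
```

The real system cannot use fixed thresholds like this: the reflector's counter is also advanced by unrelated traffic, so Augur repeats the sequence many times and uses statistical tests over the observed deltas, and it only selects reflectors whose counters are confirmed to be globally shared and slow-moving.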
