Quack: Scalable Remote Measurement of Application-Layer Censorship #2
Labels
reading group
summaries and discussions of research papers and other publications
Comments
wkrp
added
the
reading group
wkrp
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
"Quack: Scalable Remote Measurement of Application-Layer Censorship"
Benjamin VanderSloot, Allison McDonald, Will Scott, J. Alex Halderman, Roya Ensafi
https://censorbib.nymity.ch/#VanderSloot2018a
https://www.usenix.org/conference/usenixsecurity18/presentation/vandersloot
Quack is a system for remote measurement of application-layer censorship. It takes advantage of the echo protocol (TCP port 7, RFC 862), which reflects any messages it receives back to the sender. The basic idea is that you send an application message (like an HTTP request or a TLS ClientHello with SNI) to an echo server, and check what it sends back to you. If there is a censor on the path, it has the opportunity to interfere with the message in either direction. In practice, there are a few more complications: you repeat the test a few times, you test both likely censored and likely uncensored messages against the same echo server, and you do a check a few minutes later as a check to see if the echo server went offline. The authors compare Quack with other remote measurement systems: Augur for TCP/IP, and Satellite and Iris for DNS.
They present results of a worldwide test of Quack. They do a ZMap scan and find about 5M hosts with port 7 open; however only about 50K of them actually echo, and some of these are unreliable. Nevertheless, they found 80 countries with at least 15 echo servers. They tested URLs from the Citizen Lab test list, the Alexa top 100K, and dummy control domains like testN.example.com. They tested each URL in both HTTP request and TLS ClientHello form. A clever idea that I like is that they also targeted discard servers (port 9, RFC 863), which simply eat their input and send nothing back. If a message experiences interference when sent to an echo server, but not when it is sent to a discard server, it means the censor probably practices outbound, not inbound blocking. After weeding out a couple of manually identified false positives, they find blocking in 13 countries, a lot of the usual suspects: China, Egypt, Iran, Jordan, Kazakhstan, South Korea, Thailand, Turkey, UAE, and Uzbekistan. Notably absent are Belarus, Russia, Pakistan, and Vietnam: the authors suppose that these well-known censors use other means such as DNS poisoning. Also notable are different blocking proportions across HTTP and TLS.
The text was updated successfully, but these errors were encountered: