[CN notes] Internet Surveillance and Censorship

莉森羊
5 min read · Dec 24, 2022


Recap of earlier CN notes: link

Contents:
What is DNS censorship?
What are the properties of GFW (Great Firewall of China)?
How does DNS injection work?
What are the three steps involved in DNS injection?
List five DNS censorship techniques and briefly describe their working principles.
Which DNS censorship technique is susceptible to overblocking?
What are the strengths and weaknesses of the “packet dropping” DNS censorship technique?
What are the strengths and weaknesses of the “DNS poisoning” DNS censorship technique?
What are the strengths and weaknesses of the “content inspection” DNS censorship technique?
Our understanding of censorship around the world is relatively limited. Why is it the case? What are the challenges?
What are the limitations of main censorship detection systems?
What kind of disruptions does Augur focus on identifying?
How does Iris counter the issue of lack of diversity while studying DNS manipulation? What are the steps associated with the proposed process?
What are the steps involved in the global measurement process using DNS resolvers?
What metrics does Iris use to identify DNS manipulation once data annotation is complete? Describe the metrics. Under what condition do we declare the response as being manipulated?
How is it possible to achieve connectivity disruption using the routing disruption approach?
How is it possible to achieve connectivity disruption using the packet filtering approach?
Explain a scenario of connectivity disruption detection in the case when no filtering occurs.
Explain a scenario of connectivity disruption detection in the case of inbound blocking.
Explain a scenario of connectivity disruption detection in the case of outbound blocking.

What is DNS censorship?

A large-scale network traffic filtering strategy adopted by a network operator to enforce control and censorship over Internet infrastructure, suppressing material that the operator deems objectionable.

What are the properties of GFW (Great Firewall of China)?

  1. Locality of GFW nodes — majority view is that GFW censorship nodes are present at the edge.
  2. Centralized management — blocklists obtained from two distinct GFW locations show a high possibility of a central GFW management entity that orchestrates blocklists.
  3. Load balancing — GFW load balances between processes based on source and destination IP address.

How does DNS injection work?

For DNS requests that are blocked by the GFW, the GFW will respond with a fake DNS record to prevent the client from reaching the requested content.

What are the three steps involved in DNS injection?

  • DNS probe is sent to a DNS resolver
  • The probe is checked against the blocklist
  • A fake DNS A record response is sent back if the request matches the blocklist. The direct domain can be blocked, or specific domain keywords can be blocked.

List five DNS censorship techniques and briefly describe their working principles.

  1. Packet dropping — all traffic to specific IP addresses is dropped
  2. DNS poisoning — return no answer, or return an incorrect answer
  3. Content inspection — all traffic traverses a proxy and is inspected for objectionable content; if it matches, it is dropped
  4. Blocking with resets — sends a TCP reset (RST) to block individual connections that contain requests with objectionable content
  5. Immediate reset of connections — suspends traffic coming from a source immediately, for a short period of time

Which DNS censorship technique is susceptible to overblocking?

Packet dropping

What are the strengths and weaknesses of the “packet dropping” DNS censorship technique?

Strengths:

  • Easy to implement
  • Low cost

Weaknesses:

  • Maintenance of the blocklist
  • Overblocking

What are the strengths and weaknesses of the “DNS poisoning” DNS censorship technique?

Strengths:

  • No overblocking: because there is an additional hostname-resolution layer, access to specific hostnames can be blocked rather than blocking whole IP addresses.

Weaknesses:

  • Blocks the entire domain. While a website is being blocked, e-mail contact with that domain is also blocked.

What are the strengths and weaknesses of the “content inspection” DNS censorship technique?

Strengths:

  • Precise censorship
  • Flexible

Weaknesses:

  • Not scalable

Our understanding of censorship around the world is relatively limited. Why is it the case? What are the challenges?

  1. Diverse measurements: a diverse set of measurements is needed, spanning different geographic regions, ISPs, countries and regions within a single country. We need broad longitudinal measurements to understand the heterogeneity of Internet manipulation and DNS manipulation worldwide, across countries, resolvers and domains.
  2. Need for scale: initially, methods for measuring Internet censorship relied on volunteers running measurement software on their own devices. Because this requires them to actually install the software and perform the measurements, this approach is unlikely to reach the required scale. Methods and tools that are independent of human intervention and participation are needed.
  3. Identifying the intent to restrict content access: while identifying inconsistent or anomalous DNS responses helps detect a variety of underlying causes, such as misconfiguration, identifying DNS manipulation is different: it requires us to detect the intent to block access to content, which poses its own challenges. We therefore need to rely on multiple signals to infer DNS manipulation.
  4. Ethics and minimizing risks: clearly, depending on how different countries may punish access to censored material, there are risks for citizens who participate in censorship measurement studies. It is therefore safer to avoid using DNS resolvers or DNS forwarders located in individual users' home networks, and instead rely on open DNS resolvers hosted in Internet infrastructure, for example at Internet service providers or cloud hosting providers.

What are the limitations of main censorship detection systems?

They either no longer exist or rely upon volunteers performing measurements, which can cause them to get in trouble with their local governments.

What kind of disruptions does Augur focus on identifying?

This system focuses on IP-based disruptions, not DNS-based manipulations.

How does Iris counter the issue of lack of diversity while studying DNS manipulation? What are the steps associated with the proposed process?

Iris uses open DNS resolvers located all over the globe. The two main steps are:

  1. Scanning the Internet’s IPv4 space for open DNS resolvers
  2. Identifying infrastructure DNS resolvers

What are the steps involved in the global measurement process using DNS resolvers?

  1. Perform global DNS queries
  2. Annotating DNS responses with auxiliary information
  3. Additional PTR and TLS scanning

What metrics does Iris use to identify DNS manipulation once data annotation is complete? Describe the metrics. Under what condition do we declare the response as being manipulated?

  1. Consistency metrics
  2. Independent verifiability metrics

If neither of these metrics is satisfied, the response is declared manipulated.
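To make the two metrics concrete, here is an added example (not code from the post or from the Iris project) that applies the rule above to annotated DNS answers. It assumes a simplified annotation record (returned IPs, their ASNs, PTR names and TLS certificate names), a control answer from trusted resolvers, and constructed sample data using documentation IP ranges and private ASNs; the real system uses more consistency signals than the three modelled here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Annotated:
    """One resolver's answer for `domain` after annotation with auxiliary data (assumed schema)."""
    domain: str
    ips: frozenset        # A records the resolver returned (empty = no answer)
    asns: frozenset       # origin ASN of each returned IP
    ptr_names: frozenset  # reverse-DNS (PTR) names of the returned IPs
    tls_names: frozenset  # names in the certificate served on port 443 by the returned IPs


def is_consistent(resp: Annotated, control: Annotated) -> bool:
    """Consistency metric: the answer agrees with the control resolvers on at least one
    of IP address, ASN or PTR name. An empty answer can never be consistent."""
    return (bool(resp.ips & control.ips)
            or bool(resp.asns & control.asns)
            or bool(resp.ptr_names & control.ptr_names))


def _cert_covers(name: str, domain: str) -> bool:
    """True if a certificate name (possibly a wildcard) is valid for `domain`."""
    if name.startswith("*."):
        return domain.endswith("." + name[2:])
    return name == domain


def is_verifiable(resp: Annotated) -> bool:
    """Independent verifiability metric: a returned IP proves on its own that it serves the
    domain, either by presenting a matching TLS certificate or by having a PTR record
    inside the queried domain."""
    d = resp.domain.lower().rstrip(".")
    cert_ok = any(_cert_covers(n.lower().rstrip("."), d) for n in resp.tls_names)
    ptr_ok = any(p.lower().rstrip(".") == d or p.lower().rstrip(".").endswith("." + d)
                 for p in resp.ptr_names)
    return cert_ok or ptr_ok


def is_manipulated(resp: Annotated, control: Annotated) -> bool:
    """The page's rule: manipulated only when neither metric is satisfied."""
    return not (is_consistent(resp, control) or is_verifiable(resp))


# Constructed sample data (TEST-NET addresses, private ASNs, .test domains).
DOMAIN = "www.example.test"
CONTROL = Annotated(DOMAIN, frozenset({"203.0.113.10"}), frozenset({64500}),
                    frozenset({"web1.example.test"}), frozenset({"*.example.test"}))

RESPONSES = {
    # Same IP as the control resolvers: consistent.
    "resolver-honest": Annotated(DOMAIN, frozenset({"203.0.113.10"}), frozenset({64500}),
                                 frozenset({"web1.example.test"}), frozenset({"*.example.test"})),
    # Different IP and ASN (e.g. a CDN edge) but a valid certificate: verifiable, not manipulated.
    "resolver-cdn": Annotated(DOMAIN, frozenset({"198.51.100.7"}), frozenset({64501}),
                              frozenset({"edge7.cdn.test"}), frozenset({"*.example.test"})),
    # Unrelated IP serving a block page: neither consistent nor verifiable.
    "resolver-blockpage": Annotated(DOMAIN, frozenset({"192.0.2.1"}), frozenset({64502}),
                                    frozenset({"blockpage.isp.test"}), frozenset({"blockpage.isp.test"})),
    # No answer at all ("DNS poisoning" by returning nothing): also flagged.
    "resolver-noanswer": Annotated(DOMAIN, frozenset(), frozenset(), frozenset(), frozenset()),
}


def classify_all(responses=RESPONSES, control=CONTROL) -> dict:
    """Map each resolver name to True if its answer is declared manipulated."""
    return {name: is_manipulated(r, control) for name, r in responses.items()}


if __name__ == "__main__":
    for name, flagged in classify_all().items():
        print(f"{name:22s} manipulated={flagged}")
```

The CDN case is the reason the verifiability metric exists: a consistency check alone would mis-flag every geographically distributed site whose edge IPs differ from the control view.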

How is it possible to achieve connectivity disruption using the routing disruption approach?

Withdrawing previously advertised prefixes using BGP

How is it possible to achieve connectivity disruption using the packet filtering approach?

Packets meeting certain criteria are blocked, disrupting the normal forwarding action.

Explain a scenario of connectivity disruption detection in the case when no filtering occurs.

When no filtering occurs, the measurement machine sees the reflector's IP ID increase by 2: one increment for the RST the reflector sends in reply to the site's SYN-ACK, and one for its reply to the measurement machine's probe. This means the two hosts communicated.

Explain a scenario of connectivity disruption detection in the case of inbound blocking.

Traffic from the reflector to the site containing objectionable data is blocked. Thus, the IP ID only increases by 1 because the SYN-ACK from the site never reaches the reflector.

Explain a scenario of connectivity disruption detection in the case of outbound blocking.

Outbound reset packets from the reflector do not reach the site. The site will continue to send SYN-ACK packets until it receives an ACK, causing the reflector’s IP ID to increase by 2 each time.
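The three scenarios above can be checked side by side with an added simulation (my example, not code from the post or from the Augur project). It assumes a reflector whose IP ID counter is global and increments by 1 per packet sent, a measurement machine that reads that counter once per interval, and a site that retransmits its SYN-ACK every interval until a RST reaches it; the simulation ignores the background traffic that makes real counters noisy.

```python
class Reflector:
    """Host with a single global IP ID counter, incremented once per packet it sends."""

    def __init__(self, start: int = 1000):
        self.ip_id = start

    def send(self) -> int:
        self.ip_id += 1
        return self.ip_id


def simulate(mode: str, intervals: int = 3) -> list:
    """Return the per-interval IP ID deltas the measurement machine observes.

    mode is one of "none" (no filtering), "inbound" (site -> reflector blocked)
    or "outbound" (reflector -> site blocked). Assumed timeline per interval:
    the site (re)sends a SYN-ACK if it has not yet seen a RST, then the
    measurement machine probes the reflector and reads its IP ID.
    """
    if mode not in ("none", "inbound", "outbound"):
        raise ValueError(f"unknown mode {mode!r}")
    reflector = Reflector()
    deltas = []
    prev = reflector.send()          # baseline probe reply before the spoofed SYN
    site_waiting_for_rst = True      # site keeps retransmitting SYN-ACK until a RST arrives
    for _ in range(intervals):
        if site_waiting_for_rst and mode != "inbound":
            reflector.send()         # SYN-ACK arrived: reflector answers with a RST (+1)
            if mode == "none":
                site_waiting_for_rst = False   # RST reached the site, it stops
            # outbound: the RST is dropped, so the site retransmits next interval
        # inbound: the SYN-ACK never arrives, the reflector sends nothing extra
        cur = reflector.send()       # reply to the measurement machine's probe (+1)
        deltas.append(cur - prev)
        prev = cur
    return deltas


def classify(deltas: list) -> str:
    """Map an observed delta pattern to the scenario described in the notes."""
    if not deltas:
        return "inconclusive"
    if all(d == 1 for d in deltas):
        return "inbound blocking"
    if deltas[0] == 2 and all(d == 1 for d in deltas[1:]):
        return "no filtering"
    if all(d == 2 for d in deltas):
        return "outbound blocking"
    return "inconclusive"


if __name__ == "__main__":
    for mode in ("none", "inbound", "outbound"):
        d = simulate(mode)
        print(f"{mode:9s} deltas={d} -> {classify(d)}")
```

Because a delta of 1 is also what a reflector shows when the site is simply down, a single probe cannot separate inbound blocking from an unreachable site; the published system repeats the measurement and applies a statistical test rather than trusting one run as this toy does.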
