对Telex互联网反监管系统的攻击

doi:10.3969/j.issn.1000-436x.2014.09.005

Abstract

Abstract:

As a typical router-redirecting based anticensorship system,Telex poses new challenges for Internet censors.To help common users evade Internet censorship,Telex employs network routers,rather than end-hosts,to relay network traffics to blocked destinations.The security of Telex from the censors' perspective is analyzed,and two kinds of active attacks aiming to break users' privacy are presented.The first is a kind of DoS attack,which exploits a security flaw of Telex handshake protocol.It can probabilistically identify the users who are using Telex,as well as break the availability of Telex.An improved handshake protocol to remedy the flaw is also proposed.The second is called TCP packets by-passing attack.Under that attacking scenario,censors make a small fraction of TCP packets from clients bypass the router and reach the cover site directly through asymmetric routing paths or IP tunnels,then determine whether a user is utiliz-ing Telex by observing the reaction of upstream traffic.The feasibility of bypassing attack has been testified by a series of experiments in a prototype environment.The bypassing attack is also applicable to other router-redirecting based anti-censorship systems.

Key words: Internet censorship, router-redirecting, user privacy, DoS attack

Long-hai LI,Cheng-qiang HUANG,Wan-xing WANG,Jian-jun MU. Attacks on Telex Internet anticensorship system[J]. Journal on Communications, 2014, 35(9): 40-56.

Figures/Tables 13

References 20

[1]	ERIC W , SCOTT W , IAN G , et al. Telex: anticensorship in the net-work infrastructure[A]. Proceedings of the 20th USENIX Security Symposium[C]. San Francisco,USA, 2011.
[2]	AMIR H , GIANG T K N , CAESAR M , NIKITA B . Cirripede: cir-cumvention infrastructure using router redirection with plausible de-niability[A]. Proceedings of the 18th ACM conference on Computer and Communications Security (CCS 2011)[C]. Chicago,IL,USA, 2011.187-200.
[3]	JOSH K , DANIEL E , ALDEN W , et al. Decoy routing: toward un-blockable Internet communication[A]. Proceedings of the USENIX Workshop on Free and Open Communications on the Internet (FOCI 2011)[C]. 2011.
[4]	RICHARD C , STEVEN J M , ROBERT N M W , et al. Ignoring the great firewall of China[A]. Proceedings of the Sixth Workshop on Privacy Enhancing Technologies (PET 2006)[C]. Cambridge,UK, 2006.20-35.
[5]	TARIQ E , IAN G . CORDON — A Taxonomy of Internet Censorship Resistance Strategies[R]. CACR Tech Report 2012-33, 2012.
[6]	PHILIPP W , STEFAN L . How the great firewall of China is blocking[A]. Proceedings of the USENIX Workshop on Free and Open Communications on the Internet (FOCI 2012)[C]. 2012.
[7]	QIYAN W , XUN G , GIANG T K , et al. CensorSpoofer: asymmetric communication using IP spoofing for censorship-resistant web browsing[A]. Proceedings of the 19th ACM conference on Computer and Communications Security (CCS 2012)[C]. 2012.
[8]	MAX S , JOHN G , CHRISTOPHER T , et al. Routing around decoys[A]. Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012)[C]. Raleigh,USA, 2012.85-96.
[9]	HOUMANSADR A , EDMUND L W , VITALY S . No direction home:the true cost of routing around decoys[A]. Proceedings of the Network and Distributed Security Symposium (NDSS 2014)[C]. 2014.
[10]	ANDREW H . Fingerprinting websites using traffic analysis[A]. Pro-ceedings of Privacy Enhancing Technologies workshop (PET 2002)[C]. 2002.
[11]	Cooperative association for Internet data analysis (CAIDA)[EB/OL]. .
[12]	Telex[EB/OL]. .
[13]	Netfilter/Iptables[EB/OL]. .
[14]	Squid[EB/OL]. .
[15]	TOBY E , LI J . On the state of IP spoofing defense[J]. ACM Transac-tions on Internet Technology, 2009,9(2):1-29.
[16]	The MIT ANA Spoofer project[EB/OL]. .
[17]	Internet Traffic Report[EB/OL]. .
[18]	Netem/TC[EB/OL]. .
[19]	HomeIP[EB/OL]. .
[20]	WITS[EB/OL]. .

Metrics

Recommended 0

No Suggested Reading articles found!

站点		HOST错误			页面缺失		CONNECT请求
站点	响应码		分组长度	响应码		分组长度	响应码	分组长度
bing.com	400		403	301		306*	400	426
google.com	400		462	404		1 172*	405	1 141
amazon.com	忽略		—	404		15 298	400	176
walmart.com	400		403	404		57 892*	400	426
wikipedia.org	400		200*	404		3 314*	400	3 256*
usatoday.com	400		403	301		226	400	426
msn.com	301		295*	404		41 195*	400	472
yahoo.com	302		545	404		1 021	302	545
aol.com	忽略		—	404		23 141*	503	188
apple.com	400		403	404		10 201*	400	426
hotmail.com	忽略		—	302		137*	400	503
bbc.co.uk	301		688	404		18 053	301	632
lycos.com	301		485	404		2 190	400	415
flickr.com	404		210	404		17 287*	400	66
imdb.com	301		1 018*	404		478	400	176

数据集	P_Loss=0%		P_Loss=1%		P_Loss=5%
数据集	Telex客户	普通客户	Telex客户	普通客户	Telex客户	普通客户
HomeIP	1	0	1	0.009	1	0.054
WAND	1	0	1	0.013	1	0.063
Random	1	0	1	0.011	1	0.052

Attacks on Telex Internet anticensorship system

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 13

References 20

Related Articles 15

Metrics

Recommended 0

[1]	Ming XU, Baojun ZHANG, Yiming WU, Chenduo YING, Ning ZHENG. Cyber attacks and privacy protection distributed consensus algorithm for multi-agent systems [J]. Journal on Communications, 2023, 44(3): 117-127.
[2]	Bin YU, Nan ZHANG, Xu LU, Zhenhua DUAN, Cong TIAN. Runtime verification approach for DoS attack detection in edge servers [J]. Journal on Communications, 2021, 42(9): 75-86.
[3]	CHEN Xingshu,HUA Qiang,WANG Yitong,GE Long,ZHU Yi. Research on low-rate DDoS attack of SDN network in cloud environment [J]. Journal on Communications, 2019, 40(6): 210-222.
[4]	Hongyan QIAN,Hao XUE,Ming CHEN. UDM:NFV-based prevention mechanism against DDoS attack on SDN controller [J]. Journal on Communications, 2019, 40(3): 116-124.
[5]	Junfeng TIAN,Liuling QI. DDoS attack detection method based on conditional entropy and GHSOM in SDN [J]. Journal on Communications, 2018, 39(8): 140-149.
[6]	Heng HE,Yan HU,Lianghan ZHENG,Zhengyuan XUE. Efficient DDoS attack detection and prevention scheme based on SDN in cloud environment [J]. Journal on Communications, 2018, 39(4): 139-151.
[7]	Le-yi SHI,Hui SUN,Yu-wen CUI,Hong-bin GUO,Jian-lan LI. Web plug-in paradigm for anti-DoS attack based on end hopping [J]. Journal on Communications, 2017, 38(Z1): 19-24.
[8]	Meng YUE,Kun LI,Zhi-jun WU. SAPA-based approach for defending DoS attacks in cloud computing [J]. Journal on Communications, 2017, 38(4): 129-139.
[9]	Miao WANG,Li-ming WANG,Zhen XU,Duo-he MA. Research on DDoS detection in multi-tenant cloud based on entropy change [J]. Journal on Communications, 2016, 37(Z1): 204-210.
[10]	Jin-bo XIONG,Wei-wei SHEN,Yang-qun HUANG,Zhi-qiang YAO. Security sharing and associated deleting scheme for multi-replica in cloud [J]. Journal on Communications, 2015, 36(Z1): 136-140.
[11]	Jiang-hong GUO,AJian-feng M. Multi-user broadcast authentication scheme in wireless sensor networks with defending against DoS attacks [J]. Journal on Communications, 2011, 32(4): 94-102.
[12]	Guang JIN,Fei ZHANG,Jiang-bo QIAN,Hong-hao ZHANG. DDoS defense with IP traceback and path identification [J]. Journal on Communications, 2011, 32(2): 61-67.
[13]	Jun-feng TIAN,Hong-tao ZHU,Dong-dong SUN,Zhi-ming BI,Qian LIU. Model of coorperation defense DDoS attack based on client reputation [J]. Journal on Communications, 2009, 30(3): 12-20.
[14]	Guang JIN,Jian-gang YANG,Yuan LI,Hui-zhan ZHANG. Optimal path identification to defend against DDoS attacks [J]. Journal on Communications, 2008, 29(9): 46-53.
[15]	Qing-qi PEI,Yu-long SHEN,Jian-feng MA. Survey of wireless sensor network security techniques [J]. Journal on Communications, 2007, 28(8): 113-122.