Detecting Intentional Packet Drops on the Internet via TCP/IP Side Channels
- 1.7k Downloads
We describe a method for remotely detecting intentional packet drops on the Internet via side channel inferences. That is, given two arbitrary IP addresses on the Internet that meet some simple requirements, our proposed technique can discover packet drops (e.g., due to censorship) between the two remote machines, as well as infer in which direction the packet drops are occurring. The only major requirements for our approach are a client with a global IP Identifier (IPID) and a target server with an open port. We require no special access to the client or server. Our method is robust to noise because we apply intervention analysis based on an autoregressive-moving-average (ARMA) model. In a measurement study using our method featuring clients from multiple continents, we observed that, of all measured client connections to Tor directory servers that were censored, 98% of those were from China, and only 0.63% of measured client connections from China to Tor directory servers were not censored. This is congruent with current understandings about global Internet censorship, leading us to conclude that our method is effective.
KeywordsPacket Loss Packet Loss Rate Packet Drop Packet Reordering USENIX Association
Unable to display preview. Download preview PDF.
- 1.arma: Research problem: Five ways to test bridge reachability. Tor Blog (December 1, 2011), https://blog.torproject.org/blog/research-problem-five-ways-test-bridge-reachability
- 2.Antirez: new tcp scan method. Posted to the bugtraq mailing list (December 18, 1998)Google Scholar
- 3.Lyon, G.: Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Insecure.Org LLC, Sunnyvale, CA, USA (2009)Google Scholar
- 4.Ensafi, R., Park, J.C., Kapur, D., Crandall, J.R.: Idle port scanning and non-interference analysis of network protocol stacks using model checking. In: Proceedings of the 19th USENIX Security Symposium, USENIX Security 2010. USENIX Association (2010)Google Scholar
- 5.Ensafi, R., Knockel, J., Alexander, G., Crandall, J.R.: Detecting intentional packet drops on the Internet via TCP/IP side channels: Extended version CoRR abs/1312.5739 (2013), http://arxiv.org/abs/1312.5739
- 6.Alexa: Alexa top 1,000,000 sites, http://www.alexa.com/topsites
- 7.MaxMind: How accurate are your GeoIP databases? http://www.maxmind.com/en/faq#accurate
- 8.Winter, P., Lindskog, S.: How the Great Firewall of China is Blocking Tor. In: Free and Open Communications on the Internet. USENIX Association (2012)Google Scholar
- 12.Morbitzer, M.: TCP Idle Scans in IPv6. Master’s thesis, Radboud University Nijmegen, The Netherlands (2013)Google Scholar
- 13.Madhyastha, H.V., Isdal, T., Piatek, M., Dixon, C., Anderson, T., Krishnamurthy, A., Venkataramani, A.: iPlane: an information plane for distributed services. In: Proceedings of the 7th Symposium on Operating Systems Design and Implementation, OSDI 2006, pp. 367–380. USENIX Association, Berkeley (2006)Google Scholar