TY - GEN
T1 - Network measurement methods for locating and examining censorship devices
AU - Raman, Ram Sundara
AU - Wang, Mona
AU - Dalek, Jakub
AU - Mayer, Jonathan
AU - Ensafi, Roya
N1 - Publisher Copyright:
© 2022 Owner/Author.
PY - 2022/11/30
Y1 - 2022/11/30
N2 - Advances in networking and firewall technology have led to the emergence of network censorship devices that can perform large-scale, highly-performant content blocking. While such devices have proliferated, techniques to locate, identify, and understand them are still limited, require cumbersome manual effort, and are developed on a case-by-case basis. In this paper, we build robust, general-purpose methods to understand various aspects of censorship devices, and study devices deployed in 4 countries (Azerbaijan, Belarus, Kazakhstan, and Russia). We develop a censorship traceroute method, CenTrace, that automatically identifies the network location of censorship devices. We use banner grabs to identify vendors from potential censorship devices. To collect more features about the devices themselves, we build a censorship fuzzer, CenFuzz, that uses various HTTP request and TLS Client Hello fuzzing strategies to examine the rules and triggers of censorship devices. Finally, we use features collected using these methods to cluster censorship devices and explore device characteristics across deployments. Using CenTrace measurements, we find that censorship devices are often deployed in ISPs upstream to clients, sometimes even in other countries. Using data from banner grabs and injected block-pages, we identify 23 commercial censorship device deployments in Azerbaijan, Belarus, Kazakhstan, and Russia. We observe that certain CenFuzz strategies such as using a different HTTP method succeed in evading a large portion of these censorship devices, and observe that devices manufactured by the same vendors have similar evasion behavior using clustering. The methods developed in this paper apply consistently and rapidly across a wide range of censorship devices and enable continued understanding and monitoring of censorship devices around the world.
KW - censorship
KW - measurement
KW - network fingerprinting
UR - http://www.scopus.com/inward/record.url?scp=85144815894&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85144815894&partnerID=8YFLogxK
U2 - 10.1145/3555050.3569133
DO - 10.1145/3555050.3569133
M3 - Conference contribution
AN - SCOPUS:85144815894
T3 - CoNEXT 2022 - Proceedings of the 18th International Conference on emerging Networking EXperiments and Technologies
SP - 1
EP - 17
BT - CoNEXT 2022 - Proceedings of the 18th International Conference on emerging Networking EXperiments and Technologies
PB - Association for Computing Machinery, Inc
T2 - 18th ACM Conference on Emerging Networking Experiment and Technologies, CoNEXT 2022
Y2 - 6 December 2022 through 9 December 2022
ER -