The setup
Client resides inside the censor-controlled network.
Destination is outside.
Client has control over its own computer (e.g. no censor malware).
You can assume necessary software is installed at the client, destination,
or some other host.
How might a middlebox detect that a client
is trying to access a prohibited destination
and/or prohibited information?
(What happens when you enter a URL into a browser?)
(What happens when you start a mobile app?)
(What information is externally visible?)
http://example.com/article
https://example.com/article
How might a middlebox detect that a client
is trying to access a prohibited destination
and/or prohibited information?
DNS query
Destination IP address
URL path (unencrypted only)
Keywords (unencrypted only)
TLS SNI
Client IP address?
Packet sizes and timing (website fingerprinting)?
Correlation with other connections?
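To make "what information is externally visible" concrete, here is an added Python example (not code from the lecture) that plays the role of a passive observer on the path. It parses the first client payload of a connection: for plaintext HTTP it recovers the request line, the path and the Host header; for TLS it recovers only the server name from the ClientHello's SNI extension, since the path and everything after the handshake are encrypted. The HTTP request and the ClientHello are constructed by hand (the ClientHello is a minimal, structurally valid record, not a browser capture), and the function names are this example's own.

```python
"""What a passive observer on the path can read from the first client
payload of an HTTP request and of a TLS connection.

Added example for this lecture, not code from the slides. The HTTP request
and the TLS ClientHello are constructed by hand; the ClientHello is a
minimal, structurally valid record, not a capture from a real browser.
"""
import struct

# Plaintext HTTP: request line, path and Host header are all readable.
HTTP_REQUEST = (                                   # constructed sample
    b"GET /article HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: constructed-sample/1.0\r\n"
    b"\r\n"
)

def http_visible_fields(request):
    head = request.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return {"method": method.decode(), "path": path.decode(), "host": headers.get("host")}

def build_client_hello(server_name):
    """Minimal TLS ClientHello record whose only extension is server_name (SNI)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list         # extension type 0 = server_name
    body = (b"\x03\x03"                                               # client_version 1.2
            + bytes(32)                                               # random (zeros; constructed)
            + b"\x00"                                                 # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                      # one cipher suite
            + b"\x01\x00"                                             # one compression method (null)
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record type 22 = handshake

def tls_sni(record):
    """SNI host name from a ClientHello record, or None if it is not a ClientHello or has no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                   # skip client_version and random
    off += 1 + body[off]                           # session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # cipher_suites
    off += 1 + body[off]                           # compression_methods
    if off + 2 > len(body):
        return None                                # no extensions block
    end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4]); off += 4
        if etype == 0:                             # server_name: 2-byte list length, then (type, len, name) entries
            p = off + 2
            while p + 3 <= off + elen:
                ntype, nlen = body[p], struct.unpack("!H", body[p + 1:p + 3])[0]
                if ntype == 0:
                    return body[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        off += elen
    return None

def observer_view(first_payload):
    """What a middlebox learns about the destination from the first client bytes of a connection."""
    if first_payload[:1] == b"\x16":
        return {"protocol": "tls", "host": tls_sni(first_payload), "path": None}   # path stays encrypted
    f = http_visible_fields(first_payload)
    return {"protocol": "http", "host": f["host"], "path": f["path"]}

if __name__ == "__main__":
    print(observer_view(HTTP_REQUEST))
    print(observer_view(build_client_hello("example.com")))
```

Run as a script, the first line shows host and path for the http://example.com/article request, and the second shows only the host for the https:// version: the two URLs on the slide differ exactly in whether the path is visible to the middlebox.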
Having detected something it wants to prevent,
how might a middlebox block a connection?
Drop packets
Blackhole an IP address (or port)
Inject false DNS responses
Inject HTTP redirect to a block page (unencrypted only)
Inject TCP RST packet
(Why might a censor inject packets,
rather than drop packets?)
Throttle (slow down the connection)?
DNS resolution from the command line
Unix
$ dig dw.com
Windows
C:\> nslookup dw.com
DNS resolution from the command line
$ dig dw.com
; <<>> DiG 9.16.27-Debian <<>> dw.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38878
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 3ac724b645b5a654a84cbd86638e0171387afb6f2a19e232 (good)
;; QUESTION SECTION:
;dw.com. IN A
;; ANSWER SECTION:
dw.com. 183 IN A 194.55.26.46
dw.com. 183 IN A 194.55.30.46
;; Query time: 0 msec
;; SERVER: 128.255.1.3#53(128.255.1.3)
;; WHEN: Mon Dec 05 14:34:25 UTC 2022
;; MSG SIZE rcvd: 95
DNS injection (Turkmenistan)
95.85.120.6 is the IP address of a host located in Turkmenistan.
(It's not a DNS server though!)
What happens when you send a DNS query through
the firewall hosts that surround Turkmenistan's network?
Unix
$ dig @95.85.120.6 dw.com
Windows
C:\> nslookup dw.com 95.85.120.6
DNS injection (Turkmenistan)
$ dig @95.85.120.6 dw.com
; <<>> DiG 9.16.27-Debian <<>> @95.85.120.6 dw.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31984
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;dw.com. IN A
;; ANSWER SECTION:
dw.com. 30 IN A 127.0.0.1
;; Query time: 247 msec
;; SERVER: 95.85.120.6#53(95.85.120.6)
;; WHEN: Mon Dec 05 14:37:07 UTC 2022
;; MSG SIZE rcvd: 40
Reference:
Bidirectional DNS, HTTPS, HTTP injection in Turkmenistan.
DNS injection (China)
159.226.244.24 is the IP address of a host located in China.
(Also not a DNS server.)
Unix
$ dig @159.226.244.24 dw.com
Windows
C:\> nslookup dw.com 159.226.244.24
DNS injection (China)
$ dig @159.226.244.24 dw.com
; <<>> DiG 9.16.27-Debian <<>> @159.226.244.24 dw.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35901
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;dw.com. IN A
;; ANSWER SECTION:
dw.com. 237 IN A 31.13.87.9
;; Query time: 220 msec
;; SERVER: 159.226.244.24#53(159.226.244.24)
;; WHEN: Mon Dec 05 14:47:44 UTC 2022
;; MSG SIZE rcvd: 40
Reference:
How Great is the Great Firewall? Measuring China's DNS Censorship.
DNS injection
The DNS injection systems in Turkmenistan
and China are bidirectional,
meaning they don't make a distinction between inbound and outbound packets.
This property makes them easy to study.
(Remote censorship measurement systems like
Censored Planet
take advantage of this and other properties,
to measure levels of censorship without needing
a physical presence in another country.)
Not all forms of censorship are this easy
to test and see.
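The three dig transcripts above (the genuine answer for dw.com, the 127.0.0.1 answer from the Turkmenistan path, the 31.13.87.9 answer from the China path) can be checked mechanically. The following Python is an added example, not code from the lecture or from the referenced papers: it builds the DNS query in wire format, parses replies, and reports simple indicators of injection. The reply bytes are constructed by hand to match the dig output (same addresses, TTLs, EDNS cookie and message sizes of 95 and 40 bytes); they are not captured packets. The indicator checks are this example's own heuristics, based on what differs in the transcripts: the injected replies carry no EDNS OPT record even though the query did, and the Turkmenistan reply points at a non-routable address. Function names and the `trusted` parameter are assumptions of this example.

```python
"""Build a DNS A query and check a response for signs of injection.

Added example for this lecture, not code from the slides. The three responses
are constructed by hand to mirror the dig output above (the two-address
answer with an EDNS cookie from a genuine resolver, the 127.0.0.1 answer seen
on the Turkmenistan path, the 31.13.87.9 answer seen on the China path); they
are not captured packets. The indicator checks are simple heuristics.
"""
import ipaddress
import struct

def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, txid):
    # Header: id, flags RD, QDCOUNT 1, ANCOUNT 0, NSCOUNT 0, ARCOUNT 1 (the OPT record)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)        # type A, class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, 0)           # EDNS0: root name, type OPT, UDP size 1232
    return header + question + opt

def build_response(txid, name, answers, opt_rdata=None):
    """Constructed reply: flags qr rd ra, one question, A records, optional OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0 if opt_rdata is None else 1)
    msg = header + encode_name(name) + struct.pack("!HH", 1, 1)
    for ttl, addr in answers:   # 0xC00C = compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(addr).packed
    if opt_rdata is not None:
        msg += b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(opt_rdata)) + opt_rdata
    return msg

def decode_name(msg, off):
    """Return (name, offset after the name); follows compression pointers."""
    labels, resume = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                        # two-byte pointer
            if resume is None:
                resume = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (off if resume is None else resume)

def parse_message(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers, has_opt = 12, [], [], False
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 41:
            has_opt = True
        elif rtype == 1 and rdlen == 4:
            answers.append((name, ttl, str(ipaddress.IPv4Address(rdata))))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers, "has_opt": has_opt}

def injection_indicators(query, response, trusted=None):
    """Heuristic signs that `response` was not produced by the resolver the query was sent to."""
    q, r = parse_message(query), parse_message(response)
    found = []
    if r["id"] != q["id"]:
        found.append("transaction id does not match the query")
    if r["questions"] != q["questions"]:
        found.append("question section does not echo the query")
    if q["has_opt"] and not r["has_opt"]:
        found.append("EDNS OPT record missing from reply (ADDITIONAL: 0 although the query carried EDNS)")
    for _, _, addr in r["answers"]:
        ip = ipaddress.IPv4Address(addr)
        if ip.is_loopback or ip.is_private or ip.is_unspecified or ip.is_reserved or ip.is_multicast:
            found.append(f"non-routable answer {addr}")
        elif trusted is not None and addr not in trusted:
            found.append(f"answer {addr} disagrees with trusted resolver")
    return found

# Constructed messages mirroring the slides' dig output (transaction id taken from the dig header).
COOKIE = bytes.fromhex("3ac724b645b5a654a84cbd86638e0171387afb6f2a19e232")
OPT_COOKIE = struct.pack("!HH", 10, len(COOKIE)) + COOKIE      # EDNS option code 10 = COOKIE
QUERY = build_query("dw.com", 31984)
GENUINE = build_response(31984, "dw.com", [(183, "194.55.26.46"), (183, "194.55.30.46")], OPT_COOKIE)
INJECTED_TM = build_response(31984, "dw.com", [(30, "127.0.0.1")])
INJECTED_CN = build_response(31984, "dw.com", [(237, "31.13.87.9")])

if __name__ == "__main__":
    for label, msg in [("genuine", GENUINE), ("turkmenistan", INJECTED_TM), ("china", INJECTED_CN)]:
        print(label, len(msg), "bytes:", injection_indicators(QUERY, msg, trusted={"194.55.26.46", "194.55.30.46"}))
```

Note what the local checks can and cannot see: the Turkmenistan reply is caught by the non-routable 127.0.0.1 answer alone, but the China reply returns a perfectly routable address, so it is only detected here by the missing OPT record or by comparing against an answer from a resolver you trust. That is why measurement projects ask the same question from outside the censored network and compare.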
Circumvention
What can a client do to circumvent a block
of some desired destination/information?
Against a naive censor:
Mirror sites
Ordinary proxy servers (SOCKS or HTTP)
SSH tunnels (ssh -D server)
VPNs
Against a sophisticated censor:
Need a proxy
Need an obfuscated protocol
In some cases you can do without a proxy or
a proxy protocol,
by crafting the contents of packets or application-layer payloads
to confuse middleboxes or take advantage of their blind spots.
GoodbyeDPI and
Zapret are examples
of tools that do this.
Geneva is a genetic programming system
that automatically finds flaws and inconsistencies
in middlebox packet processing.
Circumvention systems
Shadowsocks
is meant to be difficult to classify—encrypts everything
(even more than TLS).
Refraction networking
uses Internet routers as proxies for specially
marked network flows.
Snowflake
uses volunteer web browsers (running a special browser add-on)
as proxies.
Format-transforming encryption
encodes an encrypted stream to conform to a specification:
e.g. make traffic look like HTTP or like SSH.
Castle
encodes information as character movements
in online games.
All-in-one systems:
Key ideas in circumvention
The censor can use the system too,
and study how it works.
What prevents a censor from discovering
all your proxy IP addresses
and blocking them?
The key question is:
What does it cost a censor to block the system?
Protocol obfuscation is not enough.
You need to somehow protect the endpoints too.