Internet censorship and circumvention

Learning objectives

Understand definitions of censorship and circumvention.
See a demonstration of real network censorship by DNS response injection.
Identify flaws in common protocols that make them vulnerable to disruption.
Think about ways to mitigate those flaws and make communication more robust.

How do networks fail?

Specifically, how can an actor inside the network deliberately sabotage communication between two endpoints?

We call such forms of network interference censorship and techniques for avoiding censorship are called circumvention.

Model of Internet censorship

Diagram of a censorship model, with a 'client' node in the middle of a censor-controlled network, connected by network links to an outside 'destination' node.

The client is inside the censor's network.
The destination is outside.
The censor controls middleboxes (routers, firewalls, etc.) on the network paths between the client and the destination.

What happens when you make a network connection?

Connect to www.uiowa.edu.

DNS query and response
Usually one of:
- TCP connection to an IP address
  - HTTP or HTTPS
- QUIC connection to an IP address

If you were a censor middlebox, how could you prevent the network connection from working?

As a middlebox, you decide which packets pass and which get blocked. You can even send your own packets, with any source and destination IP address.

Ideas

Block all packets (Internet shutdown)
Block the DNS query
Block the DNS response
Forge a false DNS response
Block the TCP SYN segment (client→server)
Block the TCP SYN/ACK segment (server→client)
Forge a TCP RST packet to tear down a TCP connection
Forge a false HTTP response
Block all packets to or from the IP address of www.uiowa.edu

DNS response injection demo

Unix

$ dig www.uiowa.edu

Windows

C:\> nslookup www.uiowa.edu

$ dig www.uiowa.edu
; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> @1.1.1.1 www.uiowa.edu
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64865
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.uiowa.edu.                 IN      A

;; ANSWER SECTION:
www.uiowa.edu.          86400   IN      A       54.163.225.50

;; Query time: 84 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Dec 03 04:11:06 UTC 2024
;; MSG SIZE  rcvd: 58

DNS response injection demo (Turkmenistan)

95.85.120.6 is an IP address inside Turkmenistan. (Not a DNS resolver.)

Unix

$ dig @95.85.120.6 www.uiowa.edu

Windows

C:\> nslookup www.uiowa.edu 95.85.120.6

Sending a DNS query to the IP address in Turkmenistan times out—why?

$ dig @95.85.120.6 www.uiowa.edu
;; communications error to 95.85.120.6#53: timed out
;; communications error to 95.85.120.6#53: timed out
;; communications error to 95.85.120.6#53: timed out

; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> @95.85.120.6 www.uiowa.edu
; (1 server found)
;; global options: +cmd
;; no servers could be reached

What if we try a hostname that is censored in Turkmenistan, rsf.org?
(rsf.org = Reporters sans frontières = Reporters Without Borders.)

$ dig @95.85.120.6 rsf.org
; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> @95.85.120.6 rsf.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11777
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rsf.org.                       IN      A

;; ANSWER SECTION:
rsf.org.                600     IN      A       127.0.0.1

;; Query time: 312 msec
;; SERVER: 95.85.120.6#53(95.85.120.6) (UDP)
;; WHEN: Tue Dec 03 04:15:10 UTC 2024
;; MSG SIZE  rcvd: 41

This is a forged DNS response from a censorship firewall in Turkmenistan.

We can observe it here because the firewall censors DNS queries in both directions.

How does responding with the IP address 127.0.0.1 disrupt the connection?

How can we mitigate the protocol weaknesses that enable censorship by middleboxes?

How to mitigate interference with the DNS exchange?

How to mitigate interference with the TCP/QUIC connection?

How to mitigate interference with the HTTP/HTTPS exchange?

How to mitigate blocking of IP addresses?

The most important network signatures that enable blocking

DNS query name
Destination IP address
TLS server name indication (SNI)

How can future protocols be designed to be more resistant to interference by middleboxes, and better realize the end-to-end principle?

Summary

Network censorship is a problem for many ordinary Internet users.
Censorship is generally made possible because of weaknesses in common network protocols.
Circumvention technology can mitigate these weaknesses and make communication more resistant to blocking by censor middleboxes.

David Fifield
david@bamsoftware.com