Date post: 21-Jun-2020
Global Network Interference Detection over the RIPE Atlas Network Adventures in Pervasive Measurement Collin Anderson, Philipp Winter and Roya USENIX FOCI, August 2014

Global Network Interference Detection over the RIPE Atlas Network Adventures in Pervasive Measurement

Collin Anderson, Philipp Winter and Roya

USENIX FOCI, August 2014

Once Upon a Time Starting from the Dark Ages

For Now We See Through a Glass, Darkly.

• Early, aggressive examples of interference set a general practice of measuring from one location for one ISP per country, once in a while.

• Of most interest have been states where censorship is imposed at the international gateway and by government-aligned monopolies.

• Rarely bound to political or cultural events that may trigger changes in practices.

Filtering Norms

• Politicians and international organizations have promoted filtering in order to protect intellectual property and ‘save’ children.

• Large market pressures: filtering and surveillance equipment manufacturing is a growth industry.

• Evidence of some public acceptance for content restrictions, even in ‘democratic’ countries.

Filtering Norms

• The legitimacy of these actions is not within our scope; key presumptions:

• Filtering will be more of a legal compliance effort than a direct imposition of the state.

• We should anticipate greater diversity in practices and timing when filtering is a measure taken by third parties.

Detection is Another Growth Industry

• As filtering practices changed, the number of tools and principles for measurement has grown.

• In Development or Deployed: OONI, Herdict, ICLab, Satellite, Encore, CensorProbe, rTurtle.

• At Mass Scale: NDT, Glasnost, Netalyzr.

• Still, mostly one ISP on one network per country, once in a while.

The Globally-Distributed Atlas Network

• High geographic and topological diversity.

• Ping, Traceroute, DNS resolution, and X.509 certificate fetching.

• Push measurement rules over a relatively stable set of nodes.

• Closest platform to interference measurement at scale.

Measurement Granularity The Self Evident

| Country | Practices Seen | Time |
|---|---|---|
| Turkey | DNS Port Blocking | ~2012 |
| Russia | DNS | ~2012 |
| Syria | HTTP Inspection | ~2012 |

Measurement Granularity The Self Evident

| Country | ISP | Origination | Practice | Time | Resource |
|---|---|---|---|---|---|
| Turkey | Turksat | TurkTelecom | BGP Hijack | 3/28/2014 | YouTube |
| Russia | Intertax | Rostelecom | IP Redirection | 4/30/2014 | 208.93.0.190 |
| Syria | Tarrasul | PDE | HTTP Inspection | 6/2013 | Tor |

Examining Ephemeral Information Controls Through Atlas

Turkey Social Media Restrictions (March 2014)

Selective Compliance and Unilateral Disruption

Google DNS Blocking and Hijack in Turkey (March 2014)

Selective Compliance and Unilateral Disruption

Google DNS Normal Route in Turkey (March 2014)

Selective Compliance and Unilateral Disruption Google DNS Blocking (March 21)

Selective Compliance and Unilateral Disruption

Google DNS Normal Route in Turkey (March 2014)

Selective Compliance and Unilateral Disruption Google DNS Hijack (March 29)

Selective Compliance and Unilateral Disruption Google DNS Hijack (April 2)

Selective Compliance and Unilateral Disruption Google DNS Hijack (April 3)

Selective Compliance and Unilateral Disruption Google DNS Hijack (April 7)

Validating Measurements

• We anticipate that filtering mechanisms will coordinate answers less than legitimate services (across ASNs, regions or countries).

• Begin to flag answers based on differences in:

• SSL Certificate Hostnames and Certification Validation

• Seen End Transit Providers

• Expected Timing

• Obviously Fake Answers (localhost and RFC1918 Addresses)

• Consensus based pools of reasonable answers.
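
An added example (not from the slides or the authors' code) of the last two checks on this slide: it flags localhost and RFC 1918 answers, then builds a consensus pool from answers reported in several countries and marks everything else as an outlier. The probe tuples, country codes, ASNs and the `min_countries` threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (probe_id, country, asn, A-record answer) for one hostname.
# Public-looking answers use documentation ranges (RFC 5737).
SAMPLE = [
    (1, "DE", 64500, "198.51.100.10"),
    (2, "US", 64501, "198.51.100.10"),
    (3, "FR", 64502, "198.51.100.11"),
    (4, "JP", 64503, "198.51.100.10"),
    (5, "BR", 64504, "198.51.100.11"),
    (6, "XX", 64510, "10.10.34.34"),    # RFC 1918 answer
    (7, "XX", 64511, "127.0.0.1"),      # localhost answer
    (8, "YY", 64520, "203.0.113.66"),   # only ever seen inside one country
    (9, "YY", 64521, "203.0.113.66"),
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def obviously_fake(answer):
    """True for localhost and RFC 1918 answers to a public hostname."""
    ip = ipaddress.ip_address(answer)
    return ip.is_loopback or any(ip in net for net in RFC1918)

def consensus_pool(results, min_countries=2):
    """Answers reported from at least min_countries distinct countries."""
    seen = defaultdict(set)
    for _probe, country, _asn, answer in results:
        if not obviously_fake(answer):
            seen[answer].add(country)
    return {a for a, countries in seen.items() if len(countries) >= min_countries}

def flag(results, min_countries=2):
    """Label each probe's answer as 'fake', 'consensus' or 'outlier'."""
    pool = consensus_pool(results, min_countries)
    labels = {}
    for probe, _country, _asn, answer in results:
        if obviously_fake(answer):
            labels[probe] = "fake"
        elif answer in pool:
            labels[probe] = "consensus"
        else:
            labels[probe] = "outlier"   # needs review, not proof of filtering
    return labels

if __name__ == "__main__":
    for probe, label in sorted(flag(SAMPLE).items()):
        print(probe, label)
```

An outlier label only marks an answer for review; a regional CDN node can produce one too, which is why the slide lists certificate, transit and timing checks alongside it.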

Beyond the Nefarious Middle Box Traffic Inspection

Path Interdiction and Heterogeneous Techniques

Route Interdiction Russia LiveJournal Addresses

Rostelecom Interdiction Russia LiveJournal Addresses

‘Valid’ LiveJournal Traffic Russia LiveJournal Addresses

Живой Журнал New Compliance

March 13: navalny banned, A record 208.93.0.190.

April 5: pauluskp A: 208.93.0.150.

April 11: pauluskp banned, listed A of 208.93.0.190.

April 21: m-athanasios.livejournal banned with A record of 208.93.0.190.

Late April: 1,450 LiveJournal blogs in Alexa top 1 million, address 208.93.0.150. Four 208.93.0.190, all designated by Roskomnadzor.

LiveJournal A Record of Doom 208.93.0.190

Живой Журнал Enjoy Summer Vacation, Roskomnadzor Style

Model Properties of an Interference Detection Platform

• Controls are often ephemeral and issued without forewarning, requiring push-based measurement rules.

• Validation requires client environment documentation (e.g. DNS Settings, Network Type).

• Data collection should be longitudinal and frequent over a normal interval.

• Heterogeneous technical regimes require heterogeneous technical datasets.

• Idiosyncrasies in host networks require normalization.

Ethics and Measurement (Atlas Edition)

• Atlas presents a legitimate question of consent.

• RIPE’s Terms of Service do not provide guidance.

• Popular social media platforms and major content providers:

• Requests for social media from third-party sites are common due to the pervasive inclusion of recommendation systems and included media content.

• The only cases we know of where browsing of content led to attention from law enforcement are cases of child pornography.

• Navalny’s blog was an Alexa Top 1000 site, in the top hundreds in Russia. Tor Project is within the top 10,000; the peak number of daily users of the network in Turkey at the time was 70,000.

Ethics and Measurement (Atlas Edition)

However, these are piecemeal attempts to legitimize target choice; they are not a systemic framework.

Conclusions

• Widespread proliferation presents its own model of measurement validation.

• Within heterogeneous filtering regimes, we should expect greater diversity in implementation, including cheating and slow deployment of rules.

• Atlas provides an early look at the opportunities and impediments ahead for pervasive interference detection, but lingering ethical concerns and available measurement types limit future feasibility.

Thank You.

Code and Data: cartography.io