code for Tor is released
• 2006, April - Thailand - DNS Filtering of tpo
• 2006, Websense/netfilter - Block Tor based on Tor GET requests
• 2007, Iran, Saudi - Blocks Tor thanks to Websense
• 2009, Iran throttles SSL
• 2009, Tunisia - Smartfilter to block all except 443, 80
• 2009, China blocks public relays
• 2009, Tor bridges are introduced
• 2010, China starts collecting and blocking bridges
• 2011, Iran by DPI on DH parameter in SSL
• 2011, Egypt selected targeted sites for blocking
• 2011, Libya, throttling to limit use
• 2011, Syria, DPI on Tor’s TLS renegotiation and killed connections
• 2011, Iran DPI on SSL and TLS certificate timeline
For more details on these events, see “How governments have tried to block Tor”

2012, Iran total SSL blockage
• 2012, China proactive censorship evolutions
• February - March 2012, Kazakhstan
• 22 May 2012, Ethiopia
• 25 June 2012, UAE, Tor blocking via DPI

traffic
• Selective blocking of IP Address and TCP port combinations
• Some keyword filtering
• Not nationwide, certain areas no SSL traffic.
• February 2012, First real world deployment of obfsproxy

• IP:Port blocking (layer 4)
• RST based filtering (layer 4, active, easy circumvention)
• HTTP blocking (layer 5)
• Detection techniques
• Active probing of *every* SSL connection (speaking Tor protocol)
• Tor fingerprints for TLS Hello
• Philip Winter, Fabio Pietrosanti worked on understanding active Chinese probing.

in Zhanaozen
• Previously
• IP address blocking
• DNS based blocking
• DPI SSL blocking
• JSC KazTransCom starts blocking SSL traffic based on client key exchange
• Some businesses affected (no SSL, no IPSEC, no PPTP, no certain VPNs)
• Obfsproxy used

(Tor)
• Help people circumvent censorship (Tor, Tor Bridges)
• Measure Internet filtering in the world (OONI-Probe)
• Help people speak freely and anonymously (Tor Hidden Services, APAF)

either:
• Closed source
• Closed methodologies
• Closed data
• OONI is to be:
• Free Software
• using Open and described methodologies
• publishing all the collected data with Open License

results
• Open License (Creative Commons by Attribution)
• People will independently draw their conclusions based on the *data*
• Data-driven journalism, Political Science studies, Anti-Censorship activism.

Network filtering (“Is my network traffic being tampered with?”)
• Content restrictions (“What is being blocked?”)
• Filtering technique (“How is it being blocked?”, “What software are they using?”)

of the test logic
• Takes an input and performs measurements on the test network
• It can run the test on the local network or send it to a remote Node (SOCKS, OONIProxy, PlanetLab, etc.)

a difference between an inbound traceroute and an outbound traceroute for certain source and destination ports, this may be an indication of traffic being routed to interception devices.
• Header field manipulation: By varying the capitalization and adding certain headers to layer 7 protocols, it is possible to detect on the receiving end whether the traffic has been tampered with.

Host header field of an HTTP request to that of the site one wishes to check for censorship.
• DNS lookup: This involves doing a DNS lookup for the hostname in question. If the lookup result does not match the expected result, the site is marked as being censored.
• Keyword filtering: This involves sending and receiving data that contains certain keywords and matching for censorship. It is possible to use the bisection method to determine which subset of keywords is triggering the filter.
• HTTP scan: This involves doing a full connection to the site in question. If the content does not match the expected result, then a censored flag is raised.
• Traceroute: This involves doing TCP, UDP, ICMP traceroute for certain destination addresses. If there are discrepancies in the paths with locations in the vicinities, then a censorship flag is raised.
• RST packet detection: This involves attempting to connect to a certain destination and checking if the client gets back a RST packet.

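The bisection idea from the keyword filtering test above, as an added Python example that is not OONI's own code: the function names, the simulated filter and the word list are all hypothetical and constructed for illustration. It also handles the case bisection cannot split, where a group is blocked only as a combination.

```python
from typing import Callable, List, Sequence

Probe = Callable[[Sequence[str]], bool]  # returns True if the payload was filtered


def find_triggers(keywords: Sequence[str], is_blocked: Probe) -> List[List[str]]:
    """Bisect a keyword list down to the groups that trip the filter.

    A one-element group is a keyword that is blocked on its own. A larger
    group is blocked as a whole although neither half is: the filter matches
    a combination, which plain bisection cannot narrow further.
    Limitation: a combination spanning both halves is not reported when a
    single-keyword trigger is already found in one of the halves.
    """
    keywords = list(keywords)
    if not keywords or not is_blocked(keywords):
        return []                       # nothing in this subset is filtered
    if len(keywords) == 1:
        return [keywords]               # isolated one triggering keyword
    mid = len(keywords) // 2
    found = (find_triggers(keywords[:mid], is_blocked)
             + find_triggers(keywords[mid:], is_blocked))
    return found or [keywords]          # blocked together only: combination


def make_simulated_filter(rules: Sequence[Sequence[str]]) -> Probe:
    """Constructed stand-in for a filtered network path (assumption): a
    payload is blocked when every keyword of at least one rule is present.
    In a real measurement this would send the payload and observe the result."""
    def is_blocked(payload: Sequence[str]) -> bool:
        present = set(payload)
        return any(set(rule) <= present for rule in rules)
    return is_blocked


# Constructed sample word list, not real measurement data.
SAMPLE_KEYWORDS = ["weather", "tor", "recipes", "football",
                   "bridge", "music", "proxy", "travel"]

if __name__ == "__main__":
    single = make_simulated_filter([["tor"], ["proxy"]])
    print(find_triggers(SAMPLE_KEYWORDS, single))   # single-keyword rules
    combo = make_simulated_filter([["tor", "bridge"]])
    print(find_triggers(SAMPLE_KEYWORDS, combo))    # combination rule
```
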
• Provides scapy twisted integration
• Is currently a prototype.
• Expect problems and expect to have to use the source
• Please kill bugs
• Parts of OONIB implemented, no remote reporting, OONI-probe runs only locally