Strategy To Filter And Blocking Traffic Create By Anti-Censorship Software In LAN 1 by Kamal harmoni kamal Ariff [email protected] Human Knowledge Belong To The World”


Page 1: Strategy To Filter And Blocking Traffic Create By Anti-Censorship Software In LAN 1 by Kamal harmoni kamal Ariff kamal@kamalharmoni.com “Human Knowledge

Strategy To Filter And Blocking Traffic Create By Anti-Censorship Software In LAN

by Kamal harmoni kamal Ariff

kamal@kamalharmoni.com

“Human Knowledge Belong To The World”

Outline

Chapter 1. Introduction
  i. Overview
  ii. Problem Statement
  iii. Research Question
  iv. Research Objective
  v. Scope and Limitation
  vi. Significance of the Study

Chapter 2. Literature Review
  i. Fundamental of anti-censorship software
  ii. Why Ultrasurf
  iii. About Ultrasurf
  iv. Why is Ultrasurf difficult to detect?
  v. Can any firewall block Ultrasurf?

Chapter 3. Research Design
  i. Methodology
  ii. Form Hypothesis
  iii. Perform experiment and data collection
  iv. Analyze data
  v. Interpret and draw conclusion
  vi. Propose Strategy
  vii. Validate the Hypothesis

Chapter 4. Experimental Result
  i. Form Hypothesis
  ii. Perform experiment and collect data
  iii. Analyze data
  iv. Interpret and draw conclusion
  v. Propose Strategy
  vi. Validate the Hypothesis

Chapter 5. Conclusion and future work
  i. Recommendation and Possible Future Developments

References


Overview

• Computer technology changes tremendously.
• Internet access has become essential to everybody.
• Internet policies have become common in organizations.
• They prevent users from:
  • Accessing pornography web sites
  • Conducting internet activities such as downloading movies, songs, etc.
• Network administrators need to:
  • Filter traffic
  • Monitor traffic
  • Block traffic
• The war between users and network administrators never ends.
• Users will find a way to bypass the firewall.

Chapter 1


Problem Statement

• Ultrasurf uses http and https from the local computer to external proxies. Only commercial firewalls with DPI are able to block it. Becchi & Crowley (2007)

• Ports 80 and 443 cannot be blocked, and a firewall with DPI is expensive.

• They have thousands of proxies, and the proxies' IP addresses always change.

• Ultrasurf cannot be blocked by IP.

• By using Ultrasurf, users are able to bypass the firewall. Aycock (2008). Ultrasurf is extremely difficult to block. Xia (2004)

SOLUTION:

This project presents a better way of filtering and blocking Ultrasurf at an affordable cost.


Research Question

• How to filter and block traffic that is created by Ultrasurf?

• How does Ultrasurf connect to the internet?

• How to filter traffic created by Ultrasurf?

• How to block traffic created by Ultrasurf?


Research Objective

• The aim of this study is to filter and block traffic created by Ultrasurf from the LAN to the internet.

In order to achieve the main objective, the specific objectives have been planned as follows:

• To identify how Ultrasurf connects to the internet.

• To produce at least 1 strategy that is able to block Ultrasurf.

• To evaluate the strategies that are able to block traffic from Ultrasurf without disturbing other traffic.


Scope and Limitation

• Scope
  • Focus only on Ultrasurf, since Ultrasurf was the “possible as the best proxy server, 2008” (Kaiser, 2008) and the most commonly used (GIFC, 2010).
  • This project uses Linux Squid proxies to filter and block Ultrasurf.
  • Data source: Wireshark captured data.
  • Tools: Wireshark, Ultrasurf. Gerry (2009) and Vasil (2008), “Wireshark is the best free tool for protocol analyzer”.

• Limitation
  • Time (needs to be completed within 2 months)

GANTT Chart

Significance of the Study

The purposes of this research are as stated below:

• Allow network administrators to use an enhanced proposed technique and new strategies to filter and block traffic created by Ultrasurf.

• Provide worthwhile traffic for the benefit of the organization.

• Provide a solution to overcome the weakness in the firewall connection that allows access to restricted web sites.


Fundamental of anti-censorship

• In this study it is defined as “Software that has been used to bypass firewall that provides censorship system”.

• It is capable of hiding user information such as the user’s IP address and the content transmitted or received.

• Examples of anti-censorship software are Ultrasurf, Freegate, Gpass, Garden, GTunnel, and FirePhoenix.

• Users use this anti-censorship software to bypass the firewall in order to access prohibited web sites.

Chapter 2


Internet censorship by countries

• The figure below shows the level of internet censorship by country. Users use anti-censorship software to bypass the firewall.

• They mostly come from the countries coloured black and red. There are 15 countries labelled as “heavily censorship” (Strange Maps, 2007). These 15 countries are also known as the “Internet Black Hole” because of this bad reputation.


Comparison of anti-censorship software

| Software | Comment |
|---|---|
| Ultrasurf (http://www.ultrareach.com) | Provides privacy and safety. Free to use. Works together with the GIFT (a dynamic node-proxy anti-jamming system). No installation or change required in system settings. |
| FirePhoenix (http://firephoenix.edoors.com) | Encrypts all Internet traffic. Protects privacy and identity while surfing. Hides the IP address. Uses virtual private network (VPN) technology. Suitable for journalists working in territories where internet censorship is applied. |
| FreeGate (http://us.dongtaiwang.com) | Users access international web sites as fast as their local ones. No installation required. A single executable file on a Windows platform. |
| GPass (http://gpass1.com/) | Integrates online security tools. Encrypted storage. Personal data management tools. Encrypted online communication. Web-based technology. |
| GTunnel (http://gardennetworks.org) | Connects to a SOCKS proxy server. Hides the user's IP. Traffic content is encrypted. Blockade of target servers circumvented. |


Why Ultrasurf ?

• “Ultrasurf are the most commonly used” (GIFC, 2010)

• “Possible as The Best Proxy Server, 2008”. Kaiser (2008)


About Ultrasurf

The overview and the idea behind Ultrasurf:

• The pioneer of Ultrasurf was Ultrareach, a member of the Global Internet Freedom Consortium.

• It was originally developed to provide privacy, security and freedom in surfing the internet.

• It is strongly against internet censorship in China, where at that time the government imposed strict control on web content and access.

• According to Tan, Mueller & Foster (1997), “In February 1996, all internet users are required to register with ministry of Public Security and their activities may be monitored by police”, under China's Golden Shield project and as reported by Reuters (2007).


Why is Ultrasurf difficult to detect?

• According to Xia (2004), “Ultrasurf is extremely difficult to block”.

• Ultrasurf uses port 9666 for communication between the web browser and the Ultrasurf service, but this port is used only on the local computer, so it cannot be blocked.

• Ultrasurf also uses Secure Sockets Layer (SSL) to communicate from the local computer to its proxies.

• Because there are thousands of proxies and the number of IP addresses increases from time to time, blocking by IP address is not practical in these circumstances.

• Ultrasurf also uses ports 80 and 443 to communicate with external proxies, and these ports should not be blocked by the firewall.


Can any firewall block Ultrasurf?

• “Filtration can be done by using SSL interceptor and perform DPI (deep packet inspection)”. Kumar, Turner, & Williams (2006) and Piyachon & Luo (2006)

• Firewalls that have DPI capabilities are able to filter traffic that comes from anti-censorship software.

• SonicWall and Symantec firewalls are examples of firewalls capable of preventing anti-censorship software, but the price is extremely expensive for a small organization.


Research Design

• This methodology is adapted from Peisert & Bishop (2007), where it was used for “How To Design Computer Security Experiment”.

• The original methodology has only five phases:
  1. Form hypothesis
  2. Perform experiment and collect data
  3. Analyse the data
  4. Interpret data and draw the conclusion
  5. Depending on the conclusion, return to #1

• The two phases “Propose Strategy” and “Validate hypothesis” were added to meet this project's requirements.

Chapter 3


Methodology used in this study

• Based on the proposed methodology, this project has been divided into 7 main phases.


Form Hypothesis

• Hypothesis information was gathered from the literature review.

• Below is the table of how the hypothesis was formed.

| Process of connection | Location | Ability to control by network admin |
|---|---|---|
| Web browser connects to Ultrasurf using localhost (IP 127.0.0.1) port 9666, which acts as a local proxy server. | Local computer | No |
| Ultrasurf (discovery agent) connects to various external IPs (external proxy servers) using ports https (443) and http (80). | LAN to WAN via gateway | Yes |
| External proxy servers connect to the restricted web site and pass the content back to the proxy servers. | WAN | No |
| Proxy servers encrypt (if using port 443) the content and send it back to Ultrasurf (discovery agent). | WAN to LAN via gateway | No |
| Ultrasurf, as local proxy server, passes the content to the web browser. | Local computer | No |

Table 3.1 : Process of connection and location of Ultrasurf

Chapter 4


Perform experiment and data collection

Experiments were conducted under 2 conditions:

• Firewall blocks specified domain names WITHOUT Ultrasurf installed.
• Firewall blocks specified domain names WITH Ultrasurf installed.

On two network infrastructures:

• Firewall at router
• Firewall at proxies


Figure 3.2 : Web filtering at router (Exp: 1). Diagram labels: client, Router/Firewall, Internet, un-restricted domain name, restricted domain name.

Figure 3.3 : Web filtering at proxy (exp 2). Diagram labels: client, Squid Proxy (block domain name), Router/Firewall, Internet, port 80/443 forwarded, other ports.


[Two network diagrams, each with Ultrasurf and Wireshark installed on the client. Labels of the first: client, Router/Firewall, Internet, un-restricted domain name, restricted domain name. Labels of the second: client, Squid Proxy (block domain name), Router/Firewall, Internet, port 80/443 forwarded, other ports.]

Figure 3.5: Web filtering at squid (Exp: 4)

Figure 3.5: Web filtering at squid (Exp: 3)


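Ability to Access internet site (Outcome from Experiment)

Blacklist Domain (using Ultrasurf)

| No | Site | Exp 1 | Exp 2 | Exp 3 | Exp 4 |
|---|---|---|---|---|---|
| 1 | spicy-video.com | No | No | Yes | Yes |
| 2 | gayhotmovies.com | No | No | Yes | Yes |
| 3 | qusk.com | No | No | Yes | Yes |
| 4 | sex-harem.com | No | No | Yes | Yes |
| 5 | porn-whores.com | No | No | Yes | Yes |
| 6 | teenslikeitbig.com | No | No | Yes | Yes |
| 7 | jizzhardcore.com | No | No | Yes | Yes |
| 8 | websofpassion.com | No | No | Yes | Yes |
| 9 | enter.realwifestories.com | No | No | Yes | Yes |
| 10 | free-pornpics.net | No | No | Yes | Yes |
| 11 | capn-xxx.com | No | No | Yes | Yes |
| 12 | epochstats.com | No | No | Yes | Yes |
| 13 | asiannude.com | No | No | Yes | Yes |
| 14 | cleospornalacarte.com | No | No | Yes | Yes |
| 15 | qusk.com | No | No | Yes | Yes |
| 16 | sexy-babes.tv | No | No | Yes | Yes |
| 17 | wildsexlinks.com | No | No | Yes | Yes |
| 18 | ccbill.com | No | No | Yes | Yes |
| 19 | ebonylesbiansebony.com | No | No | Yes | Yes |
| 20 | bottle-insertion.com | No | No | Yes | Yes |
| 21 | facebook.com | No | No | Yes | Yes |
| 22 | myspace.com | No | No | Yes | Yes |
| 23 | beno.com | No | No | Yes | Yes |
| 24 | friendster.com | No | No | Yes | Yes |
| 25 | hi5.com | No | No | Yes | Yes |
| 26 | orkout.com | No | No | Yes | Yes |
| 27 | perfspot.com | No | No | Yes | Yes |
| 28 | zorpia.com | No | No | Yes | Yes |
| 29 | netlog.com | No | No | Yes | Yes |
| 30 | playboy.com | No | No | Yes | Yes |

Whitelist Domain (using Ultrasurf)

| No | Domain Name | Exp 1 | Exp 2 | Exp 3 | Exp 4 |
|---|---|---|---|---|---|
| 1 | admaxasia.com | Yes | Yes | Yes | Yes |
| 2 | bluelithium.com | Yes | Yes | Yes | Yes |
| 3 | crowdstar.com | Yes | Yes | Yes | Yes |
| 4 | dropbox.com | Yes | Yes | Yes | Yes |
| 5 | facebook.com | Yes | Yes | Yes | Yes |
| 6 | farmville.com | Yes | Yes | Yes | Yes |
| 7 | fbcdn.net | Yes | Yes | Yes | Yes |
| 8 | flickr.com | Yes | Yes | Yes | Yes |
| 9 | friendster.com | Yes | Yes | Yes | Yes |
| 10 | google.com.my | Yes | Yes | Yes | Yes |
| 11 | innity.com | Yes | Yes | Yes | Yes |
| 12 | jobstreet.com | Yes | Yes | Yes | Yes |
| 13 | malaysiakini.com | Yes | Yes | Yes | Yes |
| 14 | mcafeeasap.com | Yes | Yes | Yes | Yes |
| 15 | mudah.my | Yes | Yes | Yes | Yes |
| 16 | nuffnang.com.my | Yes | Yes | Yes | Yes |
| 17 | oum.edu.my | Yes | Yes | Yes | Yes |
| 18 | pandonetworks.com | Yes | Yes | Yes | Yes |
| 19 | perfisio.com | Yes | Yes | Yes | Yes |
| 20 | projectplaylist.com | Yes | Yes | Yes | Yes |
| 21 | sweetim.com | Yes | Yes | Yes | Yes |
| 22 | tagstat.com | Yes | Yes | Yes | Yes |
| 23 | uum.edu.my | Yes | Yes | Yes | Yes |
| 24 | baidu.com | Yes | Yes | Yes | Yes |
| 25 | bharian.com.my | Yes | Yes | Yes | Yes |
| 26 | blogger.com | Yes | Yes | Yes | Yes |
| 27 | e-zakat.com.my | Yes | Yes | Yes | Yes |
| 28 | facebook.com | Yes | Yes | Yes | Yes |
| 29 | gmodules.com | Yes | Yes | Yes | Yes |
| 30 | google.com | Yes | Yes | Yes | Yes |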


Analyze Data

• Clients installed with Ultrasurf are able to access black list domains. The table below shows the result of the experiment.

• Wireshark is used to capture the packets transmitted and received at the client side. This provides data that can be used for filtering and blocking.

| No | Domain Name | Exp: 1 | Exp: 2 | Exp: 3 | Exp: 4 |
|---|---|---|---|---|---|
| 1 | White List Domain | Yes | Yes | Yes | Yes |
| 2 | Black List Domain | No | No | Yes | Yes |

Table 3.2 : Ability of client to access web site


Interpret and Draw Conclusion

• Ultrasurf uses the http and https ports and the TCP protocol to communicate with outside servers, and uses various IP addresses that act as Ultrasurf external proxies.

• It is possible to block traffic created by Ultrasurf.

• This phase suggests that blocking communication through IP will block the Ultrasurf connection.

• In this phase, objective 1 “To identify how Ultrasurf connect to internet” has been achieved.


Propose Strategy

• The one final strategy defined in this project is:

“To reject ALL traffic using TCP protocol port 80 and 445 that try to connect based on IP address.”

• The strategy to filter and block traffic should be placed at a centralized location. This means all connections from the LAN pass through this filter.

• Only the network using a proxy server (experiment no 4) will be tested, due to lack of resources. Experiment no 4 has been modified to include the proposed strategy; the diagram is as below:


Figure 3.11 : Proposed strategy diagram. Diagram labels: Client (Ultrasurf installed), Client (normal connection), Switch, Squid Proxy (block domain name + block all http access connecting using IP), Router/Firewall, Internet, port 80/443 forwarded, other ports.


• “Drop connection if client request URL using IP address”.

• acl access_by_ip url_regex \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b

• http_access deny access_by_ip

• In this phase, objective 2 “To produce strategy that able to block Ultrasurf” has been achieved.


squid.conf

    # ACL definitions: keyword list, domain list, and any URL containing a dotted IPv4 address
    acl blacklist_domain_contain url_regex -i "/etc/squid/blacklist_domains_contain.acl"
    acl blacklist_domain dstdomain "/etc/squid/blacklist_domain.acl"
    acl access_by_ip url_regex \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b

    # Rules are checked from top to bottom; the first matching rule decides
    http_access deny access_by_ip
    http_access deny blacklist_domain
    http_access deny blacklist_domain_contain
    http_access allow all


blacklist_domain.acl

    .bigfishgames.com
    .roadandtrack.com
    .sex.com
    .youtube.com

blacklist_domain_contain.acl

    Sex
    Playboy
    pronografy
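The rule order of the squid.conf above, replayed in Python as an added example (not code from the original slides): it applies the access_by_ip pattern and the two ACL files to constructed request targets and lists the requests that access_by_ip denies although their host is a domain name, which bears on objective 3 (blocking without disturbing other traffic). The sample targets, the function names and the host-only check host_is_ip_literal are assumptions made for illustration; Squid's DNS lookups for dstdomain are not modelled.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Same pattern as the access_by_ip ACL on the page, assembled from its
# repeated octet group. url_regex searches the whole URL, not only the host.
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
ACCESS_BY_IP = re.compile(r"\b" + r"\.".join([OCTET] * 4) + r"\b")

# Contents of the two ACL files shown on the page.
BLACKLIST_DOMAIN = [".bigfishgames.com", ".roadandtrack.com", ".sex.com", ".youtube.com"]
BLACKLIST_CONTAIN = ["Sex", "Playboy", "pronografy"]


def request_host(target):
    """Host of a request target: an absolute URL or a CONNECT 'host:port'."""
    parts = urlsplit(target if "://" in target else "//" + target)
    return (parts.hostname or "").lower()


def host_is_ip_literal(target):
    """Assumed stricter check: true only when the host itself is an IP address."""
    try:
        ipaddress.ip_address(request_host(target))
        return True
    except ValueError:
        return False


def in_blacklist_domain(target):
    """dstdomain semantics: a leading dot matches the domain and its subdomains."""
    host = request_host(target)
    return any(host == d[1:] or host.endswith(d) for d in BLACKLIST_DOMAIN)


def decide(target):
    """Walk the http_access list in the page's order; the first match decides."""
    if ACCESS_BY_IP.search(target):
        return "deny access_by_ip"
    if in_blacklist_domain(target):
        return "deny blacklist_domain"
    # url_regex -i: case-insensitive search anywhere in the URL
    if any(re.search(p, target, re.IGNORECASE) for p in BLACKLIST_CONTAIN):
        return "deny blacklist_domain_contain"
    return "allow all"


def collateral(targets):
    """Targets denied by access_by_ip although their host is a domain name."""
    return [t for t in targets
            if decide(t) == "deny access_by_ip" and not host_is_ip_literal(t)]


# Constructed sample requests (RFC 5737 documentation addresses, example domains).
SAMPLES = [
    "203.0.113.10:443",                                 # CONNECT to a bare IP
    "http://198.51.100.23/index.html",                  # GET to a bare IP
    "http://www.youtube.com/watch",                     # listed domain
    "http://example.com/releases/10.0.0.1/notes.html",  # dotted quad in the path
    "http://mirror.example.org/pkg?via=192.0.2.7",      # dotted quad in the query
    "http://www.sussex.example/campus",                 # keyword inside a hostname
    "www.example.com:443",                              # ordinary CONNECT
]

if __name__ == "__main__":
    for t in SAMPLES:
        print(f"{decide(t):32} {t}")
    print("denied by access_by_ip but host is a name:")
    for t in collateral(SAMPLES):
        print("  ", t)
```

Running it against proxy access logs instead of SAMPLES shows how much ordinary traffic each deny rule would catch before the rule is enabled.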


Validate the hypothesis

• This phase of the project shows whether the Ultrasurf blocking method being used works or not.

• Based on the proposed strategy, Experiment 4 (web filtering at Squid with Ultrasurf installed) was conducted again to validate the requirement.

• It shows that “it is possible to block Ultrasurf traffic” by using the proposed strategy derived from the hypothesis.

• Below is the figure of Ultrasurf 9.4 vs the proposed strategy.

• In this phase, objective 3 “To evaluate the strategy” has been achieved.


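Ability to Access internet site (Outcome for validation)

Blacklist Domain (using Ultrasurf)

| No | Site | Exp 1 | Exp 2 | Exp 3 | Exp 4 |
|---|---|---|---|---|---|
| 1 | spicy-video.com | No | No | - | No |
| 2 | gayhotmovies.com | No | No | - | No |
| 3 | qusk.com | No | No | - | No |
| 4 | sex-harem.com | No | No | - | No |
| 5 | porn-whores.com | No | No | - | No |
| 6 | teenslikeitbig.com | No | No | - | No |
| 7 | jizzhardcore.com | No | No | - | No |
| 8 | websofpassion.com | No | No | - | No |
| 9 | enter.realwifestories.com | No | No | - | No |
| 10 | free-pornpics.net | No | No | - | No |
| 11 | capn-xxx.com | No | No | - | No |
| 12 | epochstats.com | No | No | - | No |
| 13 | asiannude.com | No | No | - | No |
| 14 | cleospornalacarte.com | No | No | - | No |
| 15 | qusk.com | No | No | - | No |
| 16 | sexy-babes.tv | No | No | - | No |
| 17 | wildsexlinks.com | No | No | - | No |
| 18 | ccbill.com | No | No | - | No |
| 19 | ebonylesbiansebony.com | No | No | - | No |
| 20 | bottle-insertion.com | No | No | - | No |
| 21 | facebook.com | No | No | - | No |
| 22 | myspace.com | No | No | - | No |
| 23 | beno.com | No | No | - | No |
| 24 | friendster.com | No | No | - | No |
| 25 | hi5.com | No | No | - | No |
| 26 | orkout.com | No | No | - | No |
| 27 | perfspot.com | No | No | - | No |
| 28 | zorpia.com | No | No | - | No |
| 29 | netlog.com | No | No | - | No |
| 30 | playboy.com | No | No | - | No |

Whitelist Domain (using Ultrasurf)

| No | Domain Name | Exp 1 | Exp 2 | Exp 3 | Exp 4 |
|---|---|---|---|---|---|
| 1 | admaxasia.com | Yes | Yes | - | Yes |
| 2 | bluelithium.com | Yes | Yes | - | Yes |
| 3 | crowdstar.com | Yes | Yes | - | Yes |
| 4 | dropbox.com | Yes | Yes | - | Yes |
| 5 | facebook.com | Yes | Yes | - | Yes |
| 6 | farmville.com | Yes | Yes | - | Yes |
| 7 | fbcdn.net | Yes | Yes | - | Yes |
| 8 | flickr.com | Yes | Yes | - | Yes |
| 9 | friendster.com | Yes | Yes | - | Yes |
| 10 | google.com.my | Yes | Yes | - | Yes |
| 11 | innity.com | Yes | Yes | - | Yes |
| 12 | jobstreet.com | Yes | Yes | - | Yes |
| 13 | malaysiakini.com | Yes | Yes | - | Yes |
| 14 | mcafeeasap.com | Yes | Yes | - | Yes |
| 15 | mudah.my | Yes | Yes | - | Yes |
| 16 | nuffnang.com.my | Yes | Yes | - | Yes |
| 17 | oum.edu.my | Yes | Yes | - | Yes |
| 18 | pandonetworks.com | Yes | Yes | - | Yes |
| 19 | perfisio.com | Yes | Yes | - | Yes |
| 20 | projectplaylist.com | Yes | Yes | - | Yes |
| 21 | sweetim.com | Yes | Yes | - | Yes |
| 22 | tagstat.com | Yes | Yes | - | Yes |
| 23 | uum.edu.my | Yes | Yes | - | Yes |
| 24 | baidu.com | Yes | Yes | - | Yes |
| 25 | bharian.com.my | Yes | Yes | - | Yes |
| 26 | blogger.com | Yes | Yes | - | Yes |
| 27 | e-zakat.com.my | Yes | Yes | - | Yes |
| 28 | facebook.com | Yes | Yes | - | Yes |
| 29 | gmodules.com | Yes | Yes | - | Yes |
| 30 | google.com | Yes | Yes | - | Yes |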


Figure 3.16 : Ultrasurf 9.4 Vs Proposed Strategy.


Figure 3.17 : Ultrasurf 9.5 Vs Proposed Strategy


Figure 3.18 : Ultrasurf 9.92 Vs Proposed Strategy


Ultrasurf 95 Connecting to the Internet with the Proposed Strategy Applied

| No. | Time | Source | Destination | Protocol | Info |
|---|---|---|---|---|---|
| 1 | 0 | 10.0.0.5 | 114.41.24.184 | TCP | saris > https [SYN] Seq=0 Win=65535 Len=0 MSS=1460 |
| 2 | 0.000017 | 10.0.0.5 | 61.227.103.228 | TCP | krb524 > https [SYN] Seq=0 Win=65535 Len=0 MSS=1460 |
| 3 | 0.000022 | 10.0.0.5 | 114.41.21.49 | TCP | 4441 > https [SYN] Seq=0 Win=65535 Len=0 MSS=1460 |
| 4 | 0.000022 | 10.0.0.5 | 65.49.2.123 | TCP | pharos > https [SYN] Seq=0 Win=65535 Len=0 MSS=1460 |
| 5 | 0.000082 | 10.0.0.5 | 65.49.2.115 | TCP | 4440 > https [SYN] Seq=0 Win=65535 Len=0 MSS=1460 |
| 6 | 0.000137 | 10.0.0.5 | 66.245.218.168 | TCP | upnotifyp > https [SYN] Seq=0 Win=65535 Len=0 MSS=1460 |
| 7 | 0.000431 | 114.41.24.184 | 10.0.0.5 | TCP | https > saris [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 |
| 8 | 0.000449 | 10.0.0.5 | 114.41.24.184 | TCP | saris > https [ACK] Seq=1 Ack=1 Win=65535 Len=0 |
| 9 | 0.000455 | 61.227.103.228 | 10.0.0.5 | TCP | https > krb524 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 |
| 10 | 0.000465 | 10.0.0.5 | 61.227.103.228 | TCP | krb524 > https [ACK] Seq=1 Ack=1 Win=65535 Len=0 |
| 11 | 0.000468 | 114.41.21.49 | 10.0.0.5 | TCP | https > 4441 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 |
| 12 | 0.000476 | 10.0.0.5 | 114.41.21.49 | TCP | 4441 > https [ACK] Seq=1 Ack=1 Win=65535 Len=0 |
| 13 | 0.000479 | 65.49.2.123 | 10.0.0.5 | TCP | https > pharos [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 |
| 14 | 0.000486 | 10.0.0.5 | 114.41.24.184 | TCP | saris > https [FIN, ACK] Seq=1 Ack=1 Win=65535 Len=0 |
| 15 | 0.000493 | 10.0.0.5 | 65.49.2.123 | TCP | pharos > https [ACK] Seq=1 Ack=1 Win=65535 Len=0 |
| 16 | 0.000498 | 65.49.2.115 | 10.0.0.5 | TCP | https > 4440 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 |


Conclusion

• This project has introduced a strategy to block users from accessing prohibited websites via Ultrasurf.

• The Squid proxy server has the ability to block IP-address-based http and https connections.

• Below are the two strategies implemented in this project to block Ultrasurf:

Chapter 5


Figure 5.1: Router, Firewall and Proxy In a Box


Figure 5.2: Independent Proxy


Future work

• This project will be a good resource and a guide for the never-ending enhancement of this method to block Ultrasurf.

• The following points may be useful for this project in developing and finding new approaches in the future:
  • Performance: what happens if 1000 users make requests at the same time?
  • New Squid technology: does it work perfectly in all versions of Squid?
  • Network model: can this be applied in IPTables?
  • Integration into current firewall technology: can this strategy be incorporated into low-end firewalls?
  • Other types of anti-censorship software: may the same strategy work on other anti-censorship software?


References

Aycock, J., & Maurushat, A. (2008, March). "Good" worms and human rights. SIGCAS Computers and Society, Volume 38 Issue 1.

Becchi, M., & Crowley, P. (December 2007). A hybrid finite automaton for practical deep packet inspection. CoNEXT '07: Proceedings of the 2007 ACM CoNEXT conference. ACM.

GIFC. (2010). Retrieved 01 05, 2010, from About Global Internet Freedom Consortium: http://www.internetfreedom.org/

Hunter, C. D. (April 2000). Internet filter effectiveness (student paper panel): testing over and underinclusive blocking decisions of four popular filters. CFP '00: Proceedings of the tenth conference on Computers, freedom and privacy: challenging the assumptions. ACM.

Kaiser, A. (2008, Aug 12). technopedia. Retrieved 01 05, 2010, from UltraSurf : Probably The Best Proxy Server Ever!!!: http://technopedia.info/tech/2008/08/12/ultrasurf-probably-the-best-proxy-server.html

Kumar, S., Turner, J., & Williams, J. (December 2006). Advanced algorithms for fast and scalable deep packet inspection. ANCS '06: Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems. ACM.

Peisert, S., & Bishop, M. (2007). How to Design Computer Security Experiments. Springer Boston. Volume 237/2007, pp. 141-148.

Piyachon, P., & Luo, Y. (December 2006). Efficient memory utilization on network processors for deep packet inspection. ANCS '06: Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems. ACM.

Regular Expressions.info. (2010). Retrieved 4 20, 2010, from Sample Regular Expressions: http://www.regular-expressions.info/examples.html

Reuters. (2007, July 18). Retrieved 01 05, 2010, from Chinese Internet censors blamed for email chaos: http://www.reuters.com/article/idUSPEK9185520070718

Strange Maps. (2007, 8 3). Retrieved 3 20, 2010, from A Map of the Internet’s Black Holes: http://strangemaps.wordpress.com/2007/08/31/170-a-map-of-the-internets-black-holes/

Tan, Z. A., Mueller, M., & Foster, W. (1997). China's new Internet regulations: two steps forward, one step back. Communications of the ACM archive, 11 - 16.

Whitten, J. L., Bentley, L. D., & Dittman, K. (2004). System Analysis and Design Method. 6th ed. Boston: Mc-Graw-Hill Education.

Wikipedia. (2010). Retrieved 01 05, 2010, from Internet censorship: http://en.wikipedia.org/wiki/Internet_censorship

Wikipedia. (2010). Retrieved 4 20, 2010, from Regular_expression: http://en.wikipedia.org/wiki/Regular_expression

Xia, B. (2004). The Coming Crash Of The Matrix. China Right Forum, pp. 42-44.


Thank You

Q & A

“Human Knowledge Belong To The World”