Detecting Intentional Packet Drops on the Internet via TCP/IP Side Channels

Abstract: We describe a method for remotely detecting intentional packet drops on the Internet via side channel inferences. That is, given two arbitrary IP addresses on the Internet that meet some simple requirements, our proposed technique can discover packet drops (e.g., due to censorship) between the two remote machines, as well as infer in which direction the packet drops are occurring. The only major requirements for our approach are a client with a global IP Identifier (IPID) and a target server with an open port.… Show more

“…Limitations in this detection technique lie in the necessity to find suitable client machines that provide a predictable IP-ID sequence and in the type of trigger it can use (just IP and TCP port addresses). The first condition according to Ensafi et al [51] reduces to around 1% of reachable IP address space the potential hosts to be used as clients for this technique. 15 4.1.4 HTTP tampering: The detection of censorship techniques of type HTTP tampering (Section 3.8) is the most frequent in literature, being considered virtually by all the censorship-related papers cited so far.…”

“…Considered features for the clustering algorithm are: IP and TCP header field values and counting of TCP, UDP, ICMP, IGMP, "miscellaneous" packets. No results are given in terms of overall accuracy and precision of the classification approach, that is only proposed as a preprocessing stage before 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 A peculiar detection technique is presented by Ensafi et al [51], proposing a variant of the stealth host scanning technique initially proposed by Antirez [11] to reveal open TCP ports while avoiding identification from the IDS. The proposed technique verifies TCP connectivity between a client host and a server host by probing both from a third probe host (in the text dubbed measurement machine or MM).…”

“…Spookyscan is an implementation of the detection technique presented in [51] and described in Section 4.1.3 (TCP-level reachability). The detection technique is designed to reveal TCP-level reachability between a client and a server, with the notable characteristic that none of the two has to be under control of the tester.…”

“…(a) peculiar deployment, see [51] and specific section; (bm) leverages the BISMark platform [140]; (e) a JavaScript code is downloaded while visiting 3rd-party websites;…”

“…With the notable exception of the tool Spookyscan (Ensafi et al [51]), all considered tools and platforms employ a client-based viewpoint, i.e. traffic data is collected from the client itself, and with no exception perform active collection (see Section 4.)…”

Internet Censorship detection: A survey

“…Limitations in this detection technique lie in the necessity to find suitable client machines that provide a predictable IP-ID sequence and in the type of trigger it can use (just IP and TCP port addresses). The first condition according to Ensafi et al [51] reduces to around 1% of reachable IP address space the potential hosts to be used as clients for this technique. 15 4.1.4 HTTP tampering: The detection of censorship techniques of type HTTP tampering (Section 3.8) is the most frequent in literature, being considered virtually by all the censorship-related papers cited so far.…”

“…Considered features for the clustering algorithm are: IP and TCP header field values and counting of TCP, UDP, ICMP, IGMP, "miscellaneous" packets. No results are given in terms of overall accuracy and precision of the classification approach, that is only proposed as a preprocessing stage before 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 A peculiar detection technique is presented by Ensafi et al [51], proposing a variant of the stealth host scanning technique initially proposed by Antirez [11] to reveal open TCP ports while avoiding identification from the IDS. The proposed technique verifies TCP connectivity between a client host and a server host by probing both from a third probe host (in the text dubbed measurement machine or MM).…”

“…Spookyscan is an implementation of the detection technique presented in [51] and described in Section 4.1.3 (TCP-level reachability). The detection technique is designed to reveal TCP-level reachability between a client and a server, with the notable characteristic that none of the two has to be under control of the tester.…”

“…(a) peculiar deployment, see [51] and specific section; (bm) leverages the BISMark platform [140]; (e) a JavaScript code is downloaded while visiting 3rd-party websites;…”

“…With the notable exception of the tool Spookyscan (Ensafi et al [51]), all considered tools and platforms employ a client-based viewpoint, i.e. traffic data is collected from the client itself, and with no exception perform active collection (see Section 4.)…”

Internet Censorship detection: A survey

Alias Resolution Based on ICMP Rate Limiting

Clairvoyance: Inferring Blocklist Use on the Internet