antitree
Meek and Domain Fronting
Mutually assured destruction for Internet censorship
Overview
• Internet Censorship Overview and Tools
• SNI and Domain Fronting
• Meek
• Meek and Psiphon
• Meek and Tor
• Meek and Others
How Do I Block
• DNS
• IP blacklist
• URL blacklist
• Routing
• DPI
• Keyword (China) RST
• Protocol Fingerprinting (China, JP/BroIDS)
• Tor TLS ciphersuites
Censorship Arms Race
Censor
Block URL
Block Proxy sites
Block Proxy protocol
Fingerprint OSSH protocol
…
Block the Internet
Evasion
VPN/Proxy
Hidden Proxy
Obfuscate Proxy (OSSH)
ScrambleSuit
…
Meek Protocol
• Protection against Balls Deep Packet Inspection (BDPI)™
• Uses SNI and CDN
• “Domain Fronting”
• To block it, you must block the CDN
• Your move, motherfucker!
Server Name Extension (SNI)
• Virtual hosting for SSL
• One web server hosts multiple certificates
• Used by CDNs all the time
https://www.google.com
https://www.antitree.com
GET / HTTP/1.1
Domain Fronting
TLS connection with client
TLS connection with www.google.com
Ciphers and Extensions decided upon
Handshake Established
Client Sends “server_name” extension value of meek-server.antitree.com
Receive request, send to server.antitree.com
Server reads this value and looks up if it has a record for meek-server.antitree.com
Response from server returned
POST / <PROXIED TRAFFIC>
Meek
• Uses Domain Fronting to hide the request to the final endpoint
• Adversaries see that a connection is made to https://www.google.com
• Subsequent connections are encrypted
• For all intents and purposes, appears as a request to google.com, or cloudflare.net, or another CDN
• Blocking of CDNs would result in blocking of most of the top 100 sites
Meek Psiphon
• Psiphon is a censorship circumvention tool (one hop proxy)
• Supports Meek
• Meek service hosted on Psiphon servers
• Clients receive information about the servers' configuration
• Use Google and Cloudflare to proxy connections
• So far unblockable
Meek Tor
• Tor uses this as a transport for the Tor protocol
• Run on unlisted Bridge Nodes
• Instead of just an HTTP request (Psiphon, Lantern, Fog) the entire protocol is sent over it
• Uses a web reflector to forward requests from the fronted domain to a Tor bridge
Meek Tor
Tor
Meek-client
Meek Browser Client
https://www.google.com
https://meek-server.appspot.com
Meek.bamsoftware.com:7002
Meek-server
Tor Bridge Node
Meek Tor Normal Tor
Meek Tor
• Problem with HTTP keeping the tunnel alive
• Use a polling method so the server sends a request
• Server checks whether or not the client has data it wants to deliver
• Done using POST requests over the tunnel
• If there is no new data to send, an empty packet is sent to keep the tunnel open
Attacks/Defense from DPI
• Polling period
    • This period is relatively random but over time can be profiled
    • Intervals increase geometrically
• Payload Length
    • Normally this is dynamic but has a max size that can be profiled over time
• TLS extensions
    • If you don’t use the browser plugin, it’s easy to fingerprint based on TLS extensions
• Drop behavior
    • When a packet is RST for a web user, they just refresh. For Meek this kills the whole tunnel.
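
The polling-period point above, as an added example that is not part of the original slides: a traffic-analysis check that looks for request gaps growing by a near-constant factor, using only request timestamps from one client to one HTTPS host. The tolerance, minimum ratio, run length and both timestamp samples are constructed assumptions, not values taken from Meek.

```python
from itertools import accumulate
from statistics import median

def longest_geometric_run(timestamps, tol=0.15, min_ratio=1.2):
    """Return (run_length, typical_ratio) for the longest stretch of
    inter-request gaps that grow by a roughly constant factor.
    tol and min_ratio are assumed thresholds; tune on your own traffic."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:]) if b > a]
    best, run = [], []
    for prev, cur in zip(gaps, gaps[1:]):
        r = cur / prev
        # Jitter is expected ("relatively random"), so compare each
        # ratio with the median of the current run, within tol.
        if r >= min_ratio and (not run or abs(r - median(run)) <= tol * median(run)):
            run.append(r)
        else:
            # Growth pattern broken (e.g. real data flowed): restart.
            run = [r] if r >= min_ratio else []
        if len(run) > len(best):
            best = list(run)
    return len(best), (median(best) if best else None)

def looks_like_idle_polling(timestamps, min_run=4):
    """Flag a flow whose gaps keep growing geometrically for min_run steps."""
    length, _ = longest_geometric_run(timestamps)
    return length >= min_run

# Constructed sample: idle tunnel, gaps grow by about 1.5x with jitter.
POLLING = list(accumulate([0.0, 0.10, 0.155, 0.22, 0.34, 0.50, 0.77, 1.13]))
# Constructed sample: bursty page loads from an ordinary browser session.
BROWSER = [0.0, 0.05, 0.07, 0.9, 0.95, 4.0, 4.02, 4.3, 12.0]

if __name__ == "__main__":
    for name, flow in (("polling", POLLING), ("browser", BROWSER)):
        length, ratio = longest_geometric_run(flow)
        print(name, length, ratio, looks_like_idle_polling(flow))
```

A single run is weak evidence on its own; the slide's point is that the pattern becomes profilable over time, so a real check would aggregate runs per client across many idle periods.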
Success
• Very successful right now
• Only recently became popular
• Other tools like ScrambleSuit, obfs4, and BananaPhone on deck for when this gets exploited
Review
• Domain Fronting = SNI
• Meek: Uses domain fronting to tunnel connections and evade censorship
• ALL of the anti-censorship tools at this point are using it
• You should host a Meek bridge