2012-wang-censorspoofer

CensorSpoofer: Asymmetric Communication using IP Spoofing for Censorship-Resistant Web Browsing

Qiyan Wang, Xun Gong, Giang T. K. Nguyen, Amir Houmansadr, Nikita Borisov · Computer and Communications Security · 2012

canonical link →

Tags

censors: generic
techniques: dpi ip-blocking
defenses: tunneling decoy-routing

findings extracted from this paper

A censor can compare the predicted AS path from the claimed dummy host to the client against the actual observed ingress entry point of the spoofed downstream traffic; inconsistency reveals the dummy host as a cover. For clients in China Telecom (ASN 4134) and China Unicom (ASN 4837), 100% of 225 candidate dummy hosts passed AS-path consistency filtering; for clients in ASN 4538 only 18.2% (41/225) passed, sharply narrowing the usable pool for smaller ASes.

§5.2.3, Table 2 detection ip-blocking cn
CensorSpoofer decouples the upstream channel (URLs hidden via steganography in IM/Email) from the downstream channel (web content injected into spoofed UDP/VoIP flows), so the proxy's real IP is never revealed to any user. This asymmetric architecture provides perfect insider-attack resistance: even if all users are compromised, they can only learn cover dummy-host IPs, not the spoofer's address.

§4 defense ip-blockingactive-probing cn
Port-scanning 10,000 randomly selected non-China IPs found 1,213 (12.1%) acceptable as VoIP dummy hosts (SIP, RTP, RTCP ports not in 'closed' or 'host seems down' states). Of 100 sampled dummy hosts tracked over time, over 90% remained usable for more than 2 hours and over 80% for more than 6 hours; the total usable pool was stable across a 7-day measurement window (Feb. 9–16, 2012).

§7.2.2 evaluation ip-blocking cn
The MIT ANA Spoofer project shows that over 400 ASes (22%) and 88.7 million IP addresses (15.7%) permit outbound IP address spoofing, constraining where CensorSpoofer proxy nodes can be deployed. ASes applying ingress/egress filtering make IP-spoofing-based downstream channels infeasible from those locations.

§4.2 deployment ip-blocking generic
Using G.711 or G.722-64 codecs (64 Kbps downstream), CensorSpoofer clients in China downloaded Wikipedia's HTML file in approximately 6 seconds and the full 160 KB page in approximately 27 seconds; Tor and a proxy-based system (NetShade) were measurably faster. The iLBC codec limits downstream throughput to 15.6 Kbps, and all codecs impose equivalent dummy-traffic cost on the dummy host (G.711 consumes 87.2 Kbps at the dummy host).

§7.2.1, Table 1 evaluation traffic-shape cn