budaworkshop
Internet Censorship
Detecting Internet Censorship: Tools and Techniques
Nart Villeneuve, PhD Candidate, Senior Research Fellow
Citizen Lab, Munk Centre for International Studies, University of Toronto
Overview
Techniques to test for Internet censorship.
- Key Questions
- Tests and Tools
- Drawing Conclusions
Key Questions
Filtering can take a variety of forms and can be implemented at a variety of locations:
- Is there a way to determine what is filtered?
- Is there a way to determine how filtering is occurring?
- Is there a way to determine why specific content is filtered?
Strategy
- Know your testing environment.
- Distinguish between errors and deliberate filtering.
- Distinguish between filtering by an intermediary and filtering by the destination.
- Isolate the scope of the test, and test each component.
- Test each component again through an encrypted, external connection.
- Carefully observe and evaluate the results.
Simple Anatomy of a URL
http://www.example.com/example.html
- Protocol: http, port 80 (https://, port 443, ftp://, port 21 etc...)
- Domain name: www.example.com
  - You may wish to test www.example.com or example.com or both
- Path: /example.html
  - Before testing this path, we want to test the default path of /
- The requested page may attempt to load content from other (possibly blocked) locations (images, frames, etc...)
DNS
- DNS translates domain names into IP addresses.
  - A single domain name may have multiple IP addresses; these IP addresses may vary depending on geographical location.
  - Sub-domain(s) may have different IP addresses (www.x.com and x.com may even resolve to different IPs)
  - There may be many domains hosted on one IP address
- DNS Tampering
  - Interference with DNS resulting in domain names being translated into incorrect or invalid IP addresses
  - An ISP's local DNS servers can be modified, or an intermediary can send a forged answer.
DNS Tests
- Compare the IPs returned from the local DNS with those from a remote location.
- Nslookup (host, dig)
  - nslookup example.com
- Use a remote DNS server
  - nslookup example.com 208.67.222.222
  - See opendns.com – It may be already blocked?
- Look up the IPs: https://asn.cymru.com/
  - Note the reverse DNS for the IPs, note the network and range to which the IPs are assigned, look for services such as Akamai
- Don't have a remote location?
  - https://www.websitepulse.com/help/tools.php
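
The comparison step above, sketched in Python as an added example that is not part of the original slides. The function name, the verdict labels and the hand-filled IP-to-ASN map are assumptions; the sample addresses and AS numbers are constructed from documentation ranges.

```python
import ipaddress

# Ranges that can never be a public web server. Listed explicitly so the
# documentation ranges used as constructed samples below are not caught.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

def compare_dns(local_ips, remote_ips, asn=None):
    """Return (verdict, reason) for local vs remote A records.

    asn is an optional {ip: AS number} map filled in from an IP-to-ASN
    lookup; without it, non-overlapping answers stay "differs".
    """
    local = {ipaddress.ip_address(ip) for ip in local_ips}
    remote = {ipaddress.ip_address(ip) for ip in remote_ips}
    if not remote:
        return "inconclusive", "remote resolver has no answer either way"
    if not local:
        return "suspicious", "only the local resolver fails to answer"
    bad = sorted(str(ip) for ip in local
                 if any(ip in net for net in NON_ROUTABLE))
    if bad:
        return "suspicious", "local answer not routable: " + ", ".join(bad)
    if local & remote:
        return "consistent", "answers overlap"
    if asn:
        local_as = {asn.get(str(ip)) for ip in local}
        remote_as = {asn.get(str(ip)) for ip in remote}
        if None not in local_as and local_as <= remote_as:
            return "consistent", "different IPs, same network (CDN or geo DNS)"
    return "differs", "no overlap: check network, range and reverse DNS"

# Constructed samples: documentation address ranges and AS numbers.
REMOTE = ["198.51.100.10", "198.51.100.11"]
ASN = {"198.51.100.10": 64500, "198.51.100.11": 64500,
       "203.0.113.5": 64500, "203.0.113.77": 64511}

if __name__ == "__main__":
    for local in (["198.51.100.11"], ["127.0.0.1"], ["203.0.113.5"],
                  ["203.0.113.77"], []):
        print(local, compare_dns(local, REMOTE, ASN))
```

A "differs" verdict is not evidence of tampering on its own, since geographic DNS and CDNs legitimately return different addresses.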
TCP/IP
- TCP/IP is a set of protocols upon which the Internet runs.
- Traceroute is a tool that determines the path packets take on an IP network
  - On Windows traceroute uses ICMP, on *nix it uses UDP; we want to use TCP Traceroute (and be able to receive ICMP packets).
- IP Blocking
  - A router is configured to drop packets to particular IP addresses
  - A destination may block requests from a particular source
- Packet Injection
  - An entity other than the destination sends packet(s) that appear to be from the requesting source.
  - These can be RST packets that disrupt the connection.
TCP/IP Tests
- Connect to the IPs obtained from the DNS tests, and compare the results of the TCP probes from the local and remote locations.
- TCP Traceroute: http://tracetcp.sourceforge.net/
  - A transparent proxy may interfere; this is not necessarily bad.
  - Hops may time out; this is not necessarily bad.
- TCP Ping: http://www.elifulkerson.com/projects/tcping.php
- Technical folks will want to use a packet sniffer such as Wireshark to sniff the connection.
  - Look for a situation in which there are only outgoing SYNs and no SYN/ACKs
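
A TCP probe and a local-versus-remote comparison in Python, added here as an example and not taken from the slides or from the tools linked above. The function names and result labels are assumptions, and the results passed to interpret() are constructed.

```python
import socket

def tcp_probe(ip, port=80, timeout=5.0):
    """One TCP handshake attempt: 'open', 'reset', 'timeout' or 'unreachable'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip, port))
        return "open"
    except (socket.timeout, TimeoutError):
        return "timeout"        # SYNs went out, no SYN/ACK came back
    except ConnectionRefusedError:
        return "reset"          # a RST answered the SYN
    except OSError:
        return "unreachable"    # e.g. ICMP unreachable, no route
    finally:
        s.close()

def interpret(local_runs, remote_runs):
    """Compare repeated tcp_probe() results for one ip:port from two locations."""
    if len(set(local_runs)) != 1 or len(set(remote_runs)) != 1:
        return "unstable: results vary between runs, retest before concluding"
    local, remote = local_runs[0], remote_runs[0]
    if local == "open" and remote == "open":
        return "reachable from both"
    if local == remote:
        return "same failure from both: points at the destination or an error"
    if remote == "open" and local == "timeout":
        return "dropped locally: IP blocking on the path or by the destination"
    if remote == "open" and local == "reset":
        return "reset locally: possible injected RST, confirm with a capture"
    if local == "open":
        return "remote-only failure: problem is at the remote location"
    return "inconclusive: both fail in different ways"

if __name__ == "__main__":
    # Constructed results, as if collected with tcp_probe() three times each.
    print(interpret(["timeout"] * 3, ["open"] * 3))
    print(interpret(["reset"] * 3, ["open"] * 3))
    print(interpret(["open", "timeout", "open"], ["open"] * 3))
```

Repeating each probe before comparing separates transient errors from consistent behaviour, which is the distinction the Strategy slide asks for.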
HTTP
- HTTP is the protocol over which information is transferred on the WWW.
- Headers contain information that is transferred between a browser and a web server that the user does not typically see.
  - http://livehttpheaders.mozdev.org/ is a Firefox extension that shows HTTP headers.
- Filtering Proxies
  - A (transparent) filtering proxy blocks access to content based on a blocklist, whitelist, keyword in URL, keyword in content or dynamic analysis (links, reputation, file type, image analysis etc...)
  - Users typically receive a blockpage indicating that the request has been blocked.
HTTP Tests
- Connect to the IPs obtained from the DNS tests, and compare the content returned from the local and remote locations. Request the path of / first, then the path you are testing.
- Look for a blockpage. Often the page will have the logo of the company that produced the filtering software; it may also have category information.
  - Look at the source code of the blockpage.
  - NOTE: Some proxies do not allow direct connections to IP addresses.
- Compare the HTTP headers. Sometimes you get a 200, sometimes a 403, sometimes a 302. Filtering software often has unique identifying headers.
- If you are behind a proxy you may get what appears to be a block page as a result of some other form of filtering (or error) such as IP blocking (connection timeout).
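
The header and content comparison above as a Python sketch, added as an example and not part of the original slides. The function names are assumptions, and both sample responses are constructed: the X-Example-Filter header and the block.isp.example host are hypothetical and do not identify any real product.

```python
import hashlib
from urllib.parse import urlsplit

# Headers that differ between any two fetches or are handled separately.
IGNORED = {"date", "age", "set-cookie", "content-length", "location"}

def parse_response(raw):
    """Split raw response bytes into (status, {lowercase header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body

def diff_responses(local_raw, remote_raw, host):
    """List the differences that matter when looking for a filtering proxy."""
    l_status, l_hdrs, l_body = parse_response(local_raw)
    r_status, r_hdrs, r_body = parse_response(remote_raw)
    findings = []
    if l_status != r_status:
        findings.append(f"status differs: local {l_status}, remote {r_status}")
    target = urlsplit(l_hdrs.get("location", "")).hostname
    if 300 <= l_status < 400 and target not in (None, host):
        findings.append(f"local redirect leaves the site: {target}")
    extra = sorted(set(l_hdrs) - set(r_hdrs) - IGNORED)
    if extra:
        findings.append("headers only in local response: " + ", ".join(extra))
    if hashlib.sha256(l_body).digest() != hashlib.sha256(r_body).digest():
        findings.append("body differs")   # dynamic pages differ too: read both
    return findings

# Constructed samples; the filter header and block host are hypothetical.
REMOTE = (b"HTTP/1.1 200 OK\r\nServer: ExampleHTTPd\r\n"
          b"Content-Type: text/html\r\n\r\n<html><title>Example</title></html>")
LOCAL = (b"HTTP/1.1 302 Found\r\n"
         b"Location: http://block.isp.example/denied?cat=news\r\n"
         b"X-Example-Filter: gw01\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for finding in diff_responses(LOCAL, REMOTE, "www.example.com"):
        print(finding)
```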
Drawing Conclusions
- Is it the source that is blocking itself from you?
- Blocked in X? In many countries there are significant variations among ISPs.
- Overblocking due to commercial product?
  - http://www.trustedsource.org/TS?do=feedback&subdo=url
- Overblocking due to virtual hosting?
  - http://www.domaintools.com/reverse-ip/