towards a secure zero-rating framework with three … · china mobile lost over 0.5 million/month...
TRANSCRIPT
TOWARDS A SECURE ZERO-RATINGFRAMEWORK WITH THREE PARTIES
Authors: Zhiheng Liu, Zhen Zhang, Yinzhi Cao†, Zhaohan Xi, Shihao Jing and Humberto
La Roche ‡
Lehigh University, †Johns Hopkins University/Lehigh University, ‡Cisco System
08/15/2018 @Zhen Zhang ([email protected]) 2
08/15/2018 @Zhen Zhang ([email protected]) 3
Hi Zhen,Give me some data …
08/15/2018 @Zhen Zhang ([email protected]) 4
08/15/2018 @Zhen Zhang ([email protected]) 5
08/15/2018 @Zhen Zhang ([email protected]) 6
2G…
08/15/2018 @Zhen Zhang ([email protected]) 7
2G…
08/15/2018 @Zhen Zhang ([email protected]) 8
2G…
08/15/2018 @Zhen Zhang ([email protected]) 9
2G…
08/15/2018 @Zhen Zhang ([email protected]) 10
2G…
08/15/2018 @Zhen Zhang ([email protected]) 14
Yes, Let’s fool the ISP…Launch free-riding attacks
Zero-rating Services
Threat Model of Free-riding Attacks
08/15/2018 @Zhen Zhang ([email protected]) 15
ISP
Clients
Content Providers
Threat Model of Free-riding Attacks
08/15/2018 @Zhen Zhang ([email protected]) 16
malicious
ISP
Clients
Content Providers
Threat Model of Free-riding Attacks
08/15/2018 @Zhen Zhang ([email protected]) 17
malicious
ISP
ISP is benign/victimClients
Content Providers
Threat Model of Free-riding Attacks
08/15/2018 @Zhen Zhang ([email protected]) 18
malicious
ISP
ISP is benign/victim
Zero-rated CPs arebenign/victim
Clients
Content Providers
Threat Model of Free-riding Attacks
08/15/2018 @Zhen Zhang ([email protected]) 19
malicious
ISP
ISP is benign/victim
Zero-rated CPs arebenign/victim
Attacker can masquerade zero-rating CP
Clients
Content Providers
Outline
▪ Introduction
▪ Free-riding Attacks
▪ System Design
▪ Formal Security Analysis
▪ Implementation
▪ Evaluation
▪ Conclusion
08/15/2018 @Zhen Zhang ([email protected]) 20
Request Masquerade Attack on Industry System
▪ Masquerade request domain▪ HTTP: “Host” field [1]
▪ HTTPs: “SNI” field
08/15/2018 @Zhen Zhang ([email protected]) 21
ISP Network
Zero-rated domain list
www.attacker.com
Client[1] Kakhki, Arash Molavi, et al. "Bingeon under the microscope: Understanding T-Mobiles zero-rating implementation." Proceedings of the 2016 workshop on QoE-based Analysis and Management of Data Communication Networks. ACM, 2016.
Request Masquerade Attack on Industry System
▪ Masquerade request domain▪ HTTP: “Host” field [1]
▪ HTTPs: “SNI” field
08/15/2018 @Zhen Zhang ([email protected]) 22
ISP Network
Zero-rated domain list
Request
srcIP, dstIP …
<data>SNI/Host:www.youtube.com
www.attacker.com
Client[1] Kakhki, Arash Molavi, et al. "Bingeon under the microscope: Understanding T-Mobiles zero-rating implementation." Proceedings of the 2016 workshop on QoE-based Analysis and Management of Data Communication Networks. ACM, 2016.
Request Masquerade Attack on Industry System
▪ Masquerade request domain▪ HTTP: “Host” field [1]
▪ HTTPs: “SNI” field
08/15/2018 @Zhen Zhang ([email protected]) 23
ISP Network
Zero-rated domain list
Request
srcIP, dstIP …
<data>SNI/Host:www.youtube.com
Requestwww.attacker.com
Client[1] Kakhki, Arash Molavi, et al. "Bingeon under the microscope: Understanding T-Mobiles zero-rating implementation." Proceedings of the 2016 workshop on QoE-based Analysis and Management of Data Communication Networks. ACM, 2016.
Request Masquerade Attack on Industry System
▪ Masquerade request domain▪ HTTP: “Host” field [1]
▪ HTTPs: “SNI” field
08/15/2018 @Zhen Zhang ([email protected]) 24
ISP Network
Zero-rated domain list
Request
srcIP, dstIP …
<data>SNI/Host:www.youtube.com
Requestwww.attacker.com
Client[1] Kakhki, Arash Molavi, et al. "Bingeon under the microscope: Understanding T-Mobiles zero-rating implementation." Proceedings of the 2016 workshop on QoE-based Analysis and Management of Data Communication Networks. ACM, 2016.
Request Masquerade Attack on Industry System
▪ Masquerade request domain▪ HTTP: “Host” field [1]
▪ HTTPs: “SNI” field
08/15/2018 @Zhen Zhang ([email protected]) 25
ISP Network
Zero-rated domain list
Request
srcIP, dstIP …
<data>SNI/Host:www.youtube.com
Requestwww.attacker.com
Response
srcIP, dstIP …
<data>
Client[1] Kakhki, Arash Molavi, et al. "Bingeon under the microscope: Understanding T-Mobiles zero-rating implementation." Proceedings of the 2016 workshop on QoE-based Analysis and Management of Data Communication Networks. ACM, 2016.
Response Modification Attack on Industry System
▪ Inject non-zero-rated content
08/15/2018 @Zhen Zhang ([email protected]) 26
ISP Network
Client
Request
srcIP, dstIP …
<data>SNI/Host: www.zero-rated.com
Response
srcIP, dstIP …
<data>
Zero-rated domain list
Zero-rated CP
Response Modification Attack on Industry System
▪ Inject non-zero-rated content
08/15/2018 @Zhen Zhang ([email protected]) 27
ISP Network
Client
Request
srcIP, dstIP …
<data>SNI/Host: www.zero-rated.com
Response
srcIP, dstIP …
<data>
Response
srcIP, dstIP …
<modified-data>
Zero-rated domain list
Zero-rated CP
Prototype Zero-Rating Systems
▪ Network Cookies [1]
▪ A malicious user can abuse the cookie.
▪ IP Whitelist-based Method [2]
▪ An attacker at the server side can abuse source IP address.
08/15/2018 @Zhen Zhang ([email protected]) 28
[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.[2] (2014, Dec.) Delivering zero-rated traffic. https://connect.limelight.com/blogs/limelight/2014/12/08/delivering-zero-rated-traffic
Attacks on Network Cookies
▪ Network Cookies [1]
▪ A malicious user can abuse the cookie.
08/15/2018 @Zhen Zhang ([email protected]) 29
[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.[2] (2014, Dec.) Delivering zero-rated traffic. https://connect.limelight.com/blogs/limelight/2014/12/08/delivering-zero-rated-traffic
Client
ISP Network
Zero-rated CP
Charged CP
Attacks on Network Cookies
▪ Network Cookies [1]
▪ A malicious user can abuse the cookie.
08/15/2018 @Zhen Zhang ([email protected]) 30
[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.[2] (2014, Dec.) Delivering zero-rated traffic. https://connect.limelight.com/blogs/limelight/2014/12/08/delivering-zero-rated-traffic
Client
ISP Network
Zero-rated CP
Charged CP
Attacks on Network Cookies
▪ Network Cookies [1]
▪ A malicious user can abuse the cookie.
08/15/2018 @Zhen Zhang ([email protected]) 31
[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.[2] (2014, Dec.) Delivering zero-rated traffic. https://connect.limelight.com/blogs/limelight/2014/12/08/delivering-zero-rated-traffic
Client
ISP Network
Zero-rated CP
Charged CP
Attacks on IP whitelist based system
▪ Facebook Zero [2]
▪ An attacker at the server side can abuse source IP address.
08/15/2018 @Zhen Zhang ([email protected]) 32
[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.[2] (2014, Dec.) Delivering zero-rated traffic. https://connect.limelight.com/blogs/limelight/2014/12/08/delivering-zero-rated-traffic
ISP Network
IP whitelist
Client
Zero-rated CP
Attacker CP
Attacks on IP whitelist based system
▪ Facebook Zero [2]
▪ An attacker at the server side can abuse source IP address.
08/15/2018 @Zhen Zhang ([email protected]) 33
[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.[2] (2014, Dec.) Delivering zero-rated traffic. https://connect.limelight.com/blogs/limelight/2014/12/08/delivering-zero-rated-traffic
ISP Network
IP whitelist
Client
Zero-rated CP
Attacker CP
Attacks on IP whitelist based system
▪ Facebook Zero [2]
▪ An attacker at the server side can abuse source IP address.
08/15/2018 @Zhen Zhang ([email protected]) 34
[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.[2] (2014, Dec.) Delivering zero-rated traffic. https://connect.limelight.com/blogs/limelight/2014/12/08/delivering-zero-rated-traffic
ISP Network
IP whitelist
Client
Zero-rated CP
Attacker CP
srcIP of Zero-rated CP, ACK, Seq
Attacks on IP whitelist based system
▪ Facebook Zero [2]
▪ An attacker at the server side can abuse source IP address.
08/15/2018 @Zhen Zhang ([email protected]) 35
[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.[2] (2014, Dec.) Delivering zero-rated traffic. https://connect.limelight.com/blogs/limelight/2014/12/08/delivering-zero-rated-traffic
ISP Network
IP whitelist
Client
Zero-rated CP
Attacker CP
srcIP of Zero-rated CP, ACK, Seq
Attacks on IP whitelist based system
▪ Facebook Zero [2]
▪ An attacker at the server side can abuse source IP address.
08/15/2018 @Zhen Zhang ([email protected]) 36
[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.[2] (2014, Dec.) Delivering zero-rated traffic. https://connect.limelight.com/blogs/limelight/2014/12/08/delivering-zero-rated-traffic
ISP Network
IP whitelist
Client
Zero-rated CP
Attacker CP
Victim
srcIP of Zero-rated CP, ACK, Seq
Attacks on Zero-Rating Systems
T-Mobile
ChinaMobile
ChinaUnicom
UnitedWiFi
ORDWiFi
NetworkCookies [1]
IPWhitelist
Req-Mas ✕ ✕ N/A ✕ ✕ ✕ ✕
Res-Mod ✕ ✕ N/A ✕ ✕ ✕ ✕
Req-Mas ✕ N/A ✕ N/A ✕ ✕ ✕
Res-Mod ✕ N/A ✕ N/A ✕ ✕ ✕
08/15/2018 @Zhen Zhang ([email protected]) 37
: Unencrypted Traffic; : Encrypted Traffic; Req-Mas: Request Masquerade; Res-Mod: Response Modification
[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.
Impacts of free-riding attacks
▪ A major U.S. network carrier lost over 7 millions in a month [1]
▪ China Mobile lost over 0.5 million/month in one province.
▪ Filtering abnormal users , i.e., those consuming over 3 GB per month zero rating traffic
▪ Inspecting unencrypted data manually
▪ Results: found 71TB free-riding traffic
08/15/2018 @Zhen Zhang ([email protected]) 38
[1] (2017 global internet phenomena) spotlight: Zero-rating fraud. https://www.sandvine.com/hubfs/downloads/archive/2017-global-internet-phenomena-spotlight-zero-rating-fraud.pdf
Outline
▪ Introduction
▪ Free-riding Attacks
▪ System Design
▪ Formal Security Analysis
▪ Implementation
▪ Evaluation
▪ Conclusion
08/15/2018 @Zhen Zhang ([email protected]) 39
System Design: Overview
08/15/2018 @Zhen Zhang ([email protected]) 40
ISPNetwork
ContentProvider
ServerAgent
ISPAssistant
Client
System Design: Overview
08/15/2018 @Zhen Zhang ([email protected]) 41
ISPNetwork
ContentProvider
ServerAgent
ISPAssistant
Control Plane
Client
System Design: Overview
08/15/2018 @Zhen Zhang ([email protected]) 42
ISPNetwork
ContentProvider
ServerAgent
ISPAssistant
Control Plane
Client
System Design: Overview
08/15/2018 @Zhen Zhang ([email protected]) 43
ISPNetwork
ContentProvider
ServerAgent
ISPAssistant
Mirrored traffic
Control Plane
Client
System Design: Overview
08/15/2018 @Zhen Zhang ([email protected]) 44
ISPNetwork
ContentProvider
ServerAgent
ISPAssistant
Mirrored traffic
Control Plane
Mirror/redirect
Client
System Design: Overview
08/15/2018 @Zhen Zhang ([email protected]) 45
ISPNetwork
ContentProvider
ServerAgent
ISPAssistant
Mirrored traffic
Control Plane
Mirror/redirectIf blocking mode
Client
System Design: ISP Assistant
▪ Blocking/Non-Blocking Mode
▪ Accept hash values and match
08/15/2018 @Zhen Zhang ([email protected]) 46
Ctr
lPla
ne
Inte
rfac
e
ISPHashDB CPHashDB
ZFREE ISP Assistant
Integrity CheckHash
Engine
PacketParser
System Design: ISP Assistant
▪ Blocking/Non-Blocking Mode
▪ Accept hash values and match
08/15/2018 @Zhen Zhang ([email protected]) 47
Ctr
lPla
ne
Inte
rfac
e
ISPHashDB CPHashDB
ZFREE ISP Assistant
Integrity CheckHash
Engine
PacketParser
ZFREEControl Plane ZFREE Server
Agents
System Design: ISP Assistant
▪ Blocking/Non-Blocking Mode
▪ Accept hash values and match
08/15/2018 @Zhen Zhang ([email protected]) 48
Ctr
lPla
ne
Inte
rfac
e
ISPHashDB CPHashDB
ZFREE ISP Assistant
Integrity CheckHash
Engine
PacketParser
ZFREEControl Plane ZFREE Server
Agents
System Design: ISP Assistant
▪ Blocking/Non-Blocking Mode
▪ Accept hash values and match
08/15/2018 @Zhen Zhang ([email protected]) 49
Ctr
lPla
ne
Inte
rfac
e
ISPHashDB CPHashDB
ZFREE ISP Assistant
Integrity CheckHash
Engine
PacketParser
ZFREEControl Plane ZFREE Server
Agents
ISP NetworkMirrored or redirectedtraffic
System Design: ISP Assistant
▪ Blocking/Non-Blocking Mode
▪ Accept hash values and match
08/15/2018 @Zhen Zhang ([email protected]) 50
Ctr
lPla
ne
Inte
rfac
e
ISPHashDB CPHashDB
ZFREE ISP Assistant
Integrity CheckHash
Engine
PacketParser
ZFREEControl Plane ZFREE Server
Agents
ISP NetworkMirrored or redirectedtraffic
System Design: ISP Assistant
▪ Blocking/Non-Blocking Mode
▪ Accept hash values and match
08/15/2018 @Zhen Zhang ([email protected]) 51
Ctr
lPla
ne
Inte
rfac
e
ISPHashDB CPHashDB
ZFREE ISP Assistant
Integrity CheckHash
Engine
PacketParser
ZFREEControl Plane ZFREE Server
Agents
ISP NetworkMirrored or redirectedtraffic
If Blocking Mode: send packets back
System Design: ISP Assistant
▪ Blocking/Non-Blocking Mode
▪ Accept hash values and match
08/15/2018 @Zhen Zhang ([email protected]) 52
ChargingSystem
Ctr
lPla
ne
Inte
rfac
e
ISPHashDB CPHashDB
ZFREE ISP Assistant
Integrity CheckHash
Engine
PacketParser
ZFREEControl Plane ZFREE Server
Agents
ISP NetworkMirrored or redirectedtraffic
If Blocking Mode: send packets back
System Design: Server Agent
▪ Get network traffic through port mirror
▪ Real-time/Batch hash report
08/15/2018 @Zhen Zhang ([email protected]) 53
CP Hash Module
ZFREE Server Agent
Ctr
lPla
ne
Inte
rfac
e HashEngine
PacketParser
System Design: Server Agent
▪ Get network traffic through port mirror
▪ Real-time/Batch hash report
08/15/2018 @Zhen Zhang ([email protected]) 54
CP Hash Module
ZFREE Server Agent
Ctr
lPla
ne
Inte
rfac
e HashEngine
PacketParser
CPNetwork
Mirror trafficfrom zero-rating servers
System Design: Server Agent
▪ Get network traffic through port mirror
▪ Real-time/Batch hash report
08/15/2018 @Zhen Zhang ([email protected]) 55
CP Hash Module
ZFREE Server Agent
Ctr
lPla
ne
Inte
rfac
e HashEngine
PacketParser
CPNetwork
Mirror trafficfrom zero-rating servers
System Design: Server Agent
▪ Get network traffic through port mirror
▪ Real-time/Batch hash report
08/15/2018 @Zhen Zhang ([email protected]) 56
CP Hash ModuleReal-time
ZFREE Server Agent
Ctr
lPla
ne
Inte
rfac
e HashEngine
PacketParser
CPNetwork
Mirror trafficfrom zero-rating servers
System Design: Server Agent
▪ Get network traffic through port mirror
▪ Real-time/Batch hash report
08/15/2018 @Zhen Zhang ([email protected]) 57
CP Hash ModuleReal-time
ZFREE Server Agent
Ctr
lPla
ne
Inte
rfac
e
Hash Queue
HashEngine
PacketParser
CPNetwork
Mirror trafficfrom zero-rating servers
System Design: Server Agent
▪ Get network traffic through port mirror
▪ Real-time/Batch hash report
08/15/2018 @Zhen Zhang ([email protected]) 58
CP Hash ModuleReal-time
Batch
ZFREE Server Agent
Ctr
lPla
ne
Inte
rfac
e
Hash Queue
HashEngine
PacketParser
CPNetwork
Mirror trafficfrom zero-rating servers
System Design: Server Agent
▪ Get network traffic through port mirror
▪ Real-time/Batch hash report
08/15/2018 @Zhen Zhang ([email protected]) 59
CP Hash ModuleReal-time
Batch
ZFREE Server Agent
Ctr
lPla
ne
Inte
rfac
e
Hash Queue
HashEngine
PacketParser
CPNetwork
Mirror trafficfrom zero-rating servers
ZFreeControl Plane
Outline
▪ Introduction
▪ Free-riding Attacks
▪ System Design
▪ Formal Security Analysis
▪ Implementation
▪ Evaluation
▪ Conclusion
08/15/2018 @Zhen Zhang ([email protected]) 60
Formal Security Analysis
▪ Using ProVerif
08/15/2018 @Zhen Zhang ([email protected]) 61
Goals NetworkCookies[1]
IP Whitelist ZFree
Packet Integrity ✕ ✕ ✕ ✕ ✓ ✓
CP Authenticity ✕ ✕ ✕ ✕ ✓ ✓
Data Secrecy ✕ ✓ ✕ ✓ ✕ ✓
[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.
/ : Unencrypted/Encrypted data plane communication
Outline
▪ Introduction
▪ Free-riding Attacks
▪ System Design
▪ Formal Security Analysis
▪ Implementation
▪ Evaluation
▪ Conclusion
08/15/2018 @Zhen Zhang ([email protected]) 62
Implementation
▪ ZFree Prototype: 1,890 Lines of Code (LoC):▪ 1,100 LoC for ISP assistant
▪ 790 LoC for Server Agent
▪ LTE network (ns3)
▪ WiFi network (Mininet)
▪ Formal verification code: 1,680 LoC
08/15/2018 @Zhen Zhang ([email protected]) 63
Outline
▪ Introduction
▪ Free-riding Attacks
▪ System Design
▪ Formal Security Analysis
▪ Implementation
▪ Evaluation
▪ Conclusion
08/15/2018 @Zhen Zhang ([email protected]) 64
Evaluation: Environment Setup
▪ Airplane WiFi: Mininet-WiFi
▪ 120 User Equipments (UEs)
▪ Two Access Points (AP)
▪ 30 Mbps
08/15/2018 @Zhen Zhang ([email protected]) 65
AP 1 AP 2
ServerAgent
ISPAssistant
Central Router as ISP CP
Evaluation: Environment Setup
▪ LTE network: ns3
▪ 1,200 UEs, two base stations (BSs)
▪ UE moving at speed 10-120km/h
08/15/2018 @Zhen Zhang ([email protected]) 66
ISPNetwork
Server AgentISP Assistant
ChargingSystem
BS1 BS2
CP
Evaluation: Environment Setup
▪ LTE network: ns3
▪ 1,200 UEs, two base stations (BSs)
▪ UE moving at speed 10-120km/h
08/15/2018 @Zhen Zhang ([email protected]) 67
ISPNetwork
Server AgentISP Assistant
ChargingSystem
BS1 BS2
CP
Evaluation: Page Loading Time Overhead is Ignorable
08/15/2018 @Zhen Zhang ([email protected]) 68
▪ Metric: Loading Time
▪ Content Provider as Network Proxy
▪ Top 500 Alexa websites
Evaluation: Transmission Overhead is Small
08/15/2018 @Zhen Zhang ([email protected]) 69
Evaluation: ZFree is Scalable
08/15/2018 @Zhen Zhang ([email protected]) 70
▪ Cellular Network:Bandwidth 150Mbps
Evaluation: ZFree is Durable
08/15/2018 @Zhen Zhang ([email protected]) 71
Evaluation: ZFree is Secure
▪ ZFree is robust against:▪ Request Masquerade attack
▪ Response Modification attack
▪ TCP retransmission-based attacks [1]
08/15/2018 @Zhen Zhang ([email protected]) 72
[1] Go, Younghwan, et al. "Gaining control of cellular traffic accounting by spurious TCP retransmission." Network and Distributed System Security (NDSS) Symposium 2014. Internet Society, 2014.
Outline
▪ Introduction
▪ Free-riding Attacks
▪ System Design
▪ Formal Security Analysis
▪ Implementation
▪ Evaluation
▪ Conclusion
08/15/2018 @Zhen Zhang ([email protected]) 73
Conclusion
▪ We launch free-riding attacks against real-world zero-rating services.
▪ We propose and implement ZFree, a secure, backward compatible,scalable zero-rating framework.
▪ We formally prove that ZFree is secure.
▪ Our evaluation results show that ZFree incurs ignorable overhead andis scalable.
08/15/2018 @Zhen Zhang ([email protected]) 74
Thank You! Questions?
08/15/2018 @Zhen Zhang ([email protected]) 75
▪ Source Code: https://github.com/zfree2018/ZFREE
▪ Online Demo: http://www.zfree.org