towards a secure zero-rating framework with three … · china mobile lost over 0.5 million/month...

75
TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE PARTIES Authors: Zhiheng Liu, Zhen Zhang, Yinzhi Cao†, Zhaohan Xi, Shihao Jing and Humberto La Roche ‡ Lehigh University, †Johns Hopkins University/Lehigh University, ‡Cisco System

Upload: others

Post on 15-Jul-2020

1 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

TOWARDS A SECURE ZERO-RATINGFRAMEWORK WITH THREE PARTIES

Authors: Zhiheng Liu, Zhen Zhang, Yinzhi Cao†, Zhaohan Xi, Shihao Jing and Humberto

La Roche ‡

Lehigh University, †Johns Hopkins University/Lehigh University, ‡Cisco System

Page 2: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

08/15/2018 @Zhen Zhang ([email protected]) 2

Page 3: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

08/15/2018 @Zhen Zhang ([email protected]) 3

Hi Zhen,Give me some data …

Page 4: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

08/15/2018 @Zhen Zhang ([email protected]) 4

Page 5: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

08/15/2018 @Zhen Zhang ([email protected]) 5

Page 6: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

08/15/2018 @Zhen Zhang ([email protected]) 6

2G…

Page 7: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

08/15/2018 @Zhen Zhang ([email protected]) 7

2G…

Page 8: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

08/15/2018 @Zhen Zhang ([email protected]) 8

2G…

Page 9: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

08/15/2018 @Zhen Zhang ([email protected]) 9

2G…

Page 10: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

08/15/2018 @Zhen Zhang ([email protected]) 10

2G…

Page 11: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

08/15/2018 @Zhen Zhang ([email protected]) 11

2G…

Zero-rating Services

Page 12: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

08/15/2018 @Zhen Zhang ([email protected]) 12

Is that possible

Zero-rating Services

Page 13: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

08/15/2018 @Zhen Zhang ([email protected]) 13

Yes, Let’s fool the ISP…

Zero-rating Services

Page 14: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

08/15/2018 @Zhen Zhang ([email protected]) 14

Yes, Let’s fool the ISP…Launch free-riding attacks

Zero-rating Services

Page 15: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Threat Model of Free-riding Attacks

08/15/2018 @Zhen Zhang ([email protected]) 15

ISP

Clients

Content Providers

Page 16: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Threat Model of Free-riding Attacks

08/15/2018 @Zhen Zhang ([email protected]) 16

malicious

ISP

Clients

Content Providers

Page 17: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Threat Model of Free-riding Attacks

08/15/2018 @Zhen Zhang ([email protected]) 17

malicious

ISP

ISP is benign/victimClients

Content Providers

Page 18: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Threat Model of Free-riding Attacks

08/15/2018 @Zhen Zhang ([email protected]) 18

malicious

ISP

ISP is benign/victim

Zero-rated CPs arebenign/victim

Clients

Content Providers

Page 19: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Threat Model of Free-riding Attacks

08/15/2018 @Zhen Zhang ([email protected]) 19

malicious

ISP

ISP is benign/victim

Zero-rated CPs arebenign/victim

Attacker can masquerade zero-rating CP

Clients

Content Providers

Page 20: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Outline

▪ Introduction

▪ Free-riding Attacks

▪ System Design

▪ Formal Security Analysis

▪ Implementation

▪ Evaluation

▪ Conclusion

08/15/2018 @Zhen Zhang ([email protected]) 20

Page 21: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Request Masquerade Attack on Industry System

▪ Masquerade request domain▪ HTTP: “Host” field [1]

▪ HTTPs: “SNI” field

08/15/2018 @Zhen Zhang ([email protected]) 21

ISP Network

Zero-rated domain list

www.attacker.com

Client[1] Kakhki, Arash Molavi, et al. "Bingeon under the microscope: Understanding T-Mobiles zero-rating implementation." Proceedings of the 2016 workshop on QoE-based Analysis and Management of Data Communication Networks. ACM, 2016.

Page 22: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Request Masquerade Attack on Industry System

▪ Masquerade request domain▪ HTTP: “Host” field [1]

▪ HTTPs: “SNI” field

08/15/2018 @Zhen Zhang ([email protected]) 22

ISP Network

Zero-rated domain list

Request

srcIP, dstIP …

<data>SNI/Host:www.youtube.com

www.attacker.com

Client[1] Kakhki, Arash Molavi, et al. "Bingeon under the microscope: Understanding T-Mobiles zero-rating implementation." Proceedings of the 2016 workshop on QoE-based Analysis and Management of Data Communication Networks. ACM, 2016.

Page 23: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Request Masquerade Attack on Industry System

▪ Masquerade request domain▪ HTTP: “Host” field [1]

▪ HTTPs: “SNI” field

08/15/2018 @Zhen Zhang ([email protected]) 23

ISP Network

Zero-rated domain list

Request

srcIP, dstIP …

<data>SNI/Host:www.youtube.com

Requestwww.attacker.com

Client[1] Kakhki, Arash Molavi, et al. "Bingeon under the microscope: Understanding T-Mobiles zero-rating implementation." Proceedings of the 2016 workshop on QoE-based Analysis and Management of Data Communication Networks. ACM, 2016.

Page 24: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Request Masquerade Attack on Industry System

▪ Masquerade request domain▪ HTTP: “Host” field [1]

▪ HTTPs: “SNI” field

08/15/2018 @Zhen Zhang ([email protected]) 24

ISP Network

Zero-rated domain list

Request

srcIP, dstIP …

<data>SNI/Host:www.youtube.com

Requestwww.attacker.com

Client[1] Kakhki, Arash Molavi, et al. "Bingeon under the microscope: Understanding T-Mobiles zero-rating implementation." Proceedings of the 2016 workshop on QoE-based Analysis and Management of Data Communication Networks. ACM, 2016.

Page 25: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Request Masquerade Attack on Industry System

▪ Masquerade request domain▪ HTTP: “Host” field [1]

▪ HTTPs: “SNI” field

08/15/2018 @Zhen Zhang ([email protected]) 25

ISP Network

Zero-rated domain list

Request

srcIP, dstIP …

<data>SNI/Host:www.youtube.com

Requestwww.attacker.com

Response

srcIP, dstIP …

<data>

Client[1] Kakhki, Arash Molavi, et al. "Bingeon under the microscope: Understanding T-Mobiles zero-rating implementation." Proceedings of the 2016 workshop on QoE-based Analysis and Management of Data Communication Networks. ACM, 2016.

Page 26: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Response Modification Attack on Industry System

▪ Inject non-zero-rated content

08/15/2018 @Zhen Zhang ([email protected]) 26

ISP Network

Client

Request

srcIP, dstIP …

<data>SNI/Host: www.zero-rated.com

Response

srcIP, dstIP …

<data>

Zero-rated domain list

Zero-rated CP

Page 27: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Response Modification Attack on Industry System

▪ Inject non-zero-rated content

08/15/2018 @Zhen Zhang ([email protected]) 27

ISP Network

Client

Request

srcIP, dstIP …

<data>SNI/Host: www.zero-rated.com

Response

srcIP, dstIP …

<data>

Response

srcIP, dstIP …

<modified-data>

Zero-rated domain list

Zero-rated CP

Page 28: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Prototype Zero-Rating Systems

▪ Network Cookies [1]

▪ A malicious user can abuse the cookie.

▪ IP Whitelist-based Method [2]

▪ An attacker at the server side can abuse source IP address.

08/15/2018 @Zhen Zhang ([email protected]) 28

[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.[2] (2014, Dec.) Delivering zero-rated traffic. https://connect.limelight.com/blogs/limelight/2014/12/08/delivering-zero-rated-traffic

Page 29: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Attacks on Network Cookies

▪ Network Cookies [1]

▪ A malicious user can abuse the cookie.

08/15/2018 @Zhen Zhang ([email protected]) 29

[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.[2] (2014, Dec.) Delivering zero-rated traffic. https://connect.limelight.com/blogs/limelight/2014/12/08/delivering-zero-rated-traffic

Client

ISP Network

Zero-rated CP

Charged CP

Page 30: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Attacks on Network Cookies

▪ Network Cookies [1]

▪ A malicious user can abuse the cookie.

08/15/2018 @Zhen Zhang ([email protected]) 30

[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.[2] (2014, Dec.) Delivering zero-rated traffic. https://connect.limelight.com/blogs/limelight/2014/12/08/delivering-zero-rated-traffic

Client

ISP Network

Zero-rated CP

Charged CP

Page 31: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Attacks on Network Cookies

▪ Network Cookies [1]

▪ A malicious user can abuse the cookie.

08/15/2018 @Zhen Zhang ([email protected]) 31

[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.[2] (2014, Dec.) Delivering zero-rated traffic. https://connect.limelight.com/blogs/limelight/2014/12/08/delivering-zero-rated-traffic

Client

ISP Network

Zero-rated CP

Charged CP

Page 32: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Attacks on IP whitelist based system

▪ Facebook Zero [2]

▪ An attacker at the server side can abuse source IP address.

08/15/2018 @Zhen Zhang ([email protected]) 32

[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.[2] (2014, Dec.) Delivering zero-rated traffic. https://connect.limelight.com/blogs/limelight/2014/12/08/delivering-zero-rated-traffic

ISP Network

IP whitelist

Client

Zero-rated CP

Attacker CP

Page 33: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Attacks on IP whitelist based system

▪ Facebook Zero [2]

▪ An attacker at the server side can abuse source IP address.

08/15/2018 @Zhen Zhang ([email protected]) 33

[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.[2] (2014, Dec.) Delivering zero-rated traffic. https://connect.limelight.com/blogs/limelight/2014/12/08/delivering-zero-rated-traffic

ISP Network

IP whitelist

Client

Zero-rated CP

Attacker CP

Page 34: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Attacks on IP whitelist based system

▪ Facebook Zero [2]

▪ An attacker at the server side can abuse source IP address.

08/15/2018 @Zhen Zhang ([email protected]) 34

[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.[2] (2014, Dec.) Delivering zero-rated traffic. https://connect.limelight.com/blogs/limelight/2014/12/08/delivering-zero-rated-traffic

ISP Network

IP whitelist

Client

Zero-rated CP

Attacker CP

srcIP of Zero-rated CP, ACK, Seq

Page 35: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Attacks on IP whitelist based system

▪ Facebook Zero [2]

▪ An attacker at the server side can abuse source IP address.

08/15/2018 @Zhen Zhang ([email protected]) 35

[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.[2] (2014, Dec.) Delivering zero-rated traffic. https://connect.limelight.com/blogs/limelight/2014/12/08/delivering-zero-rated-traffic

ISP Network

IP whitelist

Client

Zero-rated CP

Attacker CP

srcIP of Zero-rated CP, ACK, Seq

Page 36: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Attacks on IP whitelist based system

▪ Facebook Zero [2]

▪ An attacker at the server side can abuse source IP address.

08/15/2018 @Zhen Zhang ([email protected]) 36

[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.[2] (2014, Dec.) Delivering zero-rated traffic. https://connect.limelight.com/blogs/limelight/2014/12/08/delivering-zero-rated-traffic

ISP Network

IP whitelist

Client

Zero-rated CP

Attacker CP

Victim

srcIP of Zero-rated CP, ACK, Seq

Page 37: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Attacks on Zero-Rating Systems

T-Mobile

ChinaMobile

ChinaUnicom

UnitedWiFi

ORDWiFi

NetworkCookies [1]

IPWhitelist

Req-Mas ✕ ✕ N/A ✕ ✕ ✕ ✕

Res-Mod ✕ ✕ N/A ✕ ✕ ✕ ✕

Req-Mas ✕ N/A ✕ N/A ✕ ✕ ✕

Res-Mod ✕ N/A ✕ N/A ✕ ✕ ✕

08/15/2018 @Zhen Zhang ([email protected]) 37

: Unencrypted Traffic; : Encrypted Traffic; Req-Mas: Request Masquerade; Res-Mod: Response Modification

[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.

Page 38: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Impacts of free-riding attacks

▪ A major U.S. network carrier lost over 7 millions in a month [1]

▪ China Mobile lost over 0.5 million/month in one province.

▪ Filtering abnormal users , i.e., those consuming over 3 GB per month zero rating traffic

▪ Inspecting unencrypted data manually

▪ Results: found 71TB free-riding traffic

08/15/2018 @Zhen Zhang ([email protected]) 38

[1] (2017 global internet phenomena) spotlight: Zero-rating fraud. https://www.sandvine.com/hubfs/downloads/archive/2017-global-internet-phenomena-spotlight-zero-rating-fraud.pdf

Page 39: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Outline

▪ Introduction

▪ Free-riding Attacks

▪ System Design

▪ Formal Security Analysis

▪ Implementation

▪ Evaluation

▪ Conclusion

08/15/2018 @Zhen Zhang ([email protected]) 39

Page 40: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: Overview

08/15/2018 @Zhen Zhang ([email protected]) 40

ISPNetwork

ContentProvider

ServerAgent

ISPAssistant

Client

Page 41: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: Overview

08/15/2018 @Zhen Zhang ([email protected]) 41

ISPNetwork

ContentProvider

ServerAgent

ISPAssistant

Control Plane

Client

Page 42: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: Overview

08/15/2018 @Zhen Zhang ([email protected]) 42

ISPNetwork

ContentProvider

ServerAgent

ISPAssistant

Control Plane

Client

Page 43: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: Overview

08/15/2018 @Zhen Zhang ([email protected]) 43

ISPNetwork

ContentProvider

ServerAgent

ISPAssistant

Mirrored traffic

Control Plane

Client

Page 44: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: Overview

08/15/2018 @Zhen Zhang ([email protected]) 44

ISPNetwork

ContentProvider

ServerAgent

ISPAssistant

Mirrored traffic

Control Plane

Mirror/redirect

Client

Page 45: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: Overview

08/15/2018 @Zhen Zhang ([email protected]) 45

ISPNetwork

ContentProvider

ServerAgent

ISPAssistant

Mirrored traffic

Control Plane

Mirror/redirectIf blocking mode

Client

Page 46: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: ISP Assistant

▪ Blocking/Non-Blocking Mode

▪ Accept hash values and match

08/15/2018 @Zhen Zhang ([email protected]) 46

Ctr

lPla

ne

Inte

rfac

e

ISPHashDB CPHashDB

ZFREE ISP Assistant

Integrity CheckHash

Engine

PacketParser

Page 47: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: ISP Assistant

▪ Blocking/Non-Blocking Mode

▪ Accept hash values and match

08/15/2018 @Zhen Zhang ([email protected]) 47

Ctr

lPla

ne

Inte

rfac

e

ISPHashDB CPHashDB

ZFREE ISP Assistant

Integrity CheckHash

Engine

PacketParser

ZFREEControl Plane ZFREE Server

Agents

Page 48: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: ISP Assistant

▪ Blocking/Non-Blocking Mode

▪ Accept hash values and match

08/15/2018 @Zhen Zhang ([email protected]) 48

Ctr

lPla

ne

Inte

rfac

e

ISPHashDB CPHashDB

ZFREE ISP Assistant

Integrity CheckHash

Engine

PacketParser

ZFREEControl Plane ZFREE Server

Agents

Page 49: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: ISP Assistant

▪ Blocking/Non-Blocking Mode

▪ Accept hash values and match

08/15/2018 @Zhen Zhang ([email protected]) 49

Ctr

lPla

ne

Inte

rfac

e

ISPHashDB CPHashDB

ZFREE ISP Assistant

Integrity CheckHash

Engine

PacketParser

ZFREEControl Plane ZFREE Server

Agents

ISP NetworkMirrored or redirectedtraffic

Page 50: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: ISP Assistant

▪ Blocking/Non-Blocking Mode

▪ Accept hash values and match

08/15/2018 @Zhen Zhang ([email protected]) 50

Ctr

lPla

ne

Inte

rfac

e

ISPHashDB CPHashDB

ZFREE ISP Assistant

Integrity CheckHash

Engine

PacketParser

ZFREEControl Plane ZFREE Server

Agents

ISP NetworkMirrored or redirectedtraffic

Page 51: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: ISP Assistant

▪ Blocking/Non-Blocking Mode

▪ Accept hash values and match

08/15/2018 @Zhen Zhang ([email protected]) 51

Ctr

lPla

ne

Inte

rfac

e

ISPHashDB CPHashDB

ZFREE ISP Assistant

Integrity CheckHash

Engine

PacketParser

ZFREEControl Plane ZFREE Server

Agents

ISP NetworkMirrored or redirectedtraffic

If Blocking Mode: send packets back

Page 52: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: ISP Assistant

▪ Blocking/Non-Blocking Mode

▪ Accept hash values and match

08/15/2018 @Zhen Zhang ([email protected]) 52

ChargingSystem

Ctr

lPla

ne

Inte

rfac

e

ISPHashDB CPHashDB

ZFREE ISP Assistant

Integrity CheckHash

Engine

PacketParser

ZFREEControl Plane ZFREE Server

Agents

ISP NetworkMirrored or redirectedtraffic

If Blocking Mode: send packets back

Page 53: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: Server Agent

▪ Get network traffic through port mirror

▪ Real-time/Batch hash report

08/15/2018 @Zhen Zhang ([email protected]) 53

CP Hash Module

ZFREE Server Agent

Ctr

lPla

ne

Inte

rfac

e HashEngine

PacketParser

Page 54: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: Server Agent

▪ Get network traffic through port mirror

▪ Real-time/Batch hash report

08/15/2018 @Zhen Zhang ([email protected]) 54

CP Hash Module

ZFREE Server Agent

Ctr

lPla

ne

Inte

rfac

e HashEngine

PacketParser

CPNetwork

Mirror trafficfrom zero-rating servers

Page 55: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: Server Agent

▪ Get network traffic through port mirror

▪ Real-time/Batch hash report

08/15/2018 @Zhen Zhang ([email protected]) 55

CP Hash Module

ZFREE Server Agent

Ctr

lPla

ne

Inte

rfac

e HashEngine

PacketParser

CPNetwork

Mirror trafficfrom zero-rating servers

Page 56: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: Server Agent

▪ Get network traffic through port mirror

▪ Real-time/Batch hash report

08/15/2018 @Zhen Zhang ([email protected]) 56

CP Hash ModuleReal-time

ZFREE Server Agent

Ctr

lPla

ne

Inte

rfac

e HashEngine

PacketParser

CPNetwork

Mirror trafficfrom zero-rating servers

Page 57: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: Server Agent

▪ Get network traffic through port mirror

▪ Real-time/Batch hash report

08/15/2018 @Zhen Zhang ([email protected]) 57

CP Hash ModuleReal-time

ZFREE Server Agent

Ctr

lPla

ne

Inte

rfac

e

Hash Queue

HashEngine

PacketParser

CPNetwork

Mirror trafficfrom zero-rating servers

Page 58: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: Server Agent

▪ Get network traffic through port mirror

▪ Real-time/Batch hash report

08/15/2018 @Zhen Zhang ([email protected]) 58

CP Hash ModuleReal-time

Batch

ZFREE Server Agent

Ctr

lPla

ne

Inte

rfac

e

Hash Queue

HashEngine

PacketParser

CPNetwork

Mirror trafficfrom zero-rating servers

Page 59: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

System Design: Server Agent

▪ Get network traffic through port mirror

▪ Real-time/Batch hash report

08/15/2018 @Zhen Zhang ([email protected]) 59

CP Hash ModuleReal-time

Batch

ZFREE Server Agent

Ctr

lPla

ne

Inte

rfac

e

Hash Queue

HashEngine

PacketParser

CPNetwork

Mirror trafficfrom zero-rating servers

ZFreeControl Plane

Page 60: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Outline

▪ Introduction

▪ Free-riding Attacks

▪ System Design

▪ Formal Security Analysis

▪ Implementation

▪ Evaluation

▪ Conclusion

08/15/2018 @Zhen Zhang ([email protected]) 60

Page 61: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Formal Security Analysis

▪ Using ProVerif

08/15/2018 @Zhen Zhang ([email protected]) 61

Goals NetworkCookies[1]

IP Whitelist ZFree

Packet Integrity ✕ ✕ ✕ ✕ ✓ ✓

CP Authenticity ✕ ✕ ✕ ✕ ✓ ✓

Data Secrecy ✕ ✓ ✕ ✓ ✕ ✓

[1] Yiakoumis, Yiannis, Sachin Katti, and Nick McKeown. "Neutral net neutrality." Proceedings of the 2016 ACM SIGCOMM Conference. ACM, 2016.

/ : Unencrypted/Encrypted data plane communication

Page 62: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Outline

▪ Introduction

▪ Free-riding Attacks

▪ System Design

▪ Formal Security Analysis

▪ Implementation

▪ Evaluation

▪ Conclusion

08/15/2018 @Zhen Zhang ([email protected]) 62

Page 63: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Implementation

▪ ZFree Prototype: 1,890 Lines of Code (LoC):▪ 1,100 LoC for ISP assistant

▪ 790 LoC for Server Agent

▪ LTE network (ns3)

▪ WiFi network (Mininet)

▪ Formal verification code: 1,680 LoC

08/15/2018 @Zhen Zhang ([email protected]) 63

Page 64: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Outline

▪ Introduction

▪ Free-riding Attacks

▪ System Design

▪ Formal Security Analysis

▪ Implementation

▪ Evaluation

▪ Conclusion

08/15/2018 @Zhen Zhang ([email protected]) 64

Page 65: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Evaluation: Environment Setup

▪ Airplane WiFi: Mininet-WiFi

▪ 120 User Equipments (UEs)

▪ Two Access Points (AP)

▪ 30 Mbps

08/15/2018 @Zhen Zhang ([email protected]) 65

AP 1 AP 2

ServerAgent

ISPAssistant

Central Router as ISP CP

Page 66: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Evaluation: Environment Setup

▪ LTE network: ns3

▪ 1,200 UEs, two base stations (BSs)

▪ UE moving at speed 10-120km/h

08/15/2018 @Zhen Zhang ([email protected]) 66

ISPNetwork

Server AgentISP Assistant

ChargingSystem

BS1 BS2

CP

Page 67: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Evaluation: Environment Setup

▪ LTE network: ns3

▪ 1,200 UEs, two base stations (BSs)

▪ UE moving at speed 10-120km/h

08/15/2018 @Zhen Zhang ([email protected]) 67

ISPNetwork

Server AgentISP Assistant

ChargingSystem

BS1 BS2

CP

Page 68: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Evaluation: Page Loading Time Overhead is Ignorable

08/15/2018 @Zhen Zhang ([email protected]) 68

▪ Metric: Loading Time

▪ Content Provider as Network Proxy

▪ Top 500 Alexa websites

Page 69: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Evaluation: Transmission Overhead is Small

08/15/2018 @Zhen Zhang ([email protected]) 69

Page 70: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Evaluation: ZFree is Scalable

08/15/2018 @Zhen Zhang ([email protected]) 70

▪ Cellular Network:Bandwidth 150Mbps

Page 71: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Evaluation: ZFree is Durable

08/15/2018 @Zhen Zhang ([email protected]) 71

Page 72: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Evaluation: ZFree is Secure

▪ ZFree is robust against:▪ Request Masquerade attack

▪ Response Modification attack

▪ TCP retransmission-based attacks [1]

08/15/2018 @Zhen Zhang ([email protected]) 72

[1] Go, Younghwan, et al. "Gaining control of cellular traffic accounting by spurious TCP retransmission." Network and Distributed System Security (NDSS) Symposium 2014. Internet Society, 2014.

Page 73: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Outline

▪ Introduction

▪ Free-riding Attacks

▪ System Design

▪ Formal Security Analysis

▪ Implementation

▪ Evaluation

▪ Conclusion

08/15/2018 @Zhen Zhang ([email protected]) 73

Page 74: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Conclusion

▪ We launch free-riding attacks against real-world zero-rating services.

▪ We propose and implement ZFree, a secure, backward compatible,scalable zero-rating framework.

▪ We formally prove that ZFree is secure.

▪ Our evaluation results show that ZFree incurs ignorable overhead andis scalable.

08/15/2018 @Zhen Zhang ([email protected]) 74

Page 75: TOWARDS A SECURE ZERO-RATING FRAMEWORK WITH THREE … · China Mobile lost over 0.5 million/month in one province. Filtering abnormal users , i.e., those consuming over 3 GB per month

Thank You! Questions?

08/15/2018 @Zhen Zhang ([email protected]) 75

▪ Source Code: https://github.com/zfree2018/ZFREE

▪ Online Demo: http://www.zfree.org