Sunday, December 21, 2008

Cavity searches and Internet Filtering

Proxying and tunnels will always get around filters. Full stop. I do not support censorship. Full stop. I do not support child pornography. Full stop. If child pornography were served from static webservers it would be easy to pull down. Full stop. There are 65,535 usable TCP ports. There are 65,535 usable UDP ports. There are ~4 billion usable IP addresses spread around different regions on the planet and advertised by different Autonomous Systems.

However, some thoughts.

a) From a Cisco perspective on a CRS/SSG/SCE, a thousand+ line ACL and policy map that routes requests for certain IP addresses to 'null 0', or sets the next hop for that traffic to a logging/404 host, would be feasible at peering edges. Feasible. As would a live feed akin to the Team Cymru dynamic bogon and martian feed. Feasible, but very dangerous to centralise such dynamic control. One could also insert more-specific /32 routes on the fly, akin to 'clean pipes' solutions that sinkhole and try to scrub distributed denial of service attacks.

The above points in (a) are equally achievable with Juniper high end gear also... and probably others too.

b) Any appliance/blade based content filtering or 'inline/OOB' IDS (Intrusion Detection System) will result in an epic fail, as opponents could shunt bad packets and malformed/obfuscated HTTP GETs at the device from multiple shifting sources all day and night to bring it to its knees! (Unless it only runs a DST IP block list...) There would also be massive issues with scaling and redundancy for most ISPs, let alone power and space constraints.

Both of the above techniques, with the possible exception of the null-routing option in (a), would allow one to reverse engineer the list with web spidering and/or large-scale scanning.

c) AHTCC (Australian High Tech Crime Centre) and AFP (Australian Federal Police), if they are aware of known IP source addresses of 'kiddie porn', should already be looking for these traffic flows via a form of (a) that only provides logging, i.e. fully honours the traffic request, and then subsequently investigating which Australian devices sent the illegal requests via standard process. Unfortunately there can be issues with malware and with establishing identity/intent; however, subsequent forensic investigation of the offending hard disks *should* confirm innocence or guilt (though costly to pursue, as most good investigations are). If the list of DST IP addresses were leaked, miscreants could play havoc with the authorities by spoofing requests from local ISP IP addresses, i.e. valid local SRC ranges (which an ISP cannot filter), and/or by using botnets on Australian networks to achieve denial of service. Devices would have to fail open.

If logging were bidirectional, then both inbound requests to Australian-hosted content and requests to external countries would be enumerated. Unfortunately one could only effectively begin with IPs reported to authorities, as any form of deeper content inspection would bring the issues and abuses mentioned in (b).

Essentially, as with real-world crime, one issue is balancing the benefit of blocking or pre-empting an ongoing 'crime' against the information that can be gained by passively monitoring and going after the 'crime bosses' or actual perpetrators. This is a tough topic. No one is suggesting child pornography is a victimless crime, however are we going after paedophiles or trying to block what kids *might* see?

I do not support censorship. I am across LI (Legal Interception) in mobile/PSTN and data networks somewhat, and one should have warrants to actively tap citizens' communications based upon probable cause. If one can prove that an IP address serves or accesses child pornography, individuals should be prosecuted as per the judicial system. Unfortunately filtering *all* flows is a slippery slope, especially for those that control the blacklist(s).

d) How does one vet content and keep the IP addresses in (a) up to date, and based upon what criteria? This can be especially difficult when recent research found that 69.8% of the websites for .com, .org and .net domains shared an IP address with 50 or more other websites. Were a device to serve illegal content from a fixed IP, the content would be brought down very quickly by the authorities in the hosting country, provided that country had laws governing hosting of said content.

e) DNS poisoning = epic fail. Go direct to IP. Do not pass go. Do not collect $200.

I do not support child pornography. I do not support censorship. I do not support wasting millions of taxpayers' hard-earned money on a fallacy.

I support law enforcement that works. I support the AHTCC and AFP. I support democracy. I do not support strip searching everyone that enters and leaves the country. I do not support all phone calls being tapped for illegal seditious conversations. I do not support our mail service opening every one of our letters. What are we doing about child pornography being physically mailed around in hardcopy or encrypted on USB thumb drives in the regular mail, or is that too hard?

And yes I am having seditious thoughts.

Cyberlaw, cybercops and cyber-democracy are required for cyberspace. Not cyber kid gloves and cyber sledge hammers.


Deda said...

Can't claim to follow all the technical stuff, but the sentiments sound about right to me.

Anonymous said...

Bit of a let down comment, but of course, you're exactly right.

There is no way this will work.

The 2 most logical reasons why I've heard this is going ahead are:-

1) Au's a world wide scapegoat/proof of concept. I don't think, however, nations are that friendly.

2) They want a fall guy. Supposedly they've wanted to get rid of Conroy for a while. He's got "strategic partnerships" keeping him in. Put this in badly, and you're out the door....

Keep doing your thing on this.

If we can come up with a meme worth spreading, we can create the website behind the message. Just need a good catch phrase. Censorship Australia... the best thing I've got is Uncensor Australia.



effy-d said...

Good post. I'm still confused as to who the filter is meant to protect. Sure, children from seeing bad stuff, right, but what bad stuff exactly?

All this child porn bs too, it's not like any of that goes over HTTP from

"Devices would have to fail open."

All network devices that do any filtering or packet inspection fail open.

Donal said...

Thanks effy-d. The fail-open aspect, as we know, is what the majority of devices default to in high-load or failure scenarios.

My point, though not as clear as I'd hoped, was that a sustained attack on a dynamic filtering node would provoke it into failing open, thus no filter. Yay!

Unfortunately in unexpected circumstances devices such as these can have software bugs/defects that black-hole traffic.

Essentially 'inline' can be a bad thing, and out-of-band can only send RSTs or instruct other inline nodes to drop traffic.


DD said...

'Inline' or not... what is the difference if no one looks at the info being fed through? It only becomes BS regardless of the technology we all allude to!

Mark Newton said...

Hi Donal.

The problem with using an ACL on an edge router is that the Government, in their technical testing framework, has already defined overblocking in terms of blocking non-blacklisted URLs on the same server as blacklisted URLs.

So you can't wipe out entire IP addresses due to an ACMA blacklist entry without violating the govt's stated requirements.

Even if you could, the collateral damage would be just awful. The entire world would end up laughing at us the first time a Yahoo, Google, Youtube or Facebook URL got blacklisted.

The Technical Testing Framework definition essentially mandates some kind of appliance.

The UK uses a 2-stage system: An ACL built out of the A records for hosts mentioned in blacklisted URLs is used as a WCCP divert list on core routers. Traffic to those IPs ends up being sent into proxy/cache systems which contain the actual blacklist on a URL-by-URL granularity.

So if you visit a URL that's not blacklisted but which is on the same server as a blacklisted URL, your HTTP request comes from the proxy/cache's source IP address instead of the requesting user's IP. Besides providing an effective vector for reverse-engineering the blacklist (which is being exploited by some researchers at Cambridge as we speak), the Wikipedia episode has shown that this approach doesn't actually avoid the "deny access to the entire server when a single URL is blocked" problem because the caches are so easily DoS'ed by load.

This policy is so profoundly unpopular that any engineered solution is going to have to assume that it'll be under constant attack by people who are trying to overwhelm censorship systems to either disable them or to embarrass the government into abandoning them. It's one thing to design a benign, optional system that just sits there and works because the only people who use it want it, but that'll be a different solution to the one you end up with when you're designing for a hostile audience.
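The overblocking problem raised in point (d) of the post and in the UK two-stage design described in the comment above, as an added example that is not code from the post, the comments, or any real filter: stage 1 builds the IP divert ACL from the A records of blacklisted URLs, stage 2 decides per URL at the proxy, and `collateral()` counts the unlisted hosts a plain /32 null route would take down with each diverted IP. All hostnames, addresses and blacklist entries are constructed sample data.

```python
# Added example, not code from the post or comments: model a two-stage filter
# (stage 1: IP ACL from the A records of blacklisted URLs; stage 2: proxy with
# a URL-level blacklist) and count the unrelated hosts an IP-only ACL or null
# route would sweep up with it. All names, IPs and list entries are constructed.
from collections import defaultdict
from urllib.parse import urlsplit

A_RECORDS = {  # constructed stand-in for live/passive DNS lookups
    "bad.example.net":    ["198.51.100.7"],
    "shop.example.com":   ["198.51.100.7"],  # shared-hosting neighbours
    "blog.example.org":   ["198.51.100.7"],
    "forum.example.com":  ["198.51.100.7"],
    "cdn.example.com":    ["203.0.113.10", "203.0.113.11"],
    "static.example.net": ["203.0.113.10"],
    "lonely.example.org": ["192.0.2.44"],
}
BLACKLIST_URLS = [  # constructed; exact-URL granularity, as at stage 2
    "http://bad.example.net/pics/page1.html",
    "http://cdn.example.com/u/abc/img.jpg",
    "http://lonely.example.org/",
]

def divert_list(blacklist, a_records):
    """Stage-1 ACL: every IP that hosts at least one blacklisted URL."""
    return {ip for u in blacklist
            for ip in a_records.get(urlsplit(u).hostname, [])}

def collateral(blacklist, a_records):
    """For each diverted IP, the hosts sharing it that are NOT blacklisted:
    exactly what a /32 null route (option (a) in the post) would also block."""
    listed = {urlsplit(u).hostname for u in blacklist}
    by_ip = defaultdict(set)
    for host, ips in a_records.items():
        for ip in ips:
            by_ip[ip].add(host)
    return {ip: sorted(by_ip[ip] - listed)
            for ip in divert_list(blacklist, a_records)}

def two_stage_decision(url, blacklist, a_records):
    """'direct' if the host's IPs miss the ACL; otherwise the proxy decides
    on the exact URL, so a neighbour on the same IP is served (via proxy)."""
    ips = set(a_records.get(urlsplit(url).hostname, []))
    if not ips & divert_list(blacklist, a_records):
        return "direct"
    return "proxy:blocked" if url in blacklist else "proxy:served"

if __name__ == "__main__":
    for ip, hosts in sorted(collateral(BLACKLIST_URLS, A_RECORDS).items()):
        print(ip, "also serves:", ", ".join(hosts) or "(nothing else)")
    print(two_stage_decision("http://shop.example.com/", BLACKLIST_URLS, A_RECORDS))
```

Every request to a diverted IP, blocked or not, leaves the proxy's source address rather than the user's, which is the reverse-engineering vector the comment mentions; the sets returned by `collateral()` are the hosts that would simply vanish if the divert ACL were instead installed as null routes.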

Donal said...

Hi Mark,

Agreed on single IPs taking out additional vhosts/content for http(s). ACLs/Policy Map/WCCP would still punt+sinkhole SRCs of other protocols though too, if required, such as torrent trackers/IRC servers etc...

As stated in post re:URL/URIs "This can be especially difficult when recent research found that 69.8% of the websites for .com, .org and .net domains shared an IP address with 50 or more other websites."
Which we all know pretty much already.. I just found the percentages fascinating...

Aside, I wonder how stable WCCP code is, as I haven't used it for years :) dodgy stuff! As is the Fortinet codebase!