Domain Shadowing: Leveraging Content Delivery Networks for Robust Blocking-Resistant Communications

Transcription

Domain Shadowing: Leveraging Content Delivery Networks for Robust Blocking-Resistant Communications
Mingkui Wei, Assistant Professor, Cybersecurity Engineering Department, George Mason University

Layout
1. What is domain shadowing
2. How domain shadowing works
3. Performance evaluation
4. Security considerations
5. Blocking resistance
6. Conclusion


Domain Shadowing
- A censorship evasion technique using content delivery networks (CDNs).
- Similar to, but different from, domain fronting: one CDN can be used to visit any website, whether or not that website is on the same CDN or uses a CDN at all.
- Exploits a legitimate CDN feature that is harder to disable.


Content Delivery Networks
Basically, a CDN is a shared web cache.

Content Delivery Networks
But it also handles domain name transformation.
[Figure: the front-end domain example.com is mapped by the CDN to the back-end domain abc.aws.com]

Domain Name Transformation: the Fastly version (abc.aws.com -> example.com)
[Figure: message sequence between the user, the GoDaddy name server, the Fastly name server (ns1.fastly.net), the Fastly edge server (IP: 10.20.30.40) and the publisher's origin server (domain: abc.aws.com)]
1. User -> GoDaddy name server: DNS: example.com?
2. GoDaddy name server -> User: global.ssl.fastly.net
3. User -> Fastly name server: DNS: global.ssl.fastly.net?
4. Fastly name server -> User: IP: 10.20.30.40
5. User -> Fastly edge server: GET / HTTP/1.1, Host: example.com
6. Fastly edge server -> Origin server: GET / HTTP/1.1, Host: abc.aws.com
7. Origin server -> Fastly edge server: 200 OK, abc.aws.com/index.html
8. Fastly edge server -> User: 200 OK, example.com/index.html

Domain Name Transformation: the Cloudflare version (abc.aws.com -> example.com)
[Figure: message sequence between the user, the Cloudflare name server (dara.ns.cloudflare.com), the Cloudflare edge server (IP: 10.20.30.40) and the publisher's origin server (domain: abc.aws.com); Cloudflare's own name server answers the lookup directly, so the exchange has six steps instead of eight]
1. User -> Cloudflare name server: DNS: example.com?
2. Cloudflare name server -> User: IP: 10.20.30.40
3. User -> Cloudflare edge server: GET / HTTP/1.1, Host: example.com
4. Cloudflare edge server -> Origin server: GET / HTTP/1.1, Host: abc.aws.com
5. Origin server -> Cloudflare edge server: 200 OK, abc.aws.com/index.html
6. Cloudflare edge server -> User: 200 OK, example.com/index.html

Domain Name Transformation inside a CDN
No one (neither the user nor the censor) knows the domain transformation except the domain owner.
[Figure: the Fastly and Cloudflare message sequences from the two previous slides, shown side by side]

Evade Censorship using a CDN
1. The user registers a new domain, say, shadow.com (assume the new domain is not blocked by the censor).
2. The user subscribes to a CDN service that is not censored.
3. In the CDN, the user sets shadow.com as the front-end and blocked.com as the back-end.
4. After all is set, the user can visit the blocked (censored) domain by visiting the shadow domain.
5. All of the above configuration steps can be handled by a browser extension, which we have developed for Firefox.
6. More details of the configuration can be found in the paper.

Result
We registered domainshadowing.net and linked it to Facebook from within a censored country. We also used forbes.com as the front domain (as in domain fronting).
[Figure: the user, inside the censored network, sends GET / HTTP/1.1 to https://forbes.com and receives 200 OK with the Facebook index page; the CDN edge forwards GET / HTTP/1.1 with Host: facebook.com to facebook.com and relays its 200 OK facebook.com/index.html response back to the user]



Performance
- Delay performance beats most virtual private server (VPS) based approaches.
- It is even faster than directly fetching web pages from the origin server.


Security Concerns
Root cause: the domain name transformation confuses the browser, which may allow cross-domain attacks.
- Cross-site scripting
- Same origin policy
- Cookies and sessions
Solutions
- Integrate into the browser extension
- User education
- Ultimate solution: a deeply modified browser (e.g., the Tor browser)
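A toy model of the two domain-name-transformation figures and of the origin confusion listed under Security Concerns, written for this transcription rather than taken from the paper or its Firefox extension. The hosts, IP address, pages and cookie are constructed, and re-pointing the shadow domain from one back-end to another is an assumption used to show why cookies and sessions leak across back-ends.

```python
"""Toy model of the CDN domain-name transformation and of why it confuses the
browser. Added example, not the paper's code; all hosts, IPs and pages are constructed."""
from urllib.parse import urlsplit

# Constructed DNS zone: the front-end name is CNAMEd to the CDN, which owns the A record.
DNS = {"example.com": ("CNAME", "global.ssl.fastly.net"),
       "global.ssl.fastly.net": ("A", "10.20.30.40")}

# Constructed origins keyed by back-end domain: path -> (body, Set-Cookie value or None).
ORIGINS = {"abc.aws.com": {"/index.html": ("abc index page", "sid=abc123")},
           "xyz.aws.com": {"/index.html": ("xyz index page", None)}}

def resolve(name, zone=DNS, max_hops=8):
    """Follow CNAMEs to an A record (figure steps 1-4); return the IP and the chain."""
    chain = []
    for _ in range(max_hops):
        rtype, value = zone[name]
        chain.append(name)
        if rtype == "A":
            return value, chain
        name = value
    raise RuntimeError("CNAME chain too long")

class Edge:
    """CDN edge: rewrites the front-end Host header to the configured back-end
    domain (steps 5-6) and relays the origin's response (steps 7-8). Only the
    domain owner knows the mapping; the user and the censor do not."""
    def __init__(self, mapping):
        self.mapping = mapping            # front-end domain -> back-end domain
    def handle(self, host, path):
        backend = self.mapping.get(host)
        if backend is None:
            return 404, "", None
        entry = ORIGINS.get(backend, {}).get(path)
        return (200, *entry) if entry else (502, "", None)

class Browser:
    """Minimal browser: origin and cookie scope come from the URL host, i.e. the
    front-end name, never from the back-end that actually served the content."""
    def __init__(self, edge):
        self.edge, self.jar = edge, {}    # jar: host -> cookie string
    def get(self, url):
        parts = urlsplit(url)
        host, path = parts.hostname, parts.path or "/"
        resolve(host)                     # steps 1-4; KeyError for an unknown name
        sent = self.jar.get(host)         # cookie chosen purely by front-end host
        status, body, set_cookie = self.edge.handle(host, path)
        if set_cookie:
            self.jar[host] = set_cookie   # stored under example.com, not abc.aws.com
        return status, body, sent
```

Once the shadow domain is re-pointed to a second back-end, the cookie the first back-end set is sent to the second one, which is the cookie-and-session problem the slide lists.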


Blocking Resistance
- Domain shadowing is made possible because the CDN allows a user to set any domain as the back-end.
- The censor can see nothing but normal communication between the user and shadow.com, as long as HTTPS is used.
- The CDN cannot easily disallow it because it has legitimate use.
- Traffic analysis, website fingerprinting, etc., are not impossible to circumvent.
- The CDN can identify the use of domain shadowing, but the identification can be laborious.
- Essentially an arms race; counter-counter-measures are not impossible.


Conclusion
- A single-user censorship evasion solution. The user handles everything and does not need support from any dedicated third party, nor collaboration from the censored website.
- Light-weight: it relies only on a simple browser extension to work; and better performance, faster than VPS-based or even direct access.
- Harder to block: it utilizes a legitimate feature of the CDN, without which the CDN won't work (or at least will sacrifice a lot).
- More details can be found in the paper.

Thanks! Thanks for watching! Please direct any questions to mwei2@gmu.edu.
