Tools for Rendering Censorship Firewalls Ineffective

[Gary Howland]

Bill Stewart wrote:
> 
> The obvious techniques I can see include
> 1) Filter on IP address (e.g. German attack on XS4ALL)
> 2) Filter on DNS Name
> 3) Filter on Patterns in URL
> 4) Filter on Patterns in PUT/GET Requests
> 5) Filter on Patterns in Response.
> 6) Traffic Analysis on reading patterns
> 
> 1) It's easy to evade the crude version of this attack - use rolling IP
> addresses, and use DNS to publish the new ones.  For the German model,
> where the government has to tell the ISPs who to block, this wins.
> They can counter by blocking your whole IP network, not just a single
> machine, which you can counter by hopping IP networks as well as hosts,
> though that's more trouble (and blocking routes is probably easier
> than blocking hosts, since you do it at the routers, and harder to
> get people to turn back on.)  They can also enforce boycotts on the ISP,
> as they did with XS4ALL - blocking most of the traffic to a site
> can affect its other traffic enough to be economically annoying.

I would guess that most sites censoring http by IP would be doing so by
only censoring the http port.  If the http servers were to be run on
other ports too (perhaps well known ports like DNS), then this would
make life a little harder for the bad guys.  This would be especially
true if their routers were configured to allow ALL DNS requests through
(for example).  This may be a problem for some browsers (I know it's a
problem with netscape), as I mentioned a few weeks ago.


> What other kinds of attacks are there?  What other defenses?
> What kinds of holes are there in these defenses?

I have some encrypted HTTP relay software if anyone is interested in
setting up a server.

Gary
--
"Of course the US Constitution isn't perfect; but it's a lot better
than what we have now."  -- Unknown.

pub  1024/C001D00D 1996/01/22  Gary Howland <gary at systemics.com>
Key fingerprint =  0C FB 60 61 4D 3B 24 7D  1C 89 1D BE 1F EE 09 06