Professional Documents
Culture Documents
Where The Light Gets In: Analyzing Web Censorship Mechanisms in India
Where The Light Gets In: Analyzing Web Censorship Mechanisms in India
Where The Light Gets In: Analyzing Web Censorship Mechanisms in India
Mechanisms in India
Tarun Kumar Yadav, Akshat Sinha, Devashish Gosain, Piyush Sharma, Sambuddho Chakravarty
{tarun14110,akshat14132,devashishg,piyushs,sambuddho}@iiitd.ac.in
Indraprastha Insitute of Information Technology Delhi, New Delhi, India
ABSTRACT
arXiv:1808.01708v1 [cs.CY] 6 Aug 2018
1
site. In one particular ISP network, we observed that four of these ISPs viz. Airtel, Vodafone, Idea and Re-
whenever the client connected to the censored site, it liance Jio (potentially carrying a large fraction of net-
received a valid HTTP response bearing a statutory work traffic [22]), employ stateful inspection of HTTP
censorship notification with appropriate sequence num- requests alone to censors access. For some ISPs, like
ber and bits (e.g. FIN, RST) in the TCP headers that Idea Cellular, we detected the presence of censorship
enforce the client to disconnect with the server. Even- infrastructure in over a very large fraction (>90%) of
tually, the actual response from the censored site also the intra-AS network paths.
arrives, but by then the connection is already termi- Others, viz. BSNL and MTNL, prime government op-
nated, and the packet is discarded. erators, poison DNS responses for censored sites. In our
All such protocol exchanges hinted toward the pres- experiments, we identified about 600 censorious DNS
ence of malicious network elements (we collectively call resolvers spread across these two ISPs.
middleboxes) that snoop (or intercept) users’ traffic and Traffic of non-censorious ISPs transiting the censori-
upon observing requests to filtered websites, injects the ous ones often gets inadvertently filtered. Collectively,
aforementioned crafted packets to censor traffic. this is known as collateral damage [39]. We observed
To identify the network location of such censorship such phenomenon for various non-censorious ISPs in
infrastructures, we devise a technique which we collec- India. For example, censorship in Vodafone network
tively call Iterative Network Tracing, that works on the causes collateral damage to NKN, an otherwise non-
principle used by traceroute. It is quite similar to censorious educational network.
those proposed earlier by Xu et al. [52] and involves Through our detailed explorations, we discovered net-
sending web requests to censored sites but with increas- work middleboxes that either intercept traffic (like trans-
ing IP header TTL values, so that en route the messages proxies) or merely snoop on users traffic and sends back
encounter middleboxes, that are triggered upon the ar- specially crafted messages disconnecting the client–server
rival of request to the censored sites. connection. While a vast majority of previous efforts,
Using our approach, Iterative Network Tracing, and like [35, 42, 49] report the latter, to the best of our
and various heuristics which we developed after observ- knowledge we are the first ones to discover the presence
ing peculiarities of censorship techniques, we conducted of intercepting middle box in any ISP.
an investigative study of various censorship mechanism, Finally, while relatively powerful censorious nations
employed by major ISPs in the country. Our research have evolved mechanism to counter censorship circum-
engages long-term data collections to answer the follow- vention mechanism [17], we demonstrate simple, yet ef-
ing questions: fective, mechanisms that can be used to bypass censor-
ship without relying on popular anti-censorship tools
• What sequence of protocol messages triggers cen- like proxies or VPNs; making them harder to bypass
sorship? approaches proposed by others. Our approach relies on
• Exactly what techniques are employed by ISP net- identifying the packets generated from the middleboxes
works to filter users’ requests to censored sites? and filtering them at the client, or sending crafted re-
quests that go undetected by the middleboxes, but are
• Approximately what fraction of network paths are correctly recognized by the server. This is harder for
impacted by these censors? ISPs to identify that work by restricting access to anti-
censorship infrastructure. Moreover, efforts to retrofit
• Is censorship uniform and consistent across the
the solution into existing censorship middleboxes may
various ISPs? More specifically –
incur high costs on the part of the middlebox manu-
– Do various ISPs block the same set of sites? facturers and the ISPs, without factoring in downtimes
– Do various censorship devices of an ISP (aka and potential failures.
the middleboxes) block the same set of sites?
2. BACKGROUND AND RELATED WORK
• How hard or easy is it to bypass such censorship
mechanism? According to Open Net Initiative report, India is among
the list of countries that restricts the Internet content
Unlike several previous efforts, that directly draw con- and ranks India as “Partly Free” [9]. Internet cen-
clusions based on the results generated by their respec- sorship in India can be traced back to the year 1999,
tive tools and techniques [30, 31, 44] ours, at every pos- where website of the popular Pakistani daily newspaper
sible step, involves corroborating the results via manu- ‘Dawn’ was blocked from access within India, immedi-
ally connecting to the sites and inspecting the results. ately after the Kargil War [14]. Since then, there are
The key contribution of our research efforts, span- numerous instances of Internet censorship recorded [9]
ning over 18 months, involves detailed answers to all by the orders of the government to an extent of Inter-
the aforementioned questions. Our findings show that net Shutdowns. In the year 2015, there were at least
2
22 instances of Internet shutdowns in different parts of ences in the censorship experienced by customers. Also,
the country [50]. And later in the same year, Internet we studied the hypothetical scenario — assuming in fu-
service providers (ISPs) have been asked by the Gov- ture, the government of India plans to implement strict
ernment of India to block 857 websites, on the basis of censorship what would be the probable ‘key points’ to
restricting access to pornographic content [3]. place the filters, for different censorship mechanisms
Very recently transparency reports published by Face- viz., IP filtering, Prefix Hijack, DNS filtering etc.
book [4] and Google [5] also confirm that censorship in In this research, we rather carried out a comprehen-
India is on the rise. It indicates there were a total of sive study on the ‘present’ Internet censorship imple-
21 instances of complete Internet shutdowns and 1, 228 mentation in India, which was missing in our previous
instances of content removal by Facebook because a ma- analysis.
jority of content restricted was alleged to violate local
laws relating to defamation of religion and hate speech. 3. DATA COLLECTION AND APPROACH
Thus, we conducted a detailed study of web censor- For our research, we curated a list of potentially blocked
ship trends pertaining to Indian ISPs. Specifically, we websites (which we conveniently refer to as PBW) from
aim to explore the censorship mechanism and its asso- different sources which include Citizen Labs [10], Her-
ciated infrastructure deployed in the country. dict [6] and various past government and court orders
We begin by discussing important studies in the area of the country [11]. The list includes a total of 1200
of Internet Censorship, primarily reporting the type and websites which we consider to be sensitive (and thus
mechanism of censorship. Zittrain [55] in his seminal potentially censored). They span across 7 major cate-
analysis of censorship observed IP, keyword and DNS gories viz., escort services, pornography, music, torrent
filtering in China. Later many studies focused on cen- sites, politics, tools and social networks.
sorship specific to particular countries for eg., China [51, We commenced our research by using the already
27], Pakistan [42], Italy [20], Greece [48] Iran [24], Egypt available tool OONI [18]. A client which intends to de-
and Libia [28] etc. Verkamp et al., [47] extended this tect possible instances of censorship (at different layers
work by deploying clients in 11 countries to identify of network stack) installs OONI probe. This fully au-
their network censorship activities encompassing IP and tomatic tool, after running for finite time, reports the
URL filtering, keyword filtering and DNS based censor- blocked websites and possible censorship mechanisms
ship etc. Gill et al., [33] rather than deploying clients, behind them. After running OONI from five differ-
used data gathered by the OpenNet Initiative to detect ent vantage points we observed that it results in high
censorship in 77 countries. false positives and negatives. Thus, we created our own
Dalek et al., [29] used data from Shodan [16] to iden- scripts to detect Internet censorship in India.
tify URL filtering products deployed across many coun-
tries including Qatar, Yemen, Saudi Arabia and India. 3.1 The OONI tool
For large scale detection of censorship across multiple Open Observatory of Network Interference (OONI)
countries, there are several projects which provide tools [19], is an open source tool under the Tor project and
to determine censorship policy: HerdictWeb [54], Cens- is designed to detect censorship.
Mon [45], and Encore [25], OONI [19] and Augur [43]. We ran OONI on five popular ISP networks, using
However, a significant portion of censorship literature the PBW, and recorded the results. To corroborate our
focuses only on the Republic of China — Great Firewall findings we also manually checked the sites that were re-
of China (GFW) [55, 27, 53, 52, 41, 30, 31, 49, 38]. Win- ported by OONI as being censored. To our surprise, we
ter et al., [17] studied how DPI-enabled routers detect observed very few true positives. An exceedingly large
Tor bridges based on specific TLS cipher suits. Others number of sites which were reported as being censored
such as [39] reported that China is heavily contributing was however easily accessible.
towards collateral damage by DNS filtering. Khattak Table 1 summarizes our findings. The rows represent
et al., [37] observed that GFW operates similarly to the ISPs, columns correspond to the type of censorship
NIDS and found exploitable flaws in state management reported by OONI, and each entry is a 2-tuple (P,R)
of GFW. Later authors in [49], reported that GFW has representing the precision and recall.
evolved over a period of time and previous solutions [37] To explain our results better we use the example of
to bypass it, have failed. They proposed a novel tool data gathered for Airtel (a major ISP of the country2 ).
INTANG, to anti-censor GFW using carefully crafted The OONI tool reported that about 78 sites (BO ) were
packets, without relying on third-party software bun- being blocked by the Airtel. Upon manual inspection we
dles like Tor and VPNs. observed this number to be much higher, i.e. 133 (BM ).
In the year 2017, we [22] explored that Indian ISPs Only 15 websites (BO ∩ BM ) that were actually being
have incoherent censorship policies and they implement censored were also corrected detected by OONI. This
their own content filters resulting in dramatic differ- 2
In terms of network paths it intercepts [22]
3
Popular Censorship Type We now present our approach for determining the
ISPs Total DNS TCP HTTP
MT NL 0.57, 0.42 0.44, 0.10 0, 0 0.60, 0.64 type of censorship (DNS, TCP/IP and HTTP blocking)
Airtel 0.19, 0.11 0, 0 0, 0 0.19, 0.11 and mechanisms behind them.
Idea 0.57, 0.62 0, 0 0, 0 0.57, 0.62
V odaf one 0.69, 0.82 0, 0 0, 0 0.70, 0.78 3.2 DNS Blocking
Jio 0.34, 0.15 0, 0 0, 0 0.36, 0.14
Table 1: Accuracy of OONI: Precision and Re- I. Background:. For ordinary netizens, DNS resolu-
call values, measured in various ISPs. tion is the primary step for accessing any website. URL
entered by such netizens is first resolved to its associated
correct IP address. Thus, invariably censors exploit this
provides us with a precision of 0.19 (|BO ∩ BM |/|BO |) step, and often return an incorrect IP address, resulting
and a recall of 0.11 (|BO ∩ BM |/|BM |). Similar results in website’s unavailability.
were observed for other ISPs as well. DNS based blocking can be achieved by (1) DNS poi-
Such low values of precision and recall can be at- soning [46]— whereby a local resolver is corrupted and
tributed to the fact that OONI tool uses rudimentary replies with the incorrect IP for the specific DNS queries
approaches to detect potential censoring activities. For (2) DNS injection [23] — where some middlebox be-
instance, while detecting DNS filtering, it compares the tween the client and local resolver intercepts the DNS
IP address of a given host name returned by Google query and deliberately responds with an incorrect IP
DNS resolver (which they assume to not be tampered) address.
with the IP address mapped to that website by the
client’s ISP. If the two IP addresses of the same website II. Identifying filtered domains:. In order to iden-
are different they assume it to be censorship. But, in tify DNS filtering by ISPs, we selected PBWs that could
many cases differences in URL resolution is likely an otherwise be successfully resolved through Tor circuits
artifact of network hosting architectures (e.g. CDNs). (ending with exit nodes in non-censorious nations). There-
Also, while detecting HTTP filtering, OONI sends after, we attempted to resolve these PBWs through
an HTTP request to a given website over the network ISPs that we chose to test for potential censorship ac-
where the client (running the OONI probe) is hosted. tivities.
Following it, the same request is sent from the control A URL may resolve to different IP addresses, depend-
server (of OONI). HTTP responses obtained from these ing on the network from which resolution is attempted
requests are compared (based on a threshold) and the (due to reasons such as CDN based hosting). We iden-
website is assumed to be filtered if the responses differ. tified URLs whose resolution resulted in an overlapping
However, while doing our experiments, in many cases set of IPs when the resolution was attempted both by
we observed that in spite of having the difference in the the client (hosted in the ISP under consideration), as
results, websites are not blocked (explained in detail in well as via the Tor circuit. The sites corresponding
section 6). to such overlapping sets of IPs were considered uncen-
Thus, for our research, we abandoned OONI and cre- sored.
ated our own semi-automatic scripts to record the cen- In order to ascertain DNS filtering on the remain-
sorship instances by various ISPs across India. For in- ing list, we first tested our intuition i.e., an ISP, may
stance, similar to OONI, we tried sending GET requests resolve multiple blocked websites to some unique IP ad-
to PBWs from the client in test ISPs and through Tor. dresses. Thus, we performed frequency analysis on the
If the difference in responses is less than the threshold observed IP addresses i.e, if more than one website is
we considered them non-censored, otherwise we manu- resolved to same IP address4 , we checked it for DNS
ally inspect the responses further, unlike OONI, which filtering. Invariably we found static IP address of the
directly flags them as censorious. For instance, in Airtel same ISP appearing multiple times. We also observed
network, when we selected the threshold as 0.3, we ob- several bogon IP [1] addresses.
served that difference between aforementioned HTTP Thus, for the remaining URLs, that resolved to non-
responses for 390 websites, were more than the thresh- overlapping sets of IP addresses, we applied the fol-
old. On manually verifying the contents we observed lowing heuristics to decide if they corresponded to re-
that 40% of 390 websites were still non-censored3 . We sponses that is seemingly manipulated by the censor.
repeated the same experiments for all test ISPs under
consideration and found that 30 − 40% of the websites 1. Resolved IPs belong to the same AS that hosts the
which would have been flagged as censorious by OONI client: None of the PBWs were hosted in the clients’
are actually non-censorious. AS. Thus if any of the resolved IPs belong to the
4
We initially scanned the list and removed those cases for
3
This difference between the responses is further explained which multiple websites were actually hosted on the same
in section 6. IP address.
4
Client Destination
clients’ AS (the one under test), the AS is con-
sidered censorious and the corresponding URL is R1 R2 R3 R4 R5 R6 R7 R8
TTL=1
marked censored. TTL=2
TTL=3 Sensitive request
TTL=4 (with increasing TTL)
2. Resolved IPs are Bogons: If any of the resolved IPs
is a bogon [1], we consider the AS to be censorious Censored response
and the URL as being censored. TTL=9
Actual response
In order to ensure that only the aforementioned heuris-
tics are applied by our tested ISPs, to the remaining
IPs we sent the HTTP request through Tor circuit. We
manually confirmed that content was received from all Figure 1: Iterative Network Tracer: client sends
the IP addresses, indicating that all the remaining IPs a crafted query (DNS query/HTTP GET request)
were correctly mapped to the websites. containing a blocked domain with increasing
TTL. Censored response is observed from the
III. Identifying DNS filtering mechanism:. After malacious network element. 1
5
domain). dlebox and would respond back with a censorship
notification-cum-disconnection message.
II. Detecting HTTP filtering:. In our experiments,
• Possibility 2 (Middlebox inspects only the response):
we tested all our ISPs for potential censorship using
The middlebox would be triggered when it inspects
our curated list of 1200 PBWs. We began by creat-
the response messages, which happens only when
ing Tor circuits terminating in non-censorious coun-
the request actually reaches the site and elicits it
tries. Through these, we tried accessing all the PBWs.
(i.e. only corresponding to the second request).
The retrieved contents were compared against the con-
tents obtained by connecting directly to same respective • Possibility 3 (Middlebox inspects both request and
PBWs, directly from our clients hosted in the individual response): The middlebox sends censorship notification-
ISPs. cum-disconnection message for both the request.
We calculated the HTTP diff 5 between the afore-
mentioned responses and if the difference is less than In our measurements for all ISPs, we observed cen-
the threshold (0.3 in our case), we consider it to be sorship notification-cum-disconnection packet for both
non-blocked otherwise else we manually inspected all the requests (i.e. for TTL=n−1 and TTL=n). This di-
the responses to remove false positives/negatives. rectly rules out the possibility 2, i.e middlebox getting
triggered only through responses.
III. Which HTTP messages trigger censorship?. The only remaining possibility is possibility 3, wherein
We initiated our study of determining what triggers the middlebox inspects both requests and responses. In
censorship by observing the protocol messages between order to distinguish possibilities 1 from 3, we crafted
client and PBWs. For e.g., for a client hosted in Air- our own HTTP GET request such that PBW interprets
tel, we observed that as soon after it sends an HTTP it correctly but not the middlebox. For e.g., in Airtel
GET request to a PBW (following a regular TCP 3-way network, merely manipulating the case of the HTTP
handshake), a HTTP 200 OK response packet arrives, header field Host and changing it to HOST was suffi-
whose source IP address is that of the PBW. It had the cient for the request to go undetected by the middlebox
TCP FIN bit set and payload carried the censorship (while be correctly interpreted by the PBW). We show
notification. TCP FIN bit forced the client’s browser in section 5 that for all ISPs, we managed to bypass the
to initiate TCP 4-way connection termination with the censorship by only modifying the HTTP header fields
PBW. Eventually, the packet from the PBW also ar- of the GET request. This confirms that middlebox is
rived. We were thus unsure as to what triggered cen- only inspecting the request (possibility 1) and not the
sorship – requests from the client to the PBW or their response, as otherwise, we would still be receiving cen-
responses? sorship notification when the responses carrying poten-
In the past researchers have reported evidence of mid- tially censored content would be intercepted (by the said
dleboxes in China that inspect both request from the middlebox).
client and response from the server for censoring con-
tent [26, 27]. Thus, we also required heuristics to deter- IV. How GET request triggers the middlebox?:.
mine whether censorship was triggered by requests or Since middleboxes inspect the GET request for potential
by responses. censorship, we intend to confirm exactly how the mid-
In order to distinguish between the two possibilities, dleboxes get triggered. By default a regular GET request
we adopted the following approach. Initially, the client bares only the domain name along with the requested
runs traceroute to obtain the number of hops (n) to page. We first ran traceroute to obtain the number
the actual website. Thereafter, we establish a TCP 3- of hops to the server. Then, we crafted a GET request
way connection with the website and send two consecu- whose IP TTL was set to the value of penultimate hop,
tive HTTP GET requests for the blocked website. The IP such that it passes the middlebox but never reaches the
header of the first request has a TTL value of n − 1 and server. Thus, we ensured that response (if) received
is not expected to reach the site, and thus no responses is from the middlebox and not the actual server. In
from the site are expected. Whereas, the second is sent the payload, we fudged the domain name and its offset
to the site bearing a TTL value of n (and is expected within the request to determine exactly what triggered
to be handled like a regular request). censorship. For e.g., we set the HTTP Host field to that
Depending upon what the middleboxes en route in- of an uncensored site, while the domain name of the cen-
spect, there could be three possibilities: sored site was positioned at a random offset within the
HTTP header (say beyond the requested page indicated
• Possibility 1 (Middlebox inspects only the request): in the GET field). In all our tests we observed only when
Both the above requests would traverse the mid- the Host field is set to the domain name of the cen-
sored site. Further details of more related experiments
5
we used python difflib library for this purpose. are presented in section 4.2.
6
As described ahead in Section 4, in three of the four
ISP where we observed HTTP censorship, the middle- 2. Consistency: Ideally the same set of sites must be
box responds back to the client with a variant of the blocked by all the poisoned resolvers of an ISP. We de-
aforementioned censorship notification-cum-disconnection termined the set of filtered URLs as well as all the re-
messages. These were mostly HTTP 200 OK responses solvers that blocked them. For every filtered URL we
carrying the state’s censorship notification along with determine the fraction of poisoned resolver blocking it.
appropriate TCP bits enabled that force the client to Consistency is the average of these fractions.
terminate the connection with the PBW. They bore ap- In MTNL, we found a total of 448 resolvers, out of
propriate sequence and acknowledgement numbers (along which 383 were poisoned, i.e. coverage was around 77%.
with other protocol header information) to make them Whereas, in BSNL we found only 17 poisoned resolvers
indistinguishable from legitimate packets which the client’s out of a total of 182 (a smaller coverage of around 9.3%).
underlying protocol stack expects, wrt the initial TCP The consistency of each ISP can be inferred from Fig-
connection to the PBW. ure 2. Websites which are blocked in any of the two
In Section 5, we show how we exploit this knowledge ISPs are represented on the X-axis. The percentage of
of protocol header idiosyncrasies, along with deliberate resolvers blocking the website are represented on Y-axis.
fudging of the requested domain name in the Host field For the sake of preserving anonymity, we represent the
of the GET requests to sidestep censorship. sites with unique numbers, rather than actual names.
It can be clearly seen from the figure that in general
V. Identifying location of HTTP middleboxes:. a single website (for eg., website ID 450) is blocked by
After characterizing the blocking behavior, we intend more number of resolvers in MTNL (44%) than in BSNL
to identify the network location of middleboxes viz., IP (6.6%). The consistency metric in MTNL (42.4%) is
address. As earlier 3.2, we first ran traceroute to de- also higher than that of BSNL (7.5%).
termine the number of hops between the client and a
PBW (to be tested). We then use Iterative Network
Tracing (shown in figure 1) whereby following a regular M T N L
1 0 0 B S N L
3-way handshake to the PBW, we sent series a crafted
P e r c e n ta g e o f r e s o lv e r s b lo c k in g th e w e b s ite
9 0
HTTP GET request to it, with increasing TTL values
until it encounters the middlebox whence the client ob- 8 0
the middleboxes. 4 0
3 0
4. EXPERIMENTAL RESULTS
2 0
In order to determine the censorship mechanism we
1 0
inspected for DNS, TCP/IP and HTTP blocking for the
list of potentially blocked websites in nine major ISPs 0
0 5 0 1 0 0 1 5 0 2 0 0 2 5 0 3 0 0 3 5 0 4 0 0 4 5 0 5 0 0 5 5 0
of the country (as explained in Section 3). For all ISPs,
In d iv id u a l W e b s ite ID
we found instances of DNS and HTTP filtering only.
7
Using the approach described in subsection 3.4 we de- order to verify that triggering event occurs only for
termined that censorship triggered solely due to request the blocked domain in Host field of GET request, we
and not the response6 . sent a crafted request where Host field’s value was a
Finally, we attempt to find the actual network loca- non-censored domain, with iteratively increasing val-
tion of the middleboxes with a variant of our Iterative ues. Interestingly, in these cases, we always received
Network Tracing, involving crafted HTTP GET requests. ICMP TTL Expired messages, even after TTL was large
However, we were unable to pinpoint the exact IP ad- enough for the packets to transit the middlebox.
dress of the middleboxes in most of our measurements We went a step ahead and selected an array of hosts
because of anonymization by the ISP. We discuss this we controlled in different networks7 outside Indian ISPs.
in detail in Section 6. On these machines, we hosted an ordinary webserver.
We now present in the behavior of the different types From our client, hosted in the ISP under test, we cre-
of middleboxes, we identified in the wild and describe ated TCP connections to these remote machines. The
their censorship mechanisms in detail. remote host simultaneously also monitors its own traf-
fic. The client sends crafted GET requests with Host
4.2.1 Types of middleboxes field requesting a censored domain. The destination IP
In our experiments, we identified two kinds of middle- address, however, was that of the remote host. Upon
boxes–viz. Interceptive Middlebox (IM) and Wiretap traversing a censorious middlebox positioned on the in-
Middlebox (WM). IMs, hitherto unreported by others [49] tervening network path, the client receives a censorship
are akin to transparent proxies which intercept connec- notification packet-cum-disconnection packets, with TCP
tions between the client and server and establish their FIN bits enabled. The subsequent the 4-way disconnec-
own to the server. In our studies, we found IMs which tion always timeout (very likely dropped by the mid-
intercept client to PBW connections and send back cen- dlebox). Eventually, the client attempts to terminate
sorship notification messages back to the client, without the connection by sending a RST packet. The remote
relaying the requests to the PBWs. host receives none of these packets, other than the ini-
The other, i.e. WMs, have also observed in various tial handshake messages and the said RST packet. The
other censorious regimes [49], and involve a host that TCP sequence number of this RST packet differs from
is connected to an active network element via a wire- the one sent by the client, thereby confirming that it
tap. It receives a copy of all the packets exchanged and was sent by the middlebox.
inspects for requests that need to be censored. There- Further, all packets with the source IP of client and
after, it crafts responses and sends it back to the censor, destination IP of the blocked site are filtered after the
with appropriate TCP header bits, with the intent to initial GET request and before the final RST packet.
terminate existing connections. We repeated the same exercise, by replacing the Host
The WMs are not as efficient as IMs, as they incur a field with that of an uncensored domain. Interestingly
higher cost in searching all flows to find the ones cen- enough, the request reaches the remote host unfiltered.
sor. They cannot outpace the client–PBW traffic flow, The functioning of the interceptive middlebox can be
as they work with a copy of the packets, and therefore is schematically shown in Figure 3.
not as effective in filtering every single request with
real-time efficiency (For WMs, in roughly 3 out of 10 Wiretapping middleboxes. Similar to interceptive mid-
attempts website gets rendered at the client machine, dleboxes, we used our own variant of iterative network
whereas for IMs all attempts to open the website were tracer, to first obtain the location of the middlebox in
unsuccessful). the network path intervening the client and a filtered
site.
Interceptive middleboxes. We used our variant of iter- After establishing TCP connection to the filtered site,
ative network tracer (explained in Subsection 3.4) to the client sent HTTP GET requests to it that bore the
first obtain the location of middlebox in the network URL of the blocked domain in the Host field. Inspect-
path intervening the client and a filtered site (identified ing the network traffic for the said message exchanges
beforehand using traceroute). through pcap, we see that the client receives the cen-
Thereafter, we sent crafted HTTP GET requests with sorship notification-cum-disconnection packet, with the
TTL values large enough to get past the network hop, forged IP address (that of the server) and TCP FIN+PSH
corresponding to the middlebox. Regardless of any fur- bits enabled, which thereby enforces connection termi-
ther increments to this IP TTL value, we never ob- nation. But even before the termination process re-
served the expected ICMP TTL Expired responses, but solves, the client receives a fresh TCP RST packet from
rather received the censorship notification messages. In the middlebox, bearing the forged IP address of the
server that forces the client to terminate the connec-
6
Middleboxes gets triggered solely in the presence of filtered
7
domains in Host field of the GET requests Planetlab, cloud services and hosts in different universities
8
3 Way Handshake
3 Way Handshake
RST (Seq=Y)
9
a case we say the ISP is 100% consistent. For every fil- ISP Coverage (%) Coverage (%) Middle- No. of
(VP: (VPs: Box websites
tered URL we determine the fraction of poisoned paths within ISP) outside ISP) Type blocked
blocking it. Consistency is the average of these frac- Airtel 75.2 54.2 WM 234
Idea 92 90 IM 338
tions. Vodafone 11 2.5 IM 483
Jio 6.4 0 WM 200
In order to find consistency and coverage we started
our experiments with single vantage point (VP) in the Table 2: HTTP filtering in different ISPs.
ISPs. As already discussed earlier, HTTP censorship
middleboxes are agnostic to the destination IP addresses
no middleboxes when probing for middleboxes from re-
of the HTTP GET requests (as long as they appear to
mote hosts to hosts inside the ISP with open TCP port
be a part of an existing TCP connection). We harness
80. We never observed a single instance of middlebox
this behavior of middlebox to find their coverage and
while we were probing from our distributed VPs. There
placement statistics.
are two possible explanations for this – either they have
We establish TCP connections with Alexa top 1000
placed middleboxes sub-optimally and thus they are not
websites from the client machine and sent GET requests
observed to the VPs outside of ISP. Alternatively, they
with Host fields pointing to all 1200 PBWs. Even if
maybe filtering request not only on domain names but
for single GET request we observed the censorship, we
also for source IPs belonging to Jio network itself.
considered that path to be poisoned by the middlebox.
Since, we never observed the IP address of the mid-
For Reliance Jio ISP, we only observed 64 out of 1000
dlebox, we were unable to find the exact reason that
paths to be tainted with middlebox. This gave us the
why we never observed any middlebox when tested from
hint that maybe middleboxes are not placed optimally
outside of the ISP network.
to intercept a large fraction of ISP paths.
Thus, to further test our observation with more van-
tage points, we used various hosts outside India, but A ir te l
under our control (PlanetLab nodes, cloud infrastruc- 1 0 0 V o d a fo n e
Id e a
ture, and some others in various universities). Our aim 9 0
P e r c e n ta g e o f p a th s b lo c k in g th e w e b s ite
10
poisoned paths. correctly interpreted by the middlebox but by the actual
So far we discussed all details regarding HTTP filter- website. We tried various techniques involving string
ing, but ignore HTTPS. We observed fewer than five fudging [36], such as manipulating the Host field values,
instances of HTTPS filtering which were actually due prepending www to the website name, changing cases of
to manipulated DNS responses by poisoned resolvers. the keywords like HTTP, GET and HOST, adding spaces
before and after the domain name etc.. Additionally
4.3 Collateral Damage within Indian ISPs we also tried approaches, like sending fragmented GET
ISPs have contractual commercial agreements for rout- requests and using HTTP 2.0 as the underlying web
ing Internet traffic among themselves [32] making them protocol (instead of HTTP 1.1). Different approaches
neighbors. Collateral damage occurs when traffic of worked for sidestepping different middleboxes.
non-censorious ISP transit through its peering censori- I. Wiretapping middleboxes: There are two ap-
ous ISP. Previous studies that have explored censorship proaches with which we bypassed these middleboxes.
by collateral damage [39, 21], have focused on how one
nation is impacted by the Internet censorship policies • Changing the case of Host keyword in the GET re-
of other nation. Whereas, in this work we highlight quest: Most popular browsers, like Mozilla Firefox
collateral damage is possible within the same country and Google Chrome, use the title case for the Host
itself. For instance, in ISPs like NKN, Sify and Siti, we keyword. Merely changing the case (e.g. changing
never observed any filtering caused by their own poli- it to HOst, HoST, HoSt or HOSTetc.) was suffi-
cies, rather all the censorship instances are solely due cient for request to go undetected via the middle-
to its peers policies, whereas for MTNL and BSNL it is boxes (of Airtel and Jio), but resulting in response
the cumulative effect of its own and neighbors’ policies. from the actual blocked webserver. This suggests
Table 3 summarizes our findings. that the webservers, corresponding to the PBWs,
adhere to RFC 2616 [8] and accept the keyword
ISPs Neighboring ISPs Host agnostic of the case, while the middleboxes
(cesnored) (causing censorship) look for exact keyword matches.
NKN Vodafone (69), TATA9 (8)
Sify TATA (142), Airtel (2) • Dropping the packets with RST or FIN bit set:
Siti Airtel (110)
MTNL Airtel (25), TATA (134) As mentioned earlier, the censorship notification-
BSNL Airtel (1), TATA (156) cum-disconnection packet has the TCP FIN bit
set. Subsequently the middlebox also sends a TCP
Table 3: Collateral Damage: Non censorious RST packet to enforce the client to disconnect.
ISP observe censorship due to their censorious
Using iptables utility, all the packets (of blocked
peering ISPs. In NKN, we observed 69 websites
website’s IP) which have FIN or RST bit set were
were blocked by Vodafone and 8 were blocked
dropped by the kernel. For Airtel, we observed
by TATA communication.
that responses from middleboxes of Airtel always
bear a fixed IP-Identifier value of 242. Thus, we
added a general rule that FIN or RST packets with
5. ANTI-CENSORSHIP APPROACHES IP-Identifier field 242 must be dropped. This effec-
Broadly classifying we observed two types of censor- tively filters the responses from the middleboxes.
ships in popular ISPs of India viz., HTTP filtering and Since the actual GET requests are not dropped by
DNS poisoning. In order to anti-censor them, we opted the middlebox, they reached the blocked website
techniques depending upon the middlebox under action. and elicit regular responses. These response con-
Our solutions are simple and extremely effective. taining the actual content of the website and are
accepted by the client browser.
Evading DNS poisoning: In order to circumvent
poisoned DNS resolver, any non-poisoned resolvers can II. Interceptive middleboxes: We further found
be used. We tested with OpenDNS, Google’s public two types of interceptive middleboxes i.e., one which
DNS (8.8.8.8) and many other non-poisoned resolvers sends only censorship notification-cum-disconnection mes-
which belong to non - censorious countries like Ireland, sage to the client (overt) and other which sends only a
Canada, and Sweden. With each of them, we were able RST packet to the client without any censorship notifi-
to bypass the DNS based censorship. cation (covert).
Evading HTTP filtering: As already explained in • Overt Censorship: To bypass such middleboxes
section 3.4 middlebox gets triggered upon identifying a which overtly censors the content, we fudged the
blocked domain in the HOST field of GET request only. Host field of the GET request. The standard do-
Our goal is to craft such a GET request, which is not main request looks like “Host: blocked.com”, i.e.
11
only one space between ‘:’ and ‘blocked.com’. But, (2) In path segments where asterisked router appeared
instead, if we place additional spaces (or tab) in- between visible ones, we checked if the latter belonged
between, i.e. “Host: blocked.com”, then the to the same test ISP. If so then we assume that anonymized
requests go undetected by the middleboxes, but IPs belong to the same ISP.
servers interpret them correctly. Also, adding ex- (3) The censorship notification messages have unique
tra spaces (or tables) after the domain name works, characteristics for eg., in Airtel, the censorship notifica-
e.g.“Host:blocked.com ”. tion packet has an embedded iframe which redirects to
“airtel.com/dot” and in Reliance JIO censored response
• Covert Censorship: For bypassing such middlebox
redirects to its own unique IP address. In such cases,
we intentionally inserted multiple Host fields (with
we easily identify the ISP of anonymized middlebox.
different website names) in the same GET request
to check which one of those is inspected by the 6.2 Issues with OONI
middlebox. For all cases, we observed that it is
As already explained in section 3.1, OONI performs
triggered upon inspecting only the last Host key-
two sets of experiments for a given list of PBWs (1) ac-
word. Thus appending an uncensored domain re-
cessing sites from client machine and (2) and accessing
quest to the array of such Host keywords, we were
the same from a control sever (of OONI). If discrepan-
able to bypass the middleboxes, but the server also
cies in IP address resolutions (DNS censorship) or re-
neglects it as the request is not a standard one.
trieved site contents (HTTP censorship) are observed,
Thus we crafted an unusual GET request, which
OONI flags the PBW to censored.
looked something like “GET / HTTP/1.1 Host:
However, we found that results of OONI are mis-
blocked.com...\r\n\r\n Host: allowed.com”. This
leading. It suffers from both false positives and false
request is neglected by the middlebox but on the
negatives. We now outline few possible reasons for false
other hand, accepted by the actual blocked web-
positives (incorrect flagging of sites as being censored):
site. Since middlebox is only looking at last Host
keyword, it interprets that packet as non-suspicious • An Unavailable website, previously hosted on host-
and allows it to pass through. The server, on the ing services like GoDaddy, if removed, may give
other hand, treats the ‘\r\n\r\n’ as the end of different HTTP responses when accessed from dif-
the GET request and the subsequent “Host: al- ferent locations – an artifact of distributed hosting.
lowed.com” as a separate request. Thus, the client Though not a case of censorship, OONI flags them
receives two responses from the website — the ac- as filtered.
tual content which due to the first Host field and
the BAD REQUEST message for the subsequent • Many websites have dynamic content such as live
one. news feeds and advertisement embedded in the
HTTP 200 OK messages that are often location
6. DISCUSSION dependent. These are also classified by OONI as
being censored.
6.1 Count of middleboxes in the ISP Also, OONI tool inspects differences in HTTP head-
In the previous study on China [52] authors reported ers and body lengths of the response. If differences are
that they found 495 router interfaces that have filter- greater than a threshold, it considers the site to be fil-
ing device attached to them. However, in India, we tered. We observe that for a website hosted on CDN,
could not follow the same approach. Throughout our the response at different geographic locations may come
research, we used traceroutes and iterative network through different servers having obvious differences in
tracer, with an intent of finding the location of cen- the response metadata. In reality, such sites may not
sorship infrastructure. In all our tested ISPs, generally be blocked.
middlebox (or routers to which they are attached) show Thus when we created our scripts, we only calculated
up as unresponsive routers (asterisked) when probed us- the difference in the content of the response, not the
ing traceroute. It is natural to ask if IP address of the headers. If the difference is greater than the thresh-
middlebox is not known then how we confirmed that old, rather than directly reporting them as blocked, we
blocking behavior was an outcome of our test ISP or manually verified them for blocking.
one its upstream provider? We applied few heuristics: We now discuss why OONI often fails to detect a
(1) On the paths where we observed the IP of a mid- censored site (false negatives). In order to identify cen-
dlebox, first we confirmed that it belongs to same test sorship, OONI calculates the difference between (1) the
ISP and later we recorded the corresponding censorship body length of compared websites (over the control server
notification. If from other anonymized middleboxes we and the network of the user) differs by some percentage
got the same notification, we considered it to be from (2) the HTTP header names do not match and (3) the
same ISP. HTML title tags do not match.
12
Even if a single aforementioned condition does not packet in that duration, it times out and purges
hold true [7, 12], OONI considers the website to be non the corresponding TCP state data. However, if
censorious. The following are few possible cases where fresh packets (corresponding to the individual flows,
OONI reports false negatives: regardless of whether they are GET requests or not)
arrive in the meantime, it restarts the timer for the
• We observed that for some websites, the response
timeout.
does not contain the content, rather a legitimate
redirection link sent by the actual server. Simi-
larly, in the censorship notification-cum-disconnection 7. CONCLUDING REMARKS
packets, there is an embedded iframe (which redi- In this work, we report a comprehensive analysis of
rects to blocked page). For both the cases, the dif- censorship mechanism and infrastructure in nine popu-
ference in the body length (of the responses) may lar ISPs of India. We commenced our research by using
be very less 10 . Thus, violating the condition one. popular censorship detection tool OONI, but since we
• OONI flags a website as non censored if the header observed high false positives and negatives, we discon-
fields (not their values) of both the HTTP response tinued it. We developed our own automated approach
11
matches exactly . In our measurements, we have (Interative Network Tracer), along with various heuris-
observed that most of the middleboxes use the tics, which we used to determine the type of censorship
same HTTP header as of the actual web server. mechanism involved (and in some cases the approximate
Thus, the headers of censorship notification-cum- location of the censorship infrastructure as well). At
disconnection packets matches with response header every step we confirm our findings against the ground
from the actual server. So, OONI mistakenly clas- truth, an effort largely ignored by several others in the
sifies a censored website to be non censored as the recent and distant past.
second condition is violated. We primarily found DNS and HTTP filtering as the
only techniques of censorship employed by these ISPs.
Censorship notification-cum-disconnection packets that Further, we evolved metrics, viz. coverage and con-
we observed have no HTML title tags. On the con- sistency that respectively describe how well the cen-
trary, most of the responses from the actual website sorship infrastructure covers the ISP and how consis-
did. OONI compares the title tags from both responses tent they are in censoring filtered domains. In passing,
only if at least one word in both the tags is at least we also observed interesting cases of collateral damage
five characters long. Thus, in our case, this condition within the ISPs of the same country. Finally, we devel-
is never checked. Thus, only the two aforementioned oped novel anti-censorship techniques, involving local
conditions may contribute towards the false negatives. firewalling and manipulating the HTTP GET requests,
6.3 Idiosyncrasy of middleboxes through which we were able to bypass all forms of cen-
sorship without relying on conventional methods involv-
• Ideal middleboxes inspect traffic agnostic of their ing proxies and VPNs.
port number, while all the rest inspect only re-
quests destined to TCP port 80. 8. REFERENCES
• WM specific to Airtel have a unique characteris-
[1] Bogon ip addresses. https://ipinfo.io/bogon.
tic – all packets generated from these middleboxes
[2] Cidr report.
have a fixed IP-ID value (242) in the IP header;
https://www.cidr-report.org/as2.0/.
whereas for all others’, this is variable.
[3] Dna india. http://www.dnaindia.com/india/
• There are some websites which are now unavailable report-government-orders-blocking-of\
(tested via Tor circuits ending in non-censorious \-857-pornographic-websites-2110545.
country) but still blocked by the ISPs (both through [4] Facebook transparency report 2017.
HTTP and DNS filtering). This implies that ISPs https://transparency.facebook.com/
are not updating their blacklists. country/India/2017-H1/.
• Middlebox (IM and WM) maintains a state for all [5] Google transparency report 2017.
transiting TCP connections. It inspects all the https://transparencyreport.google.com/
connections for 2 − 3 minutes, waiting for sensi- government-removals/by-country/IN.
tive content12 to arrive. If it does not receive any [6] Herdict:Help Spot Web Blockages.
10 http://herdict.org/.
Other variants of such scenarios are also possible for eg., a
small sign up/login page upon accessing the website
[7] How ooni detects http filtering? https://ooni.
11
We inspected the source code to ensure that this is the only torproject.org/nettest/web-connectivity/.
case [8] Http 1.1 rfc 2616.
12
Domain names which are possibly blocked. https://tools.ietf.org/html/rfc2616.
13
[9] Instances of internet censorship in india. https: [24] Aryan, S., Aryan, H., and Halderman,
//opennet.net/research/profiles/india. J. A. Internet censorship in iran: A first look. In
[10] List of potentially blocked websites in india — FOCI (2013).
citizen labs. https://github.com/citizenlab/ [25] Burnett, S., and Feamster, N. Encore:
test-lists/blob/master/lists/in.csv. Lightweight measurement of web censorship with
[11] Ministry of it orders isp to ban sexual abuse cross-origin requests. ACM SIGCOMM Computer
material. http://www.meity.gov.in/content/ Communication Review 45, 4 (2015), 653–667.
order-issued-meity-isps-adopt-and-implement\ [26] Clayton, R., Murdoch, S. J., and Watson,
\-iwf-resources-prevent-distribution-and. R. N. Ignoring the great firewall of china. In
[12] Ooni source code. International Workshop on Privacy Enhancing
https://github.com/TheTorProject/ Technologies (2006), Springer, pp. 20–35.
ooni-probe/blob/master/ooni/nettests/ [27] Crandall, J. R., Zinn, D., Byrd, M., Barr,
blocking/web_connectivity.py. E. T., and East, R. Conceptdoppler: a weather
[13] Porn websites blocked in india: Government plans tracker for internet censorship. In ACM
ombudsman for online content. Conference on Computer and Communications
http://gadgets.ndtv.com/internet/news/ Security (2007), pp. 352–365.
porn-websites-blocked-in-india-government\ [28] Dainotti, A., Squarcella, C., Aben, E.,
\-plans-ombudsman-for-online-content-723485. Claffy, K. C., Chiesa, M., Russo, M., and
[14] Rediff. http://www.rediff.com/computer/ Pescapé, A. Analysis of country-wide internet
1999/jul05dawn.htm. outages caused by censorship. In Proceedings of
[15] Right to information, a citizen gateway. the 2011 ACM SIGCOMM conference on Internet
http://rti.gov.in/. measurement conference (2011), ACM, pp. 1–18.
[16] Shodan-search engine for internet-connected [29] Dalek, J., Haselton, B., Noman, H., Senft,
devices. https://www.shodan.io/. A., Crete-Nishihata, M., Gill, P., and
[17] How the great firewall of china is blocking tor. In Deibert, R. J. A method for identifying and
Presented as part of the 2nd USENIX Workshop confirming the use of url filtering products for
on Free and Open Communications on the censorship. In Proceedings of the 2013 conference
Internet (Berkeley, CA, 2012), USENIX. on Internet measurement conference (2013),
[18] Ooni: Open observatory of network interference. ACM, pp. 23–30.
In Presented as part of the 2nd USENIX [30] Ensafi, R., Fifield, D., Winter, P.,
Workshop on Free and Open Communications on Feamster, N., Weaver, N., and Paxson, V.
the Internet (Berkeley, CA, 2012), USENIX. Examining how the great firewall discovers hidden
[19] OONI: Open observatory of network interference. circumvention servers. In Proceedings of the 2015
In Presented as part of the 2nd USENIX Internet Measurement Conference (2015), ACM,
Workshop on Free and Open Communications on pp. 445–458.
the Internet (Bellevue, WA, 2012), USENIX. [31] Ensafi, R., Winter, P., Mueen, A., and
[20] Aceto, G., Montieri, A., and Pescapé, A. Crandall, J. R. Analyzing the great firewall of
Internet censorship in italy: An analysis of 3g/4g china over space and time. Proceedings on privacy
networks. In Communications (ICC), 2017 IEEE enhancing technologies 2015, 1 (2015), 61–76.
International Conference on (2017), IEEE, [32] Gao, L., and Wang, F. The extent of as path
pp. 1–6. inflation by routing policies. In Global
[21] Acharya, H., Chakravarty, S., and Gosain, Telecommunications Conference, 2002.
D. Few throats to choke: On the current GLOBECOM’02. IEEE (2002), vol. 3, IEEE,
structure of the internet. In Local Computer pp. 2180–2184.
Networks (LCN), 2017 IEEE 42nd Conference on [33] Gill, P., Crete-Nishihata, M., Dalek, J.,
(2017), IEEE, pp. 339–346. Goldberg, S., Senft, A., and Wiseman, G.
[22] Acharya, H., Chakravarty, S., and Gosain, Characterizing web censorship worldwide:
D. Mending wall: On the implementation of Another look at the opennet initiative data. ACM
censorship in india. In SecureComm 2018 - 13th Transactions on the Web (TWEB) 9, 1 (2015), 4.
EAI International Conference on Security and [34] Guo, S., and Feng, G. Understanding support
Privacy in Communication Networks (2017), for internet censorship in china: An elaboration of
Springer. the theory of reasoned action. Journal of Chinese
[23] Anonymous. The collateral damage of internet Political Science 17, 1 (2012), 33–52.
censorship by dns injection. SIGCOMM Comput. [35] Internet censorship in iran.
Commun. Rev. 42, 3 (June 2012), 21–27. [36] Jermyn, J., and Weaver, N. Autosonda:
14
Discovering rules and triggers of censorship Understanding internet censorship policy: The
devices. In 7th USENIX Workshop on Free and case of greece. In 5th USENIX Workshop on Free
Open Communications on the Internet (FOCI and Open Communications on the Internet
17). USENIX Association, Vancouver, BC. (FOCI) (2015).
https://www. usenix. [49] Wang, Z., Cao, Y., Qian, Z., Song, C., and
org/conference/foci17/workshop- Krishnamurthy, S. V. Your state is not mine: a
program/presentation/jermyn closer look at evading stateful internet censorship.
(2017). In Proceedings of the 2017 Internet Measurement
[37] Khattak, S., Javed, M., Anderson, P. D., Conference (2017), ACM, pp. 114–127.
and Paxson, V. Towards illuminating a [50] West, D. M. Internet shutdowns cost countries
censorship monitor’s model to facilitate evasion. $2.4 billion last year. Center for Technological
In FOCI (2013). Innovation at Brookings, Washington, DC (2016).
[38] Knockel, J., Ruan, L., and [51] Wright, J. Regional variation in chinese internet
Crete-Nishihata, M. Measuring filtering. Information, Communication & Society
decentralization of chinese keyword censorship via 17, 1 (2014), 121–141.
mobile games. In 7th {USENIX} Workshop on [52] Xu, X., Mao, Z. M., and Halderman, J. A.
Free and Open Communications on the Internet Internet censorship in china: Where does the
({FOCI} 17) (2017), USENIX Association. filtering occur? In International Conference on
[39] Levis, P. The collateral damage of internet Passive and Active Network Measurement (2011),
censorship by dns injection. ACM SIGCOMM Springer, pp. 133–142.
CCR 42, 3 (2012). [53] Yang, Q., and Liu, Y. Whats on the other side
[40] MacKinnon, R. Flatter world and thicker walls? of the great firewall? chinese web users
blogs, censorship and civic discourse in china. motivations for bypassing the internet censorship.
Public Choice 134, 1-2 (2008), 31–46. Computers in human behavior 37 (2014), 249–257.
[41] Marczak, B., Weaver, N., Dalek, J., [54] Zittrain, J., Budish, R., and Faris, R.
Ensafi, R., Fifield, D., McKune, S., Rey, Herdict: Help spot web blockages, 2014.
A., Scott-Railton, J., Deibert, R., and [55] Zittrain, J., and Edelman, B. Internet
Paxson, V. Chinas great cannon. Citizen Lab 10 filtering in china. IEEE Internet Computing 7, 2
(2015). (2003), 70–77.
[42] Nabi, Z. The anatomy of web censorship in
pakistan. In FOCI (2013).
[43] Pearce, P., Ensafi, R., Li, F., Feamster,
N., and Paxson, V. Augur: Internet-wide
detection of connectivity disruptions. In Security
and Privacy (SP), 2017 IEEE Symposium on
(2017), IEEE, pp. 427–443.
[44] Pearce, P., Jones, B., Li, F., Ensafi, R.,
Feamster, N., Weaver, N., and Paxson, V.
Global measurement of dns manipulation. In
Proceedings of the 26th USENIX Security
Symposium (Security17) (2017).
[45] Sfakianakis, A., Athanasopoulos, E., and
Ioannidis, S. Censmon: A web censorship
monitor. In USENIX Workshop on Free and Open
Communication on the Internet (FOCI) (2011).
[46] Son, S., and Shmatikov, V. The hitchhikers
guide to dns cache poisoning. In International
Conference on Security and Privacy in
Communication Systems (2010), Springer,
pp. 466–483.
[47] Verkamp, J.-P., and Gupta, M. Inferring
mechanics of web censorship around the world. In
FOCI (2012).
[48] Ververis, V., Kargiotakis, G., Filasto, A.,
Fabian, B., and Alexandros, A.
15