Who Is Scanning the Internet?

Total Page:16

File Type:pdf, Size:1020Kb

Who Is Scanning the Internet? Who Is Scanning the Internet? Roman Trapickin Betreuer: Oliver Gasser, Johannes Naab Innovative Internet-Technologien und Mobilkommunikation SS2015 Lehrstuhl Netzarchitekturen und Netzdienste Fakultät für Informatik, Technische Universität München Email: [email protected] ABSTRACT ning activities in section 2. Popular software tools will be Today’s port scanning software is able to perform massive discussed in section 3. In section 4 we will talk about the port scans up to the complete IPv4 space within minutes. individuals and organizations, which openly perform Internet- Once a device is connected to the Internet, it will be almost wide scans. We will focus on understanding their intentions, immediately scanned for open ports and services. Most of used tools and techniques. Finally, we will endeavor a clas- these scans are done by anonymous individuals, in particular sification model for these entities in section 5. As a short targeting at finding and exploiting system vulnerabilities. supplement we will revitalize the discussion about the legal However, there is also a variety of individuals and organiza- and ethical aspects of (massive) port scanning in section 6. tions openly practicing massive port scanning and pursuing different objectives. In this paper we will introduce several 2. SCANNING BASICS scanning entities, while emphasizing their motives. In addi- The term “Internet(-wide) scan(ning)” describes a port scan- tion we will propose an entity classification model. In order ning procedure performed by a single or multiple scanning to endorse further understanding of the topic we will also entities on a considerable amount of hosts. There is no clear discuss port scanning as a measurement discipline as well as requirement or specification at which point scanning multiple introduce the contemporary port scanning software used for hosts may be dubbed an “Internet scan”, however scanning Internet-wide scans. the complete IP spaces of regional Internet registries or even countries definitely falls into this term. In this section we Keywords will shortly describe the main reason behind such massive port scan, internet-wide scan, measurement, entities, nmap, port scanning initiatives and also port scans in general as zmap, masscan, classification, caida, sonar, sipscan, conficker, well as introduce main concepts and terms used throughout shodan, hacienda, legality, ethics this paper. Although rudimentarily explained in this section, the real motives will be introduced in sections 4 and 5. 1. INTRODUCTION The main purpose of port scanning is gathering information IPv4 address space consists of 232 or almost 4.3 billion possi- about offered services from hosts connected to a network. ble IP addresses, which is within the giga order of magnitude. This is done via sending probe messages to targeted hosts Today’s computers have CPUs with gigahertz clock rates and and prompting a response later on. As the name suggests, gigabytes of RAM and storage. Today’s networks allow band- port scanning is centered around Transport layer ports and widths exceeding 1 gigabit per second. This makes iterations hence mostly based on the Transmission Control Protocol over the entire IPv4 space possible within a comparatively (TCP). Nevertheless both adjoining Network and Application short time period. By comparison, IPv6 address space con- layers often provide additional information about the targeted sists of 2128 or nearly 340 undecillion (1036) addresses, which system. is rather unlikely to iterate over entirely in the nearest future. Since the massive transition to IPv6 has not yet begun and 2.1 Port Status IPv4 is still by far the dominant Internet protocol,[18] we First, we explain what kind of knowledge a scanning entity now have a unique opportunity to reach every IPv4 address can receive from a TCP segment. The essential step in on the Internet in reasonable time. The year 2013 has seen (Internet-wide) port scanning is to determine the port status ZMap and masscan emerging, two port scanning tools, which of a remote host:[24] promised to port scan the entire Internet in under an hour on consumer hardware. Particularly ZMap has received an open port indicates that an application is accepting con- extensive IT media coverage,[2][10][31] which once again nections on this port. Finding an open port is the main raised the discussion about port scanning and associated goal for a scanning entity, since it discloses the most threats. knowledge about targeted host. closed port indicates that there is no active application In this paper we will attempt to answer the question “Who on the other end. Bearing significantly less information is scanning the Internet?” by giving an insight into the cur- about the host, a closed port could still provide some clues rent trends of massive port scanning. First, we will briefly about e. g. the operating system by fingerprinting the introduce the technical terms used for describing port scan- TCP/IP stack. Various operating systems exhibit char- Seminars FI / IITM SS 15, 81 doi: 10.2313/NET-2015-09-1_11 Network Architectures and Services, September 2015 acteristic behavior while generating the freely selectable An extreme example is a /0 vanilla scan. As mentioned TCP/IP fields, so that collecting multiple responses and before, large block scans are poorly scalable, since includ- matching them against a database with known finger- ing a single host to the target domain results in up to 216 prints makes OS detection possible. additional ports. In practice only a small number of ports undetermined port status is the least desirable message per host is scanned. Hence an Internet-wide block scan for a scanning entity. The port scanning software does may rather be considered as a series of few horizontal not receive any response. In most cases the port is fil- scans or alternatively as a /0 strobe scan. Such scans tered – protected by a firewall. Some port scanning are as well interesting for attackers aiming at multiple software, most prominently nmap, which offers various vulnerabilities and security experts doing global research, scanning techniques that – under favorable circumstances – but also useful for various service discovery tasks. may return more informative results. As a matter of consequence, the entire scanning process slows down dras- Figure 1 visualizes the three types of scanning in terms of tically. The scanning techniques will be introduced in targeted scope. section 3.1. 216 In addition to Transport and Application layer knowledge, horizontal vertical block a scanning entity can acquire relevant information from the Network layer. Querying a WHOIS database with targeted IP address will provide the scanning entity with approximate host geolocation and ISP data among other things. A variety of WHOIS services is publicly available on the Internet. In general, retrieving a short description of running services is called banner grabbing. ports 2.2 Defining the Scope of a Scan The next step is to define the scope of Internet scanning. This scope is defined by two dimensions, namely ports and hosts. A na¨ıve calculation for IPv4 address space for every port results in 232 216 = 248 communication endpoints · to be scanned. However, subtracting private IP ranges as 32 well as blacklisting some IP addresses will not change the 0 IPv4 addresses (hosts) 2 order of magnitude. By comparison, brute-forcing a 48-bit cryptographic key space is considered feasible today,[6] but Figure 1: A simplified visualization of scan types still only on dedicated hardware.[29] Even though iterating over 248 combinations alone can take significant amount of time on consumer-grade machines, actually it is the bandwidth 2.3 Measurement Standards that creates the major bottleneck. While scanning a remote Finally, we will discuss port scanning from a scientific, or host on the Internet, the scanning performance depends on more precisely, experimental point of view. Regardless of bandwidth of every path segment a packet has to traverse. the real motivation of a scanning entity, a (massive) port In fact, there are various factors, such as congestion control, scanning initiative is a quantitative research, and, as such, it is which negatively affect the overall bandwidth. As a result, subject to several measurement and quality standards. Vern such scans are indeed possible, albeit rather impractical. Paxson from the International Computer Science Institute Instead, scanning entities concentrate their effort on relevant in Berkeley, California has proposed the following aspects ports, so that time to completion can be thoroughly improved. for sound Internet measurement:[25] There exist three major approaches to reduce the scanning scope:[22] Precision describes a degree of relative proximity between individual measured values. A telling example is the Horizontal scan describes a port scan performed for the sampling rate of a continuous signal, whereas Paxson same port on multiple hosts. An extreme example of a cites an example of clocks with 1 μs and 1 ms precision horizontal scan is a /0 scan (entire IPv4 space) on a each as well as filtering responses. He also states, that, single port. Horizontal scans are often used by attackers concerning the Internet measurement, precision is “readily to detect open ports on a large number of machines in apparent” and hence is rather of secondary importance. order to exploit vulnerabilities of the listening application. However, according to Paxson, a sound measurement In turn, such scans can be used for massive security audits, study should at least respond to precision concerns. i. e. measuring global distribution of a vulnerability. Metadata is the data that accompanies the actually mea- Vertical scan describes scanning multiple ports on a single sured data. A prominent example of metadata preser- host. Scanning every port out of 216 of a host is called vation are (human-readable) logs which save additional vanilla scan, while scanning a small subset is dubbed information during the measurement. Metadata is an strobe scan.
Recommended publications
  • Inferring TCP/IP-Based Trust Relationships Completely Off-Path
    ONIS: Inferring TCP/IP-based Trust Relationships Completely Off-Path Xu Zhang Jeffrey Knockel Jedidiah R. Crandall Department of Computer Science Department of Computer Science Department of Computer Science University of New Mexico University of New Mexico University of New Mexico [email protected] [email protected] [email protected] Abstract—We present ONIS, a new scanning technique that researcher in country X who wants to learn if network traffic can perform network measurements such as: inferring TCP/IP- from a host in country Y can connect to a Tor server in country based trust relationships off-path, stealthily port scanning a Z. Performing this measurement off-path is necessary when target without using the scanner’s IP address, detecting off- path packet drops between two international hosts. These tasks vantage points (VPNs, Planet Lab nodes, etc.) are limited or typically rely on a core technique called the idle scan, which is unavailable in some countries. Ensafi et al. detail this off- a special kind of port scan that appears to come from a third path trust relationship testing by using the idle scan in [2]. machine called a zombie. The scanner learns the target’s status Specifically, they measured packet drops from clients to Tor from the zombie by using its TCP/IP side channels. directory servers by using machines with global incrementing Unfortunately, the idle scan assumes that the zombie has IP identifiers (IPIDs) which exhibit the now-discouraged behavior IPIDs as vantage points without those machines being under of being globally incrementing. The use of this kind of IPID their control.
    [Show full text]
  • Red Hat Enterprise Linux 3 Security Guide
    Red Hat Enterprise Linux 3 Security Guide Red Hat Enterprise Linux 3: Security Guide Copyright © 2003 by Red Hat, Inc. Red Hat, Inc. 1801 Varsity Drive Raleigh NC 27606-2072 USA Phone: +1 919 754 3700 Phone: 888 733 4281 Fax: +1 919 754 3701 PO Box 13588 Research Triangle Park NC 27709 USA rhel-sg(EN)-3-Print-RHI (2003-07-25T17:12) Copyright © 2003 by Red Hat, Inc. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, V1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/). Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder. Red Hat, Red Hat Network, the Red Hat "Shadow Man" logo, RPM, Maximum RPM, the RPM logo, Linux Library, PowerTools, Linux Undercover, RHmember, RHmember More, Rough Cuts, Rawhide and all Red Hat-based trademarks and logos are trademarks or registered trademarks of Red Hat, Inc. in the United States and other countries. Linux is a registered trademark of Linus Torvalds. Motif and UNIX are registered trademarks of The Open Group. XFree86 is a trademark of The XFree86 Project, Inc, and is pending registration. Intel and Pentium are registered trademarks of Intel Corporation. Itanium and Celeron are trademarks of Intel Corporation. AMD, Opteron, Athlon, Duron, and K6 are registered trademarks of Advanced Micro Devices, Inc.
    [Show full text]
  • An Internet-Wide View of Internet-Wide Scanning
    This paper appeared in Proceedings of the 23rd USENIX Security Symposium, August 2014. An Internet-Wide View of Internet-Wide Scanning Zakir Durumeric Michael Bailey J. Alex Halderman University of Michigan University of Michigan University of Michigan [email protected] [email protected] [email protected] Abstract scanning, and successfully fingerprint ZMap and Mass- can. We present a broad view of the current scanning While it is widely known that port scanning is widespread, landscape, including analyzing who is performing large neither the scanning landscape nor the defensive reactions scans, what protocols they target, and what software and of network operators have been measured at Internet scale. providers they use. In some cases we can determine the In this work, we analyze data from a large network tele- identity of the scanners and the intent of their scans. scope to study scanning activity from the past year, un- We find that scanning practice has changed dramati- covering large horizontal scan operations and identifying cally since previous studies from 5–10 years ago [5,39,45]. broad patterns in scanning behavior. We present an analy- Many large, likely malicious scans now originate from sis of who is scanning, what services are being targeted, bullet-proof hosting providers instead of from botnets. and the impact of new scanners on the overall landscape. Internet-scale horizontal scans have become common. Al- We also analyze the scanning behavior triggered by recent most 80% of non-Conficker probe traffic originates from vulnerabilities in Linksys routers, OpenSSL, and NTP. scans targeting ≥1% of the IPv4 address space and 68% We empirically analyze the defensive behaviors that orga- from scans targeting ≥10%.
    [Show full text]
  • Design and Implementation of Port Scanner and Sniffer
    DESIGN AND IMPLEMENTATION OF PORT SCANNER AND SNIFFER 1Snehal Dhabarde, 2Reshma Zade,3Nayan Paraswar, 4Samruddhi Sonak, Department of Information Technology, Rajiv Gandhi College of Engineering and Research Nagpur Email:[email protected],[email protected],3nayanparaswar [email protected],[email protected] Abstract: A port scanner is a piece of software Port scanning has different legitimate uses that it designed to search a network host for open performs in a system. It can be used to send a ports. The only way to track open ports is by request to connect to the aimed computer and using a port scanner, and the most accurate note the ports that responds or appears to open. port scanner will be an online port scan. This Port scanning is also used to configure project aims at the creation of a applications for network security to inform the comprehensive application, which can be used administrators in case they detect some at corporate environments. The port scanner connections across a wide range of ports from a and sniffer software is as simple as possible so single host. Port scanning may involve all of the that it can be configured even by a 65,535 ports or only the ports that are well- nontechnical person. This is often used by known to provide services vulnerable to different administrators to check the security of their security related exploits. If a port on a remote networks and by hackers to compromise it. host is open for incoming connection requests The main objective of this project is to scan and you send it a SYN packet, the remote host the various ports within a specified range.
    [Show full text]
  • GL550 Enterprise Linux Security Administration
    EVALUATION COPY Unauthorized Reproduction or Distribution Enterprise LinuxProhibited Security Administration Student Workbook EVALUATION COPY Unauthorized Reproduction GL550 ENTERPRISE LINUX SECURITY ADMINISTRATION RHEL7 SLES12 or Distribution The contents of this course and all its modules and related materials, including handouts to audience members, are copyright ©2017 Guru Labs L.C. No part of this publication may be stored in a retrieval system, transmitted or reproduced in any way, including, but not limited to, photocopy, photograph, magnetic, electronic or other record, without the prior written permission of Guru Labs. This curriculum contains proprietary information which is for the exclusive use of customers of Guru Labs L.C., and is not to be shared with personnel other than those in attendance at this course. This instructional program, including all material provided herein, is supplied without any guarantees from Guru Labs L.C. Guru Labs L.C. assumes no liability for damages or legal action arising from Prohibited the use or misuse of contents or details contained herein. Photocopying any part of this manual without prior written consent of Guru Labs L.C. is a violation of federal law. This manual should not appear to be a photocopy. If you believe that Guru Labs training materials are being photocopied without permission, please email [email protected] or call 1-801-298-5227. Guru Labs L.C. accepts no liability for any claims, demands, losses, damages, costs or expenses suffered or incurred howsoever arising from or in
    [Show full text]
  • Hacking Techniques & Intrusion Detection
    Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail All materials is licensed under a Creative Commons “Share Alike” license. • http://creativecommons.org/licenses/by-sa/3.0/ 2 # whoami • Ali Al-Shemery • Ph.D., MS.c., and BS.c., Jordan • More than 14 years of Technical Background (mainly Linux/Unix and Infosec) • Technical Instructor for more than 10 years (Infosec, and Linux Courses) • Hold more than 15 well known Technical Certificates • Infosec & Linux are my main Interests 3 Scanning and Fingerprinting Outline • Diving into Important Network Protocols (TCP, UDP, ICMP, ARP, etc) • Nmap – Intro. • Host Discovery • Tracing the Route • Port Scanning • OS and Service Fingerprinting • Learning Python in 4 Slides • Packet Crafting 5 Diving into Important Network Protocols • Diving into Important Network Protocols: – TCP – UDP – ICMP – ARP – HTTP – etc 6 Nmap • "Network Mapper” is a free and open source utility for network discovery and security auditing. - Fyodor • IMO: #1 tool in your security arsenal! Important Note: A huge difference between running Nmap as a privileged/unprivileged user! 7 Host Discovery • Identifying Live Systems • Also called “Network Sweep” • Nmap ping sweeps: – Ping Only (-sP) – ARP Ping (-PR) – ICMP Echo Request Ping (-PE) – TCP SYN Ping (-PS) – TCP ACK Ping (-PA) – UDP Ping (-PU) DEMO 8 Assignment #1 • Why do host discovery or network sweeping if we already have the target list of IP(s)? 9 Tracing the Route • Nmap --traceroute option • DEMO DEMO 10 Port Scanning • The act of testing a remote
    [Show full text]
  • How to Scan a Network with Hping3
    How To Scan a Network With Hping3 Hping3 Hping3 is a command-line oriented TCP/IP packet assembler and analyser and works like Nmap. The application is able to send customizes TCP/IP packets and display the reply as ICMP echo packets, even more Hping3 supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features like DDOS flooding attacks. Hping3 can be used to perform: OS fingerprinting ICMP pings Traceroute Port scanning Firewall testing Test IDSes Network testing and auditing MTU discovery Exploit and vulnerabilities discovery DDOS and ICMP flooding Hping3 comes pre-installed with Kali Linux but and can also be installed on most Linux distros, also you need to run the commands with sudo privileges. Visit the official documentation at to learn more on how you can use Hping3 http://www.hping.org/documentation.php Useful Options -h Show this help -v Show version -c Packet count -i –interval –flood -V Verbose mode -D Debugging -f Fragment packets -Q Display sequence number -0 RAW IP mode -1 ICMP mode -2 UDP mode -8 SCAN mode -9 listen mode -F Set the FIN flag -S Set the SYN flag -P Set the PUSH flag -A Set the ACK flag -U Set the URG flag Commands Send a ACK packet to a target hping3 –A 192.168.100.11 HPING 192.168.100.11 (eth0 192.168.100.11): A set, 40 headers + 0 data bytes len=46 ip=192.168.100.11 ttl=128 id=29627 sport=0 flags=R seq=0 win=32767 rtt=4.0 ms len=46 ip=192.168.100.11 ttl=128 id=29628 sport=0 flags=R seq=1 win=32767 rtt=2.0 ms len=46 ip=192.168.100.11
    [Show full text]
  • 4. Offensive and Defensive Network Security Cryptoworks21 • July 15, 2021
    Fundamentals of Network Security 4. Offensive and defensive network security CryptoWorks21 • July 15, 2021 Dr Douglas Stebila https://www.douglas.stebila.ca/teaching/cryptoworks21 Fundamentals of Network Security • Basics of Information Security – Security architecture and infrastructure; security goals (confidentiality, integrity, availability, and authenticity); threats/vulnerabilities/attacks; risk management • Cryptographic Building Blocks – Symmetric crypto: ciphers (stream, block), hash functions, message authentication codes, pseudorandom functions – Public key crypto: public key encryption, digital signatures, key agreement • Network Security Protocols & Standards – Overview of networking and PKI – Transport Layer Security (TLS) protocol – Overview: SSH, IPsec, Wireless (Tool: Wireshark) • Offensive and defensive network security – Offensive: Pen-tester/attack sequence: reconnaissance; gaining access; maintaining access (Tool: nmap) • Supplemental material: denial of service attacks – Defensive: Firewalls and intrusion detection • Access Control & Authentication; Web Application Security – Access control: discretionary/mandatory/role-based; phases – Authentication: something you know/have/are/somewhere you are – Web security: cookies, SQL injection – Supplemental material: Passwords 3 Assignment 2 2a) Offensive network 2b) Defensive network security security • Use nmap to scan • Set up firewall rules in services running on your Kali to prevent your computer certain types of – Will be scanning from outbound traffic (egress guest
    [Show full text]
  • Nmap Tutorial 1/10 2004-10-10 Lätt Redigerad Av Jan-Erik Jonsson
    NMap tutorial 1/10 2004-10-10 Lätt redigerad av Jan-Erik Jonsson Basic Scan Types [-sT, -sS] TCP connect() Scans [-sT] SYN Stealth Scanning [-sS] FIN, Null and Xmas Tree Scans [- sF, -sN, -sX] Ping Scanning [-sP] UDP Scans [-sU] IP Protocol Scans [-sO] Idle Scanning [-sI] ACK Scan [-sA] Window Scan, RPC Scan, List Scan [-sW, -sR, -sL] Timing And Hiding Scans Timing Decoys FTP Bounce Turning Pings Off Fragmenting Idle Scanning http://www.security-forums.com/forum/viewtopic.php?t=7872 NMAP - A Stealth Port Scanner by Andrew J. Bennieston 1 INTRODUCTION ................................................................................................................................................. 2 2 DISCLAIMER...................................................................................................................................................... 2 3 BASIC SCAN TYPES [-ST, -SS] ........................................................................................................................... 2 3.1 TCP connect() Scans [-sT]........................................................................................................................ 2 3.2 SYN Stealth Scanning [-sS]....................................................................................................................... 2 4 FIN, NULL AND XMAS TREE SCANS [-SF, -SN, -SX] ......................................................................................... 3 5 PING SCANNING [-SP] ......................................................................................................................................
    [Show full text]
  • Identifying Vulnerabilities Using Internet-Wide Scanning Data
    Identifying Vulnerabilities Using Internet-wide Scanning Data Jamie O’Hare, Rich Macfarlane, Owen Lo School of Computing Edinburgh Napier University Edinburgh, United Kingdom 40168785, r.macfarlane, [email protected] Abstract—Internet-wide scanning projects such as Shodan and of service, through the considerable time and resources re- Censys, scan the Internet and collect active reconnaissance results quired to perform the scans. Due to this potential issue, as for online devices. Access to this information is provided through well as specific legal requirements, vulnerability assessment associated websites. The Internet-wide scanning data can be used to identify devices and services which are exposed on the Internet. tools typically require permission from the target organization It is possible to identify services as being susceptible to known- before being used. vulnerabilities by analysing the data. Analysing this information The known vulnerabilities identified by these tools are is classed as passive reconnaissance, as the target devices are associated with a specific Common Vulnerabilities and Ex- not being directly communicated with. This paper goes on to posure (CVE), which highlights a vulnerability for a specific define this as contactless active reconnaissance. The vulnerability identification functionality in these Internet-wide scanning tools is service. A CVE entry contains information associated with currently limited to a small number of high profile vulnerabilities. the vulnerability including a Common Platform Enumeration This work looks towards extending these features through the (CPE) and a Common Vulnerability Scoring System (CVSS). creation of a tool Scout which combines data from Censys The CPE ties a CVE to a specific product and version, while and the National Vulnerability Database to passively identify the CVSS provides an impact score.
    [Show full text]
  • Surveying Port Scans and Their Detection Methodologies
    Surveying Port Scans and Their Detection Methodologies Monowar H Bhuyan1, D K Bhattacharyya1 and J K Kalita2 1Department of Computer Science & Engineering Tezpur University Napaam, Tezpur, Assam, India 2Department of Computer Science University of Colorado at Colorado Springs CO 80933-7150, USA Email: mhb,dkb @tezu.ernet.in, [email protected] { } Scanning of ports on a computer occurs frequently on the Internet. An attacker performs port scans of IP addresses to find vulnerable hosts to compromise. However, it is also useful for system administrators and other network defenders to detect port scans as possible preliminaries to more serious attacks. It is a very difficult task to recognize instances of malicious port scanning. In general, a port scan may be an instance of a scan by attackers or an instance of a scan by network defenders. In this survey, we present research and development trends in this area. Our presentation includes a discussion of common port scan attacks. We provide a comparison of port scan methods based on type, mode of detection, mechanism used for detection, and other characteristics. This survey also reports on the available datasets and evaluation criteria for port scan detection approaches. Keywords: TCP/IP, UDP, OS fingerprinting, coordinated scanning Received 21 May 2010; revised 23 August 2010 1. INTRODUCTION similar, except that a positive response from the target results in further communication to determine whether The Internet is a complex entity comprised of diverse the target is vulnerable to a particular exploit. As can networks, users, and resources. Most users are oblivious be found in [3], most attacks are preceded by some form to the design of the Internet and its components and of scanning activity, particularly vulnerability scanning.
    [Show full text]
  • Censored Planet: Global Censorship Observatory
    Censored Planet: Global Censorship Observatory Roya Ensafi University of Michigan Dec 27,2018 In my research lab, we ... develop frameworks to detect network interference, apply these frameworks to understand the behavior of network intermediaries, and use this understanding to defend against interference by building tools that safeguard users. Reports suggest Internet censorship practices are at rise! Network Interference Can Happen on Any Layer 1 A user types www.cnn.com into the browser 2 OS sends a DNS query to learn the IP address 3 Browser fetches the website Authoritative 4 Browser loads third-party resources DNS resolver DNS resolver www.cnn.com Server CDN PoP Home ISP User gateway router ISP router Server Transit Client Side Network Server Side Network Interference Can Happen on Any Layer 1 A user types www.cnn.com into the browser 2 OS sends a DNS query to learn the IP address 3 Browser fetches the website 4 Browser loads third-party resources DNS resolver www.cnn.com Server CDN PoP Home ISP User gateway router ISP router Server Transit Client Side Network Server Side Measuring Censorship is a Complex Problem! Internet censorship practices are diverse in their methods, targets, timing, differing by regions, as well as across time. Why Measure Censorship? NETWORK CENSORSHIP IS ON THE RISE ● Information controls harm citizens ● Spreading beyond the large powers ● Frequently opaque in topic & technique WE NEED DATA TO: ● Support transparency & accountability ● Improve technological defenses ● Inform users & public policy Why Measure
    [Show full text]