Autosonda, automated discovery of firewall rules

David Fifield

Aug 21, 2017, 8:50:31 PM8/21/17
Here's a paper from FOCI 2017.

Autosonda: Discovering Rules and Triggers of Censorship Devices
Jill Jermyn and Nicholas Weaver

My summary follows.

Autosonda is a tool for the automated discovery of firewall rule sets
and vulnerabilities, treating the firewall as a black box. It automates
previously used manual techniques. Autosonda aims to discover the
firewall's "model," "mechanism," and "technique." Model is the set of
feature values that the firewall uses for detection, for example
protocol field values. Mechanism is how the features are extracted or
identified, for example using a regular expression. Technique is how the
blocking is effected, for example a block page or injected RST. The
system relies on running client software inside the censor's sphere of
influence, in cooperation with a server running outside. Some of the
client tests require root. It has automatic fuzzing of some features,
for example replacing "GET /" with "GeT /" or "GET/".

They tried it on 76 open wi-fi networks around New York City. They used
a fetch of (literally: "the number one most popular Adult
category site in Alexa's top 500 sites by category") as a prefilter to
decide whether a network was censored or not. Regarding model, they
found firewalls that examined DNS requests, some that examined the HTTP
Host header, and some that resolved the domain name of the Host header
and then matched against an IP address blacklist. Regarding technique,
some firewalls sent a false DNS response pointing to a block page, and
some returned a block page in band. Regarding mechanism, they tried
sending HTTP over UDP, which none of the firewalls blocked. They tried
using ports other than 80; most but not all firewalls still blocked.
It was possible to evade URL blocks by appending a query string. They
tried sending two Host headers at once; roughly half of firewalls looked
at the first, the other roughly half looked at the second, and a small
number looked at both. 11/44 HTTP filters did not reassemble TCP; 7 did
not defragment IP. Changing capitalization in DNS requests did not evade
filters, but sometimes changing .com to .org did (when those happened to
point to the same site). A majority of firewalls are fooled by altering
the whitespace around the Host header, but not capitalization.
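To make the Host-header findings concrete, here is an added example (not from the paper or the post) contrasting a brittle Host extractor with one that normalizes case and whitespace and surfaces duplicate headers. The requests, the blocklist and the hostnames are constructed for illustration.

```python
import re
from typing import List, Optional

# Constructed sample requests exercising the variations the post lists:
# case change in the header name, extra whitespace, and two Host headers.
REQUESTS = {
    "plain":      b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "lower_case": b"GET / HTTP/1.1\r\nhost: example.test\r\n\r\n",
    "whitespace": b"GET / HTTP/1.1\r\nHost:    example.test   \r\n\r\n",
    "dual_host":  b"GET / HTTP/1.1\r\nHost: benign.test\r\nHost: example.test\r\n\r\n",
}

BLOCKLIST = {"example.test"}  # constructed placeholder, not a real list

def naive_host(raw: bytes) -> Optional[str]:
    """Brittle extractor of the kind the post describes: exact-case header
    name, exactly one space after the colon, first match wins."""
    m = re.search(rb"\r\nHost: (\S+)\r\n", raw)
    return m.group(1).decode() if m else None

def robust_hosts(raw: bytes) -> List[str]:
    """Return every Host value: header name matched case-insensitively,
    surrounding whitespace stripped, value lower-cased. Returning a list
    lets the caller see duplicate headers instead of silently picking one."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    hosts = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            hosts.append(value.strip().lower().decode("ascii", "replace"))
    return hosts

def naive_blocked(raw: bytes) -> bool:
    return naive_host(raw) in BLOCKLIST

def robust_blocked(raw: bytes) -> bool:
    # A request with two Host headers is ambiguous: match if any value is
    # listed, rather than trusting whichever one a regex happens to find.
    return any(h in BLOCKLIST for h in robust_hosts(raw))

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(f"{name:10} naive={naive_blocked(req)!s:5} robust={robust_blocked(req)}")
```

Only the plain request trips the naive matcher; the normalizing matcher catches all four, and its list return value makes the two-Host case visible to whoever reviews the decision.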

The authors say that they found at least one firewall bypass for 100% of
the filters, but that statement needs to be qualified with the fact that
some of the bypasses require cooperation by the server. The authors
acknowledge this, saying "with special implementation of a server," and
"note that actual retrieval of prohibited content depends on the
implementation of the server." For example, requesting HTTP over UDP, or
moving the host from the Host header to another header, won't work with
standard HTTP servers.