
Tuesday, 22 August 2017

Researchers run a large-scale test of the new anti-censorship tool TapDance

Traditional anti-censorship tools usually rely on servers outside the country as proxies, and the government can block those servers at any time. It is a cat-and-mouse game: the government tries to discover the proxy servers users are connecting to, while users try various methods (such as traffic obfuscation) to evade detection. Researchers at the University of Michigan and other universities and institutions have developed a new generation of anti-censorship technology that does not rely on specific proxy servers but on one or more ISPs, with the anti-censorship function deployed directly on the ISPs' routers. The technique is called "refraction networking". With refraction networking, the user sends a request to a website that is not blocked but whose path passes through a participating ISP, embedding extra data in the request; an ISP that has deployed the anti-censorship function detects this secret code, determines that the user is actually requesting a blocked website, and reroutes the request to the blocked site. Throughout the process, the censor sitting in the middle notices nothing wrong with the network request. To shut down refraction networking, a censor would have to block all connections to the network in question, causing enormous collateral damage; the more ISPs take part in the deployment, the greater the damage. The researchers formed a consortium that this year, for the first time, deployed the refraction networking technique known as TapDance on a medium-sized ISP network to test its usability. Their technology was integrated into Psiphon and served more than 50,000 users during the week-long deployment. Their paper (PDF) was presented at the USENIX Security conference held last week.

from http://www.solidot.org/story?sid=53534
------------


High performance implementation of the Tapdance decoy routing design.

Building and Running the Tapdance Station

These instructions are for the standard build, which includes drivers for Intel i40e- and ixgbe-based NICs.

Station installation

  1. Install Ubuntu 16.04.1 for amd64
  2. Run sudo apt-get update
  3. Clone this repo into $HOME/tapdance
  4. In $HOME/tapdance, run ./scripts/tapdance-prereqs.sh (NOT sudo/as root)
  5. In $HOME/tapdance, run ./scripts/tapdance-build.sh (NOT sudo/as root)
  6. In $HOME/tapdance/libtapdance, run ./genkey (unless you already have a keypair you're planning to use for this station).
  7. Copy the generated 'pubkey' file to your client: gotapdance/assets/station_pubkey
  8. Installing the PF_RING zero-copy license can wait until you confirm everything is working properly. Even without the license, you can use PF_RING-ZC-enabled programs for 5 minutes at a time.
  9. Double-check that the interface for the tunneled traffic is running at the expected rate (1Gb or better, usually)

Once-per-reboot setup

Do this after the above station installation process, as well as after every reboot.
  1. In $HOME/tapdance, run sudo ./startup.sh. The output should include the following instructions on running the station.

Running the station (production)

Use the service interface, as described in sysvinit/README. Note that you might need to wait a few seconds after starting zbalance before you start tapdance, to let zbalance come fully online.

Running the station (development)

If you want to recompile before running:
  1. In $HOME/tapdance, run ./scripts/tapdance-build.sh (NOT sudo/as root)
Run these three programs in separate screens, in this order.
  1. In $HOME/tapdance/pfring-framework/userland/examples_zc, run sudo ./zbalance_ipc -i zc:$INTERFACE -c 99 -n 4 -m 1 -g 1.
  2. (Optional) In $HOME/tapdance/gobbler, run ./gobbler after building with go build gobbler.go. If gobbler isn't run, the station will still work; the Gobbler's purpose is to collect and report statistics.
  3. In $HOME/tapdance/pfring-framework/userland/examples, run sudo RUST_BACKTRACE=1 ./zc_tapdance -c 99 -n 4 -K /path/to/privkey.
The -n and -c arguments are the number of processes to split over and the cluster ID, respectively. You can safely change them (-n must be no more than the number of logical CPU cores on the host machine), but you must give zbalance_ipc and zc_tapdance the same values.

Registering PF_RING ZC for the network interface

Getting an order ID for the license(s)

  1. Go to this page: https://shop.ntop.org/cart.php
  2. Scroll down to the PF_RING section, and find the 10/40 Gbit PF_RING ZC Intel [Linux] driver, and on the right side of the table put as many licenses as you need. (The price was 149.95 euros at the time of writing)
  3. Scroll down to the bottom of the page and click on the "go to next page" button
  4. From this point on it's just filling out info and paying, which should be straightforward

Once you have an order ID:

After completing the previous steps, you should have an email from an ntop employee, giving you an OrderId.
  1. Try both tap interfaces (their names in ifconfig should look something like enp5s0f0 and enp5s0f1) to figure out which one is getting traffic. Get the traffic-getting one's MAC address. To check for traffic, you can try running our station program, or even just ./zcount -i theIFname
  2. In examples_zc, run ./zcount -h to get PF_RING ZC version.
  3. Go to http://shop.ntop.org/mkzclicense/
  4. Fill in the MAC address, OrderId, and PF_RING ZC Version. Select Product Family PF_RING ZC 10/40/100 Gbit [Intel].
  5. Click the "Create PF_RING License" button.
  6. Follow the next page's instructions. (After putting the license key string in the MAC-address-named file, you're all set - don't even need to reboot!) You can verify the registration with sudo ./zcount -C -i zc:enp5s0f0

Running the station without zero-copy

If you have previously configured the station for ZC operation, you must reboot in order to run non-ZC! (You can run non-ZC and then switch to ZC without rebooting).
To run the non-zero-copy multi-process TapDance station, follow the installation and setup instructions as above, but:
  1. Rather than sudo ./startup.sh, run sudo ./startup.sh --nozerocopy.
  2. Rather than ./scripts/tapdance-build.sh, run ./scripts/tapdance-build.sh --nozerocopy.
  3. When running the station, you do not need zbalance_ipc at all.
  4. Run the station with sudo RUST_BACKTRACE=1 ./tapdance -i $INTERFACE -c 7 -o 0 -n 4 -K /path/to/privkey.
The gobbler remains the same. Running tapdance-prereqs.sh remains the same. -n and -c mean the same as in the ZC version; -o is the core ID offset. (So, -o 3 -n 4 would use cores 3,4,5,6).
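Both the zero-copy procedure (zbalance_ipc plus zc_tapdance) and the non-zero-copy one depend on the -c/-n values being consistent and on the process count (plus the core offset in non-ZC mode) fitting the host's logical cores. The script below is an added example, not code from the tapdance repository: it checks those values and prints the launch lines given above without starting anything. The names TD_CORES, check_station_args, core_range, zc_commands and nozc_command are chosen here, and nproc (coreutils) is assumed to be available.

```shell
#!/bin/sh
# Added example, not part of the tapdance repository: validate the -c/-n/-o
# values before launching the station, so zbalance_ipc and zc_tapdance get
# the same cluster ID and process count, and the process count (plus the
# core offset in non-ZC mode) fits the host's logical cores.

# Logical core count; TD_CORES can be preset to check against a known value.
TD_CORES="${TD_CORES:-$(nproc 2>/dev/null || echo 1)}"

# core_range OFFSET NPROCS: the inclusive core range the non-ZC station would use.
core_range() {
    echo "$1-$(( $1 + $2 - 1 ))"
}

# check_station_args CLUSTER NPROCS [OFFSET]
# Returns 0 when the values are usable, 1 (with a reason on stderr) otherwise.
check_station_args() {
    cluster="$1"; nprocs="$2"; offset="${3:-0}"
    for v in "$cluster" "$nprocs" "$offset"; do
        case "$v" in
            ''|*[!0-9]*) echo "check_station_args: '$v' is not a non-negative integer" >&2; return 1 ;;
        esac
    done
    if [ "$nprocs" -lt 1 ]; then
        echo "check_station_args: -n must be at least 1" >&2; return 1
    fi
    if [ "$nprocs" -gt "$TD_CORES" ]; then
        echo "check_station_args: -n $nprocs exceeds the $TD_CORES logical cores on this host" >&2; return 1
    fi
    # Non-ZC mode pins processes to cores OFFSET..OFFSET+NPROCS-1.
    if [ $((offset + nprocs)) -gt "$TD_CORES" ]; then
        echo "check_station_args: -o $offset -n $nprocs would use cores $(core_range "$offset" "$nprocs"), but the highest core is $((TD_CORES - 1))" >&2
        return 1
    fi
    return 0
}

# zc_commands IFACE CLUSTER NPROCS PRIVKEY: the two zero-copy launch lines,
# with matching -c and -n, one per line (zbalance_ipc first).
zc_commands() {
    check_station_args "$2" "$3" || return 1
    printf 'sudo ./zbalance_ipc -i zc:%s -c %s -n %s -m 1 -g 1\n' "$1" "$2" "$3"
    printf 'sudo RUST_BACKTRACE=1 ./zc_tapdance -c %s -n %s -K %s\n' "$2" "$3" "$4"
}

# nozc_command IFACE CLUSTER NPROCS OFFSET PRIVKEY: the single non-zero-copy launch line.
nozc_command() {
    check_station_args "$2" "$3" "$4" || return 1
    printf 'sudo RUST_BACKTRACE=1 ./tapdance -i %s -c %s -o %s -n %s -K %s\n' "$1" "$2" "$4" "$3" "$5"
}

# Usage (prints the commands; nothing is launched):
#   zc_commands enp5s0f0 99 4 /path/to/privkey
#   nozc_command enp5s0f0 7 4 0 /path/to/privkey
```

Run the printed lines yourself, in the order the README gives (zbalance_ipc in its own screen, then the station), after the check passes; a failed check names the value that would leave the station and the balancer disagreeing or pin a process to a core that does not exist.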

from https://github.com/refraction-networking/tapdance

Official site: https://refraction.network/
--------
Fighting for free speech: the "unblockable internet" enters the experimental stage
In places that enforce internet blocking, such as China, the usual approach is to block an entire application or website. If someone uses "wall-climbing" (circumvention) software to get around the block, that software is soon blocked as well.
Researchers have been working to break through this kind of blocking.
Imagine that circumvention no longer depended on a piece of software or a provider, both of which are eventually blocked, but that the anti-blocking design were built into the core of routers and servers, so that the infrastructure underpinning the internet itself becomes the circumvention tool and blocking becomes impractical.
After six years of research, the concept now looks far less crazy.
Three research groups in the United States worked together to test a new "refraction internet" technology, which they call TapDance.
This spring, two medium-sized US internet companies, together with the popular software Psiphon, trialled TapDance, helping 50,000 users around the world bypass blocking and reach the open internet.
This is also the first time such a technology has been used on the live internet.
According to the researchers, the concept of refraction networking, also known as "decoy routing", has existed since 2011 and has been studied in several university labs.
At this week's USENIX Security conference, the developers presented a paper on the technology.
One of the lead creators, David Robinson, said he hopes refraction networking can be built into the core of more networks.
The technology still awaits further experiments and testing in practice.
Can the era of an unblockable internet really arrive?
(Below is a diagram of how TapDance works)

from http://www.rcinet.ca/zh/2017/08/16/130938/
