DeResistor is a research project that provides a system extension to protect Probing for Evasion of Internet Censorship from detection. Specifically, DeResistor offers IP address protection for internet users that are running automated tools for censorship measurments and evasion (e.g. Geneva)
In this repo, we provide an instance of DeResistor implemented on top of Geneva (Code, Docs). DeResistor leverages Machine Learning techniques to model a censor-side flow-level detector and use it to guide Geneva genitic evolution towards more detection-resilient evasion strategies. Additionnaly, DeResistor introduces guided-pauses of censorship evasion attempts and interleaving them with normal user-driven network activity to comfuse IP-level detection. Details of DeResistor are in our USENIX Security 2023 paper.
DeResistor has been developed and tested on Ubuntu. However, it should support Centos or Debian-based systems. Similar to Geneva, due to limitations of netfilter and raw sockets, this code does not work on OS X or Windows at this time and requires python3.6.
Install netfilterqueue dependencies:
sudo apt-get install build-essential python-dev libnetfilter-queue-dev libffi-dev libssl-dev iptables python3-pip
Create a new python3.6 environment and install Python dependencies:
sudo /path/to/python_environment/bin/python -m pip install -r requirements.txt
If needed for Debian 10 systems, you can install netfilterqueue directly from Github:
sudo /path/to/python_environment/bin/python -m pip install --upgrade -U git+https://github.com/kti/python-netfilterqueue
If needed, on Arch systems, you can make liblibc.a available for netfilterqueue:
sudo ln -s -f /usr/lib64/libc.a /usr/lib64/liblibc.a
After you make sure you install and run docker on your system use the dockerfile provided in /docker to build the base image:
sudo docker build -t base:latest -f docker/Dockerfile .
Optionally, to manually run/inspect the docker image to explore the image, run:
sudo docker run -it base
Installing Harpoon: In docker experiments Harpoon is used to simulate normal background traffic. In folder /docker/harpoon, run:
./configure
In case of permission denied error you can access root mode with sudo su -. Locate the script in DeResistor/docker/harpoon, run chmod 755 configure, then run ./configure again. Configuration status should display to your screen as it executes.
After that run in the same folder:
$ make
You can run DeResistor against the 11 mock censors censor1,..,censor11 defined in /censors using:
sudo /path/to/python_environment/bin/python evolve.py --censor censor3 --server forbidden.org --log debug --workers 1 --runs 1 --population 100 --generation 5 --jump 1
- You can increase
--populationand--generationto reach fitter startegies - You can increase the jump size
--jump - To include real-time IP-level detection of DeResitor, use
--real-time-detection - To specify DeResistor's local detection model for detection-resilience training, use
--local-model [model-name]. The model should be stored in/ML detectorsusingjoblib - To specify the Censor's detection model for censor-side detection evaluation, use
--censor-model [model-name]. The model should be stored in/ML detectorsusingjoblib
Before every run make sure the docker containers are not still running: sudo docker kill $(sudo docker ps -q)
DeResistor is tested in China (GFW), India and Kazakhstan
Example: In China against GFW
sudo /path/to/python_environment/bin/python evolve.py --external-server --server www.hrw.org --test-type http --log debug --workers 1 --runs 1 --population 100 --generation 5 --real-time-detection --jump 1 --local-model rfc_gfw.joblib --censor-model rfc_gfw2.joblib
- You can change the censored server
--serveraccording to the country you are running the command from. - More ML detectors for India and Kazakhstan are provided in
/ML detectorsYou need to flush the iptables after every run to avoid related errors:sudo iptables -F