Empirical study of a national-scale distributed intrusion detection system: Backbone-level filtering of HTML responses in China

Jong Chun Park, Jedidiah R. Crandall

Research output: Chapter in Book/Report/Conference proceedingConference contribution

32 Scopus citations

Abstract

We present results from measurements of the filtering of HTTP HTML responses in China, which is based on string matching and TCP reset injection by backbone-level routers. This system, intended mainly for Internet censorship, is a national-scale filter based on intrusion detection system (IDS) technologies. Our results indicate that the Chinese censors discontinued this HTML response filtering for the majority of routes some time between August 2008 and January 2009 (other forms of censorship, including backbone-level GET request filtering, are still in place). In this paper, we give evidence to show that the distributed nature of this filtering system and the problems inherent to distributed filtering are likely among the reasons it was discontinued, in addition to potential traffic load problems. When the censor successfully detected a keyword in our measurements and attempted to reset the connection, their attempt to reset the connection was successful less than 51% of the time, due to late or out-of-sequence resets. In addition to shedding light on why HTML response filtering may have been discontinued by the censors, we document potential sources of uncertainty, which are due to routing and protocol dynamics, that could affect measurements of any form of censorship in any country. Between a single client IP address in China and several contiguous server IP addresses outside China, measurement results can be radically different. This is probably due to either traffic engineering or one node from a bank of IDS systems being chosen based on source IP address. Our data provides a unique opportunity to study a national-scale, distributed filtering system.

Original languageEnglish (US)
Title of host publicationICDCS 2010 - 2010 International Conference on Distributed Computing Systems
Pages315-326
Number of pages12
DOIs
StatePublished - 2010
Event30th IEEE International Conference on Distributed Computing Systems, ICDCS 2010 - Genova, Italy
Duration: Jun 21 2010Jun 25 2010

Publication series

NameProceedings - International Conference on Distributed Computing Systems

Other

Other30th IEEE International Conference on Distributed Computing Systems, ICDCS 2010
CountryItaly
CityGenova
Period6/21/106/25/10

ASJC Scopus subject areas

  • Software
  • Hardware and Architecture
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'Empirical study of a national-scale distributed intrusion detection system: Backbone-level filtering of HTML responses in China'. Together they form a unique fingerprint.

Cite this