{"id":13624042,"url":"https://github.com/breakerspace/weaponizing-censors","last_synced_at":"2025-04-15T20:33:08.123Z","repository":{"id":47652068,"uuid":"390203349","full_name":"breakerspace/weaponizing-censors","owner":"breakerspace","description":"censors pose a threat to the entire Internet","archived":false,"fork":false,"pushed_at":"2021-09-12T23:39:38.000Z","size":38,"stargazers_count":132,"open_issues_count":0,"forks_count":22,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-04-13T15:21:53.753Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/breakerspace.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-07-28T03:44:09.000Z","updated_at":"2024-10-14T22:10:13.000Z","dependencies_parsed_at":"2022-09-23T15:20:49.696Z","dependency_job_id":null,"html_url":"https://github.com/breakerspace/weaponizing-censors","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/breakerspace%2Fweaponizing-censors","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/breakerspace%2Fweaponizing-censors/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/breakerspace%2Fweaponizing-censors/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/breakerspace%2Fweaponizing-censors/manifests","owner_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/owners/breakerspace","download_url":"https://codeload.github.com/breakerspace/weaponizing-censors/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249148285,"owners_count":21220510,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T21:01:38.147Z","updated_at":"2025-04-15T20:33:07.880Z","avatar_url":"https://github.com/breakerspace.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# weaponizing-censors [![badge](https://img.shields.io/badge/In%20Proceedings-USENIX%20Security%202021-blue.svg)](https://www.usenix.org/conference/usenixsecurity21/presentation/bock)\n\nCensors pose a threat to the entire Internet. In this work, we show that censoring middleboxes and firewalls can be weaponized by attackers to launch unprecedented reflected denial of service attacks. We find hundreds of thousands of IP addresses that offer amplification factors greater than 100× and IP addresses that technically offer _infinite amplification_. \n\nThis is the code repository for the USENIX Security 2021 paper, \"[Weaponizing Middleboxes for TCP Reflected Amplification](https://geneva.cs.umd.edu/papers/usenix-weaponizing-ddos.pdf)\". \n\nThis repository contains submodules for our two forks of ZMap, a submodule to the main [Geneva](https://github.com/Kkevsterrr/geneva) repository containing the plugin used to identify the amplifying sequences, and processing scripts for analyzing scan results.  
\n\nAmplification attacks are not the only way that censors pose a threat to those living outside their borders. See our concurrent work from WOOT 2021 on [weaponizing censors for availability attacks](https://geneva.cs.umd.edu/papers/woot21-weaponizing-availability.pdf) and its [repository](https://github.com/breakerspace/weaponizing-residual-censorship/). \n\n## 📝 Abstract\n\nReflective amplification attacks are a powerful tool in the arsenal of a DDoS attacker, but to date have almost exclusively targeted UDP-based protocols. In this paper, we demonstrate that non-trivial TCP-based amplification is possible and can be orders of magnitude more effective than well-known UDP-based amplification. By taking advantage of TCP-non-compliance in network middleboxes, we show that attackers can induce middleboxes to respond and amplify network traffic. With the novel application of a recent genetic algorithm, we discover and maximize the efficacy of new TCP-based reflective amplification attacks, and present several packet sequences that cause network middleboxes to respond with substantially more packets than we send.\n\nWe scanned the entire IPv4 Internet to measure how many IP addresses permit reflected amplification. We find hundreds of thousands of IP addresses that offer amplification factors greater than 100×. Through our Internet-wide measurements, we explore several open questions regarding DoS attacks, including the root cause of so-called \"mega amplifiers\". We also report on network phenomena that cause some of the TCP-based attacks to be so effective as to technically have an _infinite_ amplification factor (after the attacker sends a constant number of bytes, the reflector generates traffic indefinitely). 
\n\n## 🧪 Try it yourself\n\nTo clone the repo, make sure you clone all of the submodules present.\n\n```\n# git clone --recursive https://github.com/breakerspace/weaponizing-censors\n```\n\nDisclaimer: this code will intentionally try to trigger real censoring middleboxes and can generate large volumes of traffic (both on its own and in the presence of amplifiers). Understand the risks of running it in your network before doing so. \n\n## 🕵️‍♀️ Finding Amplifiers: ZMap Forks\n\nWe scanned the entire IPv4 Internet dozens of times to find IP addresses with middleboxes on their path that could be weaponized. To find these, we created two custom forks of the open-source scanning tool [`ZMap`](https://github.com/zmap/zmap). ZMap is a fast single-packet network scanner designed for Internet-wide network surveys. We modified ZMap first to add a new probe module (the `forbidden_scan` module defined in `src/probe_modules/module_forbidden_scan.c`), and then created a second fork to add the ability to craft two distinct packets for each probe (this enables us to send a custom `SYN` packet, followed by a second custom packet containing a well-formed HTTP `GET` request). \n\nThe submodule `zmap` in this repository is for single-packet scans (the `SYN`, `PSH`, or `PSH+ACK` scans from our paper), and the submodule `zmap_multiple_probes` is for two-packet scans (the `SYN; PSH` or `SYN; PSH+ACK` scans from our paper).\n\nThe module has multiple options compiled in, including the `Host:` header included in the payload. To change any of these options, edit the `module_forbidden_scan.c` file located in `src/probe_modules` and recompile ZMap. \n\n## 🏃 Running ZMap\n\nExample of how to build `zmap` and run the `forbidden_scan` module to scan a single IP address and record the responses received: \n\n```\n$ IP=\u003cIP address to scan here\u003e\n$ cmake . 
\u0026\u0026 make -j4  \u0026\u0026 sudo src/zmap -M forbidden_scan -p 80 $IP/32 -f \"saddr,len,payloadlen,flags,validation_type\" -o scan.csv -O csv \n```\n\nThe output of the scan is a CSV file called `scan.csv`. For each packet that ZMap identified as a response to our scan, the output file will contain the `src` IP address, the IP length of the packet, the length of the payload itself, the TCP flags, and the _validation_type_ (the reason the probe treated the incoming packet as a response to a probe). \n\nThis module can be used to test firewalls or other middleboxes to see if they are vulnerable to this attack. \n\nAlso in this repository is a helper script `scan_all.py`, which can be used to automate multiple ZMap scans with different scanning parameters.  \n\n## 🔬 Processing Scan Results\n\nIncluded in this repository are two helper scripts to process the results of a ZMap scan. The main processing script is `stats.py`, which will consume the output of ZMap and generate graphs and summary statistics about the scan. See the example below of the `stats.py` script processing a `scan.csv` file (note the IP addresses have been anonymized). 
\n\n```    \n# python3 stats.py scan.csv 149\nProcessing scan data assuming attacker sent 149 bytes per IP.\nInitializing analysis of scan.csv\nCalculating total length of file to analyze:\n949099449 total packets to analyze.\n  - Unique responding IPs: 362138621\n  - Number of amplifying IP addresses: 218015761\n  - Total number of bytes sent by amplifying IP addresses: 45695690843\n  - Average amplification rate from amplifying IP addresses: 1.407000\n  - Highest total data received by IP:\n        7632101 96.96.96.96 141334\n        9788625 97.97.97.97 181270\n        44365380 98.98.98.98 142200\n        238162104 99.99.99.99 1011556\n  - Highest total packets received by IP:\n        7360299 1.1.1.1 136301\n        8040711 2.2.2.2 148901\n        8186133 3.3.3.3 151594\n        238162104 4.4.4.4 1011556\n  - Flags on packets sent by responders:\n    + 472: S\n    + 119609984: R\n    + 680892582: RA\n    + 12: FSPA\n    + 1: SPUE\n    + 2: PAU\n    + 1: SUEC\n    + 1: FAU\n    + 1: PAUE\n    + 1: SRPAUEC\n    + 7217: FRPA\n    + 4734607: FA\n    + 5540525: RPA\n    + 3687478: PA\n    + 58615499: SA\n    + 11928812: FPA\n    ...\n  - CDF of number of packets sent: scan_packets_cdf.eps\n  - CDF of bytes sent: scan_bytes_cdf.eps\n  - CDF of amplification rate: scan_amplification_cdf.eps\n```\n\n## 📃 License\n\nThis repository is licensed under BSD 3-Clause license. Please note that this repository contains multiple submodule pointers to other repositories, each of which contains its own license. Please consult each for license information. 
\n\n## 📑 Citation\n\nTo cite this paper, please use the BibTeX [here](https://www.usenix.org/biblio/export/bibtex/272318).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbreakerspace%2Fweaponizing-censors","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbreakerspace%2Fweaponizing-censors","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbreakerspace%2Fweaponizing-censors/lists"}