Quack is a novel technique for measuring keyword blocking at the application layer in a scalable, longitudinal, and safe way. Quack detects DPI interference with HTTP and HTTPS traffic by making use of publicly accessible web-servers with consistent behavior. We send requests with the HTTP "Host" header or TLS SNI extension set to a domain we are interested in. If there is a DPI blocking the domain on the path between our measurement machine and the public web-server, we will receive a TCP reset or block page that does not match the web-server's typically response. By making retries and control measurements, we are able to distinguish between mismatches caused by normal network/server flakiness versus DPI interference.
Quack also uses echo servers to detect DPI blocking of traffic based on request headers. The advantages of using echo servers are: identifying responses that have been interfered with is trivial and arbitrary TCP based protocols (in addition to HTTP) can be tested. By making use of echo's sibling discard protocol, we are able to determine the directionality of interference.
To ensure the safety of our technique, we limit ourselves to 11,000 infrastructure web-servers. These servers are owned by ISPs or governments rather than an individuals. Even with stringent standards for web-server selection, we still maintain broad coverage with ~103 countries having ≥15 vantage points.
Quack was presented at the 2018 USENIX SECURITY SYMPOSIUM.
The Quack tool and methodology underlies many of the data sets made available in the data repository on this site.