Annual Computer Security Applications Conference (ACSAC) 2017

The Devil’s in The Details: Placing Decoy Routers in the Internet

Decoy Routing, the use of routers (rather than end hosts) as proxies, is a new direction in anti-censorship research. Existing proposals for placing Decoy Routers (DRs) in the Internet require control of hundreds of Autonomous Systems (AS) to provide anti-censorship services to users in a single censorious country (e.g. 850 ASes in the case of China), so as to ensure that there is simply no way to route around them.

In this paper, we consider a different approach. We begin by noting that DRs need not intercept all the network paths from a country, but just those leading to Overt Destinations, i.e. unfiltered websites hosted outside the country. Overt Destinations must be popular enough that client traffic to them does not make the censor suspicious. Our first question is – How many ASes are required for installing DRs to intercept a large fraction of paths from e.g. China to the top-n websites (as per Alexa)? How does this number grow with n? To our surprise, the same few (≈ 30) ASes cover over 90% of paths to the top n sites worldwide, for n = 10, 20, ..., 200, and also to other destinations. Investigating further, we find that this result fits perfectly with the hierarchical model of the Internet; our first contribution is to demonstrate with real paths that the number of ASes required for a world-wide DR framework is small (≈ 30). Further, attempts by censorious nations to screen traffic along the paths transiting these 30 ASes filter not only their own citizens, but also others residing in foreign ASes.

Our second contribution in this paper is to consider the details of DR placement: not just in which ASes DRs should be placed to intercept traffic, but exactly where in each AS. We find that even with our small number of ASes, we still need a total of about 11,700 DRs. We conclude that, even though a DR system involves far fewer ASes than previously thought, it is still a major undertaking. For example, the current routers cost over 10.3 billion USD, so if Decoy Routing at line speed requires all-new hardware, the cost alone would make such a project unfeasible for most actors (but not for major nation states).
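The coverage question posed in the abstract (how few ASes intercept a target fraction of paths to Overt Destinations) can be illustrated with the added sketch below, which is not code from the paper. It assumes a greedy selection over AS-level paths, which is an assumption about method; `PATHS`, `IN_COUNTRY` and `greedy_dr_ases` are hypothetical names, and the paths are constructed with documentation-range AS numbers.

```python
from collections import Counter

# Constructed sample: AS-level paths from client ASes inside one country to
# Overt Destinations outside it. AS numbers are documentation-range values.
IN_COUNTRY = frozenset({64496, 64497, 64498})  # assumed censor-controlled ASes
PATHS = [
    [64496, 64500, 64510], [64496, 64500, 64511], [64497, 64500, 64510],
    [64497, 64501, 64511], [64498, 64500, 64509], [64498, 64501, 64510],
    [64496, 64501, 64509], [64497, 64500, 64511], [64498, 64502, 64509],
    [64496, 64500, 64509],
]

def greedy_dr_ases(paths, target=0.9, exclude=frozenset()):
    """Choose ASes until `target` fraction of paths crosses a chosen AS.

    `exclude` holds ASes that cannot host a DR (here, ASes inside the
    censoring country). Returns (chosen ASes in pick order, coverage).
    Greedy selection is an assumption of this example.
    """
    total = len(paths)
    if total == 0:
        return [], 0.0
    # Each uncovered path is reduced to the ASes that are eligible hosts.
    uncovered = [set(p) - exclude for p in paths]
    chosen, covered = [], 0
    while covered / total < target:
        counts = Counter(asn for p in uncovered for asn in p)
        if not counts:
            break  # remaining paths never leave the excluded ASes
        # Most uncovered paths first; lowest AS number breaks ties.
        best, _ = min(counts.items(), key=lambda kv: (-kv[1], kv[0]))
        chosen.append(best)
        uncovered = [p for p in uncovered if best not in p]
        covered = total - len(uncovered)
    return chosen, covered / total

if __name__ == "__main__":
    ases, cov = greedy_dr_ases(PATHS, target=0.9, exclude=IN_COUNTRY)
    print(f"{len(ases)} ASes {ases} intercept {cov:.0%} of paths")
```

In this constructed topology two transit ASes carry 90% of the paths, the same concentration effect the abstract attributes to the hierarchical structure of the Internet.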

Devashish Gosain
Indraprastha Institute of Information Technology Delhi

Anshika Aggarwal
Indraprastha Institute of Information Technology Delhi

Sambuddho Chakravarty
Indraprastha Institute of Information Technology Delhi

Hrishikesh Bhattacharya
Rochester Institute of Technology
United States


