Censorship Resistance: Decoy Routing Amir Houmansadr CS660: Advanced Information Assurance Spring...
-
Upload
malakai-hollin -
Category
Documents
-
view
221 -
download
2
Transcript of Censorship Resistance: Decoy Routing Amir Houmansadr CS660: Advanced Information Assurance Spring...
Censorship Resistance: Decoy Routing
Amir HoumansadrCS660: Advanced Information Assurance
Spring 2015
Content may be borrowed from other resources. See the last slide for acknowledgements!
2
Classes of Information Hiding
• Digital watermarking• Steganography• Covert channels• Anonymous communications• Protocol obfuscation
CS660 - Advanced Information Assurance - UMassAmherst
CS660 - Advanced Information Assurance - UMassAmherst
3
The Non-Democratic Republic of Repressistan
Gateway
Traditional circumvention
Blocked
Proxy
User’s ASXX IP Filtering
DNS HijackingDPI
Insider attaacksNetwork identifiers
DPIActive probes
CS660 - Advanced Information Assurance - UMassAmherst
4
Decoy routing circumvention
• An alternative approach for circumvention– It builds circumvention into network infrastructure
• DR (Karlin et al., FOCI 2011)• Cirripede (Houmansadr et al., ACM CCS 2011)• Telex (Wustrow et al., USENIX Security 2011)
Some background
CS660 - Advanced Information Assurance - UMassAmherst
6
Internet topology 101
• The Internet is composed of Autonomous Systems (ASes)–An Autonomous System is a network
operated by a single organization
• 44,000 ASes are inter-connected based on their business relationships
CS660 - Advanced Information Assurance - UMassAmherst
7
The Internet map of ASes
CS660 - Advanced Information Assurance - UMassAmherst
8
Routing in the Internet
User’s ASCNN’s AS
Transit AS Transit AS
CS660 - Advanced Information Assurance - UMassAmherst
9
The Non-Democratic Republic of Repressistan
Gateway
Decoy Routing Circumvention
Blocked
Proxy
User’s AS
Non-blocked
X
Decoy AS
Cirripede
CS660 - Advanced Information Assurance - UMassAmherst
11
Threat model
• Warden ISP– Monitor traffic– Block arbitrarily – Constraint: Do not
degrade the usability of the Internet• TLS is open
Client (C)
Warden ISP
CS660 - Advanced Information Assurance - UMassAmherst
12Main idea
Overt Destination (OD)
Covert Destination (CD)
C
CS660 - Advanced Information Assurance - UMassAmherst
13
Good ISP
Cirripede Architecture
Registration Server (RS)
Cirripede’sService Proxy
C
Deflecting Router (DR)
CS660 - Advanced Information Assurance - UMassAmherst
14Client Registration
Registration Server (RS)
Good ISP
Client IP
C
OD
OD
OD
Uses TCP ISN steganography discussed earlier
CS660 - Advanced Information Assurance - UMassAmherst
15
Registration
Client (C) Cirripede’s RSCollaborating DR
CS660 - Advanced Information Assurance - UMassAmherst
16Covert communication
Client IP
RS
Cirripede’sService Proxy
OD
CD
C
Routing Around Decoys
Schuchard et al., ACM CCS 2012
CS660 - Advanced Information Assurance - UMassAmherst
18
The Non-Democratic Republic of Repressistan
Gateway
Blocked
Routing Around Decoys (RAD)
Decoy ASNon-blocked
The Costs of Routing Around Decoys
Houmansadr et al., NDSS 2014
CS660 - Advanced Information Assurance - UMassAmherst
20
This paper
• Concrete analysis based on real inter-domain routing data– As opposed to relying on the AS graph only
• While technically feasible, RAD imposes significant costs to censors
CS660 - Advanced Information Assurance - UMassAmherst
21
• Main intuition: Internet paths are not equal!– Standard decision making in BGP aims to maximize
QoS and minimize costs
CS660 - Advanced Information Assurance - UMassAmherst
22
The Non-Democratic Republic of Repressistan
Gateway
Blocked
1. Degraded Internet reachability
Decoy ASNon-blocked
Decoy AS
CS660 - Advanced Information Assurance - UMassAmherst
23
Path preference in BGP
• ASes are inter-connected based on business relationships– Customer-to-provider– Peer-to-peer– Sibling-to-sibling
• Standard path preference:1. Customer2. Peer/Sibling3. Provider
CS660 - Advanced Information Assurance - UMassAmherst
24
Valley-free routing
• A valley-free Internet path: each transit AS is paid by at least one neighbor AS in the path
• ISPs widely practice valley-free routing
CS660 - Advanced Information Assurance - UMassAmherst
25
The Non-Democratic Republic of Repressistan
Gateway
Blocked
2. Non-valley-free routes
Decoy ASNon-blocked
Provider
Customer Provider
CS660 - Advanced Information Assurance - UMassAmherst
26
The Non-Democratic Republic of Repressistan
Gateway
Blocked
3. More expensive paths
Decoy ASNon-blocked
Customer
Provider
CS660 - Advanced Information Assurance - UMassAmherst
27
The Non-Democratic Republic of Repressistan
Gateway
Blocked
4. Longer paths
Decoy ASNon-blocked
CS660 - Advanced Information Assurance - UMassAmherst
28
The Non-Democratic Republic of Repressistan
Gateway
Blocked
5. Higher path latencies
Decoy ASNon-blocked
CS660 - Advanced Information Assurance - UMassAmherst
29
The Non-Democratic Republic of Repressistan
Gateway
Blocked
6. New transit ASes
Decoy ASNon-blocked
Edge AS
CS660 - Advanced Information Assurance - UMassAmherst
30
The Non-Democratic Republic of Repressistan
Gateway
Blocked
7. Massive changes in transit load
Decoy ASNon-blocked
Transit AS
Transit AS
Loses transit traffic
Over-loads
CS660 - Advanced Information Assurance - UMassAmherst
31
Simulations
• Use CBGP simulator for BGP– Python wrapper
• Datasets:– Geographic location (GeoLite dataset)– AS relations (CAIDA’s inferred AS relations)– AS ranking (CAIDA’s AS rank dataset)– Latency (iPlane’s Inter-PoP links dataset)– Network origin (iPlane’s Origin AS mapping dataset)
• Analyze RAD for– Various placement strategies– Various placement percentages– Various target/deploying Internet regions
CS660 - Advanced Information Assurance - UMassAmherst
32
Costs for the Great Firewall of China
• A 2% random decoy placement disconnects China from 4% of the Internet
• Additionally:– 16% of routes become more expensive– 39% of Internet routes become longer– Latency increases by a factor of 8– The number of transit ASes increases by 150%– Transit loads change drastically (one AS increases
by a factor of 2800, the other decreases by 32%)
CS660 - Advanced Information Assurance - UMassAmherst
33
Strategic placement
• RAD considers random selection for decoy ASes– This mostly selects edge ASes – Decoys should be deployed in transit ASes instead• For better unobservability• For better resistance to blocking
86% are edge ASes
CS660 - Advanced Information Assurance - UMassAmherst
34
Strategic placement
4% unreachability
20% unreachability
43% unreachability
CS660 - Advanced Information Assurance - UMassAmherst
35
Lessons
1. RAD is prohibitively costly to the censors– Monetary costs, as well as collateral damage
2. Strategic placement of decoys significantly increases the costs to the censors
3. The RAD attack is more costly to less-connected state-level censors
4. Even a regional placement is effective 5. Analysis of inter-domain routing requires a
fine-grained data-driven approach
CS660 - Advanced Information Assurance - UMassAmherst
36
Acknowledgement
• Some pictures are obtained through Google search without being referenced