Routing around decoys

Published: 16 October 2012
DOI: 10.1145/2382196.2382209

Abstract

Decoy Routing is a new approach to Internet censorship circumvention that was recently and independently proposed at FOCI'11, USENIX Security'11 and CCS'11. Decoy routing aims to hamper nation-state level Internet censorship by having routers, rather than end hosts, relay traffic to blocked destinations. We analyze the security of these schemes against a routing capable adversary, a censoring authority that is willing to make routing decisions in response to decoy routing systems.
We explore China, Syria, Iran, and Egypt as routing capable adversaries, and evaluate several attacks that defeat the security goals of existing decoy routing proposals. In particular, we show that a routing capable adversary can enumerate the participating routers implementing these protocols; can successfully avoid sending traffic along routes containing these routers with little or no adverse effects; can identify users of these schemes through active and passive attacks; and in some cases can probabilistically identify connections to targeted destinations.


    Published In

    CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security
    October 2012
    1088 pages
    ISBN: 9781450316514
    DOI: 10.1145/2382196
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. bgp
    2. censorship
    3. cirripede
    4. decoy routing
    5. telex

    Qualifiers

    • Research-article

    Conference

    CCS'12: the ACM Conference on Computer and Communications Security
    October 16 - 18, 2012
    North Carolina, Raleigh, USA

    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Article Metrics

    • Downloads (Last 12 months): 27
    • Downloads (Last 6 weeks): 12
    Reflects downloads up to 19 Nov 2024

    Cited By

    • NetShuffle: Circumventing Censorship with Shuffle Proxies at the Edge. 2024 IEEE Symposium on Security and Privacy (SP), pp. 3497-3514, 2024. DOI: 10.1109/SP54263.2024.00036. Online publication date: 19-May-2024.
    • Provably Avoiding Geographic Regions for Tor’s Onion Services. Financial Cryptography and Data Security, pp. 289-305, 2023. DOI: 10.1007/978-3-031-47754-6_17. Online publication date: 1-Dec-2023.
    • Harpocrates: Anonymous Data Publication in Named Data Networking. Proceedings of the 27th ACM on Symposium on Access Control Models and Technologies, pp. 79-90, 2022. DOI: 10.1145/3532105.3535025. Online publication date: 7-Jun-2022.
    • Too Close for Comfort: Morasses of (Anti-) Censorship in the Era of CDNs. Proceedings on Privacy Enhancing Technologies, 2021:2, pp. 173-193, 2021. DOI: 10.2478/popets-2021-0023. Online publication date: 29-Jan-2021.
    • BGPeek-a-Boo: Active BGP-based Traceback for Amplification DDoS Attacks. 2021 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 423-439, 2021. DOI: 10.1109/EuroSP51992.2021.00036. Online publication date: Sep-2021.
    • Running Refraction Networking for Real. Proceedings on Privacy Enhancing Technologies, 2020:4, pp. 321-335, 2020. DOI: 10.2478/popets-2020-0075. Online publication date: 17-Aug-2020.
    • SiegeBreaker: An SDN Based Practical Decoy Routing System. Proceedings on Privacy Enhancing Technologies, 2020:3, pp. 243-263, 2020. DOI: 10.2478/popets-2020-0051. Online publication date: 17-Aug-2020.
    • Bento: Bringing Network Function Virtualization to Tor. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pp. 2109-2111, 2020. DOI: 10.1145/3372297.3420020. Online publication date: 30-Oct-2020.
    • Poking a Hole in the Wall: Efficient Censorship-Resistant Internet Communications by Parasitizing on WebRTC. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pp. 35-48, 2020. DOI: 10.1145/3372297.3417874. Online publication date: 30-Oct-2020.
    • The Maestro Attack: Orchestrating Malicious Flows with BGP. Security and Privacy in Communication Networks, pp. 97-117, 2020. DOI: 10.1007/978-3-030-63086-7_7. Online publication date: 12-Dec-2020.
