Censorship Resistance: Decoy Routing Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See.

Slides:



Advertisements
Similar presentations
Grand Challenges in Networking Nick Feamster CS 7001.
Advertisements

I Want My Voice to Be Heard: IP over Voice-over-IP for Unobservable Censorship Circumvention Amir Houmansadr (The University of Texas at Austin) Thomas.
Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 3 02/15/2010 Security and Privacy in Cloud Computing.
Information Hiding: Watermarking and Steganography
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
CSE534- Fundamentals of Computer Networking Lecture 12-13: Internet Connectivity + IXPs (The Underbelly of the Internet) Based on slides by D. Choffnes.
Information Hiding: Anonymous Communication
CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.
CS 4700 / CS 5700 Network Fundamentals Lecture 16: IXPs (The Underbelly of the Internet) Revised 3/23/2015.
By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.
Inferring Autonomous System Relationships in the Internet Lixin Gao.
University of Nevada, Reno Ten Years in the Evolution of the Internet Ecosystem Paper written by: Amogh Dhamdhere, Constantine Dovrolis School of Computer.
Mohamed Hefeeda 1 School of Computing Science Simon Fraser University, Canada ISP-Friendly Peer Matching without ISP Collaboration Mohamed Hefeeda (Joint.
Security and Privacy of Future Internet Architectures: Named-Data Networking Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content.
Interdomain Routing Security COS 461: Computer Networks Michael Schapira.
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
Traffic Engineering in IP Networks Jennifer Rexford Computer Science Department Princeton University; Princeton, NJ
Stable Internet Routing Without Global Coordination Jennifer Rexford Princeton University Joint work with Lixin Gao (UMass-Amherst)
Slide -1- February, 2006 Interdomain Routing Gordon Wilfong Distinguished Member of Technical Staff Algorithms Research Department Mathematical and Algorithmic.
Wresting Control from BGP: Scalable Fine-grained Route Control UCSD / AT&T Research Usenix —June 22, 2007 Dan Pei, Tom Scholl, Aman Shaikh, Alex C. Snoeren,
Inherently Safe Backup Routing with BGP Lixin Gao (U. Mass Amherst) Timothy Griffin (AT&T Research) Jennifer Rexford (AT&T Research)
Economic Incentives in Internet Routing Jennifer Rexford Princeton University
University of Massachusetts, Amherst 1 On the Evaluation of AS Relationship Inferences Jianhong Xia and Lixin Gao Department of Electrical and Computer.
1 Autonomous Systems An autonomous system is a region of the Internet that is administered by a single entity. Examples of autonomous regions are: UVA’s.
Stable Internet Routing Without Global Coordination Jennifer Rexford AT&T Labs--Research Joint work with Lixin Gao.
Information Hiding: Covert Channels Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See.
Inter-domain Routing Outline Border Gateway Protocol.
Censorship Resistance: Parrots Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the.
Anticensorship in the Network Infrastructure Eric Wustrow University of Michigan.
1 Meeyoung Cha, Sue Moon, Chong-Dae Park Aman Shaikh Placing Relay Nodes for Intra-Domain Path Diversity To appear in IEEE INFOCOM 2006.
Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.
Impact of Prefix Hijacking on Payments of Providers Pradeep Bangera and Sergey Gorinsky Institute IMDEA Networks, Madrid, Spain Developing the Science.
9/15/2015CS622 - MIRO Presentation1 Wen Xu and Jennifer Rexford Department of Computer Science Princeton University Chuck Short CS622 Dr. C. Edward Chow.
1 Controlling IP Spoofing via Inter-Domain Packet Filters Zhenhai Duan Department of Computer Science Florida State University.
The Parrot is Dead: Observing Unobservable Network Communications
How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.
Advanced Networking Lab. Given two IP addresses, the estimation algorithm for the path and latency between them is as follows: Step 1: Map IP addresses.
Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks BGP.
Usable Security Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the last slide for.
TDTS21: Advanced Networking Lecture 7: Internet topology Based on slides from P. Gill and D. Choffnes Revised 2015 by N. Carlsson.
Finding Vulnerable Network Gadgets in the Internet Topology Author: Nir Amar Supervisor: Dr. Gabi Nakibly Author: Nir Amar Supervisor: Dr. Gabi Nakibly.
Traffic Analysis: Network Flow Watermarking Amir Houmansadr CS660: Advanced Information Assurance Spring CS660 - Advanced Information Assurance.
CS 4396 Computer Networks Lab BGP. Inter-AS routing in the Internet: (BGP)
NT1210 Introduction to Networking
Routing Around Decoys Max Schuchard, John Geddes, Christopher Thompson, Nicholas Hopper Proposed in FOCI'11, USINIX Security'11 and CCS'11 Presented by:
CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 20 PHILLIPA GILL - STONY BROOK U.
CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 22 PHILLIPA GILL - STONY BROOK U.
CSE534- Fundamentals of Computer Networking Lecture 12-13: Internet Connectivity + IXPs (The Underbelly of the Internet) Based on slides by D. Choffnes.
CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 23 PHILLIPA GILL - STONY BROOK U.
CS 6401 Overlay Networks Outline Overlay networks overview Routing overlays Resilient Overlay Networks Content Distribution Networks.
CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 16 PHILLIPA GILL - STONY BROOK U.
ICNP 2006 Inter­domain Policy Violations in Overlay Routes Srinivasan Seetharaman, Mostafa Ammar Networking and Telecommunications Group College of Computing.
Measuring and Mitigating AS-level Adversaries Against Tor
GLOBECOM 2007 Exit Policy Violations in Multi-hop Overlay Routes Srinivasan Seetharaman, Mostafa Ammar Networking and Telecommunications Group College.
Decoy Router Placement Jacopo Cesareo, Michael Schapira, and Jennifer Rexford Princeton University.
Inter-domain Routing Outline Border Gateway Protocol.
Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.
One Hop for RPKI, One Giant Leap for BGP Security Yossi Gilad (Hebrew University) Joint work with Avichai Cohen (Hebrew University), Amir Herzberg (Bar.
Decoy Router Placement Against a Smart Adversary Jacopo Cesareo, Michael Schapira, and Jennifer Rexford Princeton University.
Are We There Yet? On RPKI Deployment and Security
Autonomous Systems An autonomous system is a region of the Internet that is administered by a single entity. Examples of autonomous regions are: UVA’s.
CS590B/690B Detecting Network Interference (FALL 2016)
CS590B/690B Detecting Network Interference (Fall 2016)
CS590B/690B Detecting Network Interference
No Direction Home: The True cost of Routing Around Decoys
Autonomous Systems An autonomous system is a region of the Internet that is administered by a single entity. Examples of autonomous regions are: UVA’s.
Are We There Yet? On RPKI Deployment and Security
COS 561: Advanced Computer Networks
COS 561: Advanced Computer Networks
Presentation transcript:

Censorship Resistance: Decoy Routing Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the last slide for acknowledgements!

Classes of Information Hiding Digital watermarking Steganography Covert channels Anonymous communications Protocol obfuscation CS660 - Advanced Information Assurance - UMassAmherst 2

The Non-Democratic Republic of Repressistan Gateway Traditional circumvention 3 Blocked Proxy User’s AS X X IP Filtering DNS Hijacking DPI Insider attaacks Network identifiers DPI Active probes CS660 - Advanced Information Assurance - UMassAmherst

Decoy routing circumvention An alternative approach for circumvention – It builds circumvention into network infrastructure DR (Karlin et al., FOCI 2011) Cirripede (Houmansadr et al., ACM CCS 2011) Telex (Wustrow et al., USENIX Security 2011) 4 CS660 - Advanced Information Assurance - UMassAmherst

Some background

Internet topology 101 The Internet is composed of Autonomous Systems (ASes) – An Autonomous System is a network operated by a single organization 44,000 ASes are inter-connected based on their business relationships 6 CS660 - Advanced Information Assurance - UMassAmherst

The Internet map of ASes 7 CS660 - Advanced Information Assurance - UMassAmherst

Routing in the Internet 8 User’s AS CNN’s AS Transit AS CS660 - Advanced Information Assurance - UMassAmherst

The Non-Democratic Republic of Repressistan Gateway Decoy Routing Circumvention 9 Blocked Proxy User’s AS Non-blocked X Decoy AS CS660 - Advanced Information Assurance - UMassAmherst

Cirripede

Threat model Warden ISP – Monitor traffic – Block arbitrarily – Constraint: Do not degrade the usability of the Internet TLS is open 11 Client (C) Warden ISP CS660 - Advanced Information Assurance - UMassAmherst

12 Main idea Overt Destination (OD) Covert Destination (CD) C CS660 - Advanced Information Assurance - UMassAmherst

Good ISP Cirripede Architecture Registration Server (RS) 13 Cirripede’s Service Proxy C Deflecting Router (DR) CS660 - Advanced Information Assurance - UMassAmherst

Client Registration Registration Server (RS) Good ISP Client IP 14 C OD CS660 - Advanced Information Assurance - UMassAmherst Uses TCP ISN steganography discussed earlier

Registration 15 Client (C) Cirripede’s RS Collaborating DR CS660 - Advanced Information Assurance - UMassAmherst

Covert communication Client IP RS Cirripede’s Service Proxy 16 OD CD C CS660 - Advanced Information Assurance - UMassAmherst

Routing Around Decoys Schuchard et al., ACM CCS 2012

The Non-Democratic Republic of Repressistan Gateway 18 Blocked Routing Around Decoys (RAD) Decoy AS Non-blocked CS660 - Advanced Information Assurance - UMassAmherst

The Costs of Routing Around Decoys Houmansadr et al., NDSS 2014

This paper Concrete analysis based on real inter-domain routing data – As opposed to relying on the AS graph only While technically feasible, RAD imposes significant costs to censors 20 CS660 - Advanced Information Assurance - UMassAmherst

Main intuition: Internet paths are not equal! – Standard decision making in BGP aims to maximize QoS and minimize costs 21 CS660 - Advanced Information Assurance - UMassAmherst

The Non-Democratic Republic of Repressistan Gateway 22 Blocked 1.Degraded Internet reachability Decoy AS Non-blocked Decoy AS CS660 - Advanced Information Assurance - UMassAmherst

Path preference in BGP ASes are inter-connected based on business relationships – Customer-to-provider – Peer-to-peer – Sibling-to-sibling Standard path preference: 1.Customer 2.Peer/Sibling 3.Provider 23 CS660 - Advanced Information Assurance - UMassAmherst

Valley-free routing A valley-free Internet path: each transit AS is paid by at least one neighbor AS in the path ISPs widely practice valley-free routing 24 CS660 - Advanced Information Assurance - UMassAmherst

The Non-Democratic Republic of Repressistan Gateway 25 Blocked 2. Non-valley-free routes Decoy AS Non-blocked Provider Customer Provider CS660 - Advanced Information Assurance - UMassAmherst

The Non-Democratic Republic of Repressistan Gateway 26 Blocked 3. More expensive paths Decoy AS Non-blocked Customer Provider CS660 - Advanced Information Assurance - UMassAmherst

The Non-Democratic Republic of Repressistan Gateway 27 Blocked 4. Longer paths Decoy AS Non-blocked CS660 - Advanced Information Assurance - UMassAmherst

The Non-Democratic Republic of Repressistan Gateway 28 Blocked 5. Higher path latencies Decoy AS Non-blocked CS660 - Advanced Information Assurance - UMassAmherst

The Non-Democratic Republic of Repressistan Gateway 29 Blocked 6. New transit ASes Decoy AS Non-blocked Edge AS CS660 - Advanced Information Assurance - UMassAmherst

The Non-Democratic Republic of Repressistan Gateway 30 Blocked 7. Massive changes in transit load Decoy AS Non-blocked Transit AS Loses transit traffic Over-loads CS660 - Advanced Information Assurance - UMassAmherst

Simulations Use CBGP simulator for BGP – Python wrapper Datasets: – Geographic location (GeoLite dataset) – AS relations (CAIDA’s inferred AS relations) – AS ranking (CAIDA’s AS rank dataset) – Latency (iPlane’s Inter-PoP links dataset) – Network origin (iPlane’s Origin AS mapping dataset) Analyze RAD for – Various placement strategies – Various placement percentages – Various target/deploying Internet regions 31 CS660 - Advanced Information Assurance - UMassAmherst

Costs for the Great Firewall of China A 2% random decoy placement disconnects China from 4% of the Internet Additionally: – 16% of routes become more expensive – 39% of Internet routes become longer – Latency increases by a factor of 8 – The number of transit ASes increases by 150% – Transit loads change drastically (one AS increases by a factor of 2800, the other decreases by 32%) 32 CS660 - Advanced Information Assurance - UMassAmherst

Strategic placement RAD considers random selection for decoy ASes – This mostly selects edge ASes – Decoys should be deployed in transit ASes instead For better unobservability For better resistance to blocking 33 86% are edge ASes CS660 - Advanced Information Assurance - UMassAmherst

Strategic placement 34 4% unreachability 20% unreachability 43% unreachability CS660 - Advanced Information Assurance - UMassAmherst

Lessons 1.RAD is prohibitively costly to the censors – Monetary costs, as well as collateral damage 2.Strategic placement of decoys significantly increases the costs to the censors 3.The RAD attack is more costly to less-connected state-level censors 4.Even a regional placement is effective 5.Analysis of inter-domain routing requires a fine- grained data-driven approach 35 CS660 - Advanced Information Assurance - UMassAmherst

Acknowledgement Some pictures are obtained through Google search without being referenced 36 CS660 - Advanced Information Assurance - UMassAmherst

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.