Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 23 PHILLIPA GILL - STONY BROOK U.

Published byMarybeth Weaver Modified over 9 years ago

Similar presentations

Presentation on theme: "CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 23 PHILLIPA GILL - STONY BROOK U."— Presentation transcript:

1 CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 23 PHILLIPA GILL - STONY BROOK U.

2 WHERE WE ARE Last time: Parrot is dead + Cover Your Acks Today Quick hands on activity Decoy routing overview Telex Tap Dance (video)

3 REVIEW QUESTIONS 1.What type of censor adversary does decoy routing assume? 2.How does it try to evade this type of censor? 3.Describe how decoy routing works. 4.What is a sentinel? What is its purpose? Give an example. 5.Why would operators be reluctant to deploy Telex/Cirripede? 6.What property of Tap Dance is meant to reduce operator reluctance? 7.What key observation does Tap Dance use to suppress a response from the legitimate server? Why does this type of packet not get a response from the server?

4 TODAY: DECOY ROUTING Defending against decoy routing! - Routing around decoys - No way home. ACKS: Slides courtesy Amir Houmansadr @ UMass.

5 Routing Around Decoys Schuchard et al., ACM CCS 2012

6 The Non-Democratic Republic of Repressistan Gateway 6 Blocked Routing Around Decoys (RAD) Decoy AS Non-blocked CS660 - Advanced Information Assurance - UMassAmherst

7 The Costs of Routing Around Decoys Houmansadr et al., NDSS 2014

8 This paper Concrete analysis based on real inter-domain routing data – As opposed to relying on the AS graph only While technically feasible, RAD imposes significant costs to censors 8 CS660 - Advanced Information Assurance - UMassAmherst

9 Main intuition: Internet paths are not equal! – Standard decision making in BGP aims to maximize QoS and minimize costs 9 CS660 - Advanced Information Assurance - UMassAmherst

10 The Non-Democratic Republic of Repressistan Gateway 10 Blocked 1.Degraded Internet reachability Decoy AS Non-blocked Decoy AS CS660 - Advanced Information Assurance - UMassAmherst

11 Path preference in BGP ASes are inter-connected based on business relationships – Customer-to-provider – Peer-to-peer – Sibling-to-sibling Standard path preference: 1.Customer 2.Peer/Sibling 3.Provider 11 CS660 - Advanced Information Assurance - UMassAmherst

12 Valley-free routing A valley-free Internet path: each transit AS is paid by at least one neighbor AS in the path ISPs widely practice valley-free routing 12 CS660 - Advanced Information Assurance - UMassAmherst

13 The Non-Democratic Republic of Repressistan Gateway 13 Blocked 2. Non-valley-free routes Decoy AS Non-blocked Provider Customer Provider CS660 - Advanced Information Assurance - UMassAmherst

14 The Non-Democratic Republic of Repressistan Gateway 14 Blocked 3. More expensive paths Decoy AS Non-blocked Customer Provider CS660 - Advanced Information Assurance - UMassAmherst

15 The Non-Democratic Republic of Repressistan Gateway 15 Blocked 4. Longer paths Decoy AS Non-blocked CS660 - Advanced Information Assurance - UMassAmherst

16 The Non-Democratic Republic of Repressistan Gateway 16 Blocked 5. Higher path latencies Decoy AS Non-blocked CS660 - Advanced Information Assurance - UMassAmherst

17 The Non-Democratic Republic of Repressistan Gateway 17 Blocked 6. New transit ASes Decoy AS Non-blocked Edge AS CS660 - Advanced Information Assurance - UMassAmherst

18 The Non-Democratic Republic of Repressistan Gateway 18 Blocked 7. Massive changes in transit load Decoy AS Non-blocked Transit AS Loses transit traffic Over-loads CS660 - Advanced Information Assurance - UMassAmherst

19 Simulations Use CBGP simulator for BGP – Python wrapper Datasets: – Geographic location (GeoLite dataset) – AS relations (CAIDA’s inferred AS relations) – AS ranking (CAIDA’s AS rank dataset) – Latency (iPlane’s Inter-PoP links dataset) – Network origin (iPlane’s Origin AS mapping dataset) Analyze RAD for – Various placement strategies – Various placement percentages – Various target/deploying Internet regions 19 CS660 - Advanced Information Assurance - UMassAmherst

20 Costs for the Great Firewall of China A 2% random decoy placement disconnects China from 4% of the Internet Additionally: – 16% of routes become more expensive – 39% of Internet routes become longer – Latency increases by a factor of 8 – The number of transit ASes increases by 150% – Transit loads change drastically (one AS increases by a factor of 2800, the other decreases by 32%) 20 CS660 - Advanced Information Assurance - UMassAmherst

21 Strategic placement RAD considers random selection for decoy ASes – This mostly selects edge ASes – Decoys should be deployed in transit ASes instead For better unobservability For better resistance to blocking 21 86% are edge ASes CS660 - Advanced Information Assurance - UMassAmherst

22 Strategic placement 22 4% unreachability 20% unreachability 43% unreachability CS660 - Advanced Information Assurance - UMassAmherst

23 Lessons 1.RAD is prohibitively costly to the censors – Monetary costs, as well as collateral damage 2.Strategic placement of decoys significantly increases the costs to the censors 3.The RAD attack is more costly to less-connected state-level censors 4.Even a regional placement is effective 5.Analysis of inter-domain routing requires a fine- grained data-driven approach 23 CS660 - Advanced Information Assurance - UMassAmherst

Download ppt "CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 23 PHILLIPA GILL - STONY BROOK U."

Similar presentations

Multihoming and Multi-path Routing

Multihoming and Multi-path Routing
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
Censorship Resistance: Decoy Routing Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See.

Censorship Resistance: Decoy Routing Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See.
By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.

By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.
Inferring Autonomous System Relationships in the Internet Lixin Gao Dept. of Electrical and Computer Engineering University of Massachusetts, Amherst

Inferring Autonomous System Relationships in the Internet Lixin Gao Dept. of Electrical and Computer Engineering University of Massachusetts, Amherst
Inferring Autonomous System Relationships in the Internet Lixin Gao.

Inferring Autonomous System Relationships in the Internet Lixin Gao.
Inferring Autonomous System Relationships in the Internet Lixin Gao Presented by Santhosh R Thampuran.

Inferring Autonomous System Relationships in the Internet Lixin Gao Presented by Santhosh R Thampuran.
Part II: Inter-domain Routing Policies. March 8, 20042 What is routing policy? ISP1 ISP4ISP3 Cust1Cust2 ISP2 traffic Connectivity DOES NOT imply reachability!

Part II: Inter-domain Routing Policies. March 8, What is routing policy? ISP1 ISP4ISP3 Cust1Cust2 ISP2 traffic Connectivity DOES NOT imply reachability!
University of Nevada, Reno Ten Years in the Evolution of the Internet Ecosystem Paper written by: Amogh Dhamdhere, Constantine Dovrolis School of Computer.

University of Nevada, Reno Ten Years in the Evolution of the Internet Ecosystem Paper written by: Amogh Dhamdhere, Constantine Dovrolis School of Computer.
Mohamed Hefeeda 1 School of Computing Science Simon Fraser University, Canada ISP-Friendly Peer Matching without ISP Collaboration Mohamed Hefeeda (Joint.

Mohamed Hefeeda 1 School of Computing Science Simon Fraser University, Canada ISP-Friendly Peer Matching without ISP Collaboration Mohamed Hefeeda (Joint.
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.

Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
Stable Internet Routing Without Global Coordination Jennifer Rexford Princeton University Joint work with Lixin Gao (UMass-Amherst)

Stable Internet Routing Without Global Coordination Jennifer Rexford Princeton University Joint work with Lixin Gao (UMass-Amherst)
BGP EE122 Discussion 11/7/11.

BGP EE122 Discussion 11/7/11.
Slide -1- February, 2006 Interdomain Routing Gordon Wilfong Distinguished Member of Technical Staff Algorithms Research Department Mathematical and Algorithmic.

Slide -1- February, 2006 Interdomain Routing Gordon Wilfong Distinguished Member of Technical Staff Algorithms Research Department Mathematical and Algorithmic.
On Power-Law Relationships of the Internet Topology CSCI 780, Fall 2005.

On Power-Law Relationships of the Internet Topology CSCI 780, Fall 2005.
Inherently Safe Backup Routing with BGP Lixin Gao (U. Mass Amherst) Timothy Griffin (AT&T Research) Jennifer Rexford (AT&T Research)

Inherently Safe Backup Routing with BGP Lixin Gao (U. Mass Amherst) Timothy Griffin (AT&T Research) Jennifer Rexford (AT&T Research)
Link Flooding DDoS Attack

Link Flooding DDoS Attack
University of Massachusetts, Amherst 1 On the Evaluation of AS Relationship Inferences Jianhong Xia and Lixin Gao Department of Electrical and Computer.

University of Massachusetts, Amherst 1 On the Evaluation of AS Relationship Inferences Jianhong Xia and Lixin Gao Department of Electrical and Computer.
Building a Strong Foundation for a Future Internet Jennifer Rexford ’91 Computer Science Department (and Electrical Engineering and the Center for IT Policy)

Building a Strong Foundation for a Future Internet Jennifer Rexford ’91 Computer Science Department (and Electrical Engineering and the Center for IT Policy)
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Similar presentations

Ads by Google