Secure asymmetry and deployability for decoy routing systems

Cecylia Bocovich 1  and Ian Goldberg 1
  • 1 Cheriton School of Computer Science, University of Waterloo, , Waterloo, Belgium


Censorship circumvention is often characterized as a cat-and-mouse game between a nation-state censor and the developers of censorship resistance systems. Decoy routing systems offer a solution to censor- ship resistance that has the potential to tilt this race in the favour of the censorship resistor by using real connections to unblocked, overt sites to deliver censored content to users. This is achieved by employing the help of Internet Service Providers (ISPs) or Autonomous Systems (ASes) that own routers in the middle of the net- work. However, the deployment of decoy routers has yet to reach fruition. Obstacles to deployment such as the heavy requirements on routers that deploy decoy router relay stations, and the impact on the quality of service for customers that pass through these routers have deterred potential participants from deploying existing systems. Furthermore, connections from clients to overt sites often follow different paths in the upstream and downstream direction, making some existing designs impractical. Although decoy routing systems that lessen the burden on participating routers and accommodate asymmetric flows have been proposed, these arguably more deployable systems suffer from security vulnerabilities that put their users at risk of discovery or make them prone to censorship or denial of service attacks. In this paper, we propose a technique for supporting route asymmetry in previously symmetric decoy routing systems. The resulting asymmetric solution is more secure than previous asymmetric proposals and provides an option for tiered deployment, allowing more cautious ASes to deploy a lightweight, non-blocking relay station that aids in defending against routing-capable adversaries. We also provide an experimental evaluation of relay station performance on off-the-shelf hardware and additional security improvements to recently proposed systems.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] The CAIDA UCSD Statistical information for the CAIDA Anonymized Internet Traces., 2016. Accessed 22- February-2017.

  • [2] Simurgh Aryan, Homa Aryan, and J. Alex Halderman. Internet censorship in Iran: A first look. In 3rd USENIX Work- shop on Free and Open Communications on the Internet (FOCI), 2013.

  • [3] Diogo Barradas, Nuno Santos, and Luís Rodrigues. DeltaShaper: Enabling unobservable censorship-resistant TCP tunneling over videoconferencing streams. Privacy Enhancing Technologies, 2017(4):1-18, 2017.

  • [4] Cecylia Bocovich and Ian Goldberg. Slitheen: Perfectly imitated decoy routing through traffic replacement. In Pro- ceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS ’16, pages 1702-1714. ACM, 2016.

  • [5] Jacopo Cesareo, Josh Karlin, Michael Schapira, and Jennifer Rexford. Optimizing the placement of implicit proxies. Technical report, Princeton, NJ, USA, 2012.

  • [6] Roger Dingledine. Obfsproxy: The next step in the censorship arms race., February 2012. [Online; accessed 29-February-2016].

  • [7] Roger Dingledine and Nick Mathewson. Design of a blocking-resistant anonymity system. Technical report, 2006.

  • [8] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion router. In 13th USENIX Security Symposium, pages 303-320, 2004.

  • [9] Kevin P. Dyer, Scott E. Coull, and Thomas Shrimpton. Marionette: A programmable network-traffic obfuscation system. In 24th USENIX Security Symposium, pages 367-382, 2015.

  • [10] Tariq Elahi, John A Doucette, Hadi Hosseini, Steven J Murdoch, and Ian Goldberg. A framework for the game-theoretic analysis of censorship resistance. Proceedings on Privacy Enhancing Technologies, 2016(4):83-101, 2016.

  • [11] D. Ellard, C. Jones, V. Manfredi, W.T. Strayer, B. Thapa, M. Van Welie, and A. Jackson. Rebound: Decoy routing on asymmetric routes via error messages. In Local Computer Networks (LCN), 2015 IEEE 40th Conference on, pages 91- 99, October 2015.

  • [12] David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. Blocking-resistant communication through domain fronting. Proceedings on Privacy Enhancing Tech- nologies, 2015(2):46-64, 2015.

  • [13] Sergey Frolov, Fred Douglas, Will Scott, Allison McDonald, Benjamin VanderSloot, Rod Hynes, Adam Kruger, Michalis Kallitsis, David G. Robinson, Steve Schultze, Nikita Borisov, Alex Halderman, and Eric Wustrow. An ISP-scale deployment of TapDance. In 7th USENIX Workshop on Free and Open Communications on the Internet (FOCI 17), Vancouver, BC, 2017. USENIX Association.

  • [14] John Geddes, Max Schuchard, and Nicholas Hopper. Cover your ACKs: Pitfalls of covert channel censorship circumvention. In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS ’13, pages 361-372, New York, NY, USA, 2013. ACM.

  • [15] Yihua He, Michalis Faloutsos, Srikanth Krishnamurthy, and Bradley Huffaker. On routing asymmetry in the internet. In Global Telecommunications Conference, 2005. GLOBE- COM’05. IEEE, volume 2, pages 6-pp. IEEE, 2006.

  • [16] Dominik Herrmann, Rolf Wendolsky, and Hannes Federrath. Website fingerprinting: Attacking popular privacy enhancing technologies with the multinomial naïve-bayes classifier. In Proceedings of the 2009 ACM Workshop on Cloud Comput- ing Security, CCSW ’09, pages 31-42, 2009.

  • [17] Amir Houmansadr, Chad Brubaker, and Vitaly Shmatikov. The parrot is dead: Observing unobservable network communications. In 2013 IEEE Symposium on Security and Privacy, pages 65-79, May 2013.

  • [18] Amir Houmansadr, Giang T.K. Nguyen, Matthew Caesar, and Nikita Borisov. Cirripede: Circumvention infrastructure using router redirection with plausible deniability. In 18th ACM Conference on Computer and Communications Security, CCS ’11, pages 187-200, 2011.

  • [19] Amir Houmansadr, Thomas J Riedl, Nikita Borisov, and Andrew C Singer. I want my voice to be heard: IP over Voice-over-IP for unobservable censorship circumvention. In 2013 Network and Distributed System Security (NDSS) Symposium, 2013.

  • [20] Amir Houmansadr, Edmund L Wong, and Vitaly Shmatikov. No direction home: The true cost of routing around decoys. In 2014 Network and Distributed System Security (NDSS) Symposium, 2014.

  • [21] Amir Houmansadr, Wenxuan Zhou, Matthew Caesar, and Nikita Borisov. Sweet: Serving the web by exploiting email tunnels. arXiv preprint arXiv:1211.3191, 2012.

  • [22] Wolfgang John, Maurizio Dusi, and K. C. Claffy. Estimating routing symmetry on single links by passive flow measurements. In Proceedings of the 6th International Wire- less Communications and Mobile Computing Conference, IWCMC ’10, pages 473-478, New York, NY, USA, 2010. ACM.

  • [23] Antoine Joux. Authentication failures in NIST version of GCM. 2006.

  • [24] Josh Karlin, Daniel Ellard, Alden W Jackson, Christine E Jones, Greg Lauer, David P Mankins, and W Timothy Strayer. Decoy routing: Toward unblockable internet communication. In USENIX workshop on free and open commu- nications on the Internet, 2011.

  • [25] Sanja Kelly, Mai Truong, Adrian Shahbaz, Madeline Earp, Jessica White, and Rose Dlougatch. Silencing the messenger: Communication apps under pressure., 2016. [Online; accessed 28-April-2017].

  • [26] David McGrew and John Viega. The galois/counter mode of operation (GCM). 2005.

  • [27] Richard McPherson, Amir Houmansadr, and Vitaly Shmatikov. Covertcast: Using live streaming to evade internet censorship. Proceedings on Privacy Enhancing Tech- nologies, 2016(3):212-225, 2016.

  • [28] Hooman Mohajeri Moghaddam, Baiyu Li, Mohammad Derakhshani, and Ian Goldberg. Skypemorph: Protocol obfuscation for Tor bridges. In 2012 ACM Conference on Computer and Communications Security, CCS ’12, pages 97-108, 2012.

  • [29] Zubair Nabi. The anatomy of web censorship in Pakistan. In 3rd USENIX Workshop on Free and Open Communications on the Internet (FOCI), 2013.

  • [30] Milad Nasr and Amir Houmansadr. Game of decoys: Optimal decoy routing through game theory. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS ’16, pages 1727-1738. ACM, 2016.

  • [31] Milad Nasr, Hadi Zolfaghari, and Amir Houmansadr. The waterfall of liberty: Decoy routing circumvention that resists routing attacks. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS ’17, pages 2037-2052, 2017.

  • [32] Max Schuchard, John Geddes, Christopher Thompson, and Nicholas Hopper. Routing around decoys. In 2012 ACM Conference on Computer and Communications Security, CCS ’12, pages 85-96, 2012.

  • [33] Y. Schwartz, Y. Shavitt, and U. Weinsberg. On the diversity, stability and symmetry of end-to-end Internet routes. In 2010 INFOCOM IEEE Conference on Computer Communi- cations Workshops, pages 1-6, March 2010.

  • [34] M. C. Tschantz, S. Afroz, Anonymous, and V. Paxson. SoK: Towards grounding censorship circumvention in empiricism. In 2016 IEEE Symposium on Security and Privacy (SP), pages 914-933, May 2016.

  • [35] Tao Wang, Xiang Cai, Rishab Nithyanand, Rob Johnson, and Ian Goldberg. Effective attacks and provable defenses for website fingerprinting. In Proceedings of the 23rd USENIX Conference on Security Symposium, SEC’14, pages 143-157, 2014.

  • [36] Zachary Weinberg, Jeffrey Wang, Vinod Yegneswaran, Linda Briesemeister, Steven Cheung, Frank Wang, and Dan Boneh. StegoTorus: A camouflage proxy for the Tor anonymity system. In 2012 ACM Conference on Computer and Communications Security, CCS ’12, pages 109-120, 2012.

  • [37] Philipp Winter and Stefan Lindskog. How the Great Firewall of China is blocking Tor. In 2nd USENIX Workshop on Free and Open Communications on the Internet (FOCI), 2012.

  • [38] Philipp Winter, Tobias Pulls, and Juergen Fuss. Scramble- Suit: A polymorphic network protocol to circumvent censorship. In 12th ACM Workshop on Workshop on Privacy in the Electronic Society, WPES ’13, pages 213-224, 2013.

  • [39] Eric Wustrow, Colleen M. Swanson, and J. Alex Halderman. TapDance: End-to-middle anticensorship without flow blocking. In 23rd USENIX Security Symposium, pages 159-174, 2014.

  • [40] Eric Wustrow, Scott Wolchok, Ian Goldberg, and J. Alex Halderman. Telex: Anticensorship in the network infrastructure. In 20th USENIX Security Symposium, 2011.


Journal + Issues