REDACT: refraction networking from the data center

Published: 03 December 2021

Abstract

Refraction networking is a promising censorship circumvention technique in which a participating router along the path to an innocuous destination deflects traffic to a covert site that is otherwise blocked by the censor. However, refraction networking faces major practical challenges due to performance issues and various attacks (e.g., routing-around-the-decoy and fingerprinting). Given that many sites are now hosted in the cloud, data centers offer an advantageous setting to implement refraction networking due to the physical proximity and similarity of hosted sites. We propose REDACT, a novel class of refraction networking solutions where the decoy router is a border router of a multi-tenant data center and the decoy and covert sites are tenants within the same data center. We highlight one specific example REDACT protocol, which leverages TLS session resumption to address the performance and implementation challenges in prior refraction networking protocols. REDACT also offers scope for other designs with different realistic use cases and assumptions.


Published in: ACM SIGCOMM Computer Communication Review, Volume 51, Issue 4 (October 2021), 49 pages. ISSN: 0146-4833. DOI: 10.1145/3503954.

Copyright © 2021. Copyright is held by the owner/author(s).

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher: Association for Computing Machinery, New York, NY, United States.

Qualifiers: research-article