2011-houmansadr-cirripede
findings extracted from this paper
- If clients probe the top 1,000 Alexa-ranked sites to discover a deflecting router, a censor would have to block more than 95% of those 1,000 sites to prevent any client from joining Cirripede. Clients aware of failed probes can continue cycling through additional popular sites, further raising the blocking cost.
- In an emulation testbed with 200 ms effective client-server RTT, Cirripede added no more than a few seconds to time-to-first-byte, attributable primarily to two extra TLS round-trips and the SOCKS request-response. For large file downloads, Cirripede's TCP connection splitting (two lower-RTT hops instead of one high-RTT hop) produced faster total transfer times than the non-Cirripede baseline, confirmed with a control non-Cirripede SOCKS proxy.
- Replaying 94 million TCP SYN packets from 6.4 million unique client IPs at ~41,000 packets/second, the Cirripede registration server (quad-core Xeon E5530, 12 GB RAM) achieved a 97% detection rate (1,038,689 out of 1,069,318 embedded registrations) with average CPU utilization of 56% (max 73%) and average memory of 1.1 GB (max 1.6 GB). The 3% miss rate was caused entirely by network-layer packet reordering, not server capacity.
- Using two CAIDA traces from March 2011, the byte volume of TCP SYN packets across all ports was only 4–7% that of port-443 traffic. Cirripede's registration design inspects only SYN packet headers rather than full HTTPS payloads, reducing the traffic an ISP must process by 14–25× compared to Telex/Decoy routing architectures that must reconstruct all port-443 TCP sessions.
- Simulations on the CAIDA AS-level topology (January 2011 snapshot) show that deploying Cirripede deflecting routers at just 1 tier-1 AS enables 97% of Internet clients to use the system, and 2 participating tier-1 ASes achieve 100% client reachability. When clients probe only the Alexa top-30 most popular sites as overt destinations, 2 tier-1 ISPs still yield 100% reachability.