2011-karlin-decoy

Decoy Routing: Toward Unblockable Internet Communication

Josh Karlin, Daniel Ellard, Alden W. Jackson, Christine E. Jones, Greg Lauer, David P. Mankins, W. Timothy Strayer · Free and Open Communications on the Internet · 2011

canonical link →

Tags

censors: generic
techniques: dpi
defenses: decoy-routing

findings extracted from this paper

Decoy routing places the circumvention service at transit routers rather than fixed-IP edge proxies, so the client addresses packets to any reachable decoy destination and the router hijacks the flow on the client's behalf. A single well-placed router may lie on paths to millions of destinations, making circumvention proxies appear ubiquitously deployed from an adversary's perspective. Blocking such a router requires disrupting ordinary traffic for large fractions of the Internet, qualitatively raising the cost of IP-address-based censorship.

§1.2 defense ip-blocking generic
An adversary aware of a decoy router's location can force decoy-routed flows to be unprocessable by fragmenting all packets below the size of a complete TCP header in the first fragment, preventing flow assignment and forcing the router into expensive reassembly. Alternatively, the adversary can use small-fragment attacks to grow the router's state table, analogous to NAT resource exhaustion. The paper identifies fragmentation-based denial as a harder-to-mitigate attack class than sentinel replay.

§4.2 detection ip-blockingmiddlebox-interference generic
A preplay attack defeats the TLS-sentinel covert channel: the adversary intercepts each ClientHello, immediately sends a copy to the decoy destination before the client's copy arrives, causing the sentinel to be consumed and poisoned. The client can never establish a decoy routing session while ordinary TLS to the decoy destination continues to work normally, giving the adversary both blocking capability and forensic confirmation that decoy routing was attempted. The paper notes this vulnerability is specific to the TLS sentinel and that alternatives such as port-knocking sentinels may not share it.

§4.1 detection active-probingdpi generic
TCP flow hijacking by the decoy proxy is practical under an asymmetric routing assumption: expected sequence numbers are recoverable from ACK values in client-originated packets alone, so the decoy router need not observe return traffic. The proxy forges a TCP RST to the decoy destination and mimics its TCP options (timestamp, window scale, SACK) to reduce detectability; these options are conveyed encrypted inside the sentinel's 28-byte TLS random field.

§3.3 defense dpimiddlebox-interference generic
Clients embed HMAC-derived, time-varying sentinels into the 28-byte random field of the TLS ClientHello message, which decoy routers can scan at line rate. Sentinels are keyed to the current hour and a per-hour sequence number, providing freshness. This covert channel requires no out-of-band signaling and is invisible to passive observers who see only a normal TLS handshake toward the decoy destination.

§3.2 defense tls-fingerprintdpi generic