2015-jones-can
findings extracted from this paper
-
Beverly et al. found that 77% of Internet clients can spoof source addresses within their own /24 and 11% can spoof within their own /16, with these characteristics holding across a wide range of countries and regions. The authors use this result to argue that IP-spoofed cover traffic — where measurement probes appear to originate from many hosts in the same AS — is broadly feasible in practice.
-
The authors argue that it is almost certainly impossible to eliminate, or even definitively quantify, the risk to users who perform censorship measurements, because surveillance system capabilities are rapidly evolving and in some cases unknowable, and because retribution in adversarial environments may not follow due process. The paper explicitly states that its techniques had not been deployed on real networks as of writing because "a better consideration of the associated risks is warranted."
-
Spam-cloaked censorship measurements were correctly classified as spam by Proofpoint (the authors' university spam filter), validating surveillance evasion. Separately, MX queries sent from a PlanetLab node in China confirmed that the GFW injected bad A-record DNS responses for both A-record and MX-record lookups for twitter.com and youtube.com, validating measurement accuracy.
-
Surveillance systems are fundamentally more selective than censorship systems due to storage constraints: as of 2009 the NSA could store only 7.5% of received traffic across 592 tapped 10 Gbps links with only 69 10 Gbps backhaul links, and the authors' campus network retains non-alert metadata for ~36 hours and IDS alerts for ~1 year. Censorship systems by contrast are transaction-focused and retain only enough data to process real-time requests. This asymmetry creates an exploitable gap: traffic that does not stand out from the population is discarded before reaching human analysts.
-
Analysis of two days of leaked censorship log files from Syria shows that 1.57% of the population accessed at least one censored site — a proportion the authors argue is far too large for a user-focused surveillance system to pursue individually. This implies that simply flagging all users who access censored content is not a feasible targeting strategy for surveillance.