2017-gosain-devil-s

The Devil's in The Details: Placing Decoy Routers in the Internet

Devashish Gosain, Anshika Agarwal, Sambuddho Chakravarty, H. B. Acharya · ACSAC · 2017

canonical link →

Tags

censors: generic
techniques: dpi
defenses: decoy-routing

findings extracted from this paper

The 30 key ASes computed from globally popular sites also intercept over 90% of paths to country-specific popular sites in nine censorious nations (China, Venezuela, Russia, Syria, Bahrain, Pakistan, Saudi Arabia, Egypt, Iran), covering 93.3% of paths to the top-50 country-specific sites. The same key AS set remained stable across repeated experiments conducted four months apart, suggesting durability over time.

§6.1–6.2, Figure 8 evaluation cnirrusyvesapk
Only ~30 ASes intercept more than 90% of paths to popular websites globally, regardless of the target destination set (Alexa top-10 through top-200). The top 2 ASes alone (AS3356 Level-3 Communications and AS174 Cogent) intercept 45.1% of all 4,497,547 paths to Alexa top-100 sites; the full set of 30 intercepts 92.4%. This is approximately 30× fewer ASes than prior work required for a single adversary country (858 ASes for China alone).

§5.1, Figure 3, Table 1 evaluation cn
If China attempts the Routing-Around-Decoys (RAD) attack by blackholing paths that transit the 30 key ASes, 92.25% of all paths transiting Chinese ASes (306,874 of 332,742) originate at ASes outside China, making such filtering self-defeating through severe collateral damage to foreign transit customers. The 30 key ASes cover 98.8% of paths from Chinese ASes to globally popular destinations and at least 80% for nearly all adversary countries studied.

§6.2, Figure 7, Figure 9 defense asn-blackholing cn
Customer-cone size — the AS selection metric used by prior work (Houmansadr et al. 2014) — is poorly correlated with actual path frequency (Spearman rank correlation = 0.2). 33.17% of paths to Alexa top-100 prefixes traverse 1-hop customers of the largest-cone AS (AS3356, cone size 24,553) without transiting AS3356 itself, showing that cone-based heuristics systematically misidentify which ASes actually carry traffic.

§6.6, Figure 10, Table 5 evaluation generic
Router-level mapping of the 30 key ASes reveals that 11,709 individual routers must be replaced with Decoy Routers (non-censorious ASes only), at a hardware cost exceeding $10.3 billion USD. Individual large ASes require hundreds to over 1,600 router replacements (e.g., AS3356 needs 576, AS209 Quest Communications needs 1,662). Even targeting the weakest adversary studied, Syria (containable by 3 ASes at AS level), requires 1,117 DRs.

§5.2, §6.4, Table 3–4 evaluation cnsy