2018-bocovich-secure

Secure asymmetry and deployability for decoy routing systems

Cecylia Bocovich, Ian Goldberg · Privacy Enhancing Technologies · 2018

canonical link →

Tags

censors: generic
techniques: dpi
defenses: decoy-routing

findings extracted from this paper

For China (a highly connected, routing-capable adversary), the gossip protocol combined with any symmetric decoy routing design requires only 5 heavyweight downstream stations plus 880 lightweight upstream gossip stations — versus 880 heavyweight stations for purely symmetric designs. Five downstream stations alone impact 78% of routes from Chinese users, while a single downstream station already covers nearly 25% of traffic.

Table 2 / §3.2 evaluation bgp-hijack cn
An asymmetric gossip protocol adds only 1.0055× bandwidth overhead for n=5 downstream stations — approximately 11 Mb/s extra on a typical 2 Gb/s OC48 link. Upstream gossip stations require no in-line blocking and impose zero additional load on overt sites, making them substantially lighter than heavyweight symmetric relay stations that must check every TLS connection for steganographic tags.

§3.3 evaluation
A censor using latency analysis to classify decoy routing sessions achieves a maximum F-score that drops to nearly 0 when the base rate of decoy routing falls below 10^-4 (one in 10,000 connections). Even at higher adoption rates the F-score remains below 0.5 for most overt sites, making reliable detection infeasible without unacceptable false-positive rates on legitimate traffic.

§4.2 evaluation traffic-shapeflow-correlation
Between 80% and 90% of internet routes are asymmetric, with only about 10% of flows symmetric in Tier-1 (backbone) networks and roughly 70% symmetric at the network edge. This asymmetry makes decoy routing systems requiring relay stations on both upstream and downstream paths impractical for the majority of real-world deployments.

§3 evaluation
Decoy routing systems that re-encrypt TLS application data across the relay station (Slitheen, Rebound, Waterfall) are vulnerable to nonce-reuse attacks: an adversary capable of observing traffic on both sides of the relay can exploit reused GCM nonces to decrypt or modify covert traffic. Although this falls outside the standard decoy routing threat model, it poses a concrete risk to users already under heightened surveillance who face adversaries with broad network visibility.

§5.2 detection flow-correlation