2020-sharma-siegebreaker
findings extracted from this paper
-
SiegeBreaker's session bootstrapping (from initial email to installed SP redirection rule) averaged 3–4 seconds across 100 trials, with the dominant delay attributed to email handling (SMTP connection, Selenium composition) rather than network latency; this setup cost is not included in the download-time benchmarks. The auxiliary ping-based switch-selection signal encodes 48 bits across three ICMP header fields (IP-ID, ping sequence number, ping identifier), requiring ~281 trillion spoofed ping packets per client–OD pair to brute-force.
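The 48-bit encoding described above can be made concrete with an added example (not code from the paper or the SiegeBreaker project) that packs a value into the IP-ID, ICMP identifier and ICMP sequence number of an echo request and recovers it on the receiving side. The field order, the addresses and the sample value are assumptions of this example; the page does not state how the 48 bits are derived or ordered.

```python
import socket
import struct

SIGNAL_BITS = 48  # three 16-bit header fields: IP-ID, ICMP identifier, ICMP sequence
SEARCH_SPACE = 1 << SIGNAL_BITS  # values a blind guesser must cover per client-OD pair


def checksum(data):
    """RFC 1071 Internet checksum over an even-length header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ping(src, dst, signal):
    """Build a raw IPv4 + ICMP echo request carrying `signal` in its header fields."""
    if not 0 <= signal < SEARCH_SPACE:
        raise ValueError("signal must fit in 48 bits")
    # Assumed field order: IP-ID = top 16 bits, identifier = middle, sequence = low.
    ip_id, ident, seq = signal >> 32, (signal >> 16) & 0xFFFF, signal & 0xFFFF
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    icmp = struct.pack("!BBHHH", 8, 0, checksum(icmp), ident, seq)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ip_id, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + icmp


def extract_signal(packet):
    """Return the 48-bit value from a raw IPv4 packet, or None if it is not an echo request."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None  # bad header length, not ICMP, or truncated
    if checksum(packet[:ihl]) != 0:
        return None  # IP header failed its checksum
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if icmp_type != 8 or code != 0:
        return None  # only echo requests carry the signal in this example
    ip_id = struct.unpack("!H", packet[4:6])[0]
    return (ip_id << 32) | (ident << 16) | seq


# Constructed sample: documentation-range addresses and an arbitrary 48-bit value.
SAMPLE = build_ping("192.0.2.10", "198.51.100.7", 0xA1B2C3D4E5F6)
```

`SEARCH_SPACE` is 2^48 = 281,474,976,710,656, which is the "~281 trillion" figure quoted above.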
-
SiegeBreaker explicitly acknowledges two unresolved attack vectors: (1) latency-based traffic analysis attacks (forced-asymmetry / RAD-style), which the system does not mitigate, and (2) website fingerprinting attacks against the proxied traffic, for which no defense is implemented. Additionally, the email-based control channel is vulnerable to a censor who can delay or block emails to the controller's address, disrupting rule installation before the client's SYN packet arrives.
-
Prior decoy routing deployments suffered severe throughput degradation: the TapDance ISP pilot reported average client throughput of only ~5 KB/s, making it unsuitable for most web content; other DR prototypes restricted evaluation to files under 1 MB in controlled lab settings, with some reporting over 30 seconds to load home pages under 1.5 MB in size.
-
All prior decoy routing systems (Cirripede, Telex, TapDance, Slitheen, Waterfall) require the DR to inspect every traversing flow — either all TCP SYN packets or all TLS flows — to identify DR requests, creating a privacy breach for non-DR users and a computational bottleneck. SiegeBreaker eliminates this by using an out-of-band email pre-registration (encrypted to the controller's 2048-bit RSA public key) that pins the controller's inspection rule to a single client-IP/OD-IP/ISN triple, so only authenticated potential DR flows are ever redirected.
-
SiegeBreaker achieves near-native TCP performance in Internet experiments: average download time for Alexa top-500 home pages via SB was 1.8 s versus 1.7 s for direct wget, across 500 concurrent client instances; bulk downloads of 1 GB files over a shared 1 Gbps link showed SB and native TCP sharing bandwidth almost equally, and throughput remained stable under 15 Gbps of cross-traffic or 50,000 parallel flows on the SDN switch.