2024-kon-netshuffle
findings extracted from this paper
-
NetShuffle targets edge networks — small autonomous systems and entities that obtain IP address blocks from upstream providers — as a new class of support base for circumvention infrastructure. This class has received scant attention from prior work, which has focused on cloud providers and volunteer desktop machines. Edge networks represent a large pool of diverse IP space that is harder to block via ASN blackholing compared to a small number of major cloud providers.
-
NetShuffle decouples regular proxy services (e.g., HTTPS proxies, Tor bridges) from their network addresses via continuous in-network change using programmable switches at edge networks. Because the network location of a proxy is in constant flux, blocking by IP or address enumeration becomes structurally ineffective: the proxy service itself is unchanged but its visible address rotates continuously.
-
NetShuffle was prototyped in testbed environments and operated on a live campus network for more than one month. The evaluation shows that the in-network address shuffling provided by programmable switches is transparent to both services and clients and incurs negligible performance overhead, validating the drop-in appliance deployment model.