Recent research claims that “powerful” nation states may be hegemonic over significant web traffic of “underserved” nations (e.g. Brazil and India). Such traffic may be surveilled when transiting (or ending in) these powerful nations. Conversely, Content Distribution Networks (CDNs) are designed to bring web content closer to end-users. Does the presence of CDNs contradict the notion of nation state hegemony? Our empirical study, involving five countries, shows that popular websites ( 80% of Alexa top-1k for each nation) are hosted within a client’s domicile, affirming the contradiction.
On the negative side, this may inadvertently enhance a country’s ability to coerce content providers to regulate (or monitor) access within its boundary. On top of that, the obvious solution, i.e. anti-censorship approaches, sadly face a new dilemma. Traditional ones, relying on proxies, are easily discoverable. Whereas newer ones (e.g. Decoy Routing, CacheBrowser, Meek and CovertCast etc.) might not work as they require accessing web content hosted outside the censors’ boundary. We thus quantitatively analyzed the impact of web content localization on various anti-censorship systems.
Such analysis requires geolocating the websites. Thus we adapted a multilateration method, Constraint Based Geolocation (CBG), with novel heuristics. We call it as Region Specific CBG (R-CBG). In 91% cases R-CBG correctly classifies hosts as inside (or outside) w.r.t. a nation. Using R-CBG, we observed that most of the popular sites are hosted inside each of the nations. Additional heuristics classify majority of them to be on CDNs.
In this work we present a detailed study of the Internet censorship in India. We consolidated a list of potentially blocked websites from various public sources to assess censorship mechanisms used by nine major ISPs.
To begin with, we demonstrate that existing censorship detection tools like OONI are grossly inaccurate. We thus developed various techniques and heuristics to correctly assess censorship and study the underlying mechanism involved in these ISPs. At every step we corroborated our finding manually to test the efficacy of our approach, a step largely ignored by others. We fortify our findings by adjudging the coverage and consistency of censorship infrastructure, broadly in terms of average number of network paths and requested domains the infrastructure surveils.
Our results indicate a clear disparity among the ISPs, on how they install censorship infrastructure. For instance, in Idea network we observed the censorious middleboxes on over 90% of our tested intra-AS paths whereas for Vodafone, it is as low as 2.5%. We conclude our research by devising our own anti-censorship strategies, that does not depend on third party tools (like proxies, Tor and VPNs etc.). We managed to anti-censor all blocked websites in all ISPs under test.
This work presents a study of the Internet infrastructure in India from the point of view of censorship. First, we show that the current state of affairs --- where each ISP implements its own content filters (nominally as per a governmental blacklist) --- results in dramatic differences in the censorship experienced by customers. In practice, a well-informed Indian citizen can escape censorship through a judicious choice of service provider.
We then consider the question of whether India might potentially follow the Chinese model and institute a single, government-controlled filter. This would not be difficult, as the Indian Internet is quite centralized already. A few "key" ASes ( 1% of Indian ASes) collectively intercept 95% of paths to the censored sites we sample in our study, and also to all publicly-visible DNS servers. 5,000 routers spanning these key ASes would su ce to carry out IP or DNS filtering for the entire country; 70% of these routers belong to only two private ISPs. If the government is willing to employ more powerful measures, such as an IP Prefix Hijacking attack, any one of several key ASes can censor traffic for nearly all Indian users. Finally, we demonstrate that such federated censorship by India would cause substantial collateral damage to non-Indian ASes whose traffic passes through Indian cyberspace (which do not legally come under Indian jurisdiction at all).
Decoy Routing, the use of routers (rather than end hosts) as proxies, is a new direction in anti-censorship research. Decoy Routers (DRs), placed in Autonomous Systems, proxy traffic from users; so the adversary, e.g. a censorious government, attempts to avoid them.
It is quite difficult to place DRs so the adversary cannot route around them – for example, we need the cooperation of 850 ASes to contain China alone. In this work, we consider a different approach. We begin by noting that DRs need not intercept all the network paths from a country, just those leading to Overt Destinations, i.e. unfiltered websites hosted outside the country (usually popular ones, so that client traffic to the OD does not make the censor suspicious).
Our first question is – How many ASes are required for installing DRs to intercept a large fraction of paths from e.g. China to the top n websites (as per Alexa)? How does this number grow with n ? To our surprise, the same few (≈ 30) ASes intercept over 90% of paths to the top n sites worldwide, for n = 10, 20...200 and also to other destinations. Investigating further, we find that this result fits perfectly with the hierarchical model of the Internet; our first contribution is to demonstrate with real paths that the number of ASes required for a world-wide DR framework is small (≈ 30). Further, censor nations’ attempts to filter traffic along the paths transiting these 30 ASes will not only block their own citizens, but others residing in foreign ASes.
Our second contribution in this paper is to consider the details of DR placement: not just in which ASes DRs should be placed to intercept traffic, but exactly where in each AS. We find that even with our small number of ASes, we still need a total of about 11, 700 DRs. We conclude that, even though a DR system involves far fewer ASes than previously thought, it is still a major undertaking. For example, the current routers cost over 10.3 billion USD, so if Decoy Routing at line speed requires all-new hardware, the cost alone would make such a project unfeasible for most actors (but not for major nation states).
The original design of the Internet was a resilient, distributed system, that maybe able to route around (and therefore recover from) massive disruption—up to and including nuclear war. However, network routing effects and business decisions cause traffic to often be routed through a relatively small set of Autonomous Systems (ASes). This is not merely an academic issue; it has practical implications — some of these frequently appearing ASes are hosted in censorious nations.
Other than censoring their own citizens’ network access, such ASes may inadvertently filter traffic for other foreign customer ASes. In this work, we examine the extent of routing centralization in the Internet; identify the major players who control the “Internet backbone”; and point out how many of these are, in fact, under the jurisdiction of censorious countries (specifically, Russia, China, and India). Further, we show that China and India are not only the two largest nations by number of Internet users, but that many users in free and democratic countries are affected by collateral damage caused due to censorship by such countries.
Bandwidth measurement is a deeply studied problem; but so far, all the techniques to measure the bandwidth between two hosts, require the experimenter to have control over one or both hosts. In this paper, we present Telemetron, the first active bandwidth measurement tool, that can estimate the path capacity between two remote hosts, using only an off-path Measuring Machine (MM).
Interestingly, it is not difficult to cause traffic flow between two off-path remote hosts. Sending request packets to one host, with a spoofed source IP (so the packets look like they are from the other host), will cause the first host to send reply packets to the other. The challenge for MM is to measure the rate at which these packets arrive at the latter. Our key observation is that if the said machine has a global IP-ID counter, the arrival of packets (or more precisely, the number of replies they cause) can be monitored remotely, using probes from MM. By observing the rate of increment in global IP-ID counter, MM estimates the path capacity between the remote hosts. Telemetron shows high accuracy in both laboratory and Internet tests, and on average, reports path capacity of 92.5% of theoretical limit.
National governments know the Internet as both a blessing and a headache. On the one hand, it unlocks great opportunity — economic as well as strategic. On the other hand, cyberspace is a whole new arena to secure. Cyber attacks threaten all Internet-enabled services, including emergency-response and military services. Indeed, the risk of serious attacks (too large for individual ISPs or consumers to mitigate) has risen dramatically in recent years, with the emergence of botnets such as Mirai, Hajime and Gafgyt.
Is it even possible for a national government to secure its cyberspace, short of extreme measures (turning off Internet access nation-wide)? In this work, we study the problem of constructing a responsible nation-wide defense. Using only publicly-available network information, we carry out case studies in eight countries; in each case, we successfully identify a Line of Defense — a small number of important ASes that intercept most (> 95%) the network paths of the country. Intuitively, such ASes can serve as a cordon to monitor and filter cyber attacks. Our results indicate that, in practice, a government need only collaborate with a small number of strategic ASes to guard against several attacks.
(A project in collaboration with my fellow PhD scholar Piyush Sharma )
Decoy Routing (DR), a promising new approach to censorship circumvention, uses routers (rather than end hosts) as proxy servers. Users of censorious networks, who wish to use DR, send specially crafted packets, nominally addressed to an uncensored website. Once safely out of the censorious network, the packets encounter a special router (the Decoy Router) which identifies them using a secret handshake, decrypts their content, and proxies them to their true destination (a censored site). However, DR has implementation problems: it is unfeasible to reprogram routers for the complex operations required. Existing DR solutions fall back on using commodity servers as a Decoy Router, but as servers are not efficient at routing, most web applications show poor performance when accessed over DR. A further concern is that the DR has to inspect all flows in order to identify the ones that need DR; this may itself be a breach of privacy for other users (who neither wish Decoy Routing, and nor want to be monitored).
In this work, we present a novel DR system, SiegeBreaker, which solves the above problems using an SDN-based architecture. Unlike previous proposals, where a single unit performs all major operations (inspecting all flows, identifying the Decoy Routing requests, and proxying them), SiegeBreaker distributes the tasks for Decoy Routing among three independent modules. (1) The SDN controller identifies the Decoy Routing requests via a covert, privacy preserving scheme. (2) The reconfigurable SDN switch intercepts packets, and forwards them to a secret proxy. (3) The secret proxy server proxies the client’s traffic to the censored site. Our modular, lightweight design shows performance comparable to direct TCP operations (even at line rates of 1 Gbps), both in emulation setups, and Internet based tests involving commercial SDN switches.