Wong Meraki Inc Vitaly Shmatikov The University of Texas at Austin Abstract Decoy routing is a recently proposed approach for censorship circumvention It relies on cooperating ISPs in the middle of the Internet to deploy the so called decoy routers ID: 74502
Download Pdf The PPT/PDF document "No Direction Home The True Cost of Routi..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
NoDirectionHome:TheTrueCostofRoutingAroundDecoysAmirHoumansadrTheUniversityofTexasatAustinEdmundL.WongMeraki,Inc.VitalyShmatikovTheUniversityofTexasatAustinAbstractDecoyroutingisarecentlyproposedapproachforcensorshipcircumvention.ItreliesoncooperatingISPsinthemiddleoftheInternettodeploythesocalleddecoyroutersthatproxynetworktrafcfromusersinthecensorshipregion.Arecentstudy,publishedinanaward-winningCCS2012paper[ 24 ],suggestedthatcensorsinhighlyconnectedcountrieslikeChinacaneasilydefeatdecoyroutingbyselectingInternetroutesthatdonotpassthroughthedecoys.Thisattackisknownasroutingarounddecoys(RAD).Inthispaper,weperformanin-depthanalysisofthetruecostsoftheRADattack,basedonactualInternetdata.OuranalysistakesintoaccountnotjusttheInternettopology,butalsobusinessrelationshipsbetweenISPs,monetaryandperformancecostsofdifferentroutes,etc.WedemonstratethatevenforthemostvulnerabledecoyplacementassumedintheRADstudy,theattackislikelytoimposetremendouscostsonthecensoringISPs.Theywillbeforcedtoswitchtomuchmorecostlyroutesandsufferfromdegradationinthequalityofservice.Wethendemonstratethatamorestrategicplacementofdecoyswillfurtherincreasethecensors'costsandrendertheRADattackineffective.WealsoshowthattheattackisevenlessfeasibleforcensorsincountriesthatarenotasconnectedasChinasincetheyhavemanyfewerroutestochoosefrom.TherstlessonofourstudyisthatdefeatingdecoyroutingbysimplyselectingalternativeInternetroutesislikelytobeprohibitivelyexpensiveforthecensors.Thesecond,evenmoreimportantlessonisthatane-grained,data-drivenapproachisnecessaryforunderstandingthetruecostsofvariousrouteselec-tionmechanisms.AnalysesbasedsolelyonthegraphtopologyoftheInternetmayleadtomistakenconclusionsaboutthefeasibilityofdecoyroutingandothercensorshipcircumventiontechniquesbasedoninterdomainrouting.I.INTRODUCTIONWithrecentadvancesincensorshiptechnologies,evadingcensorshipisbecomingmorechallenging.Newcircumventionsystemsaimtomaketheirtrafcunobservableinorderto(1)protecttheirusers,and(2)preventtheirservicesfrombeing ResearchdescribedinthispaperwasperformedatTheUniversityofTexasatAustinblockedbycensors.Decoyroutingisanewapproachtoun-observablecensorshipcircumvention,proposedindependentlyinsystemscalledDR[ 17 ],Telex[ 26 ],andCirripede[ 15 ].Incontrasttotraditionalcircumventiontoolsinwhichcircumven-tionproxiesrunonend-hostservers,decoyroutingplacestheseproxiescalleddecoyroutersattheroutersofvolunteerISPs(intherestofthispaper,wewillusethetermsISPandautonomoussysteminterchangeably).Touseadecoyroutingsystem,aclientconnectstoanon-blockeddestinationviaaroutecontainingadecoyrouter;thedecoyrouteractsasaman-in-the-middlefortheconnectionandproxiesthetrafctotheblockeddestinationsrequestedbytheclient.Schuchardetal.[ 24 ]proposedtheroutingaroundde-coysattackagainstdecoyrouting.Intherestofthispaper,wewillusethetermsRADattackandRADpapertorefer,respectively,tothisattackandthepaperinwhichitwaspublished.ThebasisoftheRADattackistheobservationthatISPsinthecensorshipregionarelikelytohavemultiplepathstoanygivendestination.Therefore,censorscaninstructtheISPsundertheirinuencetoexclusivelyselectroutesthatdonotpassthroughtheISPsknowntodeploydecoyrouters.TheRADattackisconsideredsuccessfulonlyifitmanagestoavoidthedecoyswhile(mostly)maintainingtheconnectiv-ityofthecensoringISPstotherestoftheInternet.Schuchardetal.analyzetheInternettopologyandshowthatassumingthatthedecoyroutersareplacedinasmallnumberofrandomlyselectedautonomoussystemstheRADattackwillmaintainthecensors'connectivity.Ourcontributions.Inthispaper,wetakeacloserlookatthetruecostsoftheRADattack.WestartbyestimatingthequalityofthealternativeroutesselectedbytheRADadversary,asopposedtotheirmereexistence.Inthisanalysis,wemakethesamerandomplacementassumptionastheRADpaper,eventhoughitisheavilybiasedinfavoroftheRADadversary(arandomautonomoussystemisunlikelytotransitothers'trafc,thusplacingdecoyroutersinitserveslittlepurpose).TheshortsummaryofourndingsisthattheRADattackislikelytoimposehugemonetaryandperformancecostsonthecensoringISPs.TheRADpaperobservesthatifdecoyroutersareplacedat2%ofallautonomoussystems,ChinabyfartheeasiestcasefortheRADattackduetoitshighconnectivitywouldgetdisconnectedonlyfrom4%oftheInternet[ 24 ,Fig.2a].Whiletrue,thisisnotthewholestory.Oursimulationsshowthat:Onaverage,theestimatedlatencyofChina'sInternetrouteswillincreasebyafactorof8.Permissiontofreelyreproduceallorpartofthispaperfornoncommercialpurposesisgrantedprovidedthatcopiesbearthisnoticeandthefullcitationontherstpage.ReproductionforcommercialpurposesisstrictlyprohibitedwithoutthepriorwrittenconsentoftheInternetSociety,therst-namedauthor(forreproductionofanentirepaperonly),andtheauthor'semployerifthepaperwaspreparedwithinthescopeofemployment.NDSS'14,23-26February2014,SanDiego,CA,USACopyright2014InternetSociety,ISBN1-891562-35-5http://dx.doi.org/doi-info-to-be-provided-later 44ofChina'scustomerautonomoussystemswillhavetobecometransitautonomoussystems,requiringvastre-organizationandinvestmentintheirnetworkinfras-tructure.Bycomparison,Chinatodayhasonly30transitautonomoussystems.TherewillbedramaticchangesinloadsonChina'stransitautonomoussystems.Forexample,transitloadswillin-creasebyafactorof2800foroneautonomoussystem,whiledecreasingby32%foranother.39%ofChina'sInternetrouteswillbecomelonger;12%willbecomemoreexpensive.Amorestrategicplacementofdecoyroutersfurtheram-pliesthecensors'costs,evenintermsofbasicInternetcon-nectivity.Ifdecoyroutersareplacedin2%ofallautonomoussystems,butthesystemsarechosenstrategicallyratherthanrandomly,Chinawillbedisconnectedfrom30%ofallInternetdestinations,not4%ascalculatedintheRADpaper.WealsoanalyzethefeasibilityoftheRADattackforotherstate-levelcensors.Asintuitivelyexpected,thecostsoftheRADattackdependonthecensoringcountry'snetworkinfras-tructure.CountrieswithlessconnectivityintheglobalInternetgraphincurhighercosts.Forinstance,aRADattackagainstdecoyroutersstrategicallyplacedin1%ofallautonomoussystemswilldisconnectChinafrom18%ofallInternetdes-tinations,whereasVenezuelaandSyriawillbedisconnectedfrom54%and87%ofalldestinations,respectively.Inadditiontoshowingthatroutingarounddecoysislikelytobeverycostly,ourstudyprovidesseverallessonsandrecommendations.Animportantmethodologicallessonisthat,whenanalyzingthefeasibilityandcostsofattacksanddefensesbasedonInternetrouting,itisnotenoughtosimplylookatthetopologyoftheInternetgraph.Theedgesinthisgrapharenotallequal,theyhavevastlydifferentcostsandperformancecharacteristics.Relationshipsbetweenautonomoussystems,suchascustomer-provider,peer,etc.,matteralot.Therefore,anyanalysisofdecoyroutingandalternativesmustbebasedonallavailablene-graineddataaboutindividualnodesandedgesintheInternetgraph.Organization.InSection II ,weprovidebackgroundinforma-tionontheInternetASes,decoyrouting,andtheRADattack.InSection III ,wedescribehowtheRADattackworks.InSection IV ,weexplainthecoststhatmustbeincurredbycensorstocarryoutaRADattack.InSection V ,wesuggeststrategicdecoyplacements.InSection VI ,wedescribeourdatasourcesandthesimulationsetup.InSection VII ,weestimatethecostsoftheRADattack.WeconcludewithlessonsandrecommendationsinSection VIII .II.BACKGROUNDA.InternettopologyTheInternetisagloballydistributednetworkcomposedofmorethan44;000[ 3 ]autonomoussystems.Anautonomoussystem(AS)isaconnectedgroupofoneormoreIPprexesrunbyoneormorenetworkoperatorswhichhasasingleandclearlydenedroutingpolicy[ 14 ].WhilethedetailsofbusinessagreementsbetweenASescanbecomplex,thewidelyacceptedGaomodel[ 11 ]ab- ! " # $ % & !"#$%&'()*++(%,-.'(/%0'123%4 565765765765765765 Fig.1:Asub-treeoftheInternettopologygraph. \r \n Fig.2:TheCDFofcustomerconesize(themaximumcus-tomerconesize,whichis22,664,isnotshown).stractsbusinessrelationshipsintothefollowingthreemaintypes[ 1 ]:Customer-to-provider(c2p):AnASAisacustomerofaconnectedneighborASB(theprovider)ifApaysBtotransitA'strafctoInternetdestinationsthatAcannotreachotherwise.Similarly,Bhasaprovider-to-customer(p2c)relationshipwithA.Peer-to-peer(p2p):TwoASesarepeersiftheyexchangeInternettrafcbetweeneachotherandeachother'scus-tomersfreeofcharge,duetoamutualbusinessagreement.Sibling-to-sibling(s2s):TwoASesaresiblingsiftheybelongtothesameorganization.SiblingASesdonotchargeeachotherforthetransittrafc.Figure 1 illustratestheserelationships.AnAS'scustomerconeincludestheASitselfplusallASesthatcanbereachedfromthatASthroughprovider-to-customerlinks. 1 Inotherwords,A'scustomerconeincludesA,A'scustomers,A'scustomers'customers,andsoon.Figure 2 showstheCDFofcustomerconesizeforall44,064InternetASes.AnedgeASisanASwhosecustomerconehassize1,i.e.,ithasnocustomers.AtransitASisanASwhosecustomerconeisgreaterthan1,i.e.,ittransitsotherASes'trafctotherestoftheInternet.InternetroutesarebasedonpathsbetweenASes(inter- 1 http://as-rank.caida.org/?mode0=as-intro#customer-cone 2 domainroutes)whichareestablishedviaBGP,theBorderGatewayProtocol[ 22 ].ApathisasequenceofneighborASesthatconnectthesourceAStothedestinationASintheInternettopologygraph.Apathisvalidif,foreverytransitASonthepath,thereexistsacustomer[ 1 ]whoisitsimmediateneighbor.ApathisinvalidifatleastonetransitASisnotpaidbyaneighborinthepath[ 1 , 10 ].Validpathsarealsoreferredtoasvalley-free(VF).Correspondingly,werefertoinvalidpathsasnon-valley-free(NVF).Figure 3 showsexamplesofvalidandinvalidpaths.Valley-freenessisnotarequirementoftheBGPprotocol,i.e.,BGProutersaretechnicallyabletoadvertiseNVFpaths.However,asdescribedabove,aNVFpathwillimposeunde-siredmonetarycostsonsometransitISPbecauseitwillnotearnmoney(ormayevenhavetopaymoney)fortransitingthetrafcofanotherISP.Therefore,ISPswidelyrefrainfromadvertisingNVFpaths.B.DecoyroutingDecoyroutingisanewarchitectureforcensorshipcir-cumventionwhichwasproposedinthreeindependentworks:DR[ 17 ],Telex[ 26 ],andCirripede[ 15 ].Incontrasttotra-ditionalcircumventiontechniques[ 2 , 5 , 7 , 8 , 9 , 16 , 20 , 25 ]thatoperateoncomputerserverslocatedoutsidecensorshipregions,decoyroutingsystemsaredeployedonanumberofroutersinthemiddleoftheInternet,calleddecoyrouters,byASesthatwerefertoasdecoyASes.Insteadofmakingdirectconnectionstothecircumventionendpoints,e.g.,proxies,adecoyroutingclientmakesaTLS[ 6 ]connectiontoarbitrary,non-blockedInternetdestinations,knownasovertdestinations.Theclientselectsovertdestinationssothattheroutestothesedestinationspassthroughdecoyroutersandstegano-graphicallysignalsthedecoyroutertotreattheseconnectionsascircumventionconnections.Thedecoyrouterinterceptstheclient'strafcandproxiestheconnectiontothecovertdestinationrequestedbytheclient.Toacensorobservingtheclient'strafc,theclientappearstobecommunicatingwithanon-blocked,overtdestination,whiletheclientisactuallycommunicatingwithaforbidden,covertdestination.InDR[ 17 ]andTelex[ 26 ],thedecoyrouteritselfproxiescovertconnections,whereasinCirripede[ 15 ]decoyroutersdeectthetrafctoexternalproxies.Also,whileTelexandCirripederequireclientstoprobeforovertdestinationsthathappentohavedecoyroutersonroutesleadingtothem,DRassumesthatclientsobtainthesecretlocationsofdecoyroutersthroughout-of-bandchannels.Theproposeddecoyroutingdesignsalsousedifferentsignalingtechniques:Cirri-pedeusestheinitialsequencenumberoftheTLSconnection,whereasTelexusestheTLSnonce.Furtherdetailsonthedesignofdecoyroutingsystemscanbefoundintheoriginalpapers[ 15 , 17 , 26 ].HowtoselectASesfordecoyplacementhasbeenstudiedinthreepapers.Houmansadretal.[ 15 ]andCesareoetal.[ 4 ]analyzedtheplacementofdecoyroutersinanon-adversarialsetting,whileSchuchardetal.[ 24 ]analyzedtheplacementofdecoyroutersinthepresenceofacensorcapableofchangingroutingdecisionsseeSection II-C .C.Routingarounddecoys(RAD)Schuchardetal.[ 24 ]introducedtheroutingarounddecoys(RAD)attackagainstdecoyroutingsystems.TheRADattackisconductedbyarouting-capableadversary,i.e.,acensoringregimewhocanmodifythestandardroutingdecisionsoftheISPsunderitsinuenceinordertoensurethattheirInternettrafcdoesnotpassthroughanydecoyASes.TheASescontrolledbyaRADadversarydiscardallBGPpathsthatcontainevenonedecoyASandchoosealternative,decoy-freepaths.InordertolaunchtheRADattack,theRADadversaryneedstoknowwhichASesdeploydecoyrouters.Thiscanbedone,forexample,viaprobingschemesproposedintheRADpaper.ThemainintuitionbehindtheRADattackisasfollows.Foranygivensourceanddestination,theInternettopologyislikelytoprovidemultipleinterdomainpaths.Consequently,aRADadversarycancompelitsASestoavoidpathsthatcontaindecoyASeswithoutsacricingmuchofitsInternetconnectivity.IfcensorshipresultsinasignicantlossordegradationofInternetconnectivityinthecensorshipregion,itcausessignicantcollateraldamageandislesslikelytobeinthecensors'interest.Therefore,theRADattackisconsideredsuccessfulonlyiftheRADadversarycanavoidalldecoyASeswhilemaintainingitsconnectivitywithmostoftheInternet.ToimprovetheRADadversary'sconnectivity,theRADpaperassumesthattheASesundertheadversary'scontrolshareinterdomainpathswitheachotherregardlessoftheirbusinessrelations.Inotherwords,anAScontrolledbyaRADadversarycanusethepathsknowntoanyotherAScontrolledbythesameRADadversary.TheRADpaperconsidersseveralcensoringregimesaspossibleRADadversaries,includingChina,Iran,andSyria.AstheRADpapersuggests,ChinaisthemostpowerfulRADadversaryduetoitssignicantconnectivity.III.INTERDOMAINROUTINGINRADTheBGP[ 22 ]protocolisthedefactostandardusedbyASestoconstructinterdomainpaths.TheRADattackforcesASesundertheRADadversary'scontroltochangehowtheymakeBGProutingdecisions.WerefertotheresultingprotocolasRBGP. 2 A.BGProutingABGProutermaintainsadatabasewiththepathstodifferentInternetdestinationsandadvertisessomeofthesepathstotheroutersoftheneighborASes,asdeterminedbytheASes'businessrelationships(seeSection II-A ).Forinstance,aBGProuterofatransitASadvertisesallknownpathstoitscustomers'routersinordertoearnmoneybytransitingtheirtrafc.Ontheotherhand,aBGProutershouldnotadvertiseitspathstotheproviderASes,otherwisetheASthatownstherouterwouldenduppayingitsprovidersfortransitingtheirtrafc(suchpathsareNVF,asexplainedinSection II-A ).ABGProuterislikelytoknowmultiplepathstoagivenInternetdestination(identiedbyitsIPaddressprex).BGP 2ThenameshouldnotbeconfusedwiththeR-BGPprotocolofKushmanetal.[ 18 ].3 ! " # $ % & ' ! " # $ % & ' (a)Validpaths(VF) ! " # $ % & ' ! " # $ % & ' (b)Invalidpaths(NVF)Fig.3:SampleASpaths.routersusealistofdecisionfactors,showninTable I ,toidentifythebestpath.Thesefactorsareappliedinorder,witheachfactorlteringoutthesetofpathsleftbythepreviouslyappliedfactor.Forexample,theB2factorisappliedonlytothepathsthatareconsideredbestaccordingtotheB1factor.Therouterappliesthefactorsuntilonlyonepathremains,i.e.,thebestpath.Forinstance,supposethatforacertaindestinationaBGProuterknowsfourpaths,twoofwhichpassthroughitsproviderneighborsandtheothertwopassthroughitspeerneighbors(weexplainthedifferencebetweenprovidersandpeersinSection II-A ).Inthiscase,theB3factorltersoutthetwopathsthatroutethroughproviders,andtheB4factorisappliedonlytothetwopathsthatroutethroughpeers.WeonlyfocusontwoofthedecisionfactorsfromTable I sincetheyarehighlyinuencedbytheRADattack.ThedescriptionoftheotherfactorscanbefoundintheBGPspecication[ 22 ].B3Businesspreference(highestLocal-Pref)Thisfactorselectsrouteswiththebestbenetfortherouter'sAS.Thisbenetisusuallymonetary.Typically,B3preferspathsthatroutethroughacustomer,thenthosethatroutethroughapeer,andnallythosethatroutethroughaprovider.ThisisduetotheASbusinessrelationshipsdescribedinSection II-A ,e.g.,routingthroughapeerisfreewhileroutingthroughaprovidercostsmoney.B4ShortestASpathThefourthdecisionfactoristhepathlength,i.e.,thenumberofASesinthepathfromthesourceAStothedestinationprex.Pathlengthaffectsthequalityofserviceoftheconnection,henceitcomesimmediatelyafterthebusinesspreferencefactor.ApathcomposedofmoreASesissusceptibletohighernetworklatencies,lowerthroughputs,andmorefrequentnetworkfailures.B.RBGProutingTheRADattackchangeshowBGProuterschooseASpaths.BGProuterscontrolledbyaRADadversaryuseamodiedlistofdecisionfactorstoselectthebestpathtoagivendestination;wecallsuchroutersRBGProuters.AnRBGProuterhastwoobjectivesthatdistinguishitfromastandardBGProuter.Avoidingdecoyrouters:BecausethemainintentionofaRADadversaryistoavoidpathsthatcontaindecoyrouters,anRBGProutersimplydiscardsallpathsthatpassthroughatleastonedecoyAS.Trafcre-routing:IfaRADASdoesnothaveadecoy-freepathtoagivendestination,theRADpapersuggeststhatitcanusedecoy-freepathsknowntootherRADASes,regardlessofthebusinessrelationbetweentheseASes.Inotherwords,aRADASwhoknowsadecoy-freepathtoagivendestinationtransitsthetrafcofotherRADASestothatdestinationevenifthiscontradictsthestandardBGPdecisionfactors.Forinstance,ifaChineseASdoesnothaveadecoy-freepathtoacertaindestination,itcanre-routetrafctothatdestinationthroughoneoftheother198ASesinChina,e.g.,acustomerASoranASwithwhichithasnobusinessrelationship.ThisisakeyfactorinthesuccessoftheRADattack,becauseitincreasesthenumberofalternativepathsavailabletotheRADASes.Theresultingroutesmaybeinvalid(NVF)routes,asdenedinSection II-A .WhiletheRADpaperdoesnotdescribeindetailhowre-routingisperformed,itsuggeststheuseofnetworkengineeringtoolssuchasMPLSVPNtunnels[ 23 ,Section3.1]acrossallASescontrolledbytheRADadversary.Intherestofthispaper,wewillarguethat,regardlessofthenetworkingtechniqueusedtoimplementre-routing,itwillbeextremelycostlytotheASesinvolved.Toachievethetwoobjectivesdescribedabove,anRBGProuterusesadifferentlistofdecisionfactors(comparedtoBGP)forndingthebestpathtoagivenInternetdestination.ThislistisshowninTable II .Itaddstwonewdecisionfactors:R1(IgnoreiftherouteincludesdecoyASes)andR2(PreferVFroutesoverNVFroutes).ThelatterfactorisnecessarybecauseNVFroutesaremuchmorecostlythanVFroutes.IV.THECOSTSOFRADROUTINGThenon-standarddecisionfactorsusedbyRBGPimposeadditionalcostsontheASescontrolledbytheRADadversary.Thesecostsfallintoseveralcategories:(1)collateraldamage(e.g.,socialunrest)causedbythefactthatsignicantpartsoftheInternetbecomeunreachable;(2)collateraldamageduetothesignicantlyloweredqualityofserviceforthecustomersoftheRAD-controlledASes;3)monetarycostsforbuyinganddeployingnewnetworkingequipment;and4)monetarycostsduetoswitchingtomoreexpensiveInternetroutes.Intuitively,allofthesecostsstemfromonemainreason.ThestandardlistofdecisionfactorsusedbyconventionalBGProutersaimstominimizeASes'routingcostsandtomaximizethequalityofservicefortheirnetworktrafc.Therefore,anychangetothesedecisionfactorsislikelytoincreasetheircosts,decreasequalityofservice,orboth.Inthefollowing,wedescribethenegativeimpactsofRADrouting,arrangedbytype.1.DegradedInternetreachability(Reachability)Avoidingpathsthatcontaindecoyroutersmaydisconnect4 TABLEI:BGP'sdecisionfactorsforchoosingthebestpath(inorder). B1IgnoreifnexthopunreachableB2PreferlocallyoriginatednetworksB3Businesspreference(highestLocal-Pref)B4ShortestASpathB5PreferlowestOriginB6PreferlowestMEDB7PrefereBGPoveriBGPB8PrefernearestnexthopB9PreferlowestRouter-IDorOriginator-IDB10PrefershortestCluster-ID-ListB11Preferlowestneighboraddress TABLEII:RBGP'sdecisionfactorsforchoosingthebestpath(inorder). R1IgnoreiftherouteincludesdecoyASesR2PreferVFroutesoverNVFroutesR3IgnoreifnexthopunreachableR4PreferlocallyoriginatednetworksR5Businesspreference(highestLocal-Pref)R6ShortestASpathR7PreferlowestOriginR8PreferlowestMEDR9PrefereBGPoveriBGPR10PrefernearestnexthopR11PreferlowestRouter-IDorOriginator-IDR12PrefershortestCluster-ID-ListR13Preferlowestneighboraddress RAD-controlledASesfromanInternetdestinationunlesstheRADadversarycanndadecoy-freepathtothatdestination.Bydenition,alargenumberofdisconnecteddestinationsmeansthattheattackhasfailed(seeSection II-C ).2.Less-preferredpaths(Business)AsexplainedinSection III-A ,oneoftherstdecisionfactorsthatstandardBGProutersconsideristhebusinessrelationshipbetweentherouter'sASandtherstASofacandidateinterdomainpath(thedecisionfactorB3).InRBGP,however,twootherdecisionfactors,R1andR2,havehigherpriority.Asaresult,itislikelythatforsomedestinationtheRBGProuterselectsapathwithalowerbusinesspreferencecomparedtowhatastandardBGProuterwouldhaveselected.Forexample,supposethatarouterchoosesbetweentwopathstosomedestination:pathAgoesthroughaproviderandcontainsnodecoyASes,whilepathBgoesthroughapeerandcontainsadecoyAS.AstandardBGProuterwouldhaveselectedpathBbecauseitischeaper,butanRBGProuterwillselectthemoreexpensivepath,A.3.Longerpaths(Length)AsexplainedinSection III-A ,oneofthetopstandarddecisionfactorsofBGPisthelengthoftheavailablepaths(factorB4).Basedonthisfactor,astandardBGProuterprefersthepaththatcontainsthefewesttransitASes.Thishelpsmaximizequalityofserviceforroutedtrafcbecauselongerpathsmayhavehigherlatencyandaremoresusceptibletonetworkfailures.ForRBGProuters,B4islowerinthepreferenceorder,whichmaycausethemtoselectlongerpathsthanBGProuters.4.Higherpathlatencies(Latency)Longerroutesarenottheonlycauseofhigherlatencies.ThealternativepathsselectedbyRBGParelikelytopassthroughlesspopulartransitASesthatofferlowercapacity,causingpacketstoexperiencehigherlatencies.ThisisconrmedbyoursimulationsinSection VII ,whichshowthat,evenwhenanRBGPpathhasthesamelengthasthecorrespondingBGPpath,itusuallyhashigherlatency.5.Non-valley-freeroutes(Valley)Asexplainedabove,RBGProutersmaybeforcedtoselectednon-valley-free(NVF)pathsinordertoavoiddecoyASes.Suchpathsareextremelyexpensive,whichiswhytheyareshunnedbynormalBGProuters.SupposethatforagivenInternetdestination,aRADASAhasnodecoy-freeBGPpathandmustusethepathknowntoanotherRADASB.Inthisexample,eitherAhastopayBfortransitingA'strafc(AwouldnothavehadtopayBifAhadusedstandardBGP),orelseBhastopaytheexpensesfortransitingA'strafc(e.g.,toB'sprovider).Additionally,thesourceASAmayhavetopayitsownproviderinordertotransittrafctoB.ThemonetarycostsofValleyarelikelytobemuchworsethanBusinesscosts.6.NewtransitASes(NewTransit)TheRADattackreliesonthefactthattheASesundertheadversary'scontroltransittrafcforeachother(seeSection II-C ).However,onlyasmallfractionofASesunderthecontrolofatypicalRADadversaryaretransitASesandthushavetherequisitenetworkequipmentandresources.Forinstance,Chinahas199ASes,butonly30ofthemaretransitASes.FortheRADattacktobesuccessful,theRADadversaryneedstotransformmanyoftheedgeASesintotransitASes.ChangingatypicaledgeAStoatransitASisextremelycostlysinceitrequiresthepurchaseandinstallationofsophisticatednetworkingequipment.7.Massivechangesintransitload(TransitLoad)TransitASesearnmoneybytransitingotherASes'trafc.Ontheotherhand,transitingthistrafcimposessignicantxedandvariablecosts,includingequipment,networkmanagement,etc.OursimulationsinSection VII showsthattheRADattacksignicantlychangesthetransitloadofthetransitASesundertheRADadversary'scontrol.DuetotheroutingchangescausedbytheRADattack,sometransitASeslosealargefractionoftheirtransittrafc(andthuslosemoney),whileothertransitASesmusthandletremendousincreasesintheirtransitload.5 V.PLACINGDECOYROUTERSForadecoyroutingsystemtobecomeoperational,itmustbedeployedbyseveralautonomoussystems(decoyASes)whoareeconomicallyorpoliticallymotivatedtoassistincensorshipcircumvention.ThenumberofthedecoyASesaswellastheirlocationintheInternetareimportantfactorsdeterminingwhetheradecoyroutingsystemcanwithstandtheRADattack.TheoriginalRADpapersimulatedtheRADattackfortwospecicplacementsofdecoyASes:top-tierandrandom.Theformerplacementassumesthatthedecoysaredeployedintop-tierInternetASes,whilethelatterassumesthattheASesfordecoydeploymentarechosenrandomlyfromthesetofall44,000ASes.AnalysisintheRADpapersuggeststhattheRADattackfailsagainstthetop-tierplacementbecauseitresultsindisconnectingtheRADadversaryfromlargepartsoftheInternet.TheRADpaperobserves,however,thattop-tierplacementisexpensiveandmaynotbepracticallyfeasible.Fortherandomplacement,theRADpapershowsthatifdecoysaredeployedinasmall,randomfractionofallASes,theRADadversaryisdisconnectedonlyfromasmallpartoftheInternetmainlyfromthedecoyASesthemselvesthustheRADattackisconsideredsuccessful.Webelievethattherandomdecoyplacementanalyzedin[ 24 ]isbiasedinfavoroftheRADadversaryanddoesnotreecthowtheRADattackwouldfareagainstarealisticdecoydeploymentstrategy.BasedontheASrankingstatistics,availablefromCAIDA, 3 weobservethat86.2%ofallASesareedgeASes,i.e.,thesizeoftheircustomerconeis1(seeSection II-A ).Therefore,therandomdecoyplacementconsideredin[ 24 ]islikelytoplacedecoysprimarilyintoedgeASes.Obviously,evadinganedgeASdisconnectstheRADadversaryonlyfromthatASbecauseitisnotonthepathtoanyotherAS.Wearguethat,inanyrealisticdeployment,decoyroutersshouldbeplacedintransitASes,notedgeASes,evenintheabsenceofaRADadversary.ThelargerthecustomerconeofanAS,thebetteritservesasadecoyAS,fortworeasons:(1)anASwithalargercustomerconeisonthepathtomoreASes,thustheRADattackislikelytodisconnecttheadversaryfromthesedownstreamASes,too,and(2)evenintheabsenceofaRADadversary,placingdecoysonASeswithlargercustomerconesprovidesbetterunobservabilityfordecoyroutingclientsandgivesthemmoreoptionsforchoosingtheirovertdestinations.Forexample,supposethatadecoyroutingsystemisinstalledonlyinasingleedgeAS.Inthiscase,itsclients'optionsforovertdestinationsarelimitedtothedestinationsbelongingtothatsingleAS.Therefore,auserwhofrequentlyvisitsdestinationswithinthedecoyASmayraisethecensor'ssuspicionthattheuserisengagingindecoyrouting.Ontheotherhand,ifdecoysareinstalledinatransitASwithacustomerconeof5,thenadecoyroutingclientcanchooseovertdestinationsfrom5ASes,resultinginbetterconnectivityandbetterunobservability.Basedontheseobservations,weproposethefollowingstrategicdecoyplacementstrategies,whicharemuchmore 3 http://as-rank.caida.org/ likelytodefeattheRADattackthantherandomplacementconsideredin[ 24 ].Sortedplacement(sorted):Inthisapproach,decoyASesarechosenfromamongtheASesthattransitmoretrafcfortheRADadversary.Specically,wesortASesbasedonthenumberoftimestheyappearontheBGProutesoftheRADadversary'sASes.WethenchoosedecoyASesfromthetopofthissortedlist.WeexcludeallASescontrolledbytheRADadversary,i.e.,ChineseASesifChinaistheadversary.Weproposetwotypesofsortedplacements.Inthesorted-with-ringplacement,decoyASesarechosenfromthesetofallASesnotdirectlycontrolledbytheRADadversary(i.e.,non-ChineseASesinthecaseofChina).Inthesorted-no-ringplacement,weadditionallyexcludeallASesthathaveadirectbusinessrelationshipwiththeRADadversary,sincetheyarelesslikelytodeploydecoyrouters.WeusethetermringASesfortheASesthatarenotcontrolledbytheadversary,buthaveabusinessrelationship.Fromourdatasources(seeSection VI ),weidentied551,69,and5ringASesforChina,Venezuela,andSyria,respectively.Strategicrandomplacement(random):InsteadofselectingrandomASesfromthesetofallASes,assuggestedin[ 24 ],ourrandomplacementstrategyselectsASesfromthesetofallASeswithagivencustomerconesize.Inarandom-Cplacementstrategy,decoyASesarechosenrandomlyfromthesetofallASeswithacustomerconesizelargerthanorequaltoC.Ourrandom-1strategyisthustheexactrandomstrategysuggestedin[ 24 ](since1istheminimumvalueforthecustomerconesize).Similartothesortedplacement,wefurthersubdividerandom-Cplacementintotwotypes:random-with-ring-Candrandom-no-ring-C.Bothexcludeadversary-controlledASes,andthelatteradditionallyexcludesallringASesthathaveadirectbusinessrelationshipwithanadversary-controlledAS.VI.SIMULATIONSETUPANDDATASOURCESWeusesimulationtoestimatethevariouscostsimposedbyRBGProutingontheRADadversary,describedinSection IV .OursimulatorusesCBGP[ 21 ],apopularBGPsimulator,asitsengine,andaPythoninterfacetointeractwithCBGPandqueryforBGProutesbetweenASes.TherestofthesimulationsareperformedinPython.WeuseseveralsourcesofInternetmeasurementsinoursimulations:Geolocation:WeusetheGeoLiteCountrydatasetfromGeoLite'sgeolocationdatabase 4 tomapIPaddressestocountries.ASrelations:WeuseCAIDA'sinferredASrelationshipdataset, 5 whichisbasedon[ 11 ],tomodeltherelationshipsbetweenASes.ASranking:WeuseCAIDA'sASrankdataset 6 toinferthecustomerconesofindividualASes. 4 http://dev.maxmind.com/geoip/legacy/geolite 5 http://www.caida.org/data/active/as-relationships/ 6 http://as-rank.caida.org/ 6 TABLEIII:ComparingtheInternetconnectivityofstate-levelcensors. Country NumberofASescontrolled NumberofringASes China 199 551 Venezuela 44 69 Syria 3 5 Latency:WeuseiPlane's 7 [ 19 ]Inter-PoPlinksdatasettoestimateBGPandRBGPpathlatencies.Thisdatasetcontainsdailylatencymeasurementsbetweendifferentpoints-of-presence(PoP)ofASes.Networkorigin:WeuseiPlane'sOriginASmappingdatasettomapIPaddressprexestothecorrespondingASes.VII.SIMULATIONRESULTSThesuccessoftheRADattackdependsontheplacementofdecoysinASes.Therefore,weevaluatethecostsoftheattackfordifferentplacementstrategiesdescribedinSection V .Inallcases,weassumethattheRADadversaryknowstheidentitiesofallASesthatdeploythedecoys.Obviously,thisassumptionfavorstheadversary.ARADadversaryisacensorshipauthoritywhocontrolsalargenumberofASesandforcesthemtomodifytheirBGPdecisionsasdescribedinSection III-B .Intuitively,aRADadversary'sInternetconnectivityisproportionaltothenumberofASesitcontrolsandthenumberofitsringASes(seeSec-tion V ).Thelargerthesenumbers,themorealternativeroutesarelikelytobeavailabletotheRADadversaryforanygivenInternetdestination.Asmentionedbefore,theRADattackissuccessfulonlyifitdoesnotdisconnecttheadversary'sASesfrommanyASesintherestoftheInternet.ThissuggeststhatChinaisthemostpowerfulRADadver-sarybecauseitcontrolsalargenumberofASes(199)andisconnectedtomoreringASesthanotherstate-levelcensors(seeTable III ).WedemonstratethisbycomparingChina'ssuccessasaRADadversarywithothercensoringcountries,suchasVenezuela(44ASes)andSyria(3ASes).Figure 4 showsthepercentageofASesthatbecomeunreachableasaconsequenceoftheRADattack,assumingsorted-no-ringdecoyplacement.ThisshowsthatChinasignicantlyoutperformsSyriaandVenezuelainmaintainingitsconnectivitywiththerestoftheInternet.Fortherestofthesimulations,weonlyreporttheresultsforChina.Thesimulationswereperformedfortwodifferentscenarios:China-World:ChinaistheRADadversary;decoyASesarechosen,usingdifferentplacementstrategiesfromSection V ,fromall44,000ASesexcludingthe199ASeslocatedinChina(weadditionallyexcludethe551ringASesofChinainthecaseofno-ringplacements,asdescribedinSection V ).ThecostsoftheRADattackarethenestimatedforconnectionsfromChinatoallInternetdestinationsacrosstheworld,excludingtheChinesedestinations. 7 http://iplane.cs.washington.edu/data/data.html \n \n \n \n\n \n \r\n \n \n \n\n \n Fig.4:LossofconnectivityfordifferentRADadversariesassumingthesorted-no-ringdecoyplacementstrategy.China-US:ChinaistheRADadversary;decoyASesareselectedonlyfromthe13,299ASeslo-catedintheUnitedStates.Thisscenariorepresentsageographicallylimiteddeploymentofdecoyrouters.Inthiscase,thecostsoftheRADattackareonlyestimatedfortheInternetdestinationsinsidetheUS.Asabove,China'sringASesareexcludedintheno-ringdeployments.A.LossofconnectivityFigure 5 showsthepercentageofInternetASesthatbe-comeunreachablefromChinaunderdifferentplacementstrate-giesandfordifferentnumbersofdecoyASes.Asdescribedabove,fortheChina-USscenariobothdecoyASesanddestinationASesareonlyselectedfromtheUS-basedASes,whilefortheChina-Worldscenariotheyareselectedfromallnon-ChineseASes.Therandom-no-ring-1placementisexactlytheplace-mentstudiedintheRADpaper[ 24 ],whereitwascalledrandomplacement.FollowingtheRADpaper[ 24 ],oursimulationsconrmthatrandom-no-ring-1mainlydis-connectsChinafromthedecoyASesonly.ThishappensbecausethemajorityoftheInternetASeshavesmallcustomercones(seeFigure 2 )andrandomplacementislikelytochoosemanyoftheseASes.WhendecoyASesareselectedfromamongthenon-edgeASes,China'sconnectivitydropssignicantly.Forinstance,fortherandom-no-ring-5placement(i.e.,choosingtran-sitASeswithaminimumcustomerconeof5),placingdecoysinonly5%ofglobalASesdisconnectsChinafromaround43%ofallInternetASes,versus7%fortherandom-no-ring-1placement.Figure 5 furthershowsthatdeployingdecoysintheringASesofChinaampliesthecostsoftheChineseRADattack.AnotherobservationbasedonFigure 5 isthat,whileglobaldecoydeploymentismoreeffective,evenregionaldeploymentcausesChinatolosemuchofitsconnectivity.7 Figure 5 alsoestimatespopularity-weightedreachabilityaftertheRADattack(Figures 5c and 5f ).EachASisweightedbythenumberofIPaddressesthatbelongtoit,androutesareweightedaccordingtotheweightsoftheASesontheroute.Intherestofthesimulations,weonlyconsidertheno-ringplacements(i.e.,wedonotselectdecoyAsesfromamongtheringASes).B.Non-valley-freepathsThekeytechniquesuggestedbytheRADpaperistore-routetrafcbetweendifferentadversary-controlledASesinordertotakeadvantageofmorealternativeroutes(seeSection III-B ).AsdiscussedinSection IV ,routingthroughNVFpathsisextremelycostly.Figure 6 showsthepercentageofpathsthatbecomeNVF(thedenominatorincludesonlyreachabledestinations).Inallcases,alargefractionofdes-tinationsareonlyreachableviaNVFpaths.DeployingdecoysinASeswithlargercustomerconesampliesthiseffect.Table 7 showstheaveragenumberofChinesetransitASesthatmusttransitNVFtrafc.ThisestimateshowmanylinksoftheNVFpathsareinsidethevalley.C.Costlyvalley-freepathsWenowdemonstratethatevenvalley-free(VF)pathsselectedbytheChineseASesaspartoftheRADattackaremorecostlythanthepathsthatwouldhavebeenselectedintheabsenceoftheattack.Usingless-preferredpaths(Business):Figure 8 showsthepercentageofVFpathsthatbecomemoreexpensiveasaconsequenceofusingRBGP(thisistheBusinesscostdescribedinSection IV ).Thisratiovariesbetween6%and21%dependingontheplacementstrategy.Notethat,inthecaseofrandom-no-ring-1placement,thisratiodeclinesasthenumberofdecoyASesincreases.ThereasonisthatasthenumberofdecoyASesincreases,moredestinationsarereachableonlyvia(evencostlier)NVFpaths,asshowninFigure 6 .Longerpaths(Length):InSection IV ,wediscussedtheeffectsoflongerpathsonthequalityofservice.Figure 9 showsthepercentageofVFpathsthatbecomelongerwhenRBGPisusedinsteadofBGP.Thispercentagevariesbetween20%and43%dependingontheplacementstrategy.Theaverageincreaseinpathlengthvariesfrom1.12to1.40.Higherlatencies(Latency):WenowshowthatevenwhenRBGPselectspathsofthesamelengthasthecorrespondingBGPpaths,theRBGPpathsarelikelytohavesignicantlyhigherlatency.ThereasonforthisincreaseisthatRBGPpathsareforcedtouselesspopulartransitASeswhichhavelessnetworkcapacity(seeSection IV ).Toestimatelatency,weusethefollowingmetric.FortwoneighborASesAandB,wedeneeLatas:eLat(A;B)=1 nAnBnAX=1nXj=1Lat(A;Bj)whereArepresentstheithpoint-of-presence(PoP)oftheASAandnAisthenumberofA'sPoPs.Lat(X;Y)returnsthemeasuredlatencybetweentwoPoPsXandYfromiPlane'sInter-PoPlinksdataset(seeSection VI ).ForaBGP/RBGPpathcomposedofkASesfT1;:::;Tkg,wedeneeLattobethesumofeLatforallneighborASesinthepath:eLat(fT1;:::;Tkg)=k 1X=1eLat(T;T+1)TheraweLatmetricisacoarseestimatethatmaynotrepresenttheactuallatencyofagivenpath.Thatsaid,wecanusetherelativeincreaseineLatduetotheRADattack,i.e.,theratiobetweeneLatforanRBGPpathandeLatforthecorrespondingBGPpath,toestimatetheincreaseinactuallatency,withoutknowingtheexactvalueoftheformer.TheiPlanedatasetdoesnotcontainthelatenciesforeveryPoPpairandeveryAS.Therefore,weonlyestimatelatenciesforthepathswherethelatencyofeachindividuallinkisavailableinthedataset.Figure 10 showthattheRADattackcausesasignif-icantincreaseintheeLatmetric.Forinstance,fortherandom-no-ring-1placement(therandomplacementstrategyconsideredintheRADpaper,withdecoysplacedinonly1%ofASes),launchingtheRADattackmakestheroutesfromChinatoInternetdestinationsover4timesslower.Theimpactisevenworsewhendecoysareplacedmorestrategicallyand/orinmoreASes.TheuctuationsinthegraphsarecausedbythelimitationsoftheiPlanedataset,whichpreventusfromestimatinglatencyforsomeofthepaths(i.e.,someofthepathschosenbyChineseASestoavoidaparticulardecoyplacementdisappearfromthemeasurements).D.TheneedforinfrastructuralchangesLaunchingtheRADattackrequiresChinatomakedra-maticchangestoitsnetworkinfrastructure.EdgeASesactingastransitASes(NewTransit):TheRADattackfundamentallyassumesthatallChineseASesarecapableandwillingtotransittrafcforeachother(seeSection III-B ).However,asdiscussedearlier,themajorityoftheInternetASesareedgeASesanddonothavetherequisitenetworkequipmentandresourcestotransitotherASes'trafc.OursimulationsshowthattheRADattackrequiresmanyedgeASestobeconvertedintotransitASes,requiringhugere-organizationandinvestmentintheirnetworkinfrastructure.Chinacurrentlyhas199ASes,ofwhichonly30aretransitASes.Figure 11 showsthenumberofChineseedgeASesthatmustbecometransitASesinordertolaunchtheRADattack.Forexample,arandom-no-ring-1placementintheChina-Worldscenariowithdecoysin2%ofallASesrequires59edgeASestobeconvertedintotransitASes,almostdoublingthenumberoftransitASesinChina.ConvertingatypicaledgeASintoatransitASishighlynon-trivial.Besidesthemonetarycostsofpurchasingandde-ployingnewnetworkingequipment,theorganizationalpoliciesofedgeASespresentsignicantobstacles.Forexample,wouldauniversity-ownedISPbuiltforeducationalpurposesoranISPownedbyaprivate,internationalcompanybewillingorevencapable,ifforcedbythegovernmenttoactatransitAS?8 \n \r! # \n " " " " (a)China-World,with-ring \n \r! " \n (b)China-World,no-ring \n \r! # \n " (c)China-World,no-ring,weighted \n \r! # \n " " " " (d)China-US,with-ring \n \r! " \n (e)China-US,no-ring \n \r! # \n " (f)China-US,no-ring,weightedFig.5:ThepercentageofunreachabledestinationASes. \n\r (a)China-World,no-ring \n\r (b)China-US,no-ringFig.6:ThepercentageofpathsthatbecomeNVFduetotheRADattack.IncreasedloadonexistingtransitASes(TransitLoad):TransitASesaresignicantlyaffectedbychangesintheirtransitloads.OursimulationsshowthattheRADattackdramaticallychangestransitloadsonmanyChinesetransitASes.SinceweonlyconsiderthetrafcthatleavesChina,ourestimatesareconservative.TheinformationontrafcvolumesbetweenInternetASesisnotpublic.Tosimulatechangesintransitloads,weassumethattrafcvolumebetweentwoASesAS1andAS2ispropor-tionaltothenumberofIPaddressestheyrespectivelypossess:L(AS1;AS2)=IPs(AS1)IPs(AS2)9 Fig.7:Theaveragepathlengthinsidethevalley.(a)China-World,no-ring Placement/Percent 1 2 3 4 5 6 7 8 9 10 random-no-ring-1 1.84 1.99 2.01 1.81 1.88 1.89 1.88 1.81 1.96 2.00 random-no-ring-5 1.88 1.85 1.97 1.96 1.99 2.00 2.00 2.00 2.00 2.00 random-no-ring-10 1.98 1.95 1.99 1.99 1.99 2.00 2.00 2.00 2.00 2.00 sorted-no-ring 1.98 1.99 1.99 2.00 2.00 2.00 2.00 2.00 2.00 2.00 (b)China-US,no-ring Placement/Percent 1 2 3 4 5 6 7 8 9 10 random-no-ring-1 1.92 1.93 1.92 1.89 1.88 1.87 1.92 1.84 1.96 1.92 random-no-ring-5 2.17 1.94 1.98 1.90 1.97 1.97 1.98 1.97 1.97 1.97 random-no-ring-10 1.84 2.01 1.91 1.97 1.97 1.97 1.98 1.97 1.97 1.98 sorted-no-ring 1.99 1.98 1.99 1.97 1.97 1.97 1.97 1.97 1.97 1.97 \n \r ! \r (a)China-World,no-ring \n \r ! \r (b)China-US,no-ringFig.8:Thepercentageofless-preferredpathsduetotheRADattack.whereIPs(A)isthenumberofIPaddressesownedbytheASA.WeaddL(AS1;AS2)totheloadofeverytransitASonthepathfromAS1toAS2.Inotherwords,wemodelthetransitloadofatransitASasthesumoftrafcvolumesforallpathsthatcrossthisAS.ThismodelmaynotbeaccurateforsomeASessincethehighernumberofIPaddressesdoesnotnecessarilyimplyhighertrafcvolumes.However,itprovidesuswithasimpleestimateoftransitloadsintheabsenceofpublicdataonactualtrafcvolumes.Furthermore,theinaccuracyisaveragedacrossallpaths,thusoverestimatesandunderestimatescancelouttosomeextent.UsingthismodelforeachChinesetransitASA,wecomputethetransitloadincreasefactor,whichistheratioofA'stransitloadaftertheRADattackoverA'stransitloadbeforetheattack(weexcludetrafcthatdoesnotleaveChina).Table IV showsthemaximumvalueofthetransitloadincreasefactoroverall30transitASesinChina,fortheChina-WorldandChina-USscenarios.TheRADattacksignicantlyincreasesloadsonsometransitASesbecausetheyareforcedtotransitadditionaltrafc,e.g.,thatofNVFpaths.SomeoftheincreasesaresodrasticthatwebelieveitisextremelyunlikelythatexistingtransitASeswillbeabletohandlethem.Forexample,assumingarandom-no-ring-1placementwithdecoysdeployedon2%ofASesintheChina-Worldscenario,thereisaChinesetransitASthatmusttransitroughly122timesmoretrafcduetotheRADattack.Tables V and VI showthemediantransitloadincreasefactorforthemostaffected10%and20%oftransitASes,respectively.TheincreasefactorgrowsrapidlywiththenumberofdecoyASesandwithbetterdecoyplacementssincebothforceChineseASestoroutemoretrafcoverNVFpaths.TheRADattackalsocausessometransitASestolosetransittrafc,whichisthesourceoftheirrevenue.Table VII 10 \n \r (a)China-World,no-ring \n \r (b)China-US,no-ringFig.9:ThepercentageofVFpathswithincreasedlength. \n \n \n\n \n \n \n\n \r \n \n\r \n \n\n \r (a)China-World,no-ring \n \n \n\n \n \n \n\n \r \n \n\r \n \n\n \r (b)China-US,no-ringFig.10:TheaverageincreaseinestimatedlatencyduetotheRADattack.showstheminimumvaluesofthetransitloadincreasefactor.Fortherandom-no-ring-1placement,thereisatransitASthatloses30%ofitstransitload.Tables VIII and IX showthemedianandaveragechangesintransitload,respectively.TransitloaddoesnotincreasemonotonicallywiththenumberofdecoyASes.Ontheonehand,increasingthenumberofdecoyASesincreasesloadimbalanceandforcesmoretrafctoshifttobetter-connectedtransitASes.Ontheotherhand,increasingthenumberofdecoyASesmakesmoredestinationASesunreachable(seeFigure 5 )andthusreducesoveralltransittrafc.Furthermore,theresultsfortherandomsimulationsarereportedfordifferent,randomlyselecteddecoyplacements,whichmayhaveslightlydifferenteffectsonthedistributionoftransitloads.VIII.LESSONSANDRECOMMENDATIONS1.TheRADattackproposedbySchuchardetal.[ 24 ]isextremelycostlytothecensors,evenforthesimpledecoyplacementconsideredintheRADpaper.ThecostsincludecollateraldamageduetothelossofconnectivitytomanyInternetdestinationsandmuchlowerqualityofservicefortheremainingdestinations,monetarycostsofbuyingandde-ployingnewnetworkingequipmentneededtore-routemassiveamountsoftrafcandconvertedgeASesintotransitASes,andmonetarycostscausedbyswitchingtoless-preferredand,inparticular,non-valley-freepaths.Evenifthecensorsarewillingtopaythemonetarycosts,evidenceindicatesthatsocialcostsmaypreventthemfrom11 \n \r" \n ! (a)China-World,no-ring \n \r ! \n (b)China-US,no-ringFig.11:ThenumberofedgeASesthatmustbecometransitASes.TABLEIV:MaximumtransitloadincreasefactorforChinesetransitASesduetotheRADattack.(a)China-World,no-ring Placement/Percent 1 2 3 4 5 6 7 8 9 10 random-no-ring-1 122.06x 2807.90x 807.97x 3388.97x 773.61x 14149.49x 3180.45x 3617.08x 3584.44x 9677.14x random-no-ring-5 1718.21x 4588.29x 3402.40x 6418.70x 6338.64x 4688.07x 3972.97x 4173.69x 3128.00x 3030.92x random-no-ring-10 1272.79x 4097.07x 5857.81x 3737.32x 4211.12x 4441.51x 4694.09x 3906.02x 3128.00x 2015.18x sorted-no-ring 7744.57x 6507.31x 7895.25x 5814.86x 5850.94x 5864.12x 5125.12x 5117.52x 5075.41x 4920.45x (b)China-US,no-ring Placement/Percent 1 2 3 4 5 6 7 8 9 10 random-no-ring-1 294.73x 500.66x 1665.49x 1735.54x 1230.66x 1964.71x 2067.50x 2594.94x 2583.04x 3279.70x random-no-ring-5 108.58x 3174.01x 3144.05x 409.45x 521.34x 3217.32x 422.18x 401.43x 388.16x 357.01x random-no-ring-10 540.93x 472.35x 586.65x 596.57x 539.82x 3217.21x 432.20x 401.03x 379.72x 369.57x sorted-no-ring 2474.72x 2499.81x 2502.29x 5269.66x 5269.66x 5270.44x 2978.76x 2965.68x 405.79x 398.96x TABLEV:Mediantransitloadincreasefactorforthemostaffected10%ofChinesetransitASesduetotheRADattack.(a)China-World,no-ring Placement/Percent 1 2 3 4 5 6 7 8 9 10 random-no-ring-1 1.31x 2.26x 35.05x 394.80x 6.56x 106.29x 169.12x 105.93x 122.47x 47.60x random-no-ring-5 215.27x 432.47x 1353.81x 1056.09x 887.89x 922.83x 922.83x 768.59x 728.39x 699.50x random-no-ring-10 567.20x 1733.25x 1181.85x 1058.98x 957.31x 917.58x 882.66x 866.08x 728.81x 703.36x sorted-no-ring 1933.21x 1748.12x 1697.72x 1616.68x 1540.24x 1499.73x 1457.66x 1440.96x 1428.41x 1723.51x (b)China-US,no-ring Placement/Percent 1 2 3 4 5 6 7 8 9 10 random-no-ring-1 2.31x 1.74x 2.51x 4.08x 14.25x 28.58x 241.57x 103.49x 27.23x 11.79x random-no-ring-5 294.66x 159.13x 164.61x 483.25x 488.71x 446.56x 225.57x 108.33x 94.48x 96.31x random-no-ring-10 261.42x 194.69x 281.52x 276.90x 542.18x 442.66x 430.17x 108.33x 105.63x 102.81x sorted-no-ring 1426.64x 1353.49x 1334.47x 1356.43x 1345.60x 1329.11x 461.33x 426.44x 82.77x 82.77x deployingdisruptivecensorshiptechnologies.Forexample,theGreatFirewallofChinadoesnotblockmanypopularInternetserviceseventhoughtheyareencrypted, 8 duetotheirpopularityamongChineseInternetusers.2.Astrategicplacementofdecoyrouterssignicantlyraises 8 http://www.google.com/transparencyreport/trafc/ thecostsfortheRADadversary.Weproposeseveralstrategicdecoyplacementstrategies.3.ThecostsoftheRADattackvarysignicantlyfordifferentstate-levelcensors.CountrieswithlessInternetconnectivity(i.e.,thosethathavefewerinternalASesandareconnectedtofewerringASes)incurhighercostsiftheylaunchtheRAD12 TABLEVI:Mediantransitloadincreasefactorforthemostaffected20%ofChinesetransitASesduetotheRADattack.(a)China-World,no-ring Placement/Percent 1 2 3 4 5 6 7 8 9 10 random-no-ring-1 1.00x 1.00x 1.08x 51.82x 1.05x 1.21x 1.10x 1.84x 5.73x 1.54x random-no-ring-5 2.35x 1.74x 230.34x 3.87x 3.30x 3.31x 3.31x 3.46x 2.82x 2.82x random-no-ring-10 1.41x 303.87x 3.51x 3.52x 3.39x 3.48x 2.88x 2.84x 2.82x 2.80x sorted-no-ring 443.83x 397.87x 369.17x 348.17x 320.85x 312.49x 275.50x 270.01x 267.43x 350.41x (b)China-US,no-ring Placement/Percent 1 2 3 4 5 6 7 8 9 10 random-no-ring-1 1.01x 1.42x 1.01x 1.06x 6.96x 1.70x 102.50x 13.52x 1.18x 1.46x random-no-ring-5 11.02x 20.30x 32.22x 35.48x 44.76x 32.12x 29.97x 22.55x 21.70x 21.07x random-no-ring-10 33.23x 69.44x 51.74x 49.30x 42.17x 30.96x 23.12x 22.55x 21.21x 20.09x sorted-no-ring 68.51x 67.28x 61.12x 66.04x 66.92x 64.93x 39.30x 31.68x 29.94x 29.11x TABLEVII:MinimumtransitloadincreasefactorforChinesetransitASesduetotheRADattack.(a)China-World,no-ring Placement/Percent 1 2 3 4 5 6 7 8 9 10 random-no-ring-1 0.98x 0.67x 0.94x 0.71x 0.62x 0.31x 0.46x 0.60x 0.49x 0.29x random-no-ring-5 0.84x 0.93x 0.81x 0.70x 0.68x 0.65x 0.65x 0.65x 0.65x 0.65x random-no-ring-10 0.88x 0.82x 0.67x 0.66x 0.66x 0.66x 0.65x 0.65x 0.65x 0.64x sorted-no-ring 0.77x 0.76x 0.74x 0.73x 0.73x 0.72x 0.72x 0.72x 0.72x 0.71x (b)China-US,no-ring Placement/Percent 1 2 3 4 5 6 7 8 9 10 random-no-ring-1 0.89x 0.77x 0.71x 0.69x 0.69x 0.74x 0.63x 0.67x 0.58x 0.53x random-no-ring-5 0.63x 0.70x 0.65x 0.78x 0.62x 0.59x 0.58x 0.57x 0.57x 0.57x random-no-ring-10 0.91x 0.66x 0.60x 0.59x 0.60x 0.59x 0.58x 0.57x 0.57x 0.57x sorted-no-ring 0.63x 0.62x 0.61x 0.61x 0.60x 0.60x 0.60x 0.58x 0.58x 0.58x TABLEVIII:MediantransitloadincreasefactorforChinesetransitASesduetotheRADattack.(a)China-World,no-ring Placement/Percent 1 2 3 4 5 6 7 8 9 10 random-no-ring-1 1.00x 1.00x 1.00x 1.00x 1.00x 1.00x 0.99x 1.00x 0.98x 0.99x random-no-ring-5 1.00x 0.98x 0.98x 0.97x 0.95x 0.94x 0.94x 0.90x 0.90x 0.89x random-no-ring-10 0.97x 0.98x 0.95x 0.95x 0.94x 0.94x 0.90x 0.90x 0.90x 0.89x sorted-no-ring 0.98x 1.00x 1.00x 1.00x 1.00x 0.99x 0.99x 0.99x 0.95x 0.95x (b)China-US,no-ring Placement/Percent 1 2 3 4 5 6 7 8 9 10 random-no-ring-1 1.00x 0.99x 1.00x 0.99x 0.99x 1.00x 0.99x 1.00x 0.99x 0.99x random-no-ring-5 0.99x 0.97x 0.95x 0.91x 0.90x 0.87x 0.86x 0.86x 0.85x 0.84x random-no-ring-10 0.98x 0.95x 0.90x 0.88x 0.88x 0.87x 0.86x 0.86x 0.85x 0.84x sorted-no-ring 0.99x 0.97x 0.97x 0.95x 0.95x 0.95x 0.88x 0.84x 0.84x 0.84x TABLEIX:AveragetransitloadincreasefactorforChinesetransitASesduetotheRADattack.(a)China-World,no-ring Placement/Percent 1 2 3 4 5 6 7 8 9 10 random-no-ring-1 1.08x 1.54x 6.41x 61.24x 2.50x 25.49x 23.52x 52.67x 45.09x 19.66x random-no-ring-5 33.40x 54.69x 199.41x 150.03x 254.56x 197.00x 197.00x 179.49x 144.25x 139.41x random-no-ring-10 136.41x 248.79x 257.97x 187.01x 191.15x 194.39x 162.98x 173.49x 144.28x 96.10x sorted-no-ring 378.03x 326.33x 365.64x 294.90x 290.39x 288.00x 261.12x 259.66x 257.47x 273.67x (b)China-US,no-ring Placement/Percent 1 2 3 4 5 6 7 8 9 10 random-no-ring-1 1.54x 2.74x 5.02x 13.55x 28.01x 18.33x 18.89x 30.23x 17.72x 25.68x random-no-ring-5 15.13x 68.83x 110.74x 142.47x 133.46x 125.19x 72.50x 19.27x 18.29x 17.53x random-no-ring-10 16.06x 57.49x 41.76x 33.86x 55.61x 125.26x 73.06x 19.74x 18.50x 17.48x sorted-no-ring 135.88x 134.16x 133.20x 226.48x 226.16x 225.45x 118.10x 115.96x 19.02x 18.74x 13 attack.Thisimpliesthatevenaverylimiteddeploymentofdecoyroutersmaybeenoughtodeterrelativelysmallstate-levelcensorssuchasSyriafromlaunchingtheattack.4.Whileaglobaldeploymentofdecoyroutingisideal(i.e.,theChina-Worldscenario),evenaregionaldeployment(e.g.,onlyintheU.S.,asintheChina-USscenario)iseffectiveindefeatingtheRADattack.Thisisanimportantndingbecauseregionaldeploymentismorepracticalthanglobaldeployment.Forexample,theU.S.governmentmaymandateorincentivizeU.S.-basedASestodeploydecoyrouterstosupportthefreedomofInternetinSyria.5.Anyreal-worlddeploymentofdecoyroutingsystemsrequiresdecoystobeinstalledinmultipleASes.Thenet-workingcommunityhasfacedsimilarchallengeswiththeadoptionofnewnetworkingprotocolsandtechnologies.Theirsolutions[ 12 , 13 ]canbeadaptedtotheproblemofdecoyrouting.Inparticular,techniquesproposedfordeployingsecureBGPprotocolsmayprovideaninspiration.Gilletal.[ 12 ]suggestaninitialdeploymentbyearly-adopterASeswhoareincentivizedbythirdparties.ThisinitialdeploymentwilleventuallyleadtoacompetitionamongASestoinstallthenewtechnology,astheyaimtoincreasetheirrevenue-generatingtrafc.Similarly,aninitialdeploymentofdecoyroutersonasmallnumberoftransitASes,perhapsincentivizedbypro-freedomNGOsorgovernments,candiffusedecoyroutingtoothertransitASeswhowanttocaptureashareofthedecoyroutingtrafc.6.Ane-grained,data-drivenapproachisnecessaryforunderstandingthetruecostsofvariousrouteselectionmech-anisms.AnalysisbasedsolelyonthegraphtopologyoftheInternetmayleadtomistakenconclusionsaboutthefeasibilityofdecoyrouting,aswellasothercensorshipcircumventiontechniquesbasedonInternetrouting.AnyanalysisofdecoyroutingandalternativesmustbebasedonallavailabledataaboutindividualnodesandlinksintheInternetconnectivitygraph.ACKNOWLEDGMENTSThisresearchwassupportedbytheDefenseAdvancedResearchProjectsAgency(DARPA)andSPAWARSystemsCenterPacic,ContractNo.N66001-11-C-4018,andNSFgrantCNS-0746888.REFERENCES[1]ASrelationships, http://www.caida.org/data/active/as-relationships/ .[2]S.Burnett,N.Feamster,andS.Vempala,Chippingawayatcensorshiprewallswithuser-generatedcontent,inUSENIXSecurity,2010.[3]ASrank:ASranking, http://as-rank.caida.org/ .[4]J.Cesareo,J.Karlin,J.Rexford,andM.Schapira,Op-timizingtheplacementofimplicitproxies, http://www.cs.princeton.edu/jrex/papers/decoy-routing.pdf ,2012.[5]I.Clarke,T.W.Hong,S.G.Miller,O.Sandberg,andB.Wiley,ProtectingfreeexpressiononlinewithFreenet,IEEEInternetComputing,vol.6,no.1,pp.4049,2002.[6]T.DierksandE.Rescorla,TheTransportLayerSecurity(TLS)protocolversion1.2,InternetRFC5246,2008.[7]R.DingledineandN.Mathewson,DesignofaBlocking-ResistantAnonymitySystem, https://svn.torproject.org/svn/projects/design-paper/blocking.html .[8]R.Dingledine,N.Mathewson,andP.Syverson,Tor:Thesecond-generationonionrouter,inUSENIXSecurity,2004.[9]N.Feamster,M.Balazinska,G.Harfst,H.Balakrishnan,andD.Karger,Infranet:CircumventingWebcensorshipandsurveillance,inUSENIXSecurity,2002.[10]L.GaoandJ.Rexford,StableInternetroutingwithoutglobalcoordination,IEEE/ACMTON,vol.9,no.6,pp.681692,2001.[11]L.Gao,OninferringautonomoussystemrelationshipsintheInternet,IEEE/ACMToN,vol.9,no.6,pp.733745,2001.[12]P.Gill,M.Schapira,andS.Goldberg,Letthemarketdrivedeployment:AstrategyfortransitioningtoBGPsecurity,inSIGCOMM,2011.[13]S.GoldbergandZ.Liu,Thediffusionofnetworkingtechnologies,inSODA,2013.[14]J.HawkinsonandT.Bates,Guidelinesforcreation,se-lection,andregistrationofanautonomoussystem(AS),1996.[15]A.Houmansadr,G.Nguyen,M.Caesar,andN.Borisov,Cirripede:Circumventioninfrastructureusingrouterredirectionwithplausibledeniability,inCCS,2011.[16]A.Houmansadr,T.Riedl,N.Borisov,andA.Singer,IWantMyVoicetoBeHeard:IPoverVoice-over-IPforUnobservableCensorshipCircumvention,inNDSS,2013.[17]J.Karlin,D.Ellard,A.Jackson,C.Jones,G.Lauer,D.Mankins,andW.Strayer,Decoyrouting:TowardunblockableInternetcommunication,inFOCI,2011.[18]N.Kushman,S.Kandula,D.Katabi,andB.Maggs,R-BGP:Stayingconnectedinaconnectedworld,inNSDI,2007.[19]H.V.Madhyastha,T.Isdal,M.Piatek,C.Dixon,T.Anderson,A.Krishnamurthy,andA.Venkataramani,iPlane:Aninformationplanefordistributedservices,inOSDI,2006.[20]Psiphon, http://psiphon.ca/ .[21]B.QuoitinandS.Uhlig,Modelingtheroutingofanau-tonomoussystemwithC-BGP,IEEENetwork,vol.19,no.6,pp.1219,2005.[22]Y.Rekhter,T.Li,andS.Hares,ABorderGatewayProtocol4(BGP-4),RFC4271,2006.[23]E.RosenandY.Rekhter,BGP/MPLSIPVirtualPri-vateNetworks(VPNs),RFC4364(ProposedStandard),2006.[24]M.Schuchard,J.Geddes,C.Thompson,andN.Hopper,Routingarounddecoys,inCCS,2012.[25]Q.Wang,X.Gong,G.Nguyen,A.Houmansadr,andN.Borisov,CensorSpoofer:AsymmetriccommunicationusingIPspoongforcensorship-resistantWebbrowsing,inCCS,2012.[26]E.Wustrow,S.Wolchok,I.Goldberg,andJ.Halderman,Telex:Anticensorshipinthenetworkinfrastructure,inUSENIXSecurity,2011.14