dc.description.abstract |
Network censorship and surveillance generally involve ISPs working under the orders of repressive regimes, monitoring (and sometimes filtering) users' traffic, often using powerful networking devices, e.g. routers capable of performing Deep Packet Inspection (DPI). Such routers enable their operators to observe the contents of network flows (traversing their routers) that contain specific byte sequences. Tor, a low-latency anonymity network, has also been widely used to circumvent censorship and surveillance. However, recent efforts have shown that all anti-censorship measures employable using Tor, e.g. Bridges (unadvertised relays) or camouflaging Tor traffic as unfiltered protocol messages (e.g. SkypeMorph), are detectable. To bypass this arms race, several recent efforts propose network-based anti-censorship systems, collectively and colloquially referred to as Decoy Routers.

Decoy Routing systems, relying on "friendly" network routers, aid users behind censorious ISPs to covertly access filtered networks. These Decoy Routers, otherwise operating as "normal" network routers, can on demand double as Decoy Routers, forwarding the network traffic of censored users to covert destinations. Such architectures, however, assume complex functionalities and programmable capabilities in commodity network routers that currently seem infeasible. Software Defined Networking (SDN), the emergent network design and management paradigm involving centralized control over a network of switches, seems well suited to such requirements. In this position paper, we present an overview of a network-based anti-censorship system consisting of several centrally coordinated switches operating as Decoy Routers. Deploying centrally controlled switches that double as Decoy Routers could potentially have several advantages over existing proposals, which have until now only been prototyped on commodity desktops: the efficiency to switch traffic at line speed, detection of misbehaving switches, cascading of multiple Decoy Routers to assume a hybrid posture for both anonymity and censorship resistance, load balancing, and automatic failover. |
en_US |