Abstract:
Decoy Routing, the use of routers (rather than end hosts) as proxies, is a new direction in anti-censorship research. However, existing proposals require control of hundreds of Autonomous Systems (AS) to provide Decoy Routing to Internet users in a single censorious country (e.g. China). This is considered necessary, as the adversary - in this case the Chinese Government - has connections to many Autonomous Systems
(ASes), and we want to make sure it cannot simply route around those ASes which have decoy routers.
In this paper, we present a new approach to the question of placing decoy routers. In decoy routing, the router intercepts
messages en route to an overt destination and proxies them to covert destinations. Instead of trying to capture flows from
an entire country, as proposed, we stipulate that the overt destination be a well known site (such as Alexa top-100), and
concentrate on the AS-level paths to these sites. We construct a map of the structure of the Internet, as a graph of such AS-level
paths and present a new way to identify key points - those few ASes which appear on a large fraction of paths leading to these
popular websites. Our method yields results an order of magnitude cheaper than earlier proposals, and needs to be run only once,
rather than for each censorious country. (We also identify the key routers inside a few key ASes.) Our results indicate that
decoy routing is much more powerful than previously believed: using our new approach to place decoy routers, we need very few
(less than 0:1% of Internet AS) to force an adversary to route through them. However, while the number of key ASes is small,
the number of key routers in these ASes may be quite large – a new challenge for decoy routing.