A quest for cyber high ground : impact of internet structure on (anti-) censorship

Abstract

The original design of the Internet was a resilient, distributed architecture, that should be able to route around (and therefore recover from) massive disruption — up to and including nuclear war. However, network routing policies and business decisions cause traffic to be often routed through a relatively small set of Autonomous Systems (ASes). It has practical implications — some of these frequently appearing ASes (i.e., “key” ASes) are hosted in censorious nations. Other than censoring their own citizens’ network access, such ASes may inadvertently filter traffic for other foreign customer ASes as well. Thus in this thesis, we analyzed, “how can inferences drawn from Internet maps be used to aid (Anti-)censorship?” Specifically, we attempted to answer questions like — Is Internet structure still hierarchical? What are the key ASes, and in which countries they are located? Can censorious countries (which may host key ASes) filter Internet traffic of other nations transiting them? To begin with, we constructed a map of the Internet and examined the extent of routing centralization on the Internet. We identified the major players who control the “Internet back-bone” and point out how many of these are, in fact, under the jurisdiction of censorious countries (specifically Russia, China, and India). We found that approx. one-third of the Internet backbone belongs to the aforementioned known censors that may potentially monitor a large fraction of global Internet traffic. Further, we went ahead to study whether this hierarchy exists within the nation(s) itself? If so, can censorious nations exploit this hierarchy to achieve censorship/- surveillance within their national boundary? With censorship mechanisms deployed in a few key ASes, a censor may achieve large scale censorship within its territory. As a case study, we selected India that has the second-largest Internet user base. We conducted a study on the Internet hierarchy in India from the point of view of the censor. We then consider the question (feasibility) of whether India might potentially follow the Chinese model and institute a single, government-controlled filter. We found that a few “key” ASes (1% of Indian ASes) collectively intercept 95% of paths to the censored sites, and also to all publicly-visible DNS servers. Five thousand routers spanning these key ASes would suffice to carry out IP or DNS filtering for the entire country; 70% of these routers belong to only two private ISPs. However, the previous feasibility study does not consider the present censorship mechanisms and infrastructure employed by Indian ISPs. Thus, we developed various techniques and heuristics to assess the pervasiveness of censorship and study the underlying mechanisms used by these ISPs to achieve them. We fortified our findings by adjudging the coverage and consistency of censorship infrastructure, broadly in terms of the average number of network paths and requested domains, the infrastructure censors. Our results indicate an apparent disparity among the ISPs — what they filter and on how they install censorship infrastructure. For instance, in Idea cellular (a popular ISP), we observed the censorious middle boxes in over 90% of our tested intra-AS paths, whereas for others like Vodafone, it is as low as 2.5%. We later devised novel anti-censorship strategies that do not depend on third-party tools (like proxies, Tor, and VPNs, etc.). We managed to access all blocked websites in all ISPs under test. It must be noted that the proposed anti-censorship solutions were temporary, i.e., they were based on obfuscating the pattern matching used by the censorship infrastructure (e.g., in HTTP GET request changing the Host: evil.com to HoSt: evil.com). If in the future, censors evolve and improve their infrastructure, the proposed solutions may likely fail. Thus, we focused on a relatively new anti-censorship scheme Decoy Routing, which aims to end the arms race between the censor and the free speech activists. Decoy Routing, the use of routers (rather than end hosts) as proxies, is a new direction in anti-censorship research. However, practical decoy routing deployment poses a new challenge of where to place decoy Routers (DRs) on the Internet? Thus, we proposed an efficient decoy router placement strategy that requires the construction of global (and country-level) Internet maps. We found that few (≈30) ASes intercepted over 90% of paths to the top n sites worldwide, for n = 10, 20...200 and also to other destinations. Our first contribution is to demonstrate with real paths that the number of ASes required for a world-wide DR framework is small (≈30). Our second contribution is to consider the details of DR placement — not just in which ASes DRs should be placed to intercept traffic, but exactly where in each AS. We found that even with 30 ASes, we still need a total of about 11,700 DRs. Decoy Routing requires accessing web content hosted outside the censors’ boundary. However, Content Distribution Network (CDNs), which are designed to bring web content closer to end-user, might pose operational challenges to DR. Popular web content (e.g., Alexa popular websites) served from CDNs, might be available within the censor’s boundary itself. Thus, we analyzed how do CDN-based web content localization can hinder such systems. Moreover, we quantitatively analyzed the impact of CDN localization on various anti-censorship systems, including DR. Such analysis requires geolocating the websites. Thus we adapted a multilateration method, Constraint Based Geolocation (CBG), with novel heuristics and termed it as Region Specific CBG (R-CBG). In ≈91% cases, R-CBG correctly classifies hosts as inside (or outside) w.r.t. a nation. Using R-CBG, we observe that most of the popular websites are hosted inside each of the nations. Our empirical study, involving five countries, shows that popular websites (≈ 80% of Alexa top-1k for each nation) are hosted within a client’s domicile. These results reveal that anti-censorship approaches like DR may not directly use a significant fraction of popular websites. However, a small, yet a significant set of websites (≈20%), are hosted outside the censors’ boundaries and may be used.