TY - GEN
T1 - Conjure
T2 - 26th ACM SIGSAC Conference on Computer and Communications Security, CCS 2019
AU - Frolov, Sergey
AU - Wampler, Jack
AU - Tan, Sze Chuen
AU - Alex Halderman, J.
AU - Borisov, Nikita
AU - Wustrow, Eric
N1 - Funding Information:
The authors thank the incredible partner organizations that have made deployment of Refraction Networking a reality, especially Merit Network and Psiphon. We also thank the University of Colorado IT Security and Network Operations staff. This material is based in part upon work supported by the U.S. National Science Foundation under Awards CNS-1518888 and OAC-1925476.
Publisher Copyright:
© 2019 Copyright held by the owner/author(s).
PY - 2019/11/6
Y1 - 2019/11/6
N2 - Refraction Networking (formerly known as “Decoy Routing”) has emerged as a promising next-generation approach for circumventing Internet censorship. Rather than trying to hide individual circumvention proxy servers from censors, proxy functionality is implemented in the core of the network, at cooperating ISPs in friendly countries. Any connection that traverses these ISPs could be a conduit for the free flow of information, so censors cannot easily block access without also blocking many legitimate sites. While one Refraction scheme, TapDance, has recently been deployed at ISP scale, it suffers from several problems: a limited number of “decoy” sites in realistic deployments, high technical complexity, and undesirable tradeoffs between performance and observability by the censor. These challenges may impede broader deployment and ultimately allow censors to block such techniques. We present Conjure, an improved Refraction Networking approach that overcomes these limitations by leveraging unused address space at deploying ISPs. Instead of using real websites as the decoy destinations for proxy connections, our scheme connects to IP addresses where no web server exists, leveraging proxy functionality from the core of the network. These phantom hosts are difficult for a censor to distinguish from real ones, but can be used by clients as proxies. We define the Conjure protocol, analyze its security, and evaluate a prototype using an ISP testbed. Our results suggest that Conjure can be harder to block than TapDance, is simpler to maintain and deploy, and offers substantially better network performance.
AB - Refraction Networking (formerly known as “Decoy Routing”) has emerged as a promising next-generation approach for circumventing Internet censorship. Rather than trying to hide individual circumvention proxy servers from censors, proxy functionality is implemented in the core of the network, at cooperating ISPs in friendly countries. Any connection that traverses these ISPs could be a conduit for the free flow of information, so censors cannot easily block access without also blocking many legitimate sites. While one Refraction scheme, TapDance, has recently been deployed at ISP scale, it suffers from several problems: a limited number of “decoy” sites in realistic deployments, high technical complexity, and undesirable tradeoffs between performance and observability by the censor. These challenges may impede broader deployment and ultimately allow censors to block such techniques. We present Conjure, an improved Refraction Networking approach that overcomes these limitations by leveraging unused address space at deploying ISPs. Instead of using real websites as the decoy destinations for proxy connections, our scheme connects to IP addresses where no web server exists, leveraging proxy functionality from the core of the network. These phantom hosts are difficult for a censor to distinguish from real ones, but can be used by clients as proxies. We define the Conjure protocol, analyze its security, and evaluate a prototype using an ISP testbed. Our results suggest that Conjure can be harder to block than TapDance, is simpler to maintain and deploy, and offers substantially better network performance.
KW - Anticensorship
KW - Network security
KW - Proxies
UR - http://www.scopus.com/inward/record.url?scp=85075944677&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85075944677&partnerID=8YFLogxK
U2 - 10.1145/3319535.3363218
DO - 10.1145/3319535.3363218
M3 - Conference contribution
AN - SCOPUS:85075944677
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 2215
EP - 2229
BT - CCS 2019 - Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
Y2 - 11 November 2019 through 15 November 2019
ER -