Scalable Anti-Censorship Framework Using Moving Target Defense for Web Servers

Although the Internet has become the hub around which every aspect of our lives, from commerce to leisure activities, is centered, many people around the world are not able to freely access information over it. Some governments censor what their citizens can and cannot see. In this paper, regardless of the socio-political viewpoints involved, we focus on the design of anti-censorship technology that can be deployed on the side of the information purveyors. The primary objective is to develop a framework for combating censorship by making it too expensive and impractical for the adversary to block Web sites. In particular, we propose the use of Mobile IPv6 to form a moving target defense strategy in which the Web servers logically behave as mobile nodes (without physically moving), so that the address a censor has to block keeps changing. The potential efficacy of this framework is modeled analytically: probabilistic models are used to derive the important metrics and parameters, and one key factor, termed the swarming ratio, lets hosting sites reason about the amount of resources needed to push the adversary's costs beyond practical limits. This model guides the performance goals and architectural setup of the prototype implementation; modifications are confined to the server-side software and kernel and do not change the standard Mobile IPv6 protocol, so the solution can be deployed without any changes to the existing network infrastructure. Furthermore, we introduce a novel credit-based accounting strategy for grouping users that drastically shifts the resource requirements in the defender's favor. Lab-based tests measure the performance overheads, and based on those findings we perform targeted optimizations for practical deployment scenarios. The end result is a solution that can also be combined with existing anti-censorship methods (end-user-based and/or assisted by friendly network assets) to form a more robust anti-censorship system.
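To make the cost asymmetry behind the moving target idea concrete, the following simulation is an added example and is not code from the paper; it does not implement the paper's probabilistic model or its swarming ratio, whose definitions are not given in the abstract. It assumes a deliberately simplified model: the server moves to a fresh IPv6 address every `hop_interval` seconds and must send one binding update per client on each move, while the censor learns the current address after a fixed `detect_delay` and then blocks that single address permanently. Every parameter, function and the sample scenario are assumptions for illustration.

```python
"""Toy model of address-hopping (moving target) defense against a per-address censor.

Added example, not the paper's model. Assumed simplifications:
  * the defender hops to a never-reused address every `hop_interval` seconds
    (an IPv6 /64 is large enough that reuse can be ignored here);
  * every hop costs the defender one binding update per client;
  * the censor discovers the current address `detect_delay` seconds after
    the defender starts using it and blocks that one address forever;
  * the censor never escalates to blocking a whole prefix or AS.
"""
from dataclasses import dataclass


@dataclass
class Outcome:
    reachable_seconds: int   # seconds during which the current address was unblocked
    total_seconds: int       # simulated horizon
    censor_blocks: int       # block rules the censor had to install
    binding_updates: int     # address notifications the defender had to send

    @property
    def availability(self) -> float:
        """Fraction of the horizon during which clients could reach the server."""
        return self.reachable_seconds / self.total_seconds


def simulate(hop_interval: int, detect_delay: int, horizon: int, n_clients: int) -> Outcome:
    """Run a deterministic, one-second-step simulation of the assumed model.

    hop_interval: seconds between address changes (>= horizon means a static server)
    detect_delay: seconds the censor needs to discover and block a new address
    horizon:      total simulated seconds
    n_clients:    clients that must be told about each new address
    """
    if hop_interval <= 0 or detect_delay < 0 or horizon <= 0:
        raise ValueError("hop_interval and horizon must be positive, detect_delay non-negative")

    blocked: set[int] = set()
    addr = 0                      # index of the address currently in use
    block_due = detect_delay      # time at which the censor blocks `addr`
    reachable = blocks = updates = 0

    for t in range(horizon):
        # Defender moves to a fresh address at every multiple of hop_interval.
        if t > 0 and t % hop_interval == 0:
            addr += 1
            updates += n_clients          # one binding update per client (assumed cost)
            block_due = t + detect_delay  # censor must rediscover the server
        # Censor blocks the current address once its detection delay has elapsed.
        if t >= block_due and addr not in blocked:
            blocked.add(addr)
            blocks += 1
        if addr not in blocked:
            reachable += 1

    return Outcome(reachable, horizon, blocks, updates)


def compare(detect_delay: int, horizon: int, n_clients: int, hop_interval: int) -> dict:
    """Contrast a static server with a hopping one under the same censor (assumed scenario)."""
    static = simulate(hop_interval=horizon, detect_delay=detect_delay,
                      horizon=horizon, n_clients=n_clients)
    hopping = simulate(hop_interval=hop_interval, detect_delay=detect_delay,
                       horizon=horizon, n_clients=n_clients)
    return {"static": static, "hopping": hopping}


if __name__ == "__main__":
    # Constructed scenario: 1 hour, 100 clients, censor reacts in 20 s, server hops every 60 s.
    for name, o in compare(detect_delay=20, horizon=3600, n_clients=100, hop_interval=60).items():
        print(f"{name:8s} availability={o.availability:.2f} "
              f"censor_blocks={o.censor_blocks} binding_updates={o.binding_updates}")
```

The interesting check is the relation between `hop_interval` and `detect_delay`: once the server moves faster than the censor can discover it, availability stays at 1.0 and the censor installs no effective rule at all, while the defender's cost grows only linearly in the number of clients it must notify. The model's weakest assumption is the last one in the docstring: a censor that is willing to accept the collateral damage of blocking the entire prefix or hosting network pays a single rule regardless of hopping, which is why the abstract frames the goal as raising the censor's cost rather than making blocking impossible.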
