Few Throats to Choke: On the Current Structure of the Internet

The original design of the Internet was as a resilient, distributed system, able to route around (and therefore recover from) massive disruption - up to and including nuclear war. However, network effects and business decisions (e.g. the pur- chase of GlobalCrossing by Level-3) have led to centralization of routing power. This is not merely an academic issue; it has practical implications, such as whether the citizens of a country may be subject to censorship by an “upstream” ISP in some other country, that controls its entire access to the Internet. In this paper, we examine the extent of routing centralization in the Internet; identify the major players who control the “Internet backbone”; and point out how many these are, in fact, under the jurisdiction of censorious countries. We also measure the collateral damage caused by censorship, particularly by the two largest Internet-using nations, China and India

Mending Wall: On the Implementation of Censorship in India

This paper presents a study of the Internet infrastructure in India from the point of view of censorship. First, we show that the current state of affairs — where each ISP implements its own content filters (nominally as per a governmental blacklist) — results in dramatic differences in the censorship experienced by customers. In practice, a well-informed Indian citizen can escape censorship through a judicious choice of service provider. We then consider the question of whether India might potentially follow the Chinese model and institute a single, government-controlled filter. This would not be difficult, as the Indian Internet is quite centralized already. A few “key” ASes (≈ 1% of Indian ASes) collectively intercept ≈ 95% of paths to the censored sites we sample in our study, and also to all publicly-visible DNS servers. 5, 000 routers spanning these key ASes would suffice to carry out IP or DNS filtering for the entire country; ≈ 70% of these routers belong to only two private ISPs. If the government is willing to employ more powerful measures, such as an IP Prefix Hijacking attack, any one of several key ASes can censor traffic for nearly all Indian users. Finally, we demonstrate that such federated censorship by India would cause substantial collateral damage to non-Indian ASes whose traffic passes through Indian cyberspace (which do not legally come under Indian jurisdiction at all)

Too Close for Comfort: Morasses of (Anti-) Censorship in the Era of CDNs

Recent research claims that “powerful” nation-states may be hegemonic over significant web traffic of “underserved” nations (e.g., Brazil and India). Such traffic may be surveilled when transiting (or ending in) these powerful nations. On the other hand, content distribution networks (CDNs) are designed to bring web content closer to end-users. Thus it is natural to ask whether CDNs have led to the localization of Internet traffic within the country’s boundary, challenging the notion of nation-state hegemony

SiegeBreaker: An SDN Based Practical Decoy Routing System

Decoy Routing (DR), a promising approach to censorship circumvention, uses routers (rather than end hosts) as proxy servers. Users of censored networks, who wish to use DR, send specially crafted packets, nominally addressed to an uncensored website. Once safely out of the censored network, the packets encounter a special router (the Decoy Router) which identifies them using a secret handshake, and proxies them to their true destination (a censored site). However, DR has implementation problems: it is infeasible to reprogram routers for the complex operations required. Existing DR solutions fall back on using commodity servers as a Decoy Router. But as servers are not efficient at routing, most web applications show poor performance when accessed over DR. A further concern is that the Decoy Router has to inspect all flows in order to identify the ones that need DR. This may itself be a breach of privacy for other users (who neither require DR nor want to be monitored). In this paper, we present a novel DR system, Siege- Breaker (SB), which solves the aforementioned problems using an SDN-based architecture. Previous proposals involve a single unit which performs all major operations (inspecting all flows, identifying the DR requests and proxying them). In contrast, SB distributes the tasks for DR among three independent modules. (1) The SDN controller identifies DR requests via a covert, privacy preserving scheme, and does not need to inspect all flows. (2) The reconfigurable SDN switch intercepts packets, and forwards them to a secret proxy efficiently. (3) The secret proxy server proxies the client’s traffic to the censored site. Our modular, lightweight design achieves performance comparable to direct TCP downloads, for both in-lab setups, and Internet based tests involving commercial SDN switches