The road not taken: Secure asymmetry and deployability for decoy routing systems

Authors

  • Cecylia Bocovich
  • Ian Goldberg
Abstract

Censorship circumvention is often characterized as an arms race between a nation-state censor and the developers of censorship resistance systems. Decoy routing systems offer a solution to censorship resistance that has the potential to tilt this arms race in the favour of the censorship resistor. Decoy routing uses real connections to unblocked, overt sites to deliver censored content to users. It aims to make connections to censored content indistinguishable from connections to uncensored sites. This is achieved by employing the help of Internet Service Providers or Autonomous Systems (ASes) that own routers in the middle of the network. However, the deployment of decoy routers has yet to reach fruition. Obstacles to deployment such as the heavy requirements on routers that deploy decoy router relay stations, and possible effects on the quality of service for existing customers that pass through these routers have deterred potential participants from deploying existing systems. Furthermore, connections from clients to overt sites often follow different paths in the upstream and downstream direction, hampering most existing designs. Although decoy routing systems that lessen the burden on participating routers and accommodate asymmetric flows have been proposed, these arguably more deployable systems suffer from security vulnerabilities that put their users at risk of discovery. In this paper, we propose two different techniques for supporting route asymmetry in previously symmetric decoy routing systems. The resulting asymmetric solutions are more secure than previous asymmetric proposals and provide an option for tiered deployment, allowing more cautious ASes to deploy a lightweight, non-blocking relay station that aids in defending against routing-capable adversaries. We also provide an experimental evaluation of relay station performance on off-the-shelf hardware and additional security improvements to recently proposed systems.


Similar resources

Secure asymmetry and deployability for decoy routing systems

Censorship circumvention is often characterized as a cat-and-mouse game between a nation-state censor and the developers of censorship resistance systems. Decoy routing systems offer a solution to censorship resistance that has the potential to tilt this race in the favour of the censorship resistor by using real connections to unblocked, overt sites to deliver censored content to users. This i...


A New Framework for Secure Routing in VANET

Vehicular Ad-Hoc Networks can enhance road safety and enable drivers to avoid different threats. Safety applications, mobile commerce, and other information services are among different available services that are affected by dynamic topology, vehicle’s speed and node misbehaving. Dynamic topology makes the route unstable and unreliable. So, improving the throughput and performance of VANET thr...


Towards Secure Decoy Routing by Using SDN

Software Defined Networking (SDN) is an emerging architecture, which allows networks to be centralized and programmable, aiding researchers in implementing complex network algorithms and policies. While SDN is widely used in LANs, it has also been deployed in WAN environments [2]. Like Tor, Decoy Routing [3] aids users to circumvent censorship on the Internet. While Tor uses onion routing, Deco...


Avoiding Cyber-attacks to DMZ and Capturing Forensics from Intruders Using Honeypots

Nowadays, honeypots are widely used to divert attackers from the original target and keep them busy within a decoy environment. DeMilitarized Zone (DMZ) is an important zone for network administrators, because many of the services to the public network is provided at this zone. Many of the security tools such as firewalls, intrusion detection systems and several other secu...


Publication date: 2017