StudyingTransna.onalRou.ngDetoursthrough
SurveillanceStates
AnnieEdmundson,RoyaEnsafi,NickFeamster,JenniferRexfordPrincetonUniversity
RIPE 73 October 24th-28th, 2016 1
CharacterizingandAvoidingRou.ngDetours
2
• WhichcountriesareInternetpathstopopulardes.na.onscurrentlytraversing?
• Doeslocaltrafficleavethecountry?Towhere?
• Canend-usersavoidcertaincountriestopopulardes.na.ons?• Canend-userskeepmorelocaltrafficlocal?
Characterizingdetours
Avoidingdetours
CurrentStateofSurveillance
SurveillanceStatesReac.onsagainstSurveillanceStudiedCountries 3
CharacterizingandAvoidingRou.ngDetours
4
• WhichcountriesareInternetpathstopopulardes.na.onscurrentlytraversing?
• Doeslocaltrafficleavethecountry?Towhere?
• Canend-usersavoidcertaincountriestopopulardes.na.ons?• Canend-userskeepmorelocaltrafficlocal?
Characterizingdetours
Avoidingdetours
Themostcommondes.na.onandtransitcountryamongallfivecountriesstudiedistheUnitedStates.
MeasurementStudy:Experiment
5
AlexaTop100Domains Domains&3rdPartyDomains
Domain:IPsTraceroutes
1.ConnecttoVPNsandcurl
2.Extract3rdpartydomains
3.DNSqueries
4.CollectDNSresponses
5.TraceroutetoallIPs
VPNs
RIPEAtlas
RIPEAtlas
Wherearepopulardomainshosted?
77.4%ofpathsthatstartinBrazilterminateintheUnitedStates
6
Whichcountriesareonthepathtopopulardomains?
84.4%ofpathsthatstartinBrazilhavetheUnitedStatesonthepath
7
CharacterizingandAvoidingRou.ngDetours
8
• WhichcountriesareInternetpathstopopulardes.na.onscurrentlytraversing?
• Doeslocaltrafficleavethecountry?Towhere?
• Canend-usersavoidcertaincountriestopopulardes.na.ons?• Canend-userskeepmorelocaltrafficlocal?
Characterizingdetours
Avoidingdetours
DespitehavinglargeIXPs,BrazilandNetherlandspathso_entrombonestotheUnitedStates.
Netherlands:Whereislocaltrafficgoing?
9
Brazil:Whereislocaltrafficgoing?
10
Kenya:Whereislocaltrafficgoing?
11
CharacterizingRou.ngDetours:Summary
• Rou.ngdetourso_entransitsurveillancestates–especiallytheUnitedStates
• Localtrafficdoesn’talwaysstaylocal
• Isitpossibletoavoidcertaincountriesbytunnelingtrafficthroughrelays?
12
CharacterizingandAvoidingRou.ngDetours
13
• WhichcountriesareInternetpathstopopulardes.na.onscurrentlytraversing?
• Doeslocaltrafficleavethecountry?Towhere?
• Canend-usersavoidcertaincountriestopopulardes.na.ons?• Canend-userskeepmorelocaltrafficlocal?
Characterizingdetours
Avoidingdetours
Yes,butit’smoredifficulttoavoidtheUnitedStatesthanitistoavoidanyothercountry.
CountryAvoidance
• CountryAvoidance=frac.onofpathsthatdonotpassthroughCountryX
1/32/3
14
RelayPathwithoutRelayPathwithRelay
AvoidanceStudy:Experiment
15
Domain:IPs
1.ConnecttoVPNs
VPNsRelays
2.TraceroutetorelayIPs
Traceroutes
Relays
Traceroutes
1.sshtorelays
2.TraceroutetoallIPs
ClienttoRelayPath:
RelaytoServerPath:
Canclientsavoidcountriesmoreo_en?Yes–manycountriesarealmostcompletelyavoidableforthetop100domains
16
CharacterizingandAvoidingRou.ngDetours
17
• WhichcountriesareInternetpathstopopulardes.na.onscurrentlytraversing?
• Doeslocaltrafficleavethecountry?Towhere?
• Canend-usersavoidcertaincountriestopopulardes.na.ons?• Canend-userskeepmorelocaltrafficlocal?
Characterizingdetours
AvoidingdetoursTromboningBrazilianpathsdecreasedfrom13.2%to9.7%.
System:Rou.ngAroundNa.on-States
• Developedanoverlaynetworkthat:– Providescountryavoidance– Isusable– Isscalable
System:Rou.ngAroundNa.on-States
• ClientsusePACfiletoselectappropriaterelayforavoidingacountry
• Relaysactaswebproxies+conductmeasurements
• OracletriggersRIPEAtlasprobestoconductmeasurements
FutureWork
• CountryavoidancebasedonIPv4vs.IPv6connec.vity
20
• Connec.vitywithinacountry
• Rela.onshipbetweenIXPsandna.onstaterou.ng
Conclusion
• Pathscommonlytraverseknownsurveillancestates–84%ofpathsfromBraziltraversetheUnitedStates
• Relayscanhelppreventrou.ngdetours,butsomeofthemoreprominentsurveillancestatesaretheleastavoidable
• TromboningBrazilianpathsdecreasedfrom13.2%to9.7%withrelays.
21
Fullwrite-upandmoredataat:ransom.cs.princeton.edu
System:Rou.ngAroundNa.on-States
0 1 2 3 4Number of Relays
0.0
0.2
0.4
0.6
0.8
1.0Fr
actio
nof
Dom
ains
Acc
esse
dw
hile
Avo
idin
ga
Cou
ntry
United StatesIrelandFranceGermanyUnited KingdomIndia
System:Rou.ngAroundNa.on-States
0.0 0.2 0.4 0.6 0.8 1.0
Time to First Byte (s)
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1.0
Frac
tion
ofD
omai
ns
With RANDirect
AvoidingRou.ngDetours:Summary
24
• ItismoredifficulttoavoidtheUnitedStatesthanitistoavoidanyothercountry
• TromboningBrazilianpathsdecreasedfrom13.2%to9.7%