Eric, I haven't read the full paper yet, however, are you simply acting as a proxy and redirecting based on the secret tag found in the header? What is your expectation for session/second use? I would think you would need to scale largely, however, I don't have a good understanding of how large the market is for users trying to obfuscate the states firewall/proxy/dns controls etc. ISP seems like a great place to live for that; what have they said so far? On Fri, Jun 14, 2013 at 12:30 PM, Eric Wustrow <ewust@umich.edu> wrote:
Oddly enough, anticensorship. We use similar technology as the censors (DPI, flow blocking), but use our system in a non-censoring country's ISP to detect secret tags in connections from censored countries, and serve as a proxy for them. Once we detect a flow with a secret tag passing through the ISP, we block the real flow, and start spoofing half of the connection. We use this covert channel to communicate to the client and act as a proxy. To the censor, this looks like a normal connection to some innocuous, unrelated (and unblocked) website. The obvious difficulty is convincing ISPs to deploy such a proxy. More details can be found at https://telex.cc/
On Fri, Jun 14, 2013 at 3:15 AM, Dobbins, Roland <rdobbins@arbor.net> wrote:
On Jun 14, 2013, at 2:32 AM, Eric Wustrow wrote:
I'm looking for a way to block individual TCP flows (5-tuple) on a 1-10 gbps link, with new blocked flows being dropped within a millisecond or
so
of
being added.
What's the actual application for this mechanism?
----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
-- Phil Fagan Denver, CO 970-480-7618