US20220303311A1 - Method and apparatus for resilient decoy routing without conspiring autonomous systems (as) via distributed hash table (dht) routing - Google Patents


Info

Publication number: US20220303311A1
Authority: US (United States)
Prior art keywords: routing, computer system, dht, decoy, packet
Legal status: Abandoned (Google's listed status is an assumption, not a legal conclusion)
Application number: US17/714,061
Inventors: Andrew Daniel McElroy, Kevin Patrick Kane
Current assignee: Ambit Inc (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Original assignee: Ambit Inc
Priority date: 2019-05-01 (an assumption, not a legal conclusion)
Filing date: 2022-04-05
Publication date: 2022-09-22

Events
    • Application filed by Ambit Inc
    • Priority to US17/714,061
    • Assigned to AMBIT INC. (assignment of assignors' interest; assignors: Kane, Kevin P; McElroy, Andrew D)
    • Publication of US20220303311A1
    • Legal status: Abandoned (current)

Classifications

All entries fall under CPC section H (Electricity), class H04 (Electric communication technique), subclass H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/164 Network security: implementing security features at a particular protocol layer, at the network layer
    • H04L63/0407 Network security: providing a confidential data exchange among entities communicating through data packet networks, wherein the identity of one or more communicating identities is hidden
    • H04L63/1441 Network security: detecting or protecting against malicious traffic, countermeasures against malicious traffic
    • H04L45/02 Routing or path finding of packets in data switching networks: topology update or discovery
    • H04L45/44 Routing or path finding of packets in data switching networks: distributed routing
    • H04L45/7453 Routing or path finding of packets in data switching networks: address table lookup; address filtering using hashing
    • H04L67/1065 Peer-to-peer [P2P] networks using node-based peer discovery: discovery involving distributed pre-established resource-based relationships among peers, e.g. based on distributed hash tables [DHT]
    • H04L67/02 Network services or applications: protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

A Method and apparatus for resilient Decoy Routing without conspiring Autonomous Systems by instead using a DHT routing table is described. In one embodiment of the present invention, there would exist a set of Decoy Routing Nodes which would be connected via a DHT's routing table. This would enable decoy routing nodes to not depend on a predefined list. Traditionally, Decoy Routing depends upon either a pre-configured list of computer systems to connect to or is wholly dependent upon BGP to happen to route to friendly Autonomous Systems that understand the true intent of the packet being routed. This method and apparatus solves these problems by providing a means to use a dynamic routing table, provided by a DHT to ensure that a packet can be delivered to computer systems that understand how to do decoy routing. This approach further ensures that the routing table being used is one that is kept up to date automatically as a function of the DHT providing the routing table. Further, the methodology described ensures that evading censorship, defending against TCP replay attacks, latency analysis, website fingerprinting, and denial of service (DoS) attacks are successfully executed.

Description

    CROSS-REFERENCE TO RELATED CASES
  • This application claims the benefit of provisional U.S. Patent Application No. 62/841,456, filed May 1, 2019, titled “METHOD AND APPARATUS FOR RESILIENT DECOY ROUTING WITHOUT CONSPIRING AUTONOMOUS SYSTEMS (AS) VIA DISTRIBUTED HASH TABLE (DHT) ROUTING”; and is a continuation of and claims priority to U.S. patent application Ser. No. 16/865,155, filed May 1, 2020, which issued Apr. 5, 2022 as U.S. Pat. No. 11,297,104. The entire contents of the above-referenced applications and of all priority documents referenced in the Application Data Sheet filed herewith are hereby incorporated by reference for all purposes.
  • FIELD OF THE INVENTION
  • This invention relates to computer networks and, more specifically, to enabling the creation of a computer network capable of evading censorship and of defending against TCP replay attacks, latency analysis, website fingerprinting, and denial of service (DoS) attacks, by way of a modified decoy routing scheme that uses a distributed hash table.
  • BACKGROUND
  • Since time immemorial, human beings have sought to protect their privacy from adversarial parties. Today there are many sophisticated technological solutions for safeguarding privacy, including public-key encryption, elliptic curve cryptography, the Distributed Hash Table (DHT), Decoy Routing, and many more. Decoy Routing traditionally relies on a group of Autonomous Systems having the ability to look at an Internet Protocol (IP) packet (version 4 or version 6) in a non-standard way (Conspiring Autonomous Systems) in order to route from one Autonomous System to another on the Internet. The aim of Decoy Routing is that an adversarial observer (spy) sees only the overt route information and not the actual intended route, which is encoded covertly. Presently, Decoy Routing still relies upon a known set of servers to connect to. Current Decoy Routing schemes inject additional routing information into a Transport Layer Security (TLS) handshake; the injected payload is hidden using a steganographic encryption methodology. Specifically, the ClientHello, ClientKeyExchange, and Finished messages of a TLS handshake are modified to carry additional covert information. TLS 1.2 is defined by RFC 5246 and TLS 1.3 by RFC 8446. A practitioner should note that ClientKeyExchange exists only in TLS 1.2: RFC 8446 removed it and carries the key share in the ClientHello and ServerHello key_share extension, so a TLS 1.3 deployment of such a scheme needs a different carrier for that step. Traditionally, the Border Gateway Protocol (BGP), defined by RFC 4271, has been used to route between Autonomous Systems. The Internet is a network of networks, and Autonomous Systems are how the Internet organizes those networks: in effect, the Internet is a network of Autonomous Systems, and inside each Autonomous System exist one or more networks. An Internet Service Provider (ISP), for example, is at the highest level one such Autonomous System; however, Autonomous Systems are not necessarily Internet Service Providers. A large corporation or a university might be assigned an Autonomous System Number (ASN) by a Regional Internet Registry (RIR) under the authority of the Internet Assigned Numbers Authority (IANA).
  • Further, Distributed Hash Tables (DHTs) have enabled a revolution in distributed systems architecture, making possible applications such as peer-to-peer (P2P) file sharing, P2P file storage, and P2P communications platforms. DHTs generally comprise three components: a Keyspace, a Keyspace Partitioning Scheme (KPS), and an Overlay Network. The Keyspace is the set of possible keys; data is stored in it as key-value pairs (KVPs), a scheme by which the data (the value) can be located quickly by its key, which is a hash, under a standard hashing algorithm, of the data being stored. The KPS describes how the Keyspace is divided among one or more computing systems. An Overlay Network is simply a network built on top of another network. One important property of a DHT is its ability to route between Nodes so that the entire Keyspace, spread across many Nodes, remains reachable; a Node is simply a computer system participating in the DHT and hosting, in general, part of its Keyspace. While the KPS defines how the Keyspace is partitioned, a DHT must also have a routing scheme as part of the KPS.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • An exemplary embodiment of the present invention is described herein with reference to the drawings, in which:
  • FIG. 1 shows an embodiment in which a client (Mobile Phone or Computer) is using a Decoy Routing scheme via a DHT Routing Table in a simple scenario (all DHT nodes residing inside a single Autonomous System).
  • FIG. 2 shows a diagram detailing the TLS session lifecycle using the architecture described in FIG. 1.
  • FIG. 3 shows an embodiment in which a client (Mobile Phone or Computer) is using a Decoy Routing scheme via a DHT Routing Table which resides inside a collection of separate Autonomous Systems, and in which a censor is unable to block the traffic.
  • SUMMARY OF INVENTION
  • In one embodiment of the present invention, there exists a set of Decoy Routing Nodes which would be connected via a DHT Routing Table which would enable Decoy Routing Nodes to not depend on a manually created list.
  • Embodiments may provide a mechanism for the Decoy Routing to ensure that the connection list is always up to date by way of a DHT Routing which would drop dead connections and add new connections automatically to the DHT Routing table.
  • Embodiments may provide a mechanism whereby a server client model is established and the DHT Data lives in a collection of centralized databases, be they relational databases or non-relational databases.
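As an added illustration (this is the editor's code, not code from the patent or from Ambit Inc), the Python below models the DHT components the Background describes and the self-maintaining routing table the Summary relies on: content keys as hashes of the stored value, a Kademlia-style XOR distance over a 160-bit keyspace, a per-node routing table that admits peers on contact and drops any peer not heard from within a time-to-live, and an iterative lookup that walks the overlay toward the node responsible for a key. The XOR metric, the TTL liveness rule, the node IDs and the toy topology are assumptions of the example; the patent specifies none of them.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

ID_BITS = 160  # assumption: SHA-1-sized keyspace, as in Kademlia-style DHTs


def key_for(data: bytes) -> int:
    """Content key: the hash of the stored value, per the KVP definition above."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia-style distance between two IDs (assumption: the patent names no metric)."""
    return a ^ b


@dataclass
class Peer:
    node_id: int
    addr: str
    last_seen: float  # seconds; any successful exchange refreshes it


class RoutingTable:
    """One node's view of the overlay. Peers are admitted on contact and evicted
    when silent for longer than `ttl`; that is what keeps the table current
    without a manually maintained server list."""

    def __init__(self, self_id: int, ttl: float = 60.0, k: int = 3):
        self.self_id = self_id
        self.ttl = ttl
        self.k = k  # how many candidates a lookup returns by default
        self.peers: Dict[int, Peer] = {}

    def observe(self, node_id: int, addr: str, now: float) -> None:
        """Add a newly seen peer, or refresh an existing peer's liveness."""
        if node_id != self.self_id:
            self.peers[node_id] = Peer(node_id, addr, now)

    def prune(self, now: float) -> List[int]:
        """Drop dead connections; returns the IDs that were evicted."""
        dead = [nid for nid, p in self.peers.items() if now - p.last_seen > self.ttl]
        for nid in dead:
            del self.peers[nid]
        return dead

    def closest(self, key: int, n: Optional[int] = None) -> List[Peer]:
        """Known peers ordered by XOR distance to `key`, nearest first."""
        n = self.k if n is None else n
        return sorted(self.peers.values(), key=lambda p: xor_distance(p.node_id, key))[:n]


def iterative_lookup(network: Dict[int, RoutingTable], start: int, key: int,
                     max_hops: int = 32) -> List[int]:
    """Route toward the node responsible for `key` by asking each hop for its
    nearest known peer; stops when no strictly closer peer is known. Returns the
    path of node IDs visited. `network` stands in for the RPCs a real DHT makes."""
    path = [start]
    current = start
    for _ in range(max_hops):
        nearest = network[current].closest(key, n=1)
        if not nearest or xor_distance(nearest[0].node_id, key) >= xor_distance(current, key):
            break
        current = nearest[0].node_id
        path.append(current)
    return path


def build_toy_overlay(now: float = 0.0) -> Dict[int, RoutingTable]:
    """Constructed 4-bit sample topology (an assumption for illustration only):
    each node knows only its listed neighbours."""
    links = {0: [1, 4], 1: [0], 4: [0, 6], 6: [4, 14], 14: [6, 15], 15: [14]}
    network = {nid: RoutingTable(nid, ttl=10.0) for nid in links}
    for nid, neighbours in links.items():
        for nb in neighbours:
            network[nid].observe(nb, f"node{nb}", now)
    return network


if __name__ == "__main__":
    net = build_toy_overlay()
    print("lookup path to key 15:", iterative_lookup(net, start=0, key=15))
    # Node 14 goes silent while node 4 keeps talking; after the TTL elapses
    # node 6 evicts 14 and the lookup ends at the closest live node it can reach.
    net[6].observe(4, "node4", now=15.0)
    print("evicted by node 6:", net[6].prune(now=20.0))
    print("lookup path after prune:", iterative_lookup(net, start=0, key=15))
```

Each hop strictly decreases the XOR distance to the key, so the walk terminates without a global view of the overlay; eviction happens locally, from each node's own silence timer, which is the "drop dead connections and add new connections automatically" behaviour the Summary describes.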
  • DETAILED DESCRIPTION
  • Embodiments of a decentralized Decoy Routing System that do not depend on conspiring Autonomous Systems to route traffic covertly are shown in FIG. 1 and FIG. 3. FIG. 2 details the modified TLS handshake needed to execute decoy routing, which according to the disclosure ensures that the IP packet emitted by a computer system evades censorship, cannot be replayed in a Transmission Control Protocol (TCP) replay attack, cannot be used in a latency analysis, does not convey a website fingerprint, and can thwart a denial of service (DoS) attack.
  • FIG. 1 presents a simple embodiment of a Decoy Routing System that does not depend on conspiring Autonomous Systems and uses a DHT Routing Table to route an IP packet. In this embodiment, a client computer system 11 sends an IP packet to a DHT Node 14. The arrow for this packet is colored red to indicate that the packet appears to be routing towards the Overt Route 24 by way of 14, 15, 16, 17, 23, and finally 24. The Overt Route 24 is a destination on the Internet with which the client does not actually intend to establish a connection, but which would be safe to connect to in the event that a censoring agent monitored the connection. The Covert Route 26 is the destination with which the client actually intends to establish a connection. The Internet is represented by 13. FIG. 1 shows the Decoy Routing and DHT Routing Table without regard to the Autonomous Systems in which the DHT resides; FIG. 3 addresses the multi-Autonomous-System embodiment of resilient Decoy Routing without conspiring Autonomous Systems, using instead the DHT Routing Table method and apparatus. In FIG. 1, elements 22, 14, 15, 16, 17, 18, 19, 20 represent Nodes in the DHT, and the routing table is represented by the arrows between them.
  • FIG. 3 is an embodiment of the Decoy Routing System that does not depend on conspiring Autonomous Systems and uses a DHT Routing Table to route an IP packet, in which a censoring agent 25 is present and is inspecting 26 an outgoing IP packet 12 carrying Overt and Covert routing information. In the FIG. 3 embodiment, the DHT is configured so that there are nodes in multiple Autonomous Systems, shown as 28, 29, 30. FIG. 1 and FIG. 3 both show an Overt Route 12, 14, 15, 16, 17, 23, 24, a Covert Route 12, 14, 15, 16, 19, 25, and the Covert Route Return 26, 25, 19, 14, 27. There is no return route for the Overt Route, since the client never actually establishes a connection with the Overt destination.
  • FIG. 2 is an embodiment of a modified TLS handshake which encodes the mechanism by which the Decoy Routing operates; the specific modifications detailed in FIG. 2 enable claims 2, 3, 4, 5, 6. FIG. 2 demonstrates the following scenario. A client computer system 19 sends a SYN to a DHT Node 20. The DHT Node 20 acknowledges the SYN (11), the client ACKs (12) that acknowledgement, and the client 19 sends a Modified ClientHello 14 to DHT Node 20. This modified ClientHello contains additional hidden information about how to actually route the packets once the handshake is established. After the DHT Node 20 sends a ServerHello 13 back to the client 19, the client 19 sends a Modified ClientKeyExchange with additional payload to DHT Node 20. DHT Node 20 sends a normal key-exchange message 15 back to the client 19 (the figure labels it ClientKeyExchange; in RFC 5246 the server-side message is ServerKeyExchange and it precedes the client's ClientKeyExchange, so the figure's naming and ordering should be read as the patent's own labelling). The client 19 sends a normal Finished to DHT Node 20, and DHT Node 20 sends a modified Finished with payload back to the client 19. Receipt of this modified Finished is the client's acknowledgement that Decoy Routing is activated, and normal data transfer can begin. If a censor attempts to inspect this handshake, the censor sees a payload that has been encrypted, XORed with the normal ClientHello, and appended to the ClientHello; the disclosure asserts that it appears as random corruption or excess padding in the IP packet. Two practitioner caveats apply. XORing with the ClientHello adds no secrecy, because the ClientHello itself is visible to the censor, so the confidentiality of the payload rests entirely on the encryption. And bytes appended beyond the declared TLS record length are distinguishable from standards-conformant padding (RFC 7685 defines an explicit ClientHello padding extension carried inside the record), so whether a censor that parses TLS records would treat the trailer as benign is not established by the disclosure.
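As an added example (the editor's code, not code from the patent or from Ambit Inc) of the ClientHello encoding described for FIG. 2 and of the overt/covert split in FIG. 1 and FIG. 3, the Python below builds a well-formed TLS 1.2 ClientHello, hides an encrypted covert destination in a trailer that is XORed with the hello and appended, as the text describes, shows what an on-path observer without the key can read, and has a DHT decoy node recover the destination while refusing a replayed hello. The pre-shared key, the HMAC-based stream cipher standing in for a real cipher, the MAC binding the trailer to the client random, the replay cache, and the sample destination `covert.example:443` are all assumptions of the example; the patent specifies none of them.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHARED_KEY = b"assumed-preshared-decoy-key"  # assumption: key distribution is not in the patent
TAG_LEN = 16


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (assumption; a real
    deployment would use an AEAD such as AES-GCM or ChaCha20-Poly1305)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, mask: bytes) -> bytes:
    """XOR `a` with `mask`, repeating the mask if it is shorter than `a`."""
    return bytes(x ^ mask[i % len(mask)] for i, x in enumerate(a))


def build_client_hello(client_random: bytes) -> bytes:
    """Minimal but well-formed TLS 1.2 ClientHello record (RFC 5246 s7.4.1.2):
    two ECDHE suites, null compression, empty extensions."""
    assert len(client_random) == 32
    body = (b"\x03\x03" + client_random        # client_version, random
            + b"\x00"                            # session_id (empty)
            + b"\x00\x04\xc0\x2f\xc0\x30"        # cipher_suites: ECDHE-RSA-AES-128/256-GCM
            + b"\x01\x00"                        # compression_methods: null
            + b"\x00\x00")                       # extensions (empty)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


def client_random_of(client_hello: bytes) -> bytes:
    # 5-byte record header + 4-byte handshake header + 2-byte version precede the random
    return client_hello[11:43]


def embed_covert(client_hello: bytes, covert_dest: str, key: bytes) -> bytes:
    """Client side: encrypt the covert destination, bind it to this hello's random
    with a MAC, XOR the result with the ClientHello bytes (the patent's step; it adds
    no secrecy because the hello is public) and append it after the record."""
    rand = client_random_of(client_hello)
    pt = covert_dest.encode()
    ct = xor(pt, keystream(key, rand, len(pt)))
    tag = hmac.new(key, rand + ct, hashlib.sha256).digest()[:TAG_LEN]
    return client_hello + xor(ct + tag, client_hello)


def observer_view(wire: bytes) -> Tuple[int, int]:
    """What an on-path censor can read without the key: the declared record
    length and how many bytes trail the record."""
    declared = int.from_bytes(wire[3:5], "big")
    return declared, len(wire) - 5 - declared


class DecoyNode:
    """DHT node that recognises covert trailers. It keeps a replay cache of client
    randoms so a captured hello cannot be replayed to re-open the covert route
    (assumption: the patent claims replay resistance but gives no mechanism)."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()

    def extract(self, wire: bytes) -> Tuple[str, Optional[str]]:
        declared, trailing = observer_view(wire)
        hello, masked = wire[:5 + declared], wire[5 + declared:]
        if trailing <= TAG_LEN:
            return "overt", None          # plain hello: serve the overt route only
        rand = client_random_of(hello)
        trailer = xor(masked, hello)      # undo the XOR with the public hello bytes
        ct, tag = trailer[:-TAG_LEN], trailer[-TAG_LEN:]
        expected = hmac.new(self.key, rand + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "overt", None          # wrong key or tampered: treat as ordinary traffic
        if rand in self.seen:
            return "replay", None
        self.seen.add(rand)
        return "covert", xor(ct, keystream(self.key, rand, len(ct))).decode()


if __name__ == "__main__":
    hello = build_client_hello(os.urandom(32))
    wire = embed_covert(hello, "covert.example:443", SHARED_KEY)  # constructed sample destination
    print("censor sees (declared, trailing):", observer_view(wire))
    node = DecoyNode(SHARED_KEY)
    print("decoy node:", node.extract(wire))
    print("replayed hello:", node.extract(wire))
```

The `observer_view` result is the second caveat above made concrete: a parser that honours the declared record length is left with 34 bytes it cannot account for. The example therefore buys authenticity and replay resistance with the MAC and the random cache, but it does not make the trailer indistinguishable from RFC 7685 padding, and nothing in the patent's description does either.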
  • The processes described herein, as well as any other aspects of the disclosure, may each be implemented by software, but may also be implemented in hardware, firmware, or any combination of software, hardware, and firmware. Instructions for performing these processes may also be embodied as machine- or computer-readable code recorded on a machine- or computer-readable medium. In some embodiments, the computer-readable medium may be a non-transitory computer-readable medium. Examples of such a non-transitory computer-readable medium include, but are not limited to, a read-only memory, a random-access memory, a flash memory, a CD-ROM, a DVD, a magnetic tape, a removable memory card, and optical data storage devices. In other embodiments, the computer-readable medium may be a transitory computer-readable medium. In such embodiments, the transitory computer-readable medium can be distributed over network-coupled computer systems so that the computer-readable code is stored and executed in a distributed fashion. For example, such a transitory computer-readable medium may be communicated from one electronic device to another electronic device using any suitable communications protocol. Such a transitory computer-readable medium may embody computer-readable code, instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and may include any information delivery media. A modulated data signal may be a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
  • While there have been described systems, methods, and computer-readable media for resilient decoy routing without conspiring autonomous systems (AS) via distributed hash table (DHT) routing, it is to be understood that many changes may be made therein without departing from the spirit and scope of the disclosure. Insubstantial changes from the claimed subject matter as viewed by a person with ordinary skill in the art, now known or later devised, are expressly contemplated as being equivalently within the scope of the claims or other language of this disclosure. Therefore, obvious substitutions now or later known to one with ordinary skill in the art are defined to be within the scope of the defined elements.
  • Therefore, those skilled in the art will appreciate that the concepts of this disclosure can be practiced by other than the described embodiments, which are presented for purposes of illustration rather than of limitation.

Claims (6)

What is claimed is:
1. A method and apparatus for a computer system to connect to another computer system using a procedure which obscures the actual intended routing path from a third-party observer and is able to ensure routing by always having an accurate routing table which is provided for by way of a DHT.
2. The method of claim 1, wherein a computer system to connect to another computer system also ensures that the IP Packet being emitted by a computer system is successful in evading censorship.
3. The method of claim 1, wherein a computer system to connect to another computer system also ensures that a computer system intending to send an IP Packet is unable to be replayed in a Transmission Control Protocol (TCP) replay attack.
4. The method of claim 1, wherein a computer system to connect to another computer system also ensures a computer system emitting an IP Packet cannot be used in a latency analysis.
5. The method of claim 1, wherein a computer system to connect to another computer system also ensures a computer system emitting an IP Packet does not convey website fingerprinting.
6. The method of claim 1, wherein a computer system to connect to another computer system also ensures a computer system emitting an IP Packet can successfully thwart a denial of service (DoS) attack.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US17/714,061 US20220303311A1 (en) 2019-05-01 2022-04-05 Method and apparatus for resilient decoy routing without conspiring autonomous systems (as) via distributed hash table (dht) routing

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201962841456P 2019-05-01 2019-05-01
US16/865,155 US11297104B2 (en) 2019-05-01 2020-05-01 Method and apparatus for resilient decoy routing without conspiring autonomous systems (AS) via distributed hash table (DHT) routing
US17/714,061 US20220303311A1 (en) 2019-05-01 2022-04-05 Method and apparatus for resilient decoy routing without conspiring autonomous systems (as) via distributed hash table (dht) routing

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US16/865,155 Continuation US11297104B2 (en) 2019-05-01 2020-05-01 Method and apparatus for resilient decoy routing without conspiring autonomous systems (AS) via distributed hash table (DHT) routing

Publications (1)

Publication Number Publication Date
US20220303311A1 true US20220303311A1 (en) 2022-09-22

Family

ID=73016767

Family Applications (2)

Application Number Title Priority Date Filing Date
US16/865,155 Active US11297104B2 (en) 2019-05-01 2020-05-01 Method and apparatus for resilient decoy routing without conspiring autonomous systems (AS) via distributed hash table (DHT) routing
US17/714,061 Abandoned US20220303311A1 (en) 2019-05-01 2022-04-05 Method and apparatus for resilient decoy routing without conspiring autonomous systems (as) via distributed hash table (dht) routing

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US16/865,155 Active US11297104B2 (en) 2019-05-01 2020-05-01 Method and apparatus for resilient decoy routing without conspiring autonomous systems (AS) via distributed hash table (DHT) routing

Country Status (1)

Country Link
US (2) US11297104B2 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050094640A1 (en) * 1998-08-19 2005-05-05 Howe Wayne R. Stealth packet switching
US20120311691A1 (en) * 2011-06-01 2012-12-06 Raytheon Bbn Technologies Corp. Systems and methods for decoy routing and covert channel bonding
US20130054832A1 (en) * 2011-08-31 2013-02-28 Brother Kogyo Kabushiki Kaisha Node device, information communication method and computer readable recording medium
US20160021224A1 (en) * 2003-11-12 2016-01-21 Wayne Richard Howe Stealth Packet Communications

Also Published As

Publication number Publication date
US11297104B2 (en) 2022-04-05
US20200351305A1 (en) 2020-11-05

Similar Documents

Publication Publication Date Title
US11848961B2 (en) HTTPS request enrichment
US11683401B2 (en) Correlating packets in communications networks
US9237168B2 (en) Transport layer security traffic control using service name identification
US9848003B2 (en) Voice and video watermark for exfiltration prevention
US11895149B2 (en) Selective traffic processing in a distributed cloud computing network
CN114390049A (en) Application data acquisition method and device
Song et al. Decoupled application data enroute (DECADE) problem statement
US20220303311A1 (en) Method and apparatus for resilient decoy routing without conspiring autonomous systems (as) via distributed hash table (dht) routing
US9825942B2 (en) System and method of authenticating a live video stream
Moghaddam et al. Anonymizing masses: Practical light-weight anonymity at the network level
US20210226815A1 (en) Communications bridge
WO2023020606A1 (en) Method, system and apparatus for hiding source station, and device and storage medium
Jia et al. Anonymity in peer-assisted CDNs: Inference attacks and mitigation
Koch et al. Securing HTTP/3 Web Architecture in the Cloud
Nguyen Proposal for Peer-to-peer chat application using Hole-punching
Cormier et al. Approaches to Securing P2PSIP in MANETs
Nguyen A Literature Review about Peer to Peer Protocol
Reddy et al. RFC 7376 (IETF, Informational, Cisco): Problems with Session Traversal Utilities for NAT (STUN) Long-Term Authentication for Traversal Using Relays around NAT (TURN)
Reddy et al. Problems with Session Traversal Utilities for NAT (STUN) Long-Term Authentication for Traversal Using Relays around NAT (TURN)
Song et al. RFC 6646: DECoupled Application Data Enroute (DECADE) Problem Statement
Shirwadkar The World Wide Web in the Face of Future Internet Architectures
Klimek SK: New approaches to optimizing P2P data transfers
KR20180112511A (en) Method for processing host secretion, apparatus and system using the same
JP2015056803A (en) Communication method, external information processing unit, internal information processing unit, and program

Legal Events

Date Code Title Description

AS Assignment
    Owner name: AMBIT INC., WASHINGTON
    Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KANE, KEVIN P;MCELROY, ANDREW D;REEL/FRAME:059871/0486
    Effective date: 20200501

STPP Information on status: patent application and granting procedure in general
    Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general
    Free format text: NON FINAL ACTION MAILED

STCB Information on status: application discontinuation
    Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION