ditto: WAN Traffic Obfuscation at Line Rate
Abstract
Many large organizations operate dedicated wide area networks (WANs) distinct from the Internet to connect their data centers and remote sites through high-throughput links. While encryption generally protects these WANs well against content eavesdropping, they remain vulnerable to traffic analysis attacks that infer visited websites, watched videos or contents of VoIP calls from analysis of the traffic volume, packet sizes or timing information. Existing techniques to obfuscate Internet traffic are not well suited for WANs as they are either highly inefficient or require modifications to the communication protocols used by end hosts.
This paper presents ditto, a traffic obfuscation system adapted to the requirements of WANs: achieving high-throughput traffic obfuscation at line rate without modifications of end hosts. ditto adds padding to packets and introduces chaff packets to make the resulting obfuscated traffic independent of production traffic with respect to packet sizes, timing and traffic volume.
We evaluate a full implementation of ditto running on programmable switches in the network data plane. Our results show that ditto runs at 100 Gbps line rate and performs with negligible performance overhead up to a realistic traffic load of 70 Gbps per WAN link.
People
BibTex
@INPROCEEDINGS{meier2022ditto,
isbn = {1-891562-74-6},
doi = {10.14722/ndss.2022.24056},
year = {2022-04},
booktitle = {Network and Distributed Systems Security Symposium 2022 (NDSS '22)},
type = {Conference Paper},
author = {Meier, Roland and Lenders, Vincent and Vanbever, Laurent},
size = {17 p.},
abstract = {Many large organizations operate dedicated wide area networks (WANs) distinct from the Internet to connect their data centers and remote sites through high-throughput links. While encryption generally protects these WANs well against content eavesdropping, they remain vulnerable to traffic analysis attacks that infer visited websites, watched videos or contents of VoIP calls from analysis of the traffic volume, packet sizes or timing information. Existing techniques to obfuscate Internet traffic are not well suited for WANs as they are either highly inefficient or require modifications to the communication protocols used by end hosts.This paper presents ditto, a traffic obfuscation system adapted to the requirements of WANs: achieving high-throughput traffic obfuscation at line rate without modifications of end hosts. ditto adds padding to packets and introduces chaff packets to make the resulting obfuscated traffic independent of production traffic with respect to packet sizes, timing and traffic volume.We evaluate a full implementation of ditto running on programmable switches in the network data plane. Our results show that ditto runs at 100 Gbps line rate and performs with negligible performance overhead up to a realistic traffic load of 70 Gbps per WAN link.},
language = {en},
address = {Reston, VA},
publisher = {Internet Society},
title = {ditto: WAN Traffic Obfuscation at Line Rate},
Note = {29th Network and Distributed System Security Symposium (NDSS 2022); Conference Location: San Diego, CA, USA; Conference Date: April 24-28, 2022; Conference lecture held on April 25, 2022.}
}
Research Collection: 20.500.11850/545964