ditto: WAN Traffic Obfuscation at Line Rate

Roland Meier (ETH Zürich), Vincent Lenders (armasuisse), Laurent Vanbever (ETH Zürich)

Many large organizations operate dedicated wide area networks (WANs) distinct
from the Internet to connect their data centers and remote sites through
high-throughput links. While encryption generally protects these WANs well
against content eavesdropping, they remain vulnerable to traffic analysis
attacks that infer visited websites, watched videos or contents of VoIP calls
from analysis of the traffic volume, packet sizes or timing information.
Existing techniques to obfuscate Internet traffic are not well suited for WANs
as they are either highly inefficient or require modifications to the
communication protocols used by end hosts.

This paper presents ditto, a traffic obfuscation system adapted to the
requirements of WANs: achieving high-throughput traffic obfuscation at line rate
without modifications of end hosts. ditto adds padding to packets and
introduces chaff packets to make the resulting obfuscated traffic independent of
production traffic with respect to packet sizes, timing and traffic volume.
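
A simplified model of the padding-and-chaff idea described above, added here as an illustration; it is not ditto's implementation or the authors' code. The fixed size pattern, the slot interval and the sample flows are constructed assumptions, chosen to show that the observable trace is the same whatever the production traffic looks like.

```python
from collections import deque

# Constructed parameters (assumptions, not taken from the paper).
PATTERN = [600, 1500, 1000]   # wire packet sizes in bytes, repeated forever
INTERVAL = 1.0                # time between wire packets (arbitrary unit)

def obfuscate(arrivals, n_slots, pattern=PATTERN, interval=INTERVAL):
    """Shape production packets onto a fixed size/timing pattern.

    arrivals: list of (arrival_time, size_bytes), sorted by time.
    Returns (wire, leftover): wire holds one (time, wire_size, kind,
    padding_bytes) tuple per slot; leftover holds packets still queued.
    """
    pending = deque(arrivals)
    wire = []
    for slot in range(n_slots):
        now = slot * interval
        slot_size = pattern[slot % len(pattern)]
        head = pending[0] if pending else None
        # Send the head packet only if it has arrived and fits this slot;
        # FIFO order is kept, so a large head packet waits for a large slot.
        if head and head[0] <= now and head[1] <= slot_size:
            pending.popleft()
            wire.append((now, slot_size, "real", slot_size - head[1]))
        else:
            # Nothing eligible: fill the slot with a chaff packet.
            wire.append((now, slot_size, "chaff", slot_size))
    return wire, list(pending)

def observable(wire):
    """What an eavesdropper on the encrypted link sees: time and size only."""
    return [(t, size) for t, size, _kind, _pad in wire]

def overhead_bytes(wire):
    """Bytes on the wire that carry no production data."""
    return sum(pad for _t, _size, _kind, pad in wire)

# Constructed sample flows with very different shapes.
WEB_BURST = [(0.0, 1400), (0.1, 1400), (0.2, 200), (5.0, 90)]
VOIP_LIKE = [(float(t), 160) for t in range(0, 10, 2)]
IDLE = []

if __name__ == "__main__":
    for name, flow in [("web", WEB_BURST), ("voip", VOIP_LIKE), ("idle", IDLE)]:
        wire, left = obfuscate(flow, 12)
        print(name, [k for _, _, k, _ in wire], overhead_bytes(wire), left)
```

In this model the price of independence shows up as padding and chaff bytes and as queuing delay for packets that must wait for a large enough slot.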

We evaluate a full implementation of ditto running on programmable switches in
the network data plane. Our results show that ditto runs at 100 Gbps line rate
and incurs negligible performance overhead up to a realistic traffic load
of 70 Gbps per WAN link.