The Internet has become the preferred mode of communication for people across the world. Many of these people routinely use electronic mail (e-mail), video chatting services such as those offered by Google or Skype, web or microblogs such as Twitter, various social media services such as Facebook, and file transfer systems in the course of their day. To communicate information over the Internet, the information is generally encoded into pieces of data—referred to as IP packets—and transmitted from one location on the Internet to another. Several types of protocols may be transmitted in IP packets. Examples include HTTP packets, voice-over-IP (VoIP) packets, SMTP packets, secure socket layer (SSL) packets and transport layer security (TLS) packets, each having its own particular format and associated communication protocol. Each location on the Internet is typically associated with a unique Internet Protocol (IP) address. By including at least this IP address in the destination IP address field of a packet, the sender enables any router that encounters the packet before it has reached its destination to forward that packet onward toward the location specified by this destination IP address. The IP address of the source of the communication is provided in a source IP address field in the packet.
Communication networks generally include one or more gateways. Gateways are entrance points into and/or exit points from a communication network. Some networks have multiple gateways positioned at various strategic locations in the network. For example, a network may have a separate gateway at each boundary with a different network. In other words, for a packet to travel from one network to another, the packet typically must traverse a gateway on the source network and a second gateway on the destination network. Thus, gateways serve as funnels through which cross-network communications can be monitored, and potentially filtered or blocked.
Many entities, including system administrators on private networks, may block, filter, redirect, intercept, or even modify traffic between clients on their networks and popular or controversial websites or other Internet-based services. Such entities are referred to herein as adversaries. Thus, an adversary is a network service provider that wishes to deny access from clients on its network to a given set of hosts or services in the Internet. A listing of this set of hosts or services is referred to as a “blacklist,” and the set of hosts and services is “blacklisted” as far as the adversary is concerned. A network with an adversary is referred to as a “restricted network,” while one without an adversary is generally referred to as an “unrestricted network.” Most often, adversaries are able to blacklist a set of destinations by leveraging the fact that the unique destination IP address to which a packet is to be delivered is visible (i.e., not hidden and/or encrypted) within the IP packet, so that mid-stream routers are able to recognize this IP address and route the packet appropriately. Because the destination IP address of a packet is visible, it is generally easy for an adversary to filter IP packets destined for a particular blacklisted destination IP address. Because communications from a restricted network to such sites would have to travel through a path including the adversary, it is relatively trivial for the adversary to filter data packets whose destination IP address indicates that they are intended for a blacklisted host or site, and subsequently to discard the filtered packets. This is referred to as IP filtering, and is routinely performed by adversaries across the Internet.
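The IP filtering step just described relies only on the destination field of the IPv4 header being readable in the clear. The following example, added here and not part of the original text, builds minimal IPv4 packets, parses the header (including the header checksum), and applies a gateway blocklist decision to the visible destination address. All addresses and the blocklist are constructed for the example.

```python
import ipaddress
import struct

# Constructed blocklist (not from the page): destinations the filtering gateway discards.
BLOCKLIST = {
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words, as used in the IPv4 header checksum."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) + header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, proto: int = 6, payload: bytes = b"") -> bytes:
    """Build a 20-byte IPv4 header (no options) with a valid checksum, followed by the payload."""
    version_ihl = (4 << 4) | 5            # version 4, header length 5 words
    total_length = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        version_ihl, 0, total_length,      # version/IHL, DSCP/ECN, total length
        0, 0x4000,                         # identification, flags (DF) + fragment offset
        64, proto, 0,                      # TTL, protocol, checksum placeholder
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    checksum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    return header + payload


def parse_ipv4_header(packet: bytes):
    """Return (src, dst, proto) from a raw IPv4 packet, rejecting malformed headers."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 packet")
    header = packet[: ihl * 4]
    # A correct header sums to zero once its own checksum field is included.
    if ipv4_checksum(header) != 0:
        raise ValueError("bad header checksum")
    proto = header[9]
    src = ipaddress.ip_address(header[12:16])
    dst = ipaddress.ip_address(header[16:20])
    return src, dst, proto


def gateway_decision(packet: bytes, blocklist=BLOCKLIST) -> str:
    """The IP filtering step from the text: read the visible destination and drop if blacklisted.

    Malformed packets are dropped as well, since the gateway cannot determine where they go.
    """
    try:
        _src, dst, _proto = parse_ipv4_header(packet)
    except ValueError:
        return "drop"
    if any(dst in net for net in blocklist):
        return "drop"
    return "forward"


if __name__ == "__main__":
    for target in ("203.0.113.5", "192.0.2.20", "198.51.100.7"):
        pkt = build_ipv4_packet("192.0.2.10", target, payload=b"GET / HTTP/1.1")
        print(target, "->", gateway_decision(pkt))
```

Only the header is consulted: the gateway never needs to look at the payload or understand the carried protocol, which is why the text calls this kind of filtering trivial for the adversary.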
In other cases, such IP filtering is used to monitor communications without actually blocking them. For example, an entity on the Internet may monitor which IP addresses attempt to access various websites. This monitoring may be carried out to discover those who attempt to access restricted content, or merely to collect data to mine for commercial gain, for example to guide targeted marketing campaigns. Oftentimes, it is desirable to be able to avoid such monitoring. That is, it may be desirable for an entity on a network that has an adversary that monitors or blocks IP packets to be able to transmit packets to a destination that would normally be blocked by the adversary or network monitor. It also would be desirable for entities to communicate with another entity without an adversary or network monitor being able to trace the communication back to its source. As used herein, the term “covert destination” refers to a destination IP address which the source of the communication wishes to hide from an adversary or monitor. A covert destination need not be a secret Internet location, and transmitting packets of data to a covert destination is not necessarily a part of a clandestine operation, other than with respect to the adversary or monitor or other entity tracking network traffic or communication flows on the Internet. Instead, such destinations are referred to as covert destinations because a technique attempting to circumvent an adversary or monitor would generally require keeping the destination IP address hidden from the adversary.
Existing techniques for avoiding IP filtering, including circumvention proxies and tunnels, have many shortcomings. Essentially, each of these IP filtering circumvention tools makes a packet appear as if it were intended for a destination IP address that is not blocked, namely that of an intermediate router. Nevertheless, the intended destination IP address is visible within the IP packet. These routers, referred to as proxy servers, upon receipt of a packet, generate new packets using their own IP addresses as the source IP address and the actual covert destination IP address as the destination address. The proxy servers, upon receiving return communications, which have the covert destination IP address as the source IP address and the proxy server's IP address as the destination address, forward the packets back to the original source, replacing the source IP address with their own and the destination IP address with the original source's IP address. However, for many of these tools, a list of proxy server IP addresses is published or otherwise readily available, making it easy for an adversary to obtain the list and subsequently block those destination IP addresses. Furthermore, oftentimes these IP addresses do not correspond to existing domain names on the Internet (e.g., google.com), making it even easier for an adversary to detect, enumerate and block these IP addresses. Tunneling tools attempt to create a secure communication channel (e.g., using encryption techniques) between two entities on the Internet over which encrypted packets of data can be sent, but are also associated with a visible list of IP addresses for a handful of servers to which the encrypted packets of data are sent. Examples include TLS, SSL, VPNs, and data over web requests (e.g., HTTPS).
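The proxy address rewriting and its shortcoming described above can be traced end to end with a small model. The following example is added here and is not part of the original text: it represents packets as plain (source, destination, payload) records rather than raw headers, models the adversary's gateway as a blocklist check on the visible destination, and shows three outcomes in sequence: a direct request to the covert destination is dropped; the same request relayed through an unblocked proxy passes, with the proxy substituting its own address on both legs; and once the adversary adds the published proxy address to its blacklist, the relayed request is dropped too. The addresses and the `covert|request` payload convention are constructed for the example; an adversary that inspected payloads rather than headers would find the covert destination there, which is the visibility the text points out.

```python
from dataclasses import dataclass

# Constructed addresses (none come from the page).
CLIENT = "192.0.2.10"      # client inside the restricted network
PROXY = "198.51.100.50"    # circumvention proxy whose address appears on a published list
COVERT = "203.0.113.5"     # blacklisted covert destination


@dataclass
class Packet:
    src: str
    dst: str
    payload: str


class Gateway:
    """The adversary's gateway: drops packets whose visible destination is blacklisted."""

    def __init__(self, blocklist):
        self.blocklist = set(blocklist)
        self.log = []  # (src, dst, decision) as seen on the wire

    def pass_outbound(self, pkt: Packet) -> bool:
        decision = "drop" if pkt.dst in self.blocklist else "forward"
        self.log.append((pkt.src, pkt.dst, decision))
        return decision == "forward"

    def payload_reveals_blacklisted(self, pkt: Packet) -> bool:
        """Deep inspection (not header filtering): is a blacklisted address written in the payload?"""
        return any(addr in pkt.payload for addr in self.blocklist)


class ProxyServer:
    """Rewrites addresses as the text describes: proxy as source, covert host as destination,
    and the reverse mapping on the return path."""

    def __init__(self, address: str):
        self.address = address
        self.sessions = {}  # covert destination -> original client

    def forward(self, pkt: Packet) -> Packet:
        # Constructed convention: the covert destination precedes a '|' in the payload.
        target, _, data = pkt.payload.partition("|")
        self.sessions[target] = pkt.src
        return Packet(src=self.address, dst=target, payload=data)

    def return_to_client(self, pkt: Packet) -> Packet:
        client = self.sessions[pkt.src]
        return Packet(src=self.address, dst=client, payload=pkt.payload)


def proxied_round_trip(gateway: Gateway, proxy: ProxyServer, client: str, covert: str,
                       request: str = "GET /"):
    """One request relayed via the proxy. Returns (reached_covert, reply_as_seen_by_client)."""
    outbound = Packet(src=client, dst=proxy.address, payload=f"{covert}|{request}")
    if not gateway.pass_outbound(outbound):
        return False, None
    to_covert = proxy.forward(outbound)
    # The covert host answers the proxy, never the client directly.
    reply = Packet(src=to_covert.dst, dst=proxy.address, payload="200 OK")
    return True, proxy.return_to_client(reply)


def demo():
    gw = Gateway(blocklist={COVERT})
    proxy = ProxyServer(PROXY)
    # 1. Direct attempt: the visible destination is blacklisted.
    direct_ok = gw.pass_outbound(Packet(CLIENT, COVERT, "GET /"))
    # 2. Via the proxy: the visible destination is the proxy, so the packet passes.
    via_proxy_ok, reply = proxied_round_trip(gw, proxy, CLIENT, COVERT)
    # 3. The adversary obtains the published proxy list and blacklists the proxy.
    gw.blocklist.add(PROXY)
    after_block_ok, _ = proxied_round_trip(gw, proxy, CLIENT, COVERT)
    return direct_ok, via_proxy_ok, reply, after_block_ok, gw


if __name__ == "__main__":
    direct, via, reply, after, gw = demo()
    print("direct:", direct, "| via proxy:", via, "| reply to:", reply.dst, "| after proxy blocked:", after)
    for entry in gw.log:
        print(entry)
```

The gateway log records only what is on the wire: the client talking to the proxy address, never to the covert destination. That is exactly why a published proxy list is enough for the adversary, since adding those addresses to the blacklist restores the block without any payload inspection.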