Taxing the Queue: Hindering Middleboxes From Unauthorized Large-Scale Traffic Relaying

When employed by online content providers, access-control policies can be evaded whenever clients masquerade behind a middlebox (MB) that meets the policies. An MB, commonly being the gateway of a virtual private network (VPN), typically contacts the content provider on behalf of the clients it colludes with, and relays the provider's outbound traffic to those clients. We propose a solution to hinder MBs from unauthorized relaying of traffic to a large number of clients. To the best of our knowledge, this is the first work to address this problem. Our solution increases the cost of collusion by leveraging client puzzles in a novel way, and uses network properties to help the content provider detect if its outbound traffic is being further relayed beyond a transport-layer connection. Our evaluation shows that the number of colluding clients follows a hyperbolic decay with the rate of creation of puzzles and the time required to solve a puzzle-both factors are influenced by the content provider, but grows almost linearly with the MB's computational resources.