Slashdot Mirror
Encrypted Traffic No Longer Safe From Throttling
coderrr writes "New research could allow ISPs to selectively block or slow down your encrypted traffic even if they cannot snoop on your transmitted data. Italian researchers have found a way to categorize the type of traffic that is hidden inside an encrypted SSH session to around 90% accuracy. They are achieving this by analyzing packet sizes and inter-packet intervals instead of looking at the content itself. Challenges remain for ISPs to implement this technology, but it's clear that encrypting your traffic inside an SSH session or VPN connection is not a solution to protect net neutrality."
If the application is not time-critical, introducing random jitter would go some way to subverting this, no?
Leela: "Is all the work done by children?" Alien: "No, not the whipping."
You'd think that's how they're doing it, but it doesn't seem to be the case. Rogers customer here, and my SFTP (FTP over SSH) connections go at full-tilt, while BitTorrent has slowed down to a crawl (0-1 KB/sec) on my connection in the past (yes, using the latest uTorrent/Azureus Vuze client, with standard BT MSE/PE encryption enabled).
I don't know what's going on, but I suspect they've already figured out something that these Italian guys are researching now, and they've been able to identify BitTorrent from other encrypted traffic.
Actually, encrypted or not, the way the Sandvine (I think that was the name?) system used by Comcast worked was it just did a traffic analysis - If your upload connection was more than X% saturated for N seconds, the Sandvine appliance would start spoofed RST injection to kill off connections. The only way around this would be a full blown VPN that used an encrypted transport layer. (Encrypted BitTorrent, SSH, and nearly all encrypted protocols except the various VPN systems are an encrypted application stream over an unencrypted TCP session. Even some VPNs use an unencrypted TCP session to tunnel through, making them vulnerable to RST injection.)
retrorocket.o not found, launch anyway?
And in the next (or two) release of SSH implementations, this weakness will, no doubt, be fixed.
Professional cryptographers have known for decades that you don't just switch on your transmitter when you want to send a secret message - no matter how well encrypted it is. The mere fact of traffic is frequently a sizeable tell-tale itself. Instead, you keep your transmitter on 24*7 sending encrypted garbage, with the ability to interleave genuine messages when the need arises. I'm sure that in a short time, the SSH people will remove the ability to profile the transmission to glean anything usable from it.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
how would this work for gaming online? 16 different IP destinations and I play for hours on in. My understanding of Xbox Live is that it is P2P and if they throttle my Halo 3 game, I'm gonna get pwned even more than normal.
Can I bum a sig?
1. Not always true, depends on your provider. Having had various consumer and business packages in the past, most ISPs only push you to a business package if you:
a. Want a static IP
b. Want to run any kind of server
2. In the age of 20mbps consumer connections there is no need for someone who just needs legitimate heavier usage of the connection to not use it. I transfer 100's of gigs a month to and from datacenters around the country for my job. Granted I can get my company to help subsidize that but if I found out my ISP was throttling me I would more than likely take my business elsewhere. I would rather have my company pay for an expensive business package with another provider than give more money to a provider that actively wants to screw me over.
Contractors have an even bigger problem as they don't get their connections subsidized (trust me the tax refund isn't much).
So far my ISP has been pretty good, I called about bandwidth issues once or twice and when asked if I was downloading movies I explained to them what I do. When the rep realizes your just another guy trying to do his job you get all sorts of help.
"Don't mess with him, he taunts the happy fun ball."
Actually, strange you should suggest this, I was working on a small and rather generic package to tunnel data between hosts in this very way, constant rate/constant packet size tunneling, with empty data filled with random noise, and with non-packet-aligned encrypted data overlayed when there is data to actually send. I was going to call it tstunnel. Yes, it is somewhat of an extreme response to an extreme problem.
My ISP already throttles my connection by price. I've currently got 256/768 as that suits my needs. If they were to start throttling any more of my net access (I'm paying for unlimited at 256/768) I'd have their asses in court in a hurry for false advertising and violation of contract, which I have kept the hard copy of from the day I signed up for service.
I was one of the first adopters to get broadband when it became available 6 years ago in my area and according to the original contract (have hardcopy on file) they planned offering tierred service with it being a simple change in minimum speeds and thus not requiring a new contract. I also informed them that I'm worse then a squeaky wheel, I'm like a brake that's gone metal to metal since I'm semi-retired and disabled with plenty of time on my hands to pursue things every time they try to change my contract without consent.
Mod me up/Mod me down: I wont frown as I've no crown
1) Those plugins don't do very much uploading whereas bittorrent users do.
:).
:).
2) Those plugins that do "fetch ahead" tend to stick to fetching from the same few sites - they may make lots of connections but they are to the same few sites (ad webserver, content webserver, icon/widget server etc), and they stop at some point - otherwise your browser would be downloading the entire internet (and AFAIK they don't do that). And really they definitely don't upload much.
Personally I think the US ISPs are scumbags not because they throttle, but because it seems they took USD 200 billion and promised to deliver 45Mbps up/down.
But after taking that 200 billion, more than ten years later their users have still only got DSL and cable, and they're getting throttled.
Too bad most of the users don't appear to know how screwed they really got. They should ask for the ISPs to build the infrastructure NOW.
But I suppose given a big enough crime, you are more likely to get away with it
Cheat one person of money and it's jail time. Cheat 10 people and it's longer jail time. Cheat 100000 people, and you become a rich CEO and the board gives you a big fat bonus.
Kill one person you get a life sentence or death row. Kill 20 people, people start asking for you to be executed. Get thousands of people killed, who knows you might get elected president
Okay, before everyone starts their throttling engines for war please remember the following:
A: ISP's are not throttling data because of bandwidth, they are throttling because of latency. If you do not understand the difference, here is a simple way to look at it
A router can handle a million packets a second let say. Wether the packet is a size of 10 or a size of 1000 it still can only handle a million packets. Bandwidth is how many seats on the bus (or if all the buses had the same number of seats, how many lanes on the road), latency is how fast the bus is going. A router it a toll gate. Too many buses, regardless of how many seats, will bog down the toll gate. P2P is very chatty in the number of packets and depending on how it sliced the data, lots of big chunks, or a whole hella lot of small chunks. Either way the guy working the toll gate is going to go postal at some point.
B: Encryption, your rights online, data type, freedom, and all of that supurious crap we like to toss around means nothing when: "You sign a contract." While I am not a lawyer I am an informed customer (I read the small print). When you sign up for Internet service, regardless of what you feel, or in fact what your rights are, you can and do sign most of those away when you sign up for a commerical service. If they say that you cannot encrypt your P2P traffic and you do; thus losing your service... that is more then acceptable under most nations idea of contract law. You have no right to privacy if you sign a contract that gives them the right to look.
Keeping A & B in mind please feel free to march forward with your discussions but, the most important thing to remember, is point A. Telling people there is plenty of bandwidth has LITTLE IF ANYTHING to do with throttling as far as I can tell. I watched 3 hearing on CSPAN and not one rep from the big three telecoms mentioned BANDWIDTH as a reason, but I did hear 18 engineers talk about routers, MTU initiated fragments, and total packets per second capacities on core routers, and I did keep count of bandwidth vs. latency.
Bandwidth Mentioned: 34 times
Latency: 400+ times (I ran out of chicken scratch space on the page and gave up...)
Now I admit I did doze off after 30 minutes of an engineer trying to explain to a senate committee the difference between TCP and UDP but I am human after all.
Now certainly there is some complexity in latency and bandwidth in how they are related and from what I have heard fiber does take care of a lot of the latency issues (signal to noise ratio seemed to be a big talking point from some AT&T engiee who looked like Dracula) so feel free to toss that into the discussions.
But seriously, this whole filtering stuff has nothing to do with bandwith, so please, please, please, stop with the bad 3rd party reporting. We have already seen on /. that the ISPs aren't hurting for bandwidth.
Getting accurate information from the mainstream press on Internet filtering is like asking a caveman to fix your car... all he's gonna do is smash it with a rock.
-=[ Who Is John Galt? ]=-
No, it's not. But it could be a defense with the FCC/Congress or other regulatory agencies. Just wait until some Congresscritter can't VPN back into his office because of a policy like this -- that's when attention will start being paid to these issues.
Kind of like how nobody in power gave a shit about the Gestapo^WTSA until some Congressman/Senator had to take HIS shoes off or found HIMSELF on the no fly list.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
The ultimate solution would be to ban last-mile owners from providing any services at all. No voice, no video, no data. They exist to provide copper and/or fiber to subscriber premises, and to operate central offices as colocation facilities. That's all. Nothing else.
Then, anyone who wants to provide services, simply colocates their head end equipment at the central offices in areas where they wish to provide service. At that point it doesn't matter whether they're offering video, voice, data, local or long distance, Internet or private lines, it just doesn't matter because the central office is shared between as many providers as will fit in the building.
We need to separate the last mile land-use monopoly from the services being provided. There should be no such thing as an ILEC.
Tired of FB/Google censorship? Visit UNCENSORED!
Huh, that's funny. My understanding, from talking with many people who work for a certain (unnamed) ISP, the biggest problem is streaming media, not bittorrent, and as such most users would NOT find metered internet to be cheaper at all.