Ask Slashdot: How To Diagnose Traffic Throttling and Work Around It?

Aguazul2 writes "I live in Peru and use OpenVPN to connect to my own Linux VPS in the UK for non-live TV. Recently the VPN connection has slowed to a crawl (5% previous rate). Further investigation shows that all connections to my VPS from Peru (even HTTP) are equally slow, whilst the rest of the 'net seems fine. My VPS host says they do no traffic shaping, and connections from Germany to the VPS are fast. This leaves the NSA and Telefonica (Movistar) as suspects. Could the NSA be slowing all VPNs to/from South America because of Snowden and Greenwald? A traceroute shows traffic going through domains with NYC in their name — are my packets being indefinitely detained in transit? Or maybe it is Telefonica and their Sandvine traffic management? Either way this certainly isn't network neutrality, especially on an 'unlimited' plan. Is there a way to tell for certain who is throttling me? If Telefonica have throttled traffic to/from that one IP address, what options do I have to work around it? It seems that separate connections are throttled independently, so can I multiplex over many UDP ports without having to hack OpenVPN myself? This is really frustrating, especially with two untrustworthy parties on the route. I wonder, is this kind of mess the future of the internet?"


  1. I use longer words by For a Free Internet · · Score: 4, Funny

    Try breaking free of the binary straightjacket. I transmit all my data in ternary and it is untraceable and unstoppable. This gives me unlimitered bandwidsh to post my brilliant world-changing essays and thoughts on Slashdort, the Facebook of the Internet!

    --
    UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
    1. Re:I use longer words by WindBourne · · Score: 4, Insightful

      Actually, we think that the original poster is the one without a sense of humor.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    2. Re:I use longer words by Kjella · · Score: 2

      Ah, using the evil bit I see... don't move, unmarked black choppers will be with you shortly.

      --
      Live today, because you never know what tomorrow brings
  2. NSA by Dan East · · Score: 5, Insightful

    I've had a client I provide consulting for suggest that their poor connectivity is also in some way due to the NSA. People need to understand that it is paramount to the NSA that they are covert. They do not need to do real-time processing of the data: that is only necessary for filtering. It suffices for them to simply capture raw data for later analysis or decryption as necessary. Of course capturing data does not result in any slowdown or other noticeable effects. It does not make any sense whatsoever for the NSA to be slowing or otherwise blocking connectivity, as that is counterproductive to the acquisition of intelligence data.

    It's just amusing to me to see NSA as the scapegoat of the day for any quirk anyone experiences related to computers or connectivity in general.

    --
    Better known as 318230.
    1. Re:NSA by houstonbofh · · Score: 5, Funny

      It's just amusing to me to see NSA as the scapegoat of the day for any quirk anyone experiences related to computers or connectivity in general.

      No one ever got fired for buying... I mean blaming the NSA. :)

    2. Re:NSA by hedwards · · Score: 5, Informative

      Indeed.
      But, even in China where they do filter the internet, there isn't any real throttling that goes on; the main thing I saw when I was there was abysmal latency. It would have the effect of killing off websites that weren't blocked, when the website was expecting to load dozens of scripts from various other servers. Each one would have up to 2.5 seconds of latency attached. And yes, that is seconds; not often, but there were a few times when my ping was measurable with a human timer.

      More likely, this is some sort of broken link somewhere along the way that's resulting in the traffic being slowed.

    3. Re:NSA by whoever57 · · Score: 5, Interesting

      People need to understand that it is paramount to the NSA that they are covert.

      Indeed. When working for a company that sold telecom and networking IP blocks, we received more than one request for the receive part ONLY of an Ethernet MAC. The companies that enquired did not make test equipment, but were known for secrecy and selling to the US government. What possible reason does such a company have for an Ethernet MAC that receives only?

      --
      The real "Libtards" are the Libertarians!
    4. Re:NSA by ron_ivi · · Score: 4, Interesting

      It suffices for them to simply capture raw data

      Lol. You have no idea what suffices for them.

      And even if "capture raw data" suffices - if the bandwidth to their traffic capturing room is at capacity, they very well may tell the upstream switches to slow down so they can "capture [all] raw data".

      Until there's enough transparency, it's at least as reasonable to blame the NSA for using lots of bandwidth to cause congestion as it is to blame all those movie pirates for using all the bandwidth.

    5. Re:NSA by larry bagina · · Score: 5, Funny

      Unless you're an NSA whistleblower, in which case you are fired and prosecuted.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    6. Re:NSA by hacker · · Score: 4, Interesting

      They do not need to do real-time processing of the data: that is only necessary for filtering.

      That may be true for passive surveillance (http traffic, emails, IMs), but most-definitely not for VPNs, as in this specific case.

      You absolutely need to trap the packets in real time in order to actually break the VPN connection open so you can get at the actual payload (cleartext, post-decrypted) data within the stream. The initial cryptographic handshake has to be captured, in order for them to peel it open and get inside.

      You can't do that days later, when all you have is an encrypted stream of bits.

    7. Re:NSA by girlintraining · · Score: 5, Insightful

      It does not make any sense whatsoever for the NSA to be slowing or otherwise blocking connectivity, as that is counterproductive to the acquisition of intelligence data.

      That's generally true. The NSA is competent. But not all government agencies are... and not all of those agencies work for the United States either. So I can't conclusively tell you (nor can anyone else) that it isn't the result of some law enforcement action that's causing your internet connection to behave strangely. What I can tell you, is that it's pretty unlikely.

      The more likely explanation is QoS being implemented that targets either based on IP, subnet, port, or content. Content-aware QoS is pretty rare, but it is out there. Alternatively, it could be a misconfigured router, or an oversaturated link. Traceroute and measuring the latency during TCP handshakes to various ports both to the destination of interest and elsewhere would help identify this. Lastly, it may not even be network-related; it could be the server itself that is slow, or the application it is running on. In today's 'cloud all the things!' service model, there are all kinds of weird performance glitches due to complex interactions within the cluster. For example... several data centers bought the (server) farm during the last addition of a leap second, as circuit breakers tripped out due to sudden load spikes.

      The fact is, without a lot more information from the OP, this question simply can't be answered. It could be one of dozens of different things... all we can do is give odds on the likelihood of what it might be... and I'd put the NSA pretty far down the list. The 'NSA Effect' is the same thing happening now in the media that caused people to beat the crap out of random muslims out of 9/11, or jerkwads in Florida to shoot black kids -- perception and media attention creates a new social reality. Social reality is not based in actual reality, however... but it's stuff like this that gives rise to all kinds of prejudices -- racism, sexism, religious persecution... it's ironic that the NSA's surveillance policies are based on such faulty logic ... and now they are the victim of it as well. Ah, but I digress... short answer: Your router doesn't need a tin foil hat.

      --
      #fuckbeta #iamslashdot #dicemustdie
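The handshake-timing check girlintraining suggests, as an added example that is not part of the thread: it times only the TCP three-way handshake (connect() returns when SYN / SYN-ACK / ACK completes) to several ports on one host, so that a port singled out by QoS shows up against the ports that share the same path. The local listeners, the closed port and the thresholds (x5 the fastest port and more than 50 ms above it) are constructed for this example; in real use you would point it at the VPS and at a reference host on the same route.

```python
import socket
import statistics
import threading
import time


def start_local_listener():
    """Constructed stand-in for a remote service: accepts and immediately closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free port
    srv.listen(16)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def closed_local_port():
    """Constructed example of a port with nothing listening (connection refused)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


def handshake_latency_ms(host, port, samples=5, timeout=3.0):
    """Time the handshake only: no TLS, no application data, so shaping that
    kicks in later on a flow is invisible here. Returns (median_ms or None, failures)."""
    times, failures = [], 0
    for _ in range(samples):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        t0 = time.perf_counter()
        try:
            s.connect((host, port))
            times.append((time.perf_counter() - t0) * 1000.0)
        except OSError:                 # refused, timed out, unreachable
            failures += 1
        finally:
            s.close()
    return (statistics.median(times) if times else None), failures


def compare_ports(host, ports, samples=5):
    """Probe several ports on one host. They all share the same path, so a port that
    is both much slower than the fastest one and slower by more than jitter explains
    is a candidate for port-based QoS; a port that never answers is a block."""
    results = {p: handshake_latency_ms(host, p, samples) for p in ports}
    medians = [m for m, _ in results.values() if m is not None]
    baseline = min(medians) if medians else None
    report = {}
    for p, (median, failures) in results.items():
        if median is None:
            verdict = "unreachable"
        elif baseline is not None and median > 5 * baseline and median - baseline > 50:
            verdict = "suspect"
        else:
            verdict = "ok"
        report[p] = {"median_ms": median, "failures": failures, "verdict": verdict}
    return report


if __name__ == "__main__":
    _srv, open_port = start_local_listener()
    for port, r in compare_ports("127.0.0.1", [open_port, closed_local_port()]).items():
        print(port, r)
```

Run the same probe against the VPS and against a host in the same data centre or region: same ports slow everywhere means path, only the VPS slow means that address is targeted (or the server itself is sick). A clean handshake does not rule out throttling, since most shapers rate-limit the flow after it is established; pair this with a throughput test.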
    8. Re:NSA by noh8rz10 · · Score: 4, Insightful

      WOW is this what the world is coming to? anywhere in the world, when there's a bad internet connection, the first question is "is the NSA throttling me?" HINT: the NSA won't throttle you, they'll spy on everything you do.

    9. Re:NSA by icebike · · Score: 2

      It does not make any sense whatsoever for the NSA to be slowing or otherwise blocking connectivity, as that is counterproductive to the acquisition of intelligence data.

      Normally I would agree with you, but since "THEY" (the generic they) are forcing Presidential planes to land, detaining boyfriends, seizing electronics, what makes you so sure some arm of the US government isn't deliberately slowing or blocking binary transfer streams in an attempt to stop Snowden's 400-gigabyte cache of information from spreading?

      (I suspect his Peru ISP is lying to him, but still I consider the possibility of intentional interference).

      --
      Sig Battery depleted. Reverting to safe mode.
    10. Re:NSA by noh8rz10 · · Score: 2

      what is an encrypted VPN? I thought all VPNs were encrypted?

    11. Re:NSA by arekin · · Score: 5, Funny

      Hi, my facebook won't load and is showing more ads when it does. Do you think this could be the NSA snooping on my facebook and pushing me to buy audiobooks that will contain subliminal messages to hate Snowden and freedom?

      --
      Disagreeing with you does not make me a troll.
    12. Re:NSA by Antique Geekmeister · · Score: 4, Insightful

      Given that they did, in fact, cause poor connectivity for critical west coast trunk connections at AT&T with the "bent fiber optic" taps installed in Room 641A, it seems that interfering with a typical customer's bandwidth is not their highest priority. While there are ways in many environments to tap data surreptitiously and at full bandwidth, such setups are often quite expensive and instead done with less sophisticated, possibly slower devices and bandwidth throttled to allow full data capture.

      I've certainly seen this in industry when monitoring a network problem, where we throttled the bandwidth so our monitors could keep up and analyze who was abusing our systems.

    13. Re:NSA by Em Adespoton · · Score: 5, Informative

      But the NSA isn't in the business of routing data; it's in the business of mirroring data. This means that you get something like:

      source
              |
      router A
              |
      router B --> NSA
              |
      router C
              |
      destination

      So if router B is up to the task of sending the signal down a fixed path as well as whatever BGP indicates, there should be no slowdown. If it isn't, that's going to be a constant issue, not something that varies. It's either good enough for the volume of data it is exposed to, or it isn't. There's no analysis happening at the router, and the NSA isn't doing stateful inspection.

      More likely a QoS issue by some stateful router in the hop chain, or even a corrupted BGP table.

    14. Re:NSA by dubbreak · · Score: 3, Insightful

      You can type in full words with very little overhead.

      --
      "If you are going through hell, keep going." - Winston Churchill
    15. Re:NSA by _merlin · · Score: 5, Informative

      In finance we use them for performance monitoring and debugging. You have machines with CDMA or GPS time sources logging packets captured from passive taps on each side of your switches, routers, servers, etc. It lets you produce very accurate and detailed latency statistics. Also when things go wrong you have an exact record of everything that went in or out on the network to help you reproduce and fix it. Admittedly we don't actually get NICs with the transmit functionality removed, but the passive taps prevent anything transmitted from going anywhere, so we get a similar effect.

    16. Re:NSA by sacrilicious · · Score: 2

      it is paramount to the NSA that they are covert.

      Not any more.

      --
      - First they ignore you, then they laugh at you, then ???, then profit.
    17. Re:NSA by M. Baranczak · · Score: 2

      He's using a new form of encryption. I bet even the NSA won't be able to crack that one.

    18. Re:NSA by Anonymous Coward · · Score: 5, Insightful

      Yeah, NSA tech guy, we really don't think you should be listening in on our business plan and buying up stock before we announce the acquisition...
      Lotta non-political reasons why a person might want to encrypt communications. I do have something to hide AND I'm not doing anything wrong.

    19. Re:NSA by real-modo · · Score: 4, Funny

      Yes.

      Better stop using Facebook--in fact, the entire internet--now. Discuss this feeling of yours with your doctor, and then use all the free time you'll have to learn scrimshaw and grow tomatoes.

    20. Re:NSA by AK Marc · · Score: 2
      Kim Dotcom identified NSA tapping before the raid on him due to his connection being re-routed to go through the tapping gear. If the NSA wanted to install gear just for him, it would never have been known. But he identified NSA tapping because they do, in practice, cause issues on lines they tap (outside the USA, in the USA, they get a secret warrant and the LI rules require the local phone company tap for them).

      It's just amusing to me to see NSA as the scapegoat of the day for any quirk anyone experiences related to computers or connectivity in general.

      It's just amusing to me to see people like you indicate it's impossible, when it's provably happened before, and nothing's been done to stop it from being done again.

    21. Re: NSA by maxwell demon · · Score: 2

      Because the FBI is doing US domestic surveillance. The NSA is doing non-domestic surveillance. And I don't think Peru is part of the US.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    22. Re:NSA by Tyr07 · · Score: 2

      Actually that's not entirely true. You're basing it on an entirely technical standpoint of 'If I have control over this device, do I need it to slow down the internet as a side effect of me capturing their packets?' The answer is no. The issue is when a target's traffic is not routed through the most ideal pathway and through devices you do not control to capture packets. Or the device itself does not have the ability to do it. An example would be a major node where a ton of traffic goes through; it may not be practical for routing reasons for it to sift and record a specific IP's traffic, or all of it, etc. What you might be able to do is route that specific IP's traffic somewhere else, which then records the packets and forwards them on to their destination. A man-in-the-middle attack. The problem you run into is that your network path is no longer optimal, which leaves you getting latency issues. Although not directly due to the recording of the packets, but due to the altered pathway to direct your traffic. If a recording server is in New York, and you live in California, and connect to a California service, you may notice a delay if it gets routed to New York first.

    23. Re:NSA by Kjella · · Score: 3, Interesting

      What possible reason does such a company have for an Ethernet MAC that receives only?

      Anything from a higher classified system that is to deliver data to a lower classified system, for example you need to get data from extremely sensitive military satellites to battle commanders in the field and it needs to happen in real time, you can't have total network separation. Then you generate a one-way feed where there is physically no possible way for anyone to connect to the feed and hack themselves backwards through routers into the satellites. And of course you put a ton of code review, surveillance and logging on the sending system to make sure it doesn't send more than it should, but that's not relevant to this discussion. So there's a lot of valid reasons for the military to buy this besides the NSA.

      --
      Live today, because you never know what tomorrow brings
    24. Re:NSA by AmiMoJo · · Score: 4, Interesting

      I seem to recall that Kim Dotcom realized he was being spied on long before the raids due to seeing his latency spike and seeing that traffic was being routed an odd way.

      I think you overestimate the NSA's competence. Snowden was a leak waiting to happen. Read Bruce Schneier's analysis.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    25. Re:NSA by heypete · · Score: 4, Informative

      You absolutely need to trap the packets in real time in order to actually break the VPN connection open so you can get at the actual payload (cleartext, post-decrypted) data within the stream. The initial cryptographic handshake has to be captured, in order for them to peel it open and get inside.

      You can't do that days later, when all you have is an encrypted stream of bits.

      I'm not sure I follow: how would capturing the cryptographic handshake help with "peeling open" the VPN connection? The handshake itself is secure: OpenVPN running in TLS mode (the most common mode) exchanges symmetric keys using an ephemeral Diffie-Hellman key exchange, with the exchanged key signed by the server's RSA key. Both client and server authenticate to each other using certificates, so they can be sure that there's no man-in-the-middle. Unless one knows how to solve the Diffie-Hellman problem, and provided one has a sensible configuration (i.e., sufficiently large DH parameters and RSA keys, good choice of symmetric cipher, etc.), capturing the cryptographic handshake doesn't really gain the attacker anything.
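The exchange heypete describes, as an added example that is not part of the thread and not OpenVPN's own code: an ephemeral Diffie-Hellman agreement with the passive tap's view made explicit. Assumptions: the group is RFC 3526 group 14 (2048-bit MODP, g = 2), transcribed here and checked at runtime by a primality test; exponents are fresh 256-bit values per session; the key derivation is a simplified HMAC-SHA256 stand-in for the TLS PRF; the RSA signature over the exchange and the certificate checks (the part that stops an active man-in-the-middle) are left out.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14 prime, transcribed here; group_is_sound() verifies the copy.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def is_probable_prime(n, rounds=8):
    """Miller-Rabin with random bases; false positives are negligible at 8 rounds."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_sound():
    """Sanity-check the transcribed constant: a 2048-bit safe prime p = 2q + 1."""
    q = (P - 1) // 2
    return P.bit_length() == 2048 and is_probable_prime(P, 4) and is_probable_prime(q, 4)


def ephemeral_keypair():
    """Fresh exponent per session; 256 bits is ample for a 2048-bit group."""
    x = secrets.randbits(256) | (1 << 255)
    return x, pow(G, x, P)


def shared_secret(own_private, peer_public):
    """Refuse degenerate peer values (0, 1, p-1, out of range) before exponentiating;
    accepting them would let an active attacker force a predictable secret."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, P)


def rejects_degenerate(value):
    """True if shared_secret() refuses the given peer value."""
    try:
        shared_secret(12345, value)
    except ValueError:
        return True
    return False


def derive_key(secret, transcript):
    """Simplified KDF: HMAC-SHA256 keyed by the shared secret over the public transcript."""
    ikm = secret.to_bytes(256, "big")
    return hmac.new(ikm, b"demo-session-key|" + transcript, hashlib.sha256).digest()


def run_handshake():
    """Client and server each keep an exponent; only the public values cross the wire."""
    a, A = ephemeral_keypair()      # client side
    b, B = ephemeral_keypair()      # server side
    transcript = A.to_bytes(256, "big") + B.to_bytes(256, "big")   # all a passive tap records
    client_key = derive_key(shared_secret(a, B), transcript)
    server_key = derive_key(shared_secret(b, A), transcript)
    # a and b are never sent and are dropped here: even a later compromise of the
    # server's long-term signing key gives the tap nothing to recover this key with.
    del a, b
    return {"client_key": client_key, "server_key": server_key, "captured": transcript}


if __name__ == "__main__":
    print("group ok:", group_is_sound())
    hs = run_handshake()
    print("keys agree:", hs["client_key"] == hs["server_key"])
    print("tap holds", len(hs["captured"]), "bytes of public values and nothing else")
```

What the tap ends up with is `captured`, two group elements; turning those into the session key is the discrete-log problem in a 2048-bit group. The configuration points heypete lists map directly onto this code: the size of P, the freshness of the exponents, and the range check on the peer's value.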

    26. Re:NSA by Aguazul2 · · Score: 2

      The 'NSA Effect' is the same thing happening now in the media that caused people to beat the crap out of random muslims out of 9/11, or jerkwads in Florida to shoot black kids -- perception and media attention creates a new social reality. Social reality is not based in actual reality, however... but it's stuff like this that gives rise to all kinds of prejudices -- racism, sexism, religious persecution... it's ironic that the NSA's surveillance policies are based on such faulty logic ... and now they are the victim of it as well. Ah, but I digress... short answer: Your router doesn't need a tin foil hat.

      The "NSA effect" introduces doubt. There is someone watching my traffic, and they would probably meddle with it if they could get away with it and had the resources. What if all 'suspicious' encrypted streams were slowed at various choke-points on the internet in the name of national security -- i.e. "if we can't see what you're sending then your traffic will be penalised"? Wouldn't they love to do that? What kind of internet would that be? I don't think that is entirely paranoia.

    27. Re:NSA by Jah-Wren Ryel · · Score: 4, Informative

      Anything from a higher classified system that is to deliver data to a lower classified system,

      The projects I worked on called it a data diode.

      --
      When information is power, privacy is freedom.
    28. Re:NSA by hedwards · · Score: 2

      That's an easy assumption, but it's not correct. The sites that are blocked will just time out because the DNS won't connect you, but most of the sites that I observed to be affected would load from time to time; they just took forever to load. And once they did load, there was nothing about China and nothing that they're usually blocking. Sites like the NYT do get blocked, but sites that just carry Chinese lessons and other innocuous content don't normally get blocked.

      The main reason for the latency is that China controls access to DNS servers and you're only supposed to use those DNS servers. So, they tend to be overcrowded, and sites that are just located a long distance away can appear to be blocked.

    29. Re:NSA by jeff4747 · · Score: 2

      Traffic was slow on the drive home yesterday.

      Damn NSA!!

    30. Re:NSA by Antique Geekmeister · · Score: 2

      In order to monitor effectively, they need to make sure there is no alternative route, or technology, for the data which they cannot also effectively monitor. This was precisely why they tapped the fiber at the AT&T facility in "Room 641" in San Francisco. It's also why telecom companies are forbidden, by law, from using technologies that do not have law enforcement monitoring capacity built in.

      So, in your diagram, that "router B" needs to be a core router which cannot be evaded by alternative routing or load balancing, such as a security-aware customer electing to use a slower, but more secure, router by manipulating their BGP tables. Such hand modification of BGP tables is quite commonplace, for economic and social reasons.

  3. Passive monitoring is all that is necessary by Anonymous Coward · · Score: 3, Informative

    You are seriously lacking basic data telecommunications experience. All government tapping is span port based. This means that it is passive, not active, so there is no latency involved.

    1. Re:Passive monitoring is all that is necessary by h4rr4r · · Score: 4, Informative
  4. Traffic Intercept and VPN by AaronW · · Score: 5, Informative

    Years ago I worked on a broadband remote access server and one requirement we got was to support lawful traffic interception. Basically all law enforcement wanted was a copy of all of the packets. Packets are not slowed down or stopped by this process.

    In my case the hardware was just not capable of doing what was needed but there was plenty of off the shelf hardware that could be installed in the network to provide the filtering and packet mirroring needed.

    It is possible that one of the VPN's upstream providers is running into congestion. One of the best ways I have found is to use traceroute. At one time I was getting unusable Internet connectivity through AT&T after they acquired my local cable modem network from @Home. It took them many months to discover that throttling all aggregate upstream traffic to 128Kbps is a bad idea. As much as people bitch and moan about Comcast, it is lightyears better than anything I got through AT&T. In this case, traceroute clearly showed where packets were getting delayed and dropped, which was one of the routers inside AT&T.

    Unfortunately, for a VPN this is much more difficult since the Internet hops are hidden via the tunnel.

    There are many different ways to tunnel traffic. If the tunnel is Microsoft's PPTP protocol then it's not very secure. If on the other hand it is using IPSec then it should be a lot more secure. There are also other tunneling protocols that do not specify any encryption, i.e. MPLS.

    --
    This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
    1. Re:Traffic Intercept and VPN by whoever57 · · Score: 3, Interesting

      At one time I was getting unusable Internet connectivity through AT&T after they acquired my local cable modem network from @Home. It took them many months to discover that throttling all aggregate upstream traffic to 128Kbps is a bad idea. As much as people bitch and moan about Comcast, it is lightyears better than anything I got through AT&T.

      When AT&T was providing cable Internet to me, there was a time when my IPSEC VPN did not work. The VPN apparently connected, but data traffic never made it through. Other people complained, but AT&T claimed they were doing nothing to VPNs. Using tcpdump at both ends, I could see that the media (udp/500) was not getting through while the AH and ESP packets (required to set up the connection) were getting through. Clearly AT&T was blocking VPNs, but in such a way that it would not be obvious to the average user what was wrong. Pure evil.

      --
      The real "Libtards" are the Libertarians!
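The two-ended tcpdump comparison whoever57 describes, as an added example that is not part of the thread: a capture from the client and one from the server are reduced to traffic classes and the delivery ratio per class is reported, so that one class vanishing while the others arrive intact (selective blocking) is distinguished from uniform loss (congestion). Both captures are constructed for this example in tcpdump's one-line style; in this constructed scenario the IKE (udp/500) exchange and an SSH session pass while the ESP data packets are dropped in transit, and the client sits behind NAT, which is why the source address is ignored when keying.

```python
import re
from collections import Counter

# "<time> IP <src> > <dst>: <rest>" as tcpdump prints the simple cases used here
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")

# Constructed capture taken on the client (tcpdump -ni eth0 host 203.0.113.5)
CLIENT_CAPTURE = [
    "10:00:00.000100 IP 10.0.0.2.500 > 203.0.113.5.500: isakmp: phase 1 I ident",
    "10:00:00.120400 IP 10.0.0.2.500 > 203.0.113.5.500: isakmp: phase 1 I ident",
    "10:00:00.300900 IP 10.0.0.2.500 > 203.0.113.5.500: isakmp: phase 2/others I oakley-quick",
] + [
    f"10:00:01.{i:06d} IP 10.0.0.2 > 203.0.113.5: ESP(spi=0x0a1b2c3d,seq=0x{i + 1:x}), length 116"
    for i in range(20)
] + [
    "10:00:02.000000 IP 10.0.0.2.51234 > 203.0.113.5.22: Flags [S], seq 1, win 64240, length 0",
    "10:00:02.250000 IP 10.0.0.2.51234 > 203.0.113.5.22: Flags [.], ack 1, win 502, length 0",
    "10:00:02.260000 IP 10.0.0.2.51234 > 203.0.113.5.22: Flags [P.], seq 1:33, ack 1, win 502, length 32",
]

# Constructed capture taken on the server at the same time: IKE and SSH arrive,
# ESP never does. The client is behind NAT, so its source address differs here.
SERVER_CAPTURE = [
    "10:00:00.240100 IP 198.51.100.7.500 > 203.0.113.5.500: isakmp: phase 1 I ident",
    "10:00:00.360400 IP 198.51.100.7.500 > 203.0.113.5.500: isakmp: phase 1 I ident",
    "10:00:00.540900 IP 198.51.100.7.500 > 203.0.113.5.500: isakmp: phase 2/others I oakley-quick",
    "10:00:02.240000 IP 198.51.100.7.51234 > 203.0.113.5.22: Flags [S], seq 1, win 64240, length 0",
    "10:00:02.490000 IP 198.51.100.7.51234 > 203.0.113.5.22: Flags [.], ack 1, win 502, length 0",
    "10:00:02.500000 IP 198.51.100.7.51234 > 203.0.113.5.22: Flags [P.], seq 1:33, ack 1, win 502, length 32",
]


def flow_key(line):
    """Reduce a line to (traffic class, destination host). The source is left out
    because NAT rewrites it between the two capture points."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dst, rest = m.group("dst"), m.group("rest")
    if rest.startswith("ESP("):
        return ("esp", dst)
    if rest.startswith("AH("):
        return ("ah", dst)
    host, _, port = dst.rpartition(".")      # tcpdump writes host.port for TCP/UDP
    if not port.isdigit():
        return None
    proto = "tcp" if rest.startswith("Flags") else "udp"
    return (f"{proto}/{port}", host)


def delivery_report(sent_lines, seen_lines):
    """Per class: packets that left the client, packets that reached the server, ratio."""
    sent = Counter(k for k in map(flow_key, sent_lines) if k)
    seen = Counter(k for k in map(flow_key, seen_lines) if k)
    return {
        key: {"sent": n, "seen": seen.get(key, 0), "ratio": seen.get(key, 0) / n}
        for key, n in sent.items()
    }


def selectively_blocked(report, floor=0.05, healthy=0.9):
    """Classes with (near) zero delivery while another class on the same path is
    (near) complete. If nothing is healthy the loss is uniform: congestion, not policy."""
    if not any(r["ratio"] >= healthy for r in report.values()):
        return []
    return sorted(k for k, r in report.items() if r["ratio"] <= floor)


if __name__ == "__main__":
    rep = delivery_report(CLIENT_CAPTURE, SERVER_CAPTURE)
    for key, r in sorted(rep.items()):
        print(key, r)
    print("selectively blocked:", selectively_blocked(rep))
```

Clock skew between the two hosts does not matter because packets are counted, not matched by time; what does matter is capturing both ends over the same window and filtering both on the same host so the totals are comparable. The same comparison works for OpenVPN by keying on its UDP port.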
    2. Re:Traffic Intercept and VPN by wvmarle · · Score: 2

      In the end what OP wants to be answered, is the question whether his provider throttles traffic. The odds are, provider does this.

      To test, you don't need traceroute necessarily.

      Are all connections to the VPS slow? Only VPN or also http, smtp, ssh, etc? Then there certainly is an issue on that specific connection.

      Try to find another server within the same data centre to connect to (same route for the packets to get there), see what happens.

      Find a server in a different location, same protocols, and see what happens.

      Have someone test your server from a different location (or do this yourself using a proxy somewhere), see what happens.

      If you can connect fast to other servers, and other people can connect fast to your server, then the problem is almost certainly intentional throttling of your IP by your provider. To confirm, try to move your server to another IP address (I'm aware this is easier said than done) - the connection should be better.

      Except for the very last step, OP did this all already according to description. Conclusion should be quite clear, and a call to ISP complaining about this issue would be appropriate.

    3. Re:Traffic Intercept and VPN by skids · · Score: 2

      Paratrace (or whatever its descendants might be called these days) might yield a bit more accurate information. Both rely on interim hops playing by ICMP rules. Many of the highly utilized hops have at least throttled ICMP responses to conserve CPU, so you need to be careful to not just firehose test packets.

      OP might probably calm down and remember not to attribute to malice what can be explained by stupidity. A simple change in fragmentation, buffering depth, or the ever misguided per-flow fairness AQM that pops up from time to time could have drastic effects on an SSL tunnel.

    4. Re:Traffic Intercept and VPN by Aguazul2 · · Score: 2

      Except for the very last step, OP did this all already according to description. Conclusion should be quite clear, and a call to ISP complaining about this issue would be appropriate.

      Calling Telefonica is not a solution to anything, unfortunately. They can't even get billing right. They obviously do have some technical people somewhere, and mostly they do a pretty good job, because uptime is good and we haven't seen many problems otherwise. The customer-facing people though ... what can I say ... Until you learn how to make an official complaint and involve the regulator, you can't even get basic billing and contract problems solved. The chance of making progress with some obscure technical complaint is nil. They are also a monopoly in many parts of Peru.

    5. Re:Traffic Intercept and VPN by puto · · Score: 2
      Have I got a story for you.

      When I was living in Colombia telefonica bought up much of the government run landline/internet business.

      I had telephone and DSL through them .768 down, 128 up for like 70 US a month. Then the government mandated that min speed for anyone was 2 meg, so we got a bump. But they throttled youtube and my vpn traffic.

      I did not mind too much because my office had a ten megabit fiber connection, so anything that needed a heavy payload I just did at work. Though it did suck for streaming video.

      In 2000 I wired the family home for internet and while doing this I discovered that the phone line was only a single pair so I replaced it with 2 pair and dropped ethernet jacks to the bedrooms, the kitchen, dining room, and the living room.

      Fast forward to 2010: my internet and my home phone go to shit, and don't work for 2 weeks. They broke appointment after appointment.

      Finally a guy from Telefonica came over but I was not home, so I called the guard at my building and said to let him in, I was on my way.

      I get to the house and the guy has cut my standard phone cable and run lamp wire, about as thick as a monster cable, to the jack where the DSL router was plugged in, and to add insult to injury has run the lamp wire around the entire room stapled to the walls. Also had pulled my baseboard off the wall.

      He had no equipment such as testers or even a laptop. And still nothing worked. At this point I took his bag of tools and tossed them both into the street. My wife was cracking up because she said I fit about 20 insults in 2 minutes of yelling.

      I call again, get someone reasonably intelligent, and they say "oh yeah, lightning hit the switch we will have someone right away". So I reconnect my wiring but leave his in place so they can see what a fuck up it was.

      They fix the switch, everything comes up working again. They send a supervisor over to see the damage and he is like "so what". And then he sees my two little netgear routers and says "now we have to charge you for a business connection because you have a router." I am beyond pissed. I explain to him that I have two internal networks, one for the rest of the family that is straight internet, and the other was connected to my vpn.

      Two days later vpn is not working. Router seems fine, I can connect to my vpn at work, but not at home. I switched equipment, same thing. The DSL modem was also a 4 port switch, and all of a sudden only one port was working. I call em up and they tell me that they have disabled the other ports and if I want them to re-enable it I have to pay for a business line.
      I call Telmex order their triple bundle they came to the house installed in three hours, and left me with a ten meg connection.

      2 days later the Telefonica manager shows up at my house asking why I was disconnecting service and I told him. I also said that I was not going to pay the contract fees nor the phone bill, because it had not worked for two weeks, and showed him the damage. He got all snippy and said I would be turned over to a collection agency and if I wanted any restitution I would have to see them in court, and he said "los abogados acá cobran mucho" ("lawyers here charge a lot"). He did not realize that although I was born and raised in the states, and my Spanish had a gringo accent, I was actually Colombian, so he tried to get over on me. I said to him that I did not have a problem paying an attorney and I yelled out "Papá, ven un momentico, hay alguien en la puerta quien quiere hablar con mi abogado." Yo dad, there is someone at the door who wants to speak to my attorney. Unfortunately for this guy my lawyer is also my father.

      I am the calmest guy in the world but they pissed me off.

      But this is typical of latin america, and if you grew up in the states it is hard to get used to the lack of rhyme and reason there.

      --
      The Revolution Will Not Be Televised
  5. The Internet is a (messy) series of tubes by Sarten-X · · Score: 5, Informative

    My office Internet connection recently went from about 30Mbps down to 1.5Mbps, then back to 50Mbps a month later. No explanation, and speed tests to our ISP all came through at full speeds. We only saw problems on routes going outside our city and headed west. There were also a few inaccessible sites, but those were in very specific local areas. Ultimately, the best guess anyone could come up with is that a network to the west of our city had some routing problems.

    We weren't the only customers to complain about a slowdown, but our ISP couldn't really do much about it. The Internet is made up of many networks working together, and sometimes shit happens. I wouldn't jump so quickly to assume it's non-neutral throttling or the NSA, when it could just be a careless guy with a badly-aimed backhoe. Give it some time, see if it improves, and if not, it may be time to move your VPS.

    As an aside, you're likely going through New York because that's how you're reaching Europe to get to your UK-based VPS. Many transatlantic cables end in New York City, mostly because the stock market pays dearly for the few nanoseconds of lower latency.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  6. From an ISP network engineer by Anonymous Coward · · Score: 5, Insightful

    If you are a US ISP, it is required that you have monitoring in place. If you don't want to hamper your entire infrastructure while doing so, you get a bunch of taps and install them all over your network. One very good provider for this is Gigamon. Taps do not add any latency to your traffic. They are completely invisible to all other network devices. Traffic shaping (throttling) is done by the source typically but can be done at the destination ISP. Basically, your connection is assigned a Package in the Shaper. The packages determine how fast each classification group of traffic is allowed to go. Classifications are determined by whoever manages the shaper for that ISP. Shapers can also dynamically change the speed you are allowed to have for a classification group based on bandwidth used, time used, and volume of traffic.

    If you are not throttled from Germany to your home but are from Peru to your home, chances are you are throttled from your ISP in Peru. It is typical for transits to cross borders, so your traffic going through NYC is normal. BGP (the routing protocol of the internet) determined that to be the best path. This is mostly managed, but is still fairly dynamically determined by the routing protocol.

    Course of action: Switch ISPs, get a new IP address (if they are not very good at configuring a shaper this will work, otherwise not), try a proxy, stop using it for a day or more and it will go away (temporarily, most likely). This is done dynamically in the shaper. There is not some dude with his finger on a 'throttle' button. Everything is automatic. Just figure out how their throttling deterministic state diagram works and you can avoid throttling. Most likely they are throttling you because of your volume of use. It costs a lot for transit access and you are using more than most others by streaming through a VPN.

  7. Probably not sinister, but you never know... by Above · · Score: 4, Interesting

    I work in the ISP industry, and here's my $0.02...

    The NSA (or other spies), not likely. Everything I have ever seen about what they do is passive monitoring. What that means is that somewhere there is a pretty dumb device (like an optical splitter) that takes one signal and makes two copies, one goes to the NSA, one on to its destination. In this arrangement there is no way for the NSA to inject data at all, including slowing it down. I am highly skeptical any government spying is the direct cause. It may be indirect, I'll come back to that in a minute.

    Rate shaping is entirely possible, and would be most likely in your immediate provider. It's entirely common for residential consumer ISPs to employ products like Sandvine, or even more crude QOS controls to rate limit particular types of traffic (e.g. VPN or VOIP). Most won't admit to what they are doing, either.

    Rate shaping is less likely, but possible at the country level. This is seen mostly in countries with strong government controls on technology (think Iran, China, North Korea). Egypt was doing it at one point in time. I'm not an expert on Peru, but I would not expect this problem in Peru.

    Lastly, there is plain old congestion. Likely your ISP has multiple paths to reach Europe, riding undersea cables. These are the most expensive assets an ISP owns, and often get congested before they get upgraded. It's entirely possible, for instance, that there is one cable they use from South America to Western Europe that is congested, while another goes from South America to the US and is fine. You can probably map these routes out by traceroute, and may find that particular routes always show poor performance. This also happens, but to a lesser degree, where two ISPs meet. There can be peering disputes, or one customer may not order enough capacity from their vendor. Either way the result is full ports that degrade service for everyone passing through them.

    Now, here's where the spies come back in. If a particular spy agency decrees "all new connections must have our spy apparatus on them" they can in fact be the delay to a new connection getting set up. It's not that they are delaying any packet traffic once it is up, but rather they are delaying the installation by not having their equipment ready on time for a new connection. I don't think this happens often, but I'm sure it does happen in some places.

    So sadly, this is probably some plain old incompetence/bad luck. Someone either could not afford a timely upgrade, or didn't correctly order an upgrade early enough to get it installed before there was a problem, and there's now congestion somewhere. If it's not bad luck it's probably your provider deciding your particular type of traffic is "bad", and should be rate limited down.

  8. Some suggestions by EmperorArthur · · Score: 4, Informative

    Some more info would be appreciated. So, here are the basics of a few things you can do to make sure it really is the network*. First use iperf on the client and server. Test it on both the tunnel interface and the WAN interface. Second, use top via a separate ssh session. Make sure OpenVPN isn't eating all your CPU or memory. Lastly, what provider are you using? Lately the default Debian build that Edis.at gave me needs an ifconfig up/down every other day.

    I've had a similar problem when using my own VPS as an HTTP proxy via OpenVPN. It turned out, the proxy application was crap. Allowing the machine to route packets and using it as a default gateway for all traffic fixed the problem, or at least worked around it.

    Now. If it really is blocking, there are a couple of ways around it. The more complicated ones involve using some other VPN application. When dealing with more than one client, that rapidly becomes annoying. A simple one is using an SSH connection as a SOCKS proxy for your browser. It's not elegant, but it works. Another way is to mask your OpenVPN connection by encapsulating the UDP or TCP packets. Once again, SSH port forwarding works, but that's a TCP solution. socat was designed to do things like that, so it seems like a good choice. Finally, there's Ping Tunnel. It embeds traffic in ICMP packets.

    Whoever is throttling you might detect one or more of these, but they're probably using some sort of signature based detection. Just about anything that requires a command line should get through.

    Remember, since you are technically savvy enough to roll your own, you are the one percent. Good luck, and please let us know how it goes.

    *I know you're probably familiar with all of these things. Just assume that I put this section here for those who aren't.

    --
    So let's pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
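    The iperf comparison EmperorArthur describes (tunnel interface versus WAN interface) is the quickest way to separate "the VPN host is the problem" from "the path itself is the problem". The following is an added example, not code from the original post or from the iperf project: it reads `iperf3 -J` JSON output and applies a few labelled rules of thumb. The sample results, the host addresses and the 50% / 25% thresholds are constructed assumptions, not measurements from the thread.

```python
"""Compare iperf3 throughput over the VPN tunnel and over the raw WAN path.

Added example for this thread, not code from the original post. It assumes
iperf3 is installed on both ends and was run with -J so the output is JSON;
the sample results below are constructed, not real measurements.
"""
import json
import subprocess
from typing import Optional

# Constructed iperf3 -J output, trimmed to the fields this script reads.
# In a real run these come from `iperf3 -J -c <server> -t 10`.
SAMPLE_WAN = json.dumps({          # client -> VPS public address (placeholder IP)
    "start": {"connected": [{"remote_host": "198.51.100.10"}]},
    "end": {"sum_received": {"bits_per_second": 9.8e5}},
})
SAMPLE_TUNNEL = json.dumps({       # client -> VPS tunnel address (placeholder IP)
    "start": {"connected": [{"remote_host": "10.8.0.1"}]},
    "end": {"sum_received": {"bits_per_second": 9.1e5}},
})
SAMPLE_BASELINE = json.dumps({     # what the same WAN path did before the slowdown
    "end": {"sum_received": {"bits_per_second": 1.9e7}},
})


def received_mbps(iperf_json: str) -> float:
    """Extract the receiver-side throughput (Mbit/s) from iperf3 -J output."""
    end = json.loads(iperf_json)["end"]
    # TCP runs report sum_received; UDP runs report a single 'sum' block.
    summary = end.get("sum_received") or end["sum"]
    return summary["bits_per_second"] / 1e6


def run_iperf3(server: str, seconds: int = 10) -> str:
    """Run iperf3 against `server` and return its JSON output (online use only)."""
    out = subprocess.run(
        ["iperf3", "-J", "-c", server, "-t", str(seconds)],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


def diagnose(wan_mbps: float, tunnel_mbps: float,
             baseline_mbps: Optional[float] = None) -> str:
    """Classify where the bottleneck most likely is.

    Rules of thumb (assumptions made for this example, not from the thread):
      - tunnel much slower than WAN   -> look at the VPN host (CPU, MTU, the
        OpenVPN process) rather than the network
      - both slow vs. a known baseline -> the path itself (congestion or
        shaping), which is what "even plain HTTP is slow" suggests
      - both close to baseline         -> nothing wrong between these endpoints
    """
    if wan_mbps <= 0:
        return "wan_unreachable"
    if tunnel_mbps / wan_mbps < 0.5:
        return "vpn_overhead"    # tunnel loses >50% vs raw path: check CPU/MTU
    if baseline_mbps and wan_mbps < 0.25 * baseline_mbps:
        return "path_degraded"   # raw path is <25% of what it used to be
    return "ok"


if __name__ == "__main__":
    wan = received_mbps(SAMPLE_WAN)
    tun = received_mbps(SAMPLE_TUNNEL)
    base = received_mbps(SAMPLE_BASELINE)
    print(f"WAN {wan:.2f} Mbit/s, tunnel {tun:.2f} Mbit/s, baseline {base:.2f} Mbit/s")
    print("verdict:", diagnose(wan, tun, base))
```

    Keep a baseline run from a time when the link was healthy; without it the script can only tell you whether the tunnel adds overhead, not whether the raw path has degraded. Pair the result with `top` on the VPS while the tunnel test runs, as the comment suggests, to confirm or rule out a CPU-bound OpenVPN process.
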
  9. Re:is the NSA taking candy away from kids too? by BLKMGK · · Score: 4, Informative

    Did you not watch the video from the Dot Com mansion raid? lol

    --
    Build it, Drive it, Improve it! Hybridz.org
  10. pchar? by strombrg · · Score: 2

    You might be able to tell which hop is slow using something like pchar: http://stromberg.dnsalias.org/~strombrg/network-performance.html

  11. Re:ask slashdot: by Sarten-X · · Score: 4, Funny

    No. That's the KGB. Since the alleged fall of the Soviet Union, they've had to run their operations under far more secrecy than ever before. Sometimes, this means they have to leave a job before they have a chance to clean up entirely.

    In your case, you've become a test subject for the Soviet loyalists' conspiracy to sap and impurify all of our precious bodily fluids. They are attempting to steal your very essence, and it is your patriotic duty to resist them. Place loaded mousetraps around your bed to damage the stealth robots that are invading your sanctuary of slumber. To prevent their essence-extractor from invading your body, apply a liberal coating of cyanoacrylate to your penis before sleep. It may cause an unusual sensation, but that's far better than the empty fatigue the Communists will inflict.

    The NSA is actually fully aware of this conspiracy, and you should assist their efforts to protect our precious bodily fluids. As it is clear that the Red Menace is most interested in corrupting your penis, you must aid the resistance research that is underway. As the NSA must also keep their research secret, no scientists will contact you directly, but you can still contribute to the noble cause by announcing publicly every time your penis functions normally, and especially whenever it does not. This is best accomplished by loudly shouting your results from an open second-story window, followed by displaying your penis for remote optical inspection. Be sure to announce that you are a subject of General Jack Ripper's studies.

    The Soviet collapse was a sham, designed to lull the Americans into a false sense of security. The KGB have not given up, and neither can we. God willing, we will prevail, in peace and freedom from fear, and in true health, through the purity and essence of our natural fluids.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  12. Re:I scoffe at your "homor"! by Anonymous Coward · · Score: 5, Funny

    Who gave a slashdot account to that computer trained to tell jokes?

  13. an incorrect theory, because port mirroring by raymorris · · Score: 5, Interesting

    That may have been their theory, or it may have been they wondered if US gov was intentionally slowing VPN connections from that part of the world.

    If the theory was that capturing data would slow it down, the answer is "no". For that, you'd use port mirroring. Where a switch or router would normally take data in on one line and output it on another, you set it to accept data on the one line and output it on TWO others simultaneously. The data still flows at the same speed. It just flows to two locations separately - the intended recipient and the government.

    1. Re:an incorrect theory, because port mirroring by ameyer17 · · Score: 3, Insightful

      But I wouldn't think the extra few ms of latency would slow the data flow by 95%. In fact, I don't think it'd even be noticeable to the naked eye except for exceptional circumstances like gaming.

  14. Traceroute is to mainly fix routing problems today by Anonymous Coward · · Score: 3, Informative

    Many ISPs perform what is known as ICMP rate limiting. Traceroute and Ping both use the ICMP protocol *I'm not going to get into semantics*, where, as you start traversing the internet past your internet service provider, your pings and such to any point along the path have a high chance of being dropped due to this. The only way to see your actual latency is using a host-to-host ping, from your source to your final destination. Traceroute acts as sending a ping to each and every hop in between the source and final destination (assuming the TTL doesn't expire or somebody's carrier firewall just doesn't start letting replies come back through, i.e., multiple * * * responses but still able to reach your end destination); they are in no way obligated to reply properly and/or in a timely fashion to your Ping request. During the early days of the internet we didn't have many of the problems that we have today, and these tools worked flawlessly during this time and really could tell you where your latency is (these tools still function normally in a local LAN if you are not doing any "crazy" firewalling tactics). This is no longer the case with ping and traceroute.

    IN EXTREME CASES it may be possible to route around other carriers using private tunnels. It's not something your average Joe will likely be able to accomplish without multiple services across the country or paying for some sort of service to do so. AKA you are a business with $$$$. There are instances where it can be done, but they are few and very far between.

    If your ISP only has one way out to reach the specific destinations which are having problems, provide them traceroutes showing them good responses AND bad responses from when and where you are seeing the problem. The only thing a carrier is going to care about is your "average" response time in milliseconds, not your "maximum" response time.
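    The point of this comment is that a slow or silent hop in traceroute output is not, by itself, evidence of a problem at that hop: a router may generate its ICMP replies slowly while forwarding at full speed. The added example below (not the poster's code) parses a traceroute and applies that reasoning, flagging hops whose own RTT is higher than that of later hops as "slow responders" and only treating a latency increase that persists to the destination as a real step in path latency. The traceroute text is constructed to look like Linux `traceroute` output with placeholder hostnames and addresses, and the 50 ms step and 5 ms tolerance thresholds are assumptions.

```python
"""Separate real path latency from hops that merely answer ICMP slowly.

Added example for this thread, not the poster's code. The traceroute text
below is constructed; hostnames, addresses and thresholds are placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_TRACEROUTE = """\
traceroute to vps.example.net (203.0.113.5), 30 hops max, 60 byte packets
 1  gateway (192.168.1.1)  1.1 ms  0.9 ms  1.0 ms
 2  10.20.30.1 (10.20.30.1)  8.4 ms  8.9 ms  8.2 ms
 3  * * *
 4  core1.isp.example (198.51.100.7)  310.2 ms  298.7 ms  305.0 ms
 5  ix-nyc.example (198.51.100.20)  96.5 ms  97.1 ms  95.9 ms
 6  * * *
 7  lon-edge.example (198.51.100.40)  190.3 ms  192.0 ms  189.8 ms
 8  vps.example.net (203.0.113.5)  191.1 ms  190.7 ms  191.4 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")   # "<hop number>  <rest of line>"
RTT_RE = re.compile(r"([\d.]+) ms")          # every "<number> ms" on the line


@dataclass
class Hop:
    number: int
    rtts: List[float]          # empty when every probe timed out ("* * *")

    @property
    def best(self) -> Optional[float]:
        """Lowest RTT seen for this hop; the best estimate of forwarding delay."""
        return min(self.rtts) if self.rtts else None


def parse_traceroute(text: str) -> List[Hop]:
    """Parse Linux-style traceroute output (header line is skipped)."""
    hops = []
    for line in text.splitlines()[1:]:
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts = [float(x) for x in RTT_RE.findall(m.group(2))]
        hops.append(Hop(int(m.group(1)), rtts))
    return hops


def classify_hops(hops: List[Hop], step_ms: float = 50.0,
                  tolerance_ms: float = 5.0) -> List[str]:
    """Label each hop (thresholds are assumptions for this example).

    silent         : no replies; harmless if the destination still answers
    slow_responder : best RTT exceeds a later hop's best RTT, so the router is
                     slow to *generate* ICMP, not slow to forward traffic
    latency_step   : best RTT rises by more than step_ms and stays up
    normal         : nothing notable
    """
    labels = []
    last_good = None   # best RTT of the previous hop that was not a slow responder
    for i, hop in enumerate(hops):
        if hop.best is None:
            labels.append("silent")
            continue
        later = [h.best for h in hops[i + 1:] if h.best is not None]
        if later and hop.best > min(later) + tolerance_ms:
            labels.append("slow_responder")
            continue
        if last_good is not None and hop.best - last_good > step_ms:
            labels.append("latency_step")
        else:
            labels.append("normal")
        last_good = hop.best
    return labels


def destination_rtt_ms(hops: List[Hop]) -> Optional[float]:
    """End-to-end RTT: the only number that reflects what your traffic sees."""
    return hops[-1].best if hops else None


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACEROUTE)
    for hop, label in zip(hops, classify_hops(hops)):
        print(f"hop {hop.number:2d}  best {hop.best!s:>6}  {label}")
    print("end-to-end RTT:", destination_rtt_ms(hops), "ms")
```

    In the constructed trace, hop 4 reports ~300 ms while every later hop is faster, so it is labelled a slow responder rather than the culprit; the genuine latency increases are the transoceanic steps at hops 5 and 7, and the destination's own RTT is the figure to compare against a host-to-host ping. Collecting several of these over time, as the comment suggests, gives the carrier the "good versus bad" evidence they will actually act on.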

  15. Meanwhile in Britain by BeCre8iv · · Score: 2

    http://www.independent.co.uk/news/uk/home-news/time-for-a-change-as-mod-staff-run-up-40000-speaking-clock-bill-8782535.html
    Ministry of Defence (UK) employees spend £40,000 on illicit use of the speaking clock.

    Down the hall, GCHQ is listening for free.

    --
    This perpetual motion machine Lisa made is a joke, it just keeps getting faster and faster. - Homer
  16. Re:I scoffe at your "homor"! by maxwell+demon · · Score: 5, Funny

    Didn't you know? Slashdot is a large Turing Test system. Most of the participants are AIs.

    Interestingly, the most promising test results are with the "First Post" trolls. Apparently nobody can imagine that an AI could be that stupid.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  17. EFF's Switzerland Network Testing Tool by alanw · · Score: 3, Informative

    The OP mentions Sandvine: the EFF has a tool called Switzerland.

    Is your ISP interfering with your BitTorrent connections? Cutting off your VOIP calls? Undermining the principles of network neutrality? In order to answer those questions, concerned Internet users need tools to test their Internet connections and gather evidence about ISP interference practices. After all, if it weren't for the testing efforts of Rob Topolski, the Associated Press, and EFF, Comcast would still be stonewalling about their now-infamous BitTorrent blocking efforts.

    Developed by the Electronic Frontier Foundation, Switzerland is an open source software tool for testing the integrity of data communications over networks, ISPs and firewalls. It will spot IP packets which are forged or modified between clients, inform you, and give you copies of the modified packets.

    Switzerland is designed to detect the modification or injection of packets of data traveling over IP networks, including those introduced by anti-P2P tools from Sandvine (widely believed to be used by Comcast to interfere with BitTorrent uploads) and AudibleMagic, advertising injection systems like FairEagle, censorship systems like the Great Firewall of China, and other systems that we don't know about yet.