Slashdot Mirror


How To Defeat VPN Location-Spoofing By Mapping Network Delays (thestack.com)

An anonymous reader writes: An interesting paper from a PhD student in Ontario outlines a system which in initial tests has proved 97% effective at unmasking geo-spoofing VPN users. The Client Presence Verification (CPV) system presented in the paper utilises analysis of delays in network packets in order to determine the user's location, disregarding the IP address geolocation information which currently underpins the efforts of content providers such as Netflix to prevent VPN users accessing content which is not licensed in their country. The detection system was tested at global network laboratory PlanetLab using 80 network nodes based in the U.S. and Canada.

81 comments

  1. Seems trivial to mask by DreamMaster · · Score: 5, Interesting

    I haven't RTFA yet, but if the analysis is solely based on network delays, then a VPN company could simply introduce randomized delays to all its users, even the local ones. Then an analysing service wouldn't be able to definitively say whether any given user is geo-spoofing or not. The best they could say is that the connecting service is likely a VPN.

    1. Re:Seems trivial to mask by Anonymous Coward · · Score: 1

      sure but you can't spoof FTL, that is the point

    2. Re:Seems trivial to mask by The-Ixian · · Score: 2

      Nobody can spoof FTL... It is impossible to move faster than light... everyone knows this...

      --
      My eyes reflect the stars and a smile lights up my face.
    3. Re:Seems trivial to mask by Anonymous Coward · · Score: 0

      Actually I think you are missing a completely different point. You don't have to speed up connections to match the speed of non-vpn traffic, you just have to slow everything down so that you can't be sure which is VPN and which is normal. Sure, nobody likes slowing down their own connection, but if you really want to hide your vpn usage from a system like this it would work. In one situation you could have multiple IP's from your ISP. You could just set one of them to be delayed regardless of whether the VPN is on or off, that way all connection attempts take a standardized time (or more in rare situations) to complete.

      And anyway this method only stops direct VPN connections between an end user and the service. If the VPN is instead a sort of NAT system, this method of detection wouldn't work, since the service would only see a connection between it and a close VPN exit server and not the full tunnel between the service and the end-user. The VPN exit tunnel would use a form of NAT to man-in-the-middle the connections, thereby hiding the end-user's actual latency thus foiling this detection method. I'm not 100% sure but I believe a SOCKS proxy may act this way.

    4. Re:Seems trivial to mask by ArmoredDragon · · Score: 2

      A problem with this is that some types of connections are slower than others when it comes to overall latency. With modern broadband, geosync satellite is the slowest, followed by DSL, followed by cable, with fttp being the fastest. How are they supposed to control for that? A VPN really doesn't add a whole lot of latency, and even if it did, they could just replace it with GRE to reduce that added latency (we don't really need encryption if we're just trying to geospoof since the sites we're trying to geospoof to always use TLS anyways) and you're adding the same amount of latency that say DSL would add vs cable.

    5. Re:Seems trivial to mask by Anonymous Coward · · Score: 0

      Uh, talking about yourself again?

    6. Re:Seems trivial to mask by AHuxley · · Score: 2

      Yes AC, all the better VPN providers have to do is buy into the right ip ranges and hardware locations in the USA.
      Huge blocks of ip's exist and so do interesting telco like options. A 100 optical link in New Zealand or the UK becomes a virtual copper connected user in a US state.
      Every line test and request shows an average community of US users, a brand name and a US ip range. With a low "ms" ping to match the geographic location.
      The magic will be in the interface between a city or rural network front and the global backend.

      --
      Domestic spying is now "Benign Information Gathering"
    7. Re:Seems trivial to mask by DarkOx · · Score: 1

      I would think the thing to do would not be to introduce randomized delays but rather to adopt a fairly pessimistic minimum latency to your client end points. If packets from a given client arrive closer together than the pessimistic latency, the trailing packet should be held until that minimum time is reached. You probably want to do this on sending to the client as well, as that might still enable timing attacks otherwise. That won't affect performance much for streaming media, where the MTU will be full most of the time and jitter matters as much as anything. It will probably be okay for things like VOIP too if the value is held to something like 250ms and the VPN provider is well connected / peered on the output side.

      This should have the effect of making all your VPN clients appear equally well connected to third parties. Yes there will be some throughput limitation introduced but the reason to use these services is for anonymity not performance.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    8. Re:Seems trivial to mask by Anonymous Coward · · Score: 0

      A problem with this is that some types of connections are slower than others...

      LIE. All services, including Verizon FTTP, are exactly the same speed as 2400 baud modems.

    9. Re:Seems trivial to mask by 110010001000 · · Score: 3, Funny

      I don't live in my Mom's basement. I live in my Mom's Au Pair suite!

    10. Re:Seems trivial to mask by joshuao3 · · Score: 4, Funny

      Actually I think you are missing a completely different point. You don't have to speed up connections to match the speed of non-vpn traffic, you just have to slow everything down so that you can't be sure which is VPN and which is normal.

      So... Comcast really had our best interests in mind after all?

      --
      Monitor bandwidth usage on IIS6 in real-time: http://www.waetech.com/services/iisbm/
    11. Re:Seems trivial to mask by Thanshin · · Score: 2

      Never underestimate the spoofing abilities of an Alcubierre drive station wagon full of tapes hurtling down the highway.

    12. Re:Seems trivial to mask by Anonymous Coward · · Score: 0
    13. Re:Seems trivial to mask by Thanshin · · Score: 1

      Well, it's for the client to choose which method is more convenient to him.. You can have your packets in time or without the cone of ultra-energetic particles that vaporizes your entire civilization.

    14. Re: Seems trivial to mask by Anonymous Coward · · Score: 0

      But that's only part of the point. You wouldn't be able to take delay away though. The application would still be able to go "Hey, the latency is higher than it ought to be, they are most likely not actually on that network / in that area".

      An oversimplification, but you get my point?

    15. Re:Seems trivial to mask by Lumpy · · Score: 2

      Or just use Comcast... They introduce random delays in their normal traffic due to how crappy their network is.

      --
      Do not look at laser with remaining good eye.
    16. Re:Seems trivial to mask by sudon't · · Score: 1

      I haven't RTFA yet, but if the analysis is solely based on network delays, then a VPN company could simply introduce randomized delays to all its users, even the local ones. Then an analysing service wouldn't be able to definitively say whether any given user is geo-spoofing or not. The best they could say is that the connecting service is likely a VPN.

      From TFP: "To achieve high accuracy, CPV mitigates Internet path asymmetry using a novel method to deduce one-way application-layer delays to/from the client’s participating device, and mines these delays for evidence supporting/refuting the asserted location."

      But, simply saying that the connection is through a VPN could be enough for some to refuse the connection. For instance, if content providers really got on Netflix and Hulu's ass about it, they might opt for this simpler solution of blocking VPNs. I'm kinda surprised they aren't already doing this.

      --
      -- sudon't

      Air-ride Equipped

    17. Re:Seems trivial to mask by ooloorie · · Score: 1
      No, us space nutters simply don't care much either way. Overcoming the light speed limit isn't necessary for space exploration or colonizing the galaxy.

      In any case, FTL travel is consistent with known physics; at this point, the question is merely whether it's practical.

    18. Re:Seems trivial to mask by Anonymous Coward · · Score: 0

      I am in the Middle East for work. I can tell you for a fact that Hulu blocks streaming because I am on a VPN into the US. Netflix, Sling and Amazon work like a charm.

    19. Re:Seems trivial to mask by Anonymous Coward · · Score: 0

      No; it is impossible for anything to move through spacetime faster than light, but spacetime itself can move faster than light.

    20. Re:Seems trivial to mask by Anonymous Coward · · Score: 0

      Yes, you obviously have not RTFA yet.

    21. Re:Seems trivial to mask by mysidia · · Score: 1

      Nobody can spoof FTL... It is impossible to move faster than light... everyone knows this

      VPN environments will get replaced with VPC environments (Virtual-Private Compute)

      They'll just move more and more elements of the protocol stack out to the external provider, until the spoofing can no longer be detected.

      The next step above VPN is using an Application-Layer Proxy or Tunnel instead, such as Wingate or a HTTP proxy.

      A step above that would be to run the web browser/software from the service provider's datacenter, and just redirect the Keyboard/Screen output to the remote user.

    22. Re:Seems trivial to mask by nazsco · · Score: 1

      >97% detection rate

      with a probably 95% false positive rate on top.

      who the heck thinks slow network is a way to detect location is a good idea!?

    23. Re:Seems trivial to mask by MrDoh! · · Score: 1

      Aye, spin up an AWS instance in whatever region you need, run Chrome, and chrome remote the screen to your real machine/tablet/phone anywhere in the world. Heck, if Netflix is now running using AWS, it's probably a couple of racks over it needs to get to, decent ping rate! "It's already in the house!!!"

      --
      Waiting for an amusing sig.
    24. Re:Seems trivial to mask by antdude · · Score: 1

      Prove it. :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  2. False positives by Stuarticus · · Score: 4, Interesting

    False positives are a pretty major issue when you look at Netflix's user base, 97% effective isn't very good if you're going to refuse to serve content to over a million paying customers every day.

    --
    If you think someone isn't free to have a different definition of "freedom" you may be a tyrant.
    1. Re:False positives by Anonymous Coward · · Score: 0

      Combine it with geo-location and you might get a better figure.

    2. Re:False positives by Anonymous Coward · · Score: 0

      False positives are a pretty major issue when you look at Netflix's user base, 97% effective isn't very good if you're going to refuse to serve content to over a million paying customers every day.

      It doesn't have to be over one day. You can run the report over multiple runs/trials of the 'customer'. With enough statistics you could probably get 99.999% of detecting someone.

      As someone who uses these services, I hope someone slugs him in the mouth for not helping.

      Cough *back to bittorrent* cough

    3. Re:False positives by Anonymous Coward · · Score: 0

      I guess they could just submit all flagged users to a more in-depth analysis, maybe by a human instead of a machine. 97% would be effective in lowering the number of hits to be manageable by a human. A service like Netflix wouldn't restrict itself to one mode of detection anyway, so that 97% would be in adjunct to whatever system(s) they are currently using.

    4. Re:False positives by Qzukk · · Score: 1

      According to this research, Comcast users are from Mars.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    5. Re:False positives by wbr1 · · Score: 1

      This. I know many people on slow rural DSL with terrible upstream speeds. Their ping and jitter can be bad, but downstream is enough to support streaming. This is a whole class of users that would be branded with a false positive as VPN user if delay is the only factor.

      --
      Silence is a state of mime.
    6. Re:False positives by AmiMoJo · · Score: 1

      I wonder if it really is as high as 97%, even when accounting for ISPs that are heavily oversubscribed and offer massively variable packet latency.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:False positives by Lumpy · · Score: 1

      No, it's just Comcast bounces all their internet traffic off of mars.

      --
      Do not look at laser with remaining good eye.
    8. Re:False positives by pr0fessor · · Score: 1

      97% in a partially controlled environment the internet is not that consistent but even still 3% of Netflix reported 33.3 million subscribers is 999,000 even if only half are false positives and even if only half of those people decide to leave it's still a loss of over $20 million a year assuming they all have the basic $7.99 account.

      I imagine that when you start looking at rural dsl or satellite internet it will be much harder to tell based on latency and that number will go up.

    9. Re:False positives by Anonymous Coward · · Score: 0

      > slow rural DSL

      Don't you mean urban DSL? Most of the rural areas have newer wiring. Many cities are stuck with slow DSL, or even can't support it at all like parts of Seattle due to the early adopter problem. Here's my 0.15 Mbps results:

      http://www.speedtest.net/my-result/3840461248

      I live two blocks from the tallest building in Seattle, and this is the fastest connection I can get.

    10. Re:False positives by lowen · · Score: 1

      While I do have mod points, I need to post this. I regularly see 1,000ms ping RTT on my otherwise reasonably fast (7/.5) DSL service when I have a lot of upstream traffic, and that ping RTT is to the router's gateway, a single hop away. My boss, who is on a 50/5 cable service, has consistent 1,000ms ping RTT to his next-hop. RTT for other packets varies according to protocol and IP target, showing some QoS queueing going on.

      My DSL RTT to the next hop varies between a couple of ms to 1,000 ms depending on upstream traffic amount; determining my location based on that would be foolish.

    11. Re:False positives by radarskiy · · Score: 1

      3% of someone else's paying customers? The MPAA is willing to make this sacrifice. ;-)

  3. Mask this by violating TCP rules? by Theovon · · Score: 2

    People have pointed out that this is hard to make because you can’t make signals move FTL. Basically, you can send a packet, and by the rules of TCP, the ACK is generated at the destination, so while you could artificially lengthen the round-trip ping time, you can’t shorten it. But why not? How about we have the VPN buffer the TCP packets and break the rules. When a packet is received from Netflix, the VPN sends the ACK. When the user’s computer sends its ACK, the VPN consumes it. If there’s a chance of this being unreliable, them’s the breaks.

    1. Re:Mask this by violating TCP rules? by silas_moeckel · · Score: 5, Interesting

      The satellite guys have done this forever. Moving the syn/ack to the VPN head end is a stock application at this point.

      --
      No sir I dont like it.
    2. Re:Mask this by violating TCP rules? by Anonymous Coward · · Score: 0

      I have heard through the grapevine that the high speed trading fiber line providers introduce delays at the last mile by sending the signal through tens or hundreds of spools of fiber to introduce a delay. If you want the faster premium service they take you out of this loop and your service gets faster. So there is always a way albeit not always practical or affordable for most providers.

    3. Re:Mask this by violating TCP rules? by Quince+alPillan · · Score: 4, Interesting

      What you're talking about is a forward proxy. Forward proxy servers do this (and will even proxy SSL traffic).

      In the whitepaper, they're actually talking about making a new protocol that measures the one way distance time and compares it to their database of network speeds and distances to determine your location. Their solution is an application-level solution, which depends upon a Forward Proxy to know about the protocol and spoof it correctly.

      The problem with their solution is that network speeds are fluid and a computer with a problem (e.g. a local neighborhood node or a legitimately slow client that is delaying all traffic 20-30ms) can make their estimates wildly inaccurate. Even today, Cogent to Level 3 has a 197ms ping in LA. In the paper, they used average speeds for various known networks. This can be mitigated somewhat by measuring client traffic and only counting outliers (e.g. all traffic from a certain area being delayed the same, except for our rogue client) but it still doesn't mitigate the local computer problem.

      A second problem with their solution is that it only measures distance - a server in Miami, Florida accepting data from a client in Seattle, Washington is 2732 mi and the same distance (roughly) as Lima, Peru. This means that a client in Lima should pretend to be from Seattle when they connect to their combo VPN/Forward Proxy in Miami. Satellite customers will almost always have extremely high latency because of the round trip between Earth and the Satellite, even if they're legitimately in the correct area.

      In addition, they were only able to make this accurate to about 400km, which means if you have a nearby beneficial country within that range, you can use a VPN in that country and they still won't know.
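
The distance-only ambiguity described in the comment above, worked through as an added example (not code from the paper or from the thread). Assumptions: light in fibre covers about 200 km per millisecond, delay is treated as pure straight-line propagation, the city coordinates and the 250 ms satellite figure are constructed, and the Chicago measurement point is hypothetical.

```python
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
FIBRE_KM_PER_MS = 200.0   # assumption: roughly 2/3 of c, i.e. about 200 km per ms
GRANULARITY_KM = 400.0    # accuracy figure quoted in the comment

# Constructed sample data: approximate (lat, lon) of city centres.
CITIES = {
    "Miami": (25.76, -80.19),
    "Seattle": (47.61, -122.33),
    "Lima": (-12.05, -77.04),
    "Chicago": (41.88, -87.63),   # hypothetical second measurement point
}


def great_circle_km(a, b):
    """Haversine distance between two named cities."""
    lat1, lon1, lat2, lon2 = map(radians, (*CITIES[a], *CITIES[b]))
    h = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def ideal_delay_ms(verifier, client, access_ms=0.0):
    """One-way delay over a straight fibre run, plus any access-link delay."""
    return great_circle_km(verifier, client) / FIBRE_KM_PER_MS + access_ms


def plausible_locations(observed_ms, places=("Lima", "Seattle")):
    """Places whose distance from every verifier fits the delay it observed.

    observed_ms maps verifier city -> one-way delay in ms. A place is kept when
    the distance implied by each delay is within GRANULARITY_KM of that place's
    real distance from the verifier.
    """
    keep = []
    for place in places:
        if all(abs(ms * FIBRE_KM_PER_MS - great_circle_km(v, place)) <= GRANULARITY_KM
               for v, ms in observed_ms.items()):
            keep.append(place)
    return sorted(keep)


if __name__ == "__main__":
    for city in ("Seattle", "Lima"):
        print(f"Miami -> {city}: {great_circle_km('Miami', city):.0f} km")

    # A client really in Lima, measured from Miami only: both cities fit.
    one = {"Miami": ideal_delay_ms("Miami", "Lima")}
    print("Miami only:        ", plausible_locations(one))

    # Same client, measured from two points: the rings no longer overlap.
    two = dict(one, Chicago=ideal_delay_ms("Chicago", "Lima"))
    print("Miami + Chicago:   ", plausible_locations(two))

    # A genuine Seattle client on a satellite link (constructed +250 ms):
    # the implied distance matches nowhere, so an honest user is rejected.
    sat = {"Miami": ideal_delay_ms("Miami", "Seattle", access_ms=250.0)}
    print("Seattle, satellite:", plausible_locations(sat))
```

A single vantage point only constrains the client to a ring of roughly equal delay; extra vantage points shrink the set, while access-link delay pushes legitimate users outside every ring.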

    4. Re:Mask this by violating TCP rules? by Anonymous Coward · · Score: 0

      Even today, Cogent to Level 3 has a 197ms ping in LA

      That's because Level 3 throttles/deprioritizes ICMP traffic aimed at their equipment a lot heavier than most ISP's do. I used to work for a large ISP and we constantly got people griping about "high ping times to level 3 routers". It got really old having to explain that ICMP passing through their network is treated different than ICMP traffic going TO their routers, and if the endpoint you're pinging has an average latency of 50ms with no packet loss, then it really does not matter at all if your traceroutes show 500ms + latency/packet loss on the Level 3 routers along the path.

      I really shouldn't have to explain this on Slashdot of all places, but apparently I still do.

    5. Re:Mask this by violating TCP rules? by Bengie · · Score: 1

      You do make a good point, but they didn't mention how they measured the latency. Maybe they used a looking glass server. It's also not common to see high pings like that, but they do happen. I only notice them a few times a week while I'm looking. At one point I had my Internet quality graph pointed to my first Level 3 hop, and it was fine for several days before it decided to have wild ping swing and packet loss even though the Internet was fine. I am now stuck using 8.8.8.8 and 8.8.4.4 for monitoring, and those servers had a lot of jitter.

    6. Re:Mask this by violating TCP rules? by ooloorie · · Score: 2

      Or, alternatively, you can simply run the Netflix app on a virtual machine in the target country and then stream the video from the virtual desktop.

    7. Re:Mask this by violating TCP rules? by Anonymous Coward · · Score: 0

      That's a lot of effort to go to just to watch some TV shows or movies. Perhaps I'll just use Show Box instead. Using a VPN to spoof your location isn't exactly legit to start with, so if the content producers or distributors make it too difficult to pay for what you want, why not skip the charade altogether?

      I think Netflix knows this, which is why they don't make more than a token effort to block those using VPNs to access content from a different country, they just have to be seen to do something by those that license the content to Netflix, Netflix doesn't really want it to be very effective.

  4. Odd Turn of Phrase by Anonymous Coward · · Score: 0

    I found it odd that it was worded as a "... PHD student in Ontario ...", then I read the article and saw that the person was from Last Change U.

  5. Re:evil farce mug portland coffin wig by Anonymous Coward · · Score: 0

    True

  6. Holy IEEE Membership, Batman! by EmagGeek · · Score: 1

    These people sure seem to think that IEEE Membership means something...

  7. 97% is not even close to commercially viable by Thanshin · · Score: 4, Insightful

    97% to detect irregular behavior is completely useless unless the rate of regular and irregular behavior is reasonably balanced. In most commercial settings the rate is biased towards regular behavior by several orders of magnitude. In other words, thousands of times more biased than 97:3.

    Therefore, this system will have orders of magnitude more false positives than positives. So the positives will just disappear inside a mass of angry customers.

    In short; the ratio of success has to be in the same order of magnitude as the ratio of irregular behavior. e.g.: for Netflix you'd need better than 99.99% precision.

    1. Re:97% is not even close to commercially viable by Anonymous Coward · · Score: 3, Insightful

      And even then, you must consider that Netflix doesn't actually give a flying fuck about geospoofing as long as the number of people doing it consistently remains small and those people remain paying customers...

      Netflix has no reason to actually WANT to prevent or disallow these customers from consuming content this way--there's nothing to be gained by winning that fight and lots to lose.

      They're simply playing along so content owners don't start threatening to pull content. They're actually between a rock and a hard place, hence the "we're trying to prevent geospoofers from consuming content where they shouldn't. We won't let it happen again, honest!" thing.

    2. Re:97% is not even close to commercially viable by Some+nick+or+other · · Score: 3, Insightful

      Typical base rate fallacy example. Suppose 1% of the users are VPN users. Suppose the service is 97% accurate at classifying VPNers as VPNers and regular users as regular users. What's the probability that a user is a regular user given that the system says he's a VPNer?

      Out of 10000 users, there are 100 VPN users. 97 of these will be recognized, 3 not.
      There are 9900 ordinary users. 9900*0.03=297 of these will be falsely flagged.

      So the probability of a positive being true is 97/(97+297) = 24.6%. The probability that he's a regular user is 75.4% which is not nearly good enough for Netflix.

    3. Re:97% is not even close to commercially viable by myowntrueself · · Score: 1

      And even then, you must consider that Netflix doesn't actually give a flying fuck about geospoofing as long as the number of people doing it consistently remains small and those people remain paying customers...

      The most telling part of this whole saga is that the content providers themselves don't seem to have caught on to a basic economic detail: if people are consuming the content through the likes of Netflix, bypassing region restrictions, they (the content providers) get some money.

      If they manage to get Netflix to clamp down on out-of-region customers then those people will become former customers and will go back to piracy and the content providers will get no money at all.

      It is in the interest of the content providers to do away with region restrictions but they just can't see this because that's how stupid they are.

      --
      In the free world the media isn't government run; the government is media run.
    4. Re:97% is not even close to commercially viable by mysidia · · Score: 2

      If they manage to get Netflix to clamp down on out-of-region customers then those people will become former customers

      The content creators want Netflix to PAY MORE to license the content in these extra countries.

      Regional restrictions are about generating more $$$ by allowing the content to be priced higher in other areas according to their local market conditions and to force companies that need worldwide usage to jump through many hoops and pay a heck of a lot more.

    5. Re:97% is not even close to commercially viable by Anonymous Coward · · Score: 0

      Typical base rate fallacy example. Suppose 1% of the users are VPN users. Suppose the service is 97% accurate at classifying VPNers as VPNers and regular users as regular users. What's the probability that a user is a regular user given that the system says he's a VPNer?

      Out of 10000 users, there are 100 VPN users. 97 of these will be recognized, 3 not.

      There are 9900 ordinary users. 9900*0.03=297 of these will be falsely flagged.

      So the probability of a positive being true is 97/(97+297) = 24.6%. The probability that he's a regular user is 75.4% which is not nearly good enough for Netflix.

      No.

      Why are you assuming the accuracy for identifying actual VPN users is also the accuracy for identifying non-VPN users? Just because the detection algorithm claims to correctly identify 97% of VPN users, it does NOT follow that it will inaccurately identify 3% of non-VPN users.

      Finding whatever characteristics of a VPN connection 97% of the time when they're actually present does NOT mean those characteristics will be found 3% of the time when they're known to not be present.

      For example, when you're looking for a needle in a haystack, you may only have a 10% chance of finding it. But if it's not there, your chances of finding it are zero. You'd say you'd find a needle when one isn't present fully 90% of the time. That's ridiculous.

    6. Re:97% is not even close to commercially viable by myowntrueself · · Score: 1

      If they manage to get Netflix to clamp down on out-of-region customers then those people will become former customers

      The content creators want Netflix to PAY MORE to license the content in these extra countries.

      Regional restrictions are about generating more $$$ by allowing the content to be priced higher in other areas according to their local market conditions and to force companies that need worldwide usage to jump through many hoops and pay a heck of a lot more.

      The thing is they aren't going to get more, they are going to get nothing at all.

      --
      In the free world the media isn't government run; the government is media run.
  8. Nothing can go wrong by HideyoshiJP · · Score: 1

    My average ping time over VPN is pretty similar to my ping rate over some in-home powerline adapters I have when they're doing okay but not great. Guess I'll have to rewire my entertainment area since someone wants to ruin the fun.

  9. What a waste of brainpower by The+Last+Gunslinger · · Score: 1

    All that time and effort spent on finding ways for corporate profiteers to artificially restrict the transmission of bits from point A to point B; and even if implemented, it will probably be circumvented in a minuscule fraction of the development time.

    Such a fucking waste.

    1. Re:What a waste of brainpower by PlainWhiteTrash · · Score: 2

      Here, I must disagree. I'm a software developer and network engineer. Specifically, my particular software development specialty involves interacting intimately with the network layer. (I'm in the VoIP world.) These people are doing good work in relating characteristics of latency to distance and geolocation and along the way are learning a great deal about the various factors that influence latency and jitter in the real world across working, real world networks. While you may not enjoy the particular aims that they're pursuing as a commercialization strategy, they have to get paid somehow... Meanwhile, the things that they learn about the causes of latency, jitter, and other aspects of service quality in packet networking can be USEFULLY utilized by everyone else in improving the network. Just a thought.

    2. Re:What a waste of brainpower by Anonymous Coward · · Score: 0

      Well Carleton is a third rate University at best.

  10. Fuck Abdelrahman Abdou by Anonymous Coward · · Score: 1

    Why? Other than making VPN users miserable, why did Abdelrahman Abdou do this?

    1. Re:Fuck Abdelrahman Abdou by Anonymous Coward · · Score: 0

      Because someone else would have.

      And because it's far better to identify security flaws than to stick your fingers up your ass and pretend they don't exist.

    2. Re: Fuck Abdelrahman Abdou by Anonymous Coward · · Score: 0

      Security flaw? What security flaws did he discover?

    3. Re:Fuck Abdelrahman Abdou by Anonymous Coward · · Score: 0

      Because he's a miserable sand nigger?

  11. Randomization + TCP Accelerators by luis_a_espinal · · Score: 1

    The Client Presence Verification (CPV) system presented in the paper utilises analysis of delays in network packets in order to determine the user's location, disregarding the IP address geolocation information which currently underpins the efforts of content providers such as Netflix to prevent VPN users accessing content which is not licensed in their country

    Maybe I'm missing something, but it looks to me that this can be defeated with randomized throttling of packet delivery and TCP accelerators that intercept/cache/send ACK packages on the client's behalf.

    1. Re:Randomization + TCP Accelerators by The-Ixian · · Score: 1

      I am sure it can be defeated with enough effort... but the question is: When is it too hard for the masses to bother with it?

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:Randomization + TCP Accelerators by luis_a_espinal · · Score: 1

      I am sure it can be defeated with enough effort... but the question is: When is it too hard for the masses to bother with it?

      All it takes is software (in this case, a delay analysis countermeasure) good enough to make it plausible to the masses. Consider DVD ripping. At the beginning, it was just too much of a hassle for the common person to get all the necessary pieces together. Now, there are full-feature applications that can do that at the click of a button. Or consider managing photographs on external storage. Picasa and the like makes it extremely simple for the common person.

      It will be too hard for the masses until someone automates it for them.

  12. Helping the industry, screwing over users by Anonymous Coward · · Score: 0

    Thank you NOT, PhD student in Ontario.

  13. good point, but multiple indicators are used by raymorris · · Score: 1

    You make a good point about the a priori probabilities. If most customers are legit, then most customers who are flagged may be legit. ("97% accuracy " doesn't tell us if there are 3% false positives or 3% false negatives. There's a BIG difference. )

    However 97% from a single indicator is very useful because indicators can be combined. Consider you're looking at someone and classifying them as male or female. One thing you see is the length of their hair. You also see what kind of shirt they're wearing, etc. Each of these indicators is only 90% accurate, but together they allow you to recognize male vs female correctly 99.5% of the time, and you know when you're unsure.

    Applying this to the current question, if their browser is set to prefer Russian, their latency and jitter is characteristic of Russia, their form of payment is typical of Russian vpn users, they're watching movies popular in Russia, etc, they might be in Russia or a neighboring country. Again, you can tell when you're getting conflicting indicators or borderline values, so you can compute the level of uncertainty.
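
The base-rate arithmetic argued over in thread 7 and the indicator-combining idea in the comment above, as an added example (not code from the paper or from any commenter). It keeps the detection rate and the false-positive rate as separate inputs, since the page never states the latter; the triage thresholds are hypothetical, and combining indicators this way assumes they are conditionally independent, which repeated latency probes of one slow line are not.

```python
def confusion_counts(population, prevalence, tpr, fpr):
    """Expected outcomes when every user is tested once.

    prevalence: fraction of users who really are geo-spoofing
    tpr: P(flagged | spoofing), the "97%" figure
    fpr: P(flagged | not spoofing), not given on the page
    """
    spoofers = population * prevalence
    honest = population - spoofers
    tp, fp = spoofers * tpr, honest * fpr
    return {"tp": tp, "fn": spoofers - tp, "fp": fp, "tn": honest - fp}


def precision(prevalence, tpr, fpr):
    """P(spoofing | flagged) by Bayes' rule."""
    flagged = prevalence * tpr + (1 - prevalence) * fpr
    return prevalence * tpr / flagged if flagged else 0.0


def max_fpr_for_precision(prevalence, tpr, target):
    """Largest false-positive rate that still reaches the target precision.

    Solves target = p*tpr / (p*tpr + (1-p)*fpr) for fpr.
    """
    return prevalence * tpr * (1 - target) / (target * (1 - prevalence))


def fuse(prevalence, indicators):
    """Posterior P(spoofing) after several indicators, via likelihood ratios.

    indicators: iterable of (fired, tpr, fpr) with 0 < tpr, fpr < 1.
    Assumes the indicators are conditionally independent.
    """
    odds = prevalence / (1 - prevalence)
    for fired, tpr, fpr in indicators:
        if not (0 < tpr < 1 and 0 < fpr < 1):
            raise ValueError("rates must lie strictly between 0 and 1")
        odds *= tpr / fpr if fired else (1 - tpr) / (1 - fpr)
    return odds / (1 + odds)


def triage(posterior, block_at=0.99, allow_at=0.05):
    """Hypothetical policy: act only when the evidence is one-sided."""
    if posterior >= block_at:
        return "block"
    if posterior <= allow_at:
        return "allow"
    return "review"


if __name__ == "__main__":
    # The thread's numbers: 10,000 users, 1% spoofing, 97% / 3%.
    print(confusion_counts(10_000, 0.01, 0.97, 0.03))
    print(f"precision at fpr=3%: {precision(0.01, 0.97, 0.03):.3f}")
    # The objection in the thread: the false-positive rate may be far lower.
    print(f"precision at fpr=0:  {precision(0.01, 0.97, 0.0):.3f}")
    print(f"fpr needed for 99% precision: {max_fpr_for_precision(0.01, 0.97, 0.99):.6f}")

    # Constructed indicators, each "90% accurate" as in the comment above.
    for fired in ([True] * 3, [True] * 5, [True, False, False]):
        p = fuse(0.01, [(f, 0.9, 0.1) for f in fired])
        print(fired, f"posterior={p:.4f}", triage(p))
```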

  14. Canada once more again showing its true fascist by Anonymous Coward · · Score: 0

    colours.

    Thanks for more censorship, and authoritarian dictatorship, assholes.

  15. Solution: proxy by vojtech · · Score: 1

    Ok, so the next step in the game is a VPN with a built-in transparent TCP (or deeper) proxy at the VPN provider end. That'll take care of the latencies.

  16. Netflix does not care by Ivan+Stepaniuk · · Score: 1

    They limit content access to countries based on contract restrictions that they agree to when acquiring the distribution licenses.

    They are only going to implement this kind of thing if the content owners require so.

    --
    My other signature is a car
  17. Goodbye US municipal Wifi/WiMAX Networks by Anonymous Coward · · Score: 0

    subject says it all

  18. Not Unmasking by Anonymous Coward · · Score: 1

    It's not unmasking, it's detecting. Unmasking would reveal the actual source IP of the user. This method simply shows whether or not a user is likely using a VPN. There is a huge difference.

  19. Missing from the article... by mark-t · · Score: 1

    ... is what percentage of connections that were *NOT* using vpn were falsely detected as still being from another country? The article only claims that the tech can identify 97% of out-of-country vpn users as such, but says nothing about the accuracy of identifying actual in-country users. Is it higher? Is it lower? Article leaves it as completely unspoken

  20. Raspberry for Science award? by Anonymous Coward · · Score: 0

    I nominate this bit of work for a Raspberry award, as it is something that has no benefit to science. A PhD which does not further the understanding of the universe or help mankind in any way. Congratulations on making the world a little bit crappier!

  21. Pirating by slashping · · Score: 1

    If people don't want me to pay for their services because I'm in a different country, I guess I'll have to resort to pirating the material instead.

  22. Feel sorry for satellite users by evil9000 · · Score: 1

    If all they're looking at is latency, then watch out for anyone who over-uses their bandwidth and creates artificial lag through network congestion - this technology will label you a dirty international thief.

    I'm sure the farmers who wrote the constitution thought about this when they were writing up trade and copyright laws.....

  23. Why. by Anonymous Coward · · Score: 0

    None of this needs to exist.
    It is equal to helping a prisoner rape another inmate.

  24. Good idea but by Anonymous Coward · · Score: 0

    Defeated by remote desktop