Slashdot Mirror


How To Defeat VPN Location-Spoofing By Mapping Network Delays (thestack.com)

An anonymous reader writes: An interesting paper from a PhD student in Ontario outlines a system which in initial tests has proved 97% effective at unmasking geo-spoofing VPN users. The Client Presence Verification (CPV) system presented in the paper utilises analysis of delays in network packets in order to determine the user's location, disregarding the IP address geolocation information which currently underpins the efforts of content providers such as Netflix to prevent VPN users accessing content which is not licensed in their country. The detection system was tested at global network laboratory PlanetLab using 80 network nodes based in the U.S. and Canada.

18 of 81 comments

  1. Seems trivial to mask by DreamMaster · · Score: 5, Interesting

    I haven't RTFA yet, but if the analysis is solely based on network delays, then a VPN company could simply introduce randomized delays to all its users, even the local ones. Then an analysing service wouldn't be able to definitively say whether any given user is geo-spoofing or not. The best they could say is that the connecting service is likely a VPN.

    1. Re:Seems trivial to mask by The-Ixian · · Score: 2

      Nobody can spoof FTL... It is impossible to move faster than light... everyone knows this...

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:Seems trivial to mask by ArmoredDragon · · Score: 2

      A problem with this is that some types of connections are slower than others when it comes to overall latency. With modern broadband, geosync satellite is the slowest, followed by DSL, followed by cable, with fttp being the fastest. How are they supposed to control for that? A VPN really doesn't add a whole lot of latency, and even if it did, they could just replace it with GRE to reduce that added latency (we don't really need encryption if we're just trying to geospoof since the sites we're trying to geospoof to always use TLS anyways) and you're adding the same amount of latency that say DSL would add vs cable.

    3. Re:Seems trivial to mask by AHuxley · · Score: 2

      Yes AC, all the better VPN providers have to do is buy into the right IP ranges and hardware locations in the USA.
      Huge blocks of IPs exist and so do interesting telco-like options. A 100 optical link in New Zealand or the UK becomes a virtual copper connected user in a US state.
      Every line test and request shows an average community of US users, a brand name and a US IP range. With a low "ms" ping to match the geographic location.
      The magic will be in the interface between a city or rural network front and the global backend.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:Seems trivial to mask by 110010001000 · · Score: 3, Funny

      I don't live in my Mom's basement. I live in my Mom's Au Pair suite!

    5. Re:Seems trivial to mask by joshuao3 · · Score: 4, Funny

      Actually I think you are missing a completely different point. You don't have to speed up connections to match the speed of non-vpn traffic, you just have to slow everything down so that you can't be sure which is VPN and which is normal.

      So... Comcast really had our best interests in mind after all?

      --
      Monitor bandwidth usage on IIS6 in real-time: http://www.waetech.com/services/iisbm/
    6. Re:Seems trivial to mask by Thanshin · · Score: 2

      Never underestimate the spoofing abilities of an Alcubierre drive station wagon full of tapes hurtling down the highway.

    7. Re:Seems trivial to mask by Lumpy · · Score: 2

      Or just use Comcast... They introduce random delays in their normal traffic due to how crappy their network is.

      --
      Do not look at laser with remaining good eye.
  2. False positives by Stuarticus · · Score: 4, Interesting

    False positives are a pretty major issue when you look at Netflix's user base, 97% effective isn't very good if you're going to refuse to serve content to over a million paying customers every day.

    --
    If you think someone isn't free to have a different definition of "freedom" you may be a tyrant.
  3. Mask this by violating TCP rules? by Theovon · · Score: 2

    People have pointed out that this is hard to make because you can’t make signals move FTL. Basically, you can send a packet, and by the rules of TCP, the ACK is generated at the destination, so while you could artificially lengthen the round-trip ping time, you can’t shorten it. But why not? How about we have the VPN buffer the TCP packets and break the rules. When a packet is received from Netflix, the VPN sends the ACK. When the user’s computer sends its ACK, the VPN consumes it. If there’s a chance of this being unreliable, them’s the breaks.

    1. Re:Mask this by violating TCP rules? by silas_moeckel · · Score: 5, Interesting

      The satellite guys have done this forever. Moving the syn/ack to the VPN head end is a stock application at this point.

      --
      No sir I dont like it.
    2. Re:Mask this by violating TCP rules? by Quince+alPillan · · Score: 4, Interesting

      What you're talking about is a forward proxy. Forward proxy servers do this (and will even proxy SSL traffic).

      In the whitepaper, they're actually talking about making a new protocol that measures the one way distance time and compares it to their database of network speeds and distances to determine your location. Their solution is an application-level solution, which depends upon a Forward Proxy to know about the protocol and spoof it correctly.

      The problem with their solution is that network speeds are fluid and a computer with a problem (e.g. a local neighborhood node or a legitimately slow client that is delaying all traffic 20-30ms) can make their estimates wildly inaccurate. Even today, Cogent to Level 3 has a 197ms ping in LA. In the paper, they used average speeds for various known networks. This can be mitigated somewhat by measuring client traffic and only counting outliers (e.g. all traffic from a certain area being delayed the same, except for our rogue client) but it still doesn't mitigate the local computer problem.

      A second problem with their solution is that it only measures distance - a server in Miami, Florida accepting data from a client in Seattle, Washington is 2732 mi and the same distance (roughly) as Lima, Peru. This means that a client in Lima should pretend to be from Seattle when they connect to their combo VPN/Forward Proxy in Miami. Satellite customers will almost always have extremely high latency because of the round trip between Earth and the Satellite, even if they're legitimately in the correct area.

      In addition, they were only able to make this accurate to about 400km, which means if you have a nearby beneficial country within that range, you can use a VPN in that country and they still won't know.
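The single-landmark ambiguity described in the comment above (Lima and Seattle sit at roughly the same distance from Miami) is easy to see in code. The following is an added example, not code from the paper or from any commenter: a toy delay-based verifier that converts RTTs from landmark servers into distance estimates and checks a client's claimed location against every landmark. The city coordinates, the 200 km/ms fibre propagation floor, the 100 km/ms "typical Internet path" calibration and the simulated RTTs are all assumptions; the 400 km tolerance is the figure the comment attributes to the paper. It also shows the asymmetry raised elsewhere in this thread: a delay can be lengthened but never shortened below the speed of light, so an RTT that is too short for the claimed distance is a hard rejection, while a long one is merely inconsistent.

```python
"""
Added example (not from the paper or any commenter): a toy delay-based
location verifier. Measured RTTs from landmark servers become distance
estimates, and a client's claimed location is checked against all of them.
Coordinates and delay constants below are assumptions, not the paper's values.
"""
import math

EARTH_RADIUS_KM = 6371.0
# Assumption: light in fibre travels at about 2/3 c, roughly 200 km/ms.
# No client can return an RTT shorter than the straight-line distance allows.
FIBRE_KM_PER_MS = 200.0
# Assumption: a typical Internet path is about half as efficient as a straight
# fibre run (detours, routing, queuing), i.e. ~100 km per ms of one-way delay.
PATH_KM_PER_MS = 100.0
TOLERANCE_KM = 400.0  # resolution the comment above attributes to the paper


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def min_rtt_ms(distance_km):
    """Physical floor on RTT: delay can be added, but nothing beats light in fibre."""
    return 2 * distance_km / FIBRE_KM_PER_MS


def estimate_distance_km(rtt_ms):
    """Calibrated guess at distance from a measured RTT (assumed path model)."""
    return rtt_ms / 2 * PATH_KM_PER_MS


def verify_claim(claimed, landmarks, rtts_ms):
    """Return (verdict, reason). Reject outright if any landmark's RTT is
    physically impossible for the claimed distance; otherwise accept only if
    every landmark's distance estimate is within tolerance of the claim."""
    for name, pos in landmarks.items():
        d_claimed = haversine_km(claimed, pos)
        rtt = rtts_ms[name]
        if rtt < min_rtt_ms(d_claimed):
            return "reject", f"{name}: RTT {rtt:.1f} ms is faster than light for {d_claimed:.0f} km"
        d_est = estimate_distance_km(rtt)
        if abs(d_est - d_claimed) > TOLERANCE_KM:
            return "reject", f"{name}: estimated {d_est:.0f} km, claimed {d_claimed:.0f} km"
    return "accept", "all landmarks within tolerance"


def simulate_rtts(true_location, landmarks):
    """Constructed measurements: the RTTs a client at true_location would show
    under the PATH_KM_PER_MS model (no jitter, no VPN detour)."""
    return {name: 2 * haversine_km(true_location, pos) / PATH_KM_PER_MS
            for name, pos in landmarks.items()}


# Assumed coordinates (approximate city centres).
MIAMI = (25.7617, -80.1918)
SEATTLE = (47.6062, -122.3321)
LIMA = (-12.0464, -77.0428)
LOS_ANGELES = (34.0522, -118.2437)

ONE_LANDMARK = {"miami": MIAMI}
TWO_LANDMARKS = {"miami": MIAMI, "los_angeles": LOS_ANGELES}


def demo():
    """A client really in Lima claims to be in Seattle, checked against one
    landmark and then against two."""
    results = {}
    for label, landmarks in (("miami_only", ONE_LANDMARK), ("miami_and_la", TWO_LANDMARKS)):
        rtts = simulate_rtts(LIMA, landmarks)
        results[label] = verify_claim(SEATTLE, landmarks, rtts)
    return results


if __name__ == "__main__":
    for label, (verdict, reason) in demo().items():
        print(f"{label}: {verdict} ({reason})")
```

With Miami as the only landmark the Lima client's claim of Seattle is accepted (the two cities differ by under 200 km in distance from Miami, inside the 400 km tolerance); adding a Los Angeles landmark rejects it, because Lima is several thousand kilometres further from Los Angeles than Seattle is. The verifier still cannot distinguish a genuinely distant client from a near one that is deliberately slow, which is the limitation the thread's "you can lengthen but not shorten" remarks point at.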

    3. Re:Mask this by violating TCP rules? by ooloorie · · Score: 2

      Or, alternatively, you can simply run the Netflix app on a virtual machine in the target country and then stream the video from the virtual desktop.

  4. 97% is not even close to commercially viable by Thanshin · · Score: 4, Insightful

    97% to detect irregular behavior is completely useless unless the rate of regular and irregular behavior is reasonably balanced. In most commercial settings the rate is biased towards regular behavior by several orders of magnitude. In other words, thousands of times more biased than 97:3.

    Therefore, this system will have orders of magnitude more false positives than positives. So the positives will just disappear inside a mass of angry customers.

    In short, the ratio of success has to be in the same order of magnitude as the ratio of irregular behavior. e.g.: for Netflix you'd need better than 99.99% precision.

    1. Re:97% is not even close to commercially viable by Anonymous Coward · · Score: 3, Insightful

      And even then, you must consider that Netflix doesn't actually give a flying fuck about geospoofing as long as the number of people doing it consistently remains small and those people remain paying customers...

      Netflix has no reason to actually WANT to prevent or disallow these customers from consuming content this way--there's nothing to be gained by winning that fight and lots to lose.

      They're simply playing along so content owners don't start threatening to pull content. They're actually between a rock and a hard place, hence the "we're trying to prevent geospoofers from consuming content where they shouldn't. We won't let it happen again, honest!" thing.

    2. Re:97% is not even close to commercially viable by Some+nick+or+other · · Score: 3, Insightful

      Typical base rate fallacy example. Suppose 1% of the users are VPN users. Suppose the service is 97% accurate at classifying VPNers as VPNers and regular users as regular users. What's the probability that a user is a regular user given that the system says he's a VPNer?

      Out of 10000 users, there are 100 VPN users. 97 of these will be recognized, 3 not.
      There are 9900 ordinary users. 9900*0.03=297 of these will be falsely flagged.

      So the probability of a positive being true is 97/(97+297) = 24.6%. The probability that he's a regular user is 75.4% which is not nearly good enough for Netflix.
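The base-rate arithmetic in the comment above generalises to any detector, and the same formula also answers the earlier comment's "better than 99.99%" remark by solving for the specificity a target precision requires. The following is an added example, not code from any commenter: it reproduces the 10000-user worked case and then inverts the formula. The 1% prevalence, 97% accuracy and 99% target precision are the thread's figures used as inputs; everything else is standard Bayes' rule.

```python
"""
Added example (not from any commenter): base-rate arithmetic for a detector
with a given prevalence, sensitivity (true-positive rate) and specificity
(true-negative rate). Inputs below are the thread's figures, used as assumptions.
"""


def confusion_counts(n_users, prevalence, sensitivity, specificity):
    """Expected TP/FN/FP/TN counts for a population of n_users."""
    positives = n_users * prevalence
    negatives = n_users - positives
    tp = positives * sensitivity
    fn = positives - tp
    tn = negatives * specificity
    fp = negatives - tn
    return {"tp": tp, "fn": fn, "fp": fp, "tn": tn}


def positive_predictive_value(prevalence, sensitivity, specificity):
    """P(really a VPN user | flagged) = TP / (TP + FP), Bayes' rule."""
    tp_rate = prevalence * sensitivity
    fp_rate = (1 - prevalence) * (1 - specificity)
    return tp_rate / (tp_rate + fp_rate)


def required_specificity(prevalence, sensitivity, target_ppv):
    """Solve PPV = p*s / (p*s + (1-p)*(1-spec)) for spec, the true-negative
    rate needed before a flag is right target_ppv of the time."""
    fp_rate_allowed = prevalence * sensitivity * (1 / target_ppv - 1)
    return 1 - fp_rate_allowed / (1 - prevalence)


def ppv_by_prevalence(sensitivity, specificity, prevalences):
    """How precision collapses as the flagged behaviour gets rarer."""
    return {p: positive_predictive_value(p, sensitivity, specificity) for p in prevalences}


if __name__ == "__main__":
    # The comment's case: 1% VPN users, 97% accuracy on both classes.
    counts = confusion_counts(10000, 0.01, 0.97, 0.97)
    ppv = positive_predictive_value(0.01, 0.97, 0.97)
    print(f"flagged: {counts['tp']:.0f} true, {counts['fp']:.0f} false -> PPV {ppv:.1%}")
    # What specificity would a 99%-correct flag need at the same prevalence?
    print(f"specificity needed for 99% PPV: {required_specificity(0.01, 0.97, 0.99):.4%}")
    for p, v in ppv_by_prevalence(0.97, 0.97, [0.5, 0.1, 0.01, 0.001]).items():
        print(f"prevalence {p:.1%}: PPV {v:.1%}")
```

At 1% prevalence the 97/97 detector yields 97 true and 297 false flags per 10000 users, a 24.6% precision, exactly as worked above; holding a 99% precision at that prevalence needs a false-positive rate below about 0.01%, which is the "99.99%" figure from the earlier comment.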

    3. Re:97% is not even close to commercially viable by mysidia · · Score: 2

      If they manage to get Netflix to clamp down on out-of-region customers then those people will become former customers.

      The content creators want Netflix to PAY MORE to license the content in these extra countries.

      Regional restrictions are about generating more $$$ by allowing the content to be priced higher in other areas according to their local market conditions and to force companies that need worldwide usage to jump through many hoops and pay a heck of a lot more.

  5. Re:What a waste of brainpower by PlainWhiteTrash · · Score: 2

    Here, I must disagree. I'm a software developer and network engineer. Specifically, my particular software development specialty involves interacting intimately with the network layer. (I'm in the VoIP world.) These people are doing good work in relating characteristics of latency to distance and geolocation and along the way are learning a great deal about the various factors that influence latency and jitter in the real world across working, real world networks. While you may not enjoy the particular aims that they're pursuing as a commercialization strategy, they have to get paid somehow... Meanwhile, the things that they learn about the causes of latency, jitter, and other aspects of service quality in packet networking can be USEFULLY utilized by everyone else in improving the network. Just a thought.