Utkarsh Goel, Moritz Steiner, Mike P. Wittie, Martin Flack, Stephen Ludin

Passive and Active Measurements Conference 2016

Heraklion, Crete, Greece

Detecting Cellular Middleboxes Using Passive Measurement Techniques

TCP Terminating Proxies in Cellular Networks

Split TCP Proxy

End-to-End TCP Connection

2

Motivation• CDN providers interested in detecting TCP terminating Web proxies deployed by

cellular carriers.- Optimize TCP connections for proxies, instead of mobile devices.- Monitor Web performance with proxies.

• Active measurement techniques allow for detection of Web proxies.- Require access to clients’ devices- Time consuming and data-intensive

3

Motivation

• CDN providers do not have access to client devices to run active experiments.- Access to HTTP logs recorded by CDN servers.- TCP logs containing connection characteristics.- User requested JavaScript code.

• Could proxies be detected by only Passive network measurements?- using any of the above data- Would the results be as accurate as active measurements?

4

Turns out that,

• Yes, we can.

• Three passive measurement techniques:

- Latency

- Packet Loss

- Parameters in TCP SYN (ICW, MSS, TCP Timestamp)

5

Data Collection Methodology• Client-side

- Akamai’s Real User Monitoring (RUM) system- Injects JavaScript into requested webpage HTML- Measures TCP connection setup time- Reports back to Akamai RUM servers

• Server-side- Akamai’s CDN servers also estimate TCP latency- Report data back to Akamai RUM servers- Log HTTP and TCP connection details, including loss.

6

Client vs Server Estimated Latency

Split TCP Proxy

7

Client vs Server Estimated Latency

Comparison of Client and Server side latencies indicate presence of proxies8

E2E vs Server-side Latency

Split TCP Proxy

End-to-End TCP Connection

9

Latency?

HTTP vs HTTPS Latency on Server

Server-side latency differences for HTTP and HTTPS traffic could detect proxies10

Close look into T-Mobile’s data

11

Domain and Location Specific Latency

Monitor use of cellular proxies specific to domain and locations12

Web proxies for IPv6 Traffic

Monitor use of proxies for IPv4 and IPv6 infrastructure

13

TCP Split for HTTPS Traffic

Detect proxies to monitor whether HTTPS traffic is split

14

Packet Loss - HTTP vs HTTPS

0 10 20 30 40 50 60 70

0.6

0.7

0.8

0.9

1.0

Packet Loss (%)

CD

F of

TC

P C

onne

ctio

nsHTTP - AT&THTTPS - AT&THTTP - VerizonHTTPS - VerizonHTTP - SprintHTTPS - SprintHTTP - T-MobileHTTPS - T-Mobile

15

Packet Loss – France Telecom

0 10 20 30 40 50 60 70

0.6

0.7

0.8

0.9

1.0

Packet Loss (%)

CD

F of

TC

P C

onne

ctio

nsHTTP - BouyguesHTTPS - BouyguesHTTP - France TelecomHTTPS - France TelecomHTTP - SFRHTTPS - SFR

16

Parameters in TCP SYN• TCP SYN Characteristics of Cellular Proxies differ from mobile devices

- Initial Congestion Window- Maximum Segment Size- TCP Timestamp in TCP Options header

• All TCP SYN packets for HTTP (Port 80) had same TCP SYN parameters

• TCP SYN parameters varied for HTTPS (Port 443)- HTTP and HTTPS packets were sent from two different machines

17

What about accuracy?Sdf

DH: Delayed Handshake

Comparison with Xu et al.’s work “Investigating Transparent Web Proxies in Cellular Networks” [PAM 2015]

18

Takeaways

• Passive network measurements techniques offer the same level of accuracy as expensive active network experiments.

• Server operators could accurately use their HTTP and TCP logs to detect the presence of TCP terminating proxies in cellular networks

• Our work offers a peek into performance analysis of cellular networks worldwide from Akamai’s perspective.

19

Thank you

Questions?

Utkarsh Goel

utkarsh.goel@cs.montana.edu