Utkarsh Goel, Moritz Steiner, Mike P. Wittie, Martin Flack, Stephen Ludin
Passive and Active Measurements Conference 2016
Heraklion, Crete, Greece
Detecting Cellular Middleboxes Using Passive Measurement Techniques
TCP Terminating Proxies in Cellular Networks
Split TCP Proxy
End-to-End TCP Connection
Motivation
• CDN providers interested in detecting TCP terminating Web proxies deployed by cellular carriers.
- Optimize TCP connections for proxies, instead of mobile devices.
- Monitor Web performance with proxies.
• Active measurement techniques allow for detection of Web proxies.
- Require access to clients’ devices
- Time consuming and data-intensive
Motivation
• CDN providers do not have access to client devices to run active experiments.
- Access to HTTP logs recorded by CDN servers.
- TCP logs containing connection characteristics.
- User requested JavaScript code.
• Could proxies be detected by only passive network measurements?
- Using any of the above data
- Would the results be as accurate as active measurements?
Turns out that,
• Yes, we can.
• Three passive measurement techniques:
- Latency
- Packet Loss
- Parameters in TCP SYN (ICW, MSS, TCP Timestamp)
Data Collection Methodology
• Client-side
- Akamai’s Real User Monitoring (RUM) system
- Injects JavaScript into requested webpage HTML
- Measures TCP connection setup time
- Reports back to Akamai RUM servers
• Server-side
- Akamai’s CDN servers also estimate TCP latency
- Report data back to Akamai RUM servers
- Log HTTP and TCP connection details, including loss.
Client vs Server Estimated Latency
Split TCP Proxy
Client vs Server Estimated Latency
Comparison of client-side and server-side latencies indicates the presence of proxies
E2E vs Server-side Latency
Split TCP Proxy
End-to-End TCP Connection
Latency?
HTTP vs HTTPS Latency on Server
Server-side latency differences for HTTP and HTTPS traffic could detect proxies
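The two latency comparisons above (client-side vs server-side, and HTTP vs HTTPS on the server) can be run over per-connection log records. The following Python is an added example, not code from the talk or from Akamai; the record layout, carrier names, sample values, the 0.5 ratio threshold and the minimum sample count are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records (not Akamai data), one per TCP connection:
# (carrier, port, client-side ms from RUM, server-side ms estimated by the CDN)
SAMPLES = [
    ("carrier-A", 80, 62.0, 9.0), ("carrier-A", 80, 71.0, 11.0),
    ("carrier-A", 80, 58.0, 8.0), ("carrier-A", 443, 64.0, 60.0),
    ("carrier-A", 443, 70.0, 66.0), ("carrier-A", 443, 59.0, 57.0),
    ("carrier-B", 80, 55.0, 52.0), ("carrier-B", 80, 61.0, 58.0),
    ("carrier-B", 80, 49.0, 47.0), ("carrier-B", 443, 57.0, 54.0),
    ("carrier-B", 443, 63.0, 60.0), ("carrier-B", 443, 50.0, 48.0),
]

RATIO_THRESHOLD = 0.5  # assumed cut-off: server sees under half the client latency
MIN_SAMPLES = 3        # assumed minimum connections per (carrier, port) group


def median_latencies(samples):
    """Return {(carrier, port): (median client ms, median server ms)}."""
    groups = defaultdict(list)
    for carrier, port, client_ms, server_ms in samples:
        groups[(carrier, port)].append((client_ms, server_ms))
    return {
        key: (median(c for c, _ in rows), median(s for _, s in rows))
        for key, rows in groups.items() if len(rows) >= MIN_SAMPLES
    }


def detect_split_tcp(samples, threshold=RATIO_THRESHOLD):
    """Flag groups whose server-side latency is far below the client-side one."""
    # Split connection: the server handshakes with the proxy, so its estimate
    # excludes the radio segment that the client still measures.
    return {
        key: (server / client) < threshold
        for key, (client, server) in median_latencies(samples).items() if client > 0
    }


def http_vs_https_gap(samples):
    """Server-only check: median HTTPS minus HTTP latency (assumes HTTPS is not split)."""
    med = median_latencies(samples)
    carriers = {c for c, _ in med}
    return {c: med[(c, 443)][1] - med[(c, 80)][1]
            for c in carriers if (c, 80) in med and (c, 443) in med}


if __name__ == "__main__":
    print(detect_split_tcp(SAMPLES), http_vs_https_gap(SAMPLES))
```

In the constructed data only carrier-A on port 80 is flagged, and the same carrier shows the large HTTPS-minus-HTTP gap on the server side.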
Close look into T-Mobile’s data
Domain and Location Specific Latency
Monitor use of cellular proxies specific to domain and locations
Web proxies for IPv6 Traffic
Monitor use of proxies for IPv4 and IPv6 infrastructure
TCP Split for HTTPS Traffic
Detect proxies to monitor whether HTTPS traffic is split
Packet Loss - HTTP vs HTTPS
[Figure: CDF of TCP connections vs. packet loss (%), for HTTP and HTTPS traffic on AT&T, Verizon, Sprint and T-Mobile]
Packet Loss – France Telecom
[Figure: CDF of TCP connections vs. packet loss (%), for HTTP and HTTPS traffic on Bouygues, France Telecom and SFR]
Parameters in TCP SYN
• TCP SYN characteristics of cellular proxies differ from mobile devices
- Initial Congestion Window
- Maximum Segment Size
- TCP Timestamp in TCP Options header
• All TCP SYN packets for HTTP (Port 80) had same TCP SYN parameters
• TCP SYN parameters varied for HTTPS (Port 443)
- HTTP and HTTPS packets were sent from two different machines
What about accuracy?
DH: Delayed Handshake
Comparison with Xu et al.’s work “Investigating Transparent Web Proxies in Cellular Networks” [PAM 2015]
Takeaways
• Passive network measurement techniques offer the same level of accuracy as expensive active network experiments.
• Server operators could accurately use their HTTP and TCP logs to detect the presence of TCP terminating proxies in cellular networks.
• Our work offers a peek into performance analysis of cellular networks worldwide from Akamai’s perspective.