From: richard
To: bloat@lists.bufferbloat.net
Date: Fri, 26 Aug 2011 13:41:29 -0700
Subject: [Bloat] Interesting new study of wireless carrier "middle box" characteristics - buffering and strange TCP activities
Message-ID: <1314391289.22760.48.camel@adm.pacdat.net>
List-Id: General list for discussing Bufferbloat

http://www.eecs.umich.edu/~qiangxu/paper/sigcomm11_wang.pdf

includes creation of Android app "NetPiculet"
to analyze this activity.

sample:

We released NetPiculet on Android Market in January 2011 and attracted 393 unique mobile users within merely two weeks. Leveraging the data from these users, we report our findings from 107 cellular carriers around the world. In particular, we studied the policies of two large nation-wide U.S. carriers in more depth and corroborated our findings carefully with controlled experiments. Due to security and privacy concerns, we anonymize their names and label them as Carrier A and Carrier B. We summarize our key findings as follows:

• In some cellular networks, a single mobile device can encounter more than one type of NAT, likely due to load balancing. We also discovered some NAT mappings increment external port number with time which was not documented in any prior NAT study. Accordingly, we develop new NAT traversal techniques to handle both cases.

• Four cellular networks are found to allow IP spoofing, which provides attack opportunities by punching holes on NATs and firewalls “on behalf of” a victim from inside the networks, and thus directly exposing the victim to further attacks from the Internet.

• Eleven carriers are found to impose a quite aggressive timeout value of less than 10 minutes for idle TCP connections, potentially frequently disrupting long-lived connections maintained by applications such as push-based email. The resulting extra radio activities on a mobile device could use more than 10% of battery per day compared to those under a more conservative timeout value (e.g., 30 minutes).

• One of the largest U.S. carriers is found to configure firewalls to buffer out-of-order TCP packets for a long time, likely for the purpose of deep packet inspection. This unexpectedly interferes with TCP Fast Retransmit and Forward RTO-Recovery, severely degrading TCP performance triggered merely by a single packet loss.
• At least one firewall of a major cellular ISP liberally accepts TCP packets within a very large window of sequence numbers, greatly facilitating the traditional blind data injection attacks, endangering connections that transfer relatively large amount of data (e.g., streaming applications).

• Some cellular network firewalls do not immediately remove the TCP connection state after a connection is closed, allowing attackers to extend his attack on a victim even after the victim has closed the connection to a malicious server. This also dramatically lengthens the NAT traversal time to a few minutes, given that the same TCP five tuple cannot be reused quickly.

original pointer from
http://www.technologyreview.com/communications/38435/page1/

richard

-- 
Richard C. Pitt
Pacific Data Capture
rcpitt@pacdat.net
604-644-9265
http://digital-rag.com
www.pacdat.net
PGP Fingerprint: FCEF 167D 151B 64C4 3333 57F0 4F18 AF98 9F59 DD73
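
The last two findings quoted in the message above (a very large accepted sequence window, and connection state kept after close) can be made concrete with a small model of a stateful filter's per-flow check. This is an added example, not code from the paper or from the post; `FlowTable`, `in_window`, `accepted_fraction`, the 2^30 "liberal" window and the sample flow are constructed assumptions.

```python
MOD = 1 << 32  # TCP sequence numbers wrap at 2^32

def in_window(seq, length, rcv_nxt, window):
    """RFC 793 acceptability test, done modulo 2^32 so wraparound is handled."""
    if window == 0:
        return length == 0 and seq == rcv_nxt
    first = (seq - rcv_nxt) % MOD                        # offset of first byte
    last = (seq + max(length, 1) - 1 - rcv_nxt) % MOD    # offset of last byte
    return first < window or last < window

def accepted_fraction(window):
    """Share of the sequence space in which a segment passes the check."""
    return window / MOD

class FlowTable:
    """Toy per-flow filter state (hypothetical names, constructed for this example)."""
    def __init__(self, accept_window=None):
        # None: validate against the receiver's advertised window (strict).
        # A fixed large value models a filter that accepts liberally.
        self.accept_window = accept_window
        self.flows = {}

    def open(self, five_tuple, rcv_nxt, rcv_wnd):
        self.flows[five_tuple] = {"rcv_nxt": rcv_nxt % MOD, "rcv_wnd": rcv_wnd}

    def close(self, five_tuple):
        # Drop state as soon as the connection closes, so later segments
        # for this five-tuple no longer match anything.
        self.flows.pop(five_tuple, None)

    def check(self, five_tuple, seq, length):
        st = self.flows.get(five_tuple)
        if st is None:
            return False
        win = st["rcv_wnd"] if self.accept_window is None else self.accept_window
        ok = in_window(seq, length, st["rcv_nxt"], win)
        if ok and seq == st["rcv_nxt"]:      # in-order data advances the window
            st["rcv_nxt"] = (seq + length) % MOD
        return ok

if __name__ == "__main__":
    flow = ("10.0.0.2", 40000, "192.0.2.10", 443, "tcp")   # constructed sample flow
    strict, liberal = FlowTable(), FlowTable(accept_window=1 << 30)
    for t in (strict, liberal):
        t.open(flow, rcv_nxt=0xFFFFFF00, rcv_wnd=65535)
    far = (0xFFFFFF00 + 1_000_000) % MOD                   # far outside the real window
    print("strict:", strict.check(flow, far, 100), "liberal:", liberal.check(flow, far, 100))
    print("fraction accepted:", accepted_fraction(65535), "vs", accepted_fraction(1 << 30))
```

With the constructed 2^30 window a quarter of the sequence space passes the check, against roughly 0.0015% when the filter tracks the receiver's 65535-byte window.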