How To Defeat VPN Location-Spoofing By Mapping Network Delays

An anonymous reader writes: An interesting paper from a PhD student in Ontario outlines a system which in initial tests has proved 97% effective at unmasking geo-spoofing VPN users. The Client Presence Verification (CPV) system presented in the paper utilises analysis of delays in network packets in order to determine the user's location, disregarding the IP address geolocation information which currently underpins the efforts of content providers such as Netflix to prevent VPN users accessing content which is not licensed in their country. The detection system was tested at global network laboratory PlanetLab using 80 network nodes based in the U.S. and Canada.

Seems trivial to mask

[DreamMaster]

I haven't RTFA yet, but If the analysis is solely based on network delays, then a VPN company could simply introduce randomized delays to all it's users, even the local ones. Then an analysing service wouldn't be able to definitively say whether any given user is geo-spoofing or not. The best they could say is that the connecting service is likely a VPN.

Re:

[Anonymous Coward]

sure but you can't spoof FTL, that is the point

Re:

[The-Ixian]

Nobody can spoof FTL... It is impossible to move faster than light... everyone knows this...

Re:Seems trivial to mask

[110010001000]

I don't live in my Mom's basement. I live in my Mom's Au Pair suite!

Re:

[antdude]

Prove it. :P

Re:

[ooloorie]

No, us space nutters simply don't care much either way. Overcoming the light speed limit isn't necessary for space exploration or colonizing the galaxy.

In any case, FTL travel is consistent with known physics; at this point, the question is merely whether it's practical.

Re:

[mysidia]

Nobody can spoof FTL... It is impossible to move faster than light... everyone knows this

VPN environments will get replaced with VPC environments (Virtual-Private Compute)

They'll just move more and more elements of the protocol stack out to the external provider, until the spoofing can no longer be detected.

The next step above VPN is using an Application-Layer Proxy or Tunnel instead, such as Wingate or a HTTP proxy.

A step above that would be to run the web browser/software from the service provider

Re:

[MrDoh!]

Aye, spin up an AWS instance in whatever region you need, run Chrome, and chrome remote the screen to your real machine/tablet/phone anywhere in the world. Heck, if Netflix is now running using AWS, it's probably a couple of racks over it needs to get to, decent ping rate! "It's already in the house!!!"

Re:

[AHuxley]

Yes AC, all the better VPN providers have to do is buy into the right ip ranges and hardware locations in the USA.
Huge blocks of ip's exist and so do interesting telco like options. A 100 optical link in New Zealand or the UK becomes a virtual copper connected user in a US state.
Every line test and request shows an average community of US users, a brand name and a US ip range. With a low "ms" ping to match the geographic location.
The magic will be in the interface between a city or rural network front

Re:Seems trivial to mask

[joshuao3]

<quote>Actually I think you are missing a completely different point. You don't have to speed up connections to match the speed of non-vpn traffic, you just have to slow everything down so that you can't be sure which is VPN and which is normal. </quote>

So... Comcast really had our best interests in mind after all?

Re:

[ArmoredDragon]

A problem with this is that some types of connections are slower than others when it comes to overall latency. With modern broadband, geosync satellite is the slowest, followed by DSL, followed by cable, with fttp being the fastest. How are they supposed to control for that? A VPN really doesn't add a whole lot of latency, and even if it did, they could just replace it with GRE to reduce that added latency (we don't really need encryption if we're just trying to geospoof since the sites we're trying to geos

Re:

[Thanshin]

Never underestimate the spoofing abilities of an Alcubierre drive station wagon full of tapes hurtling down the highway.

Re:

[Thanshin]

Well, it's for the client to choose which method is more convenient to him.. You can have your packets in time or without the cone of ultra-energetic particles that vaporizes your entire civilization.

Re:

[nazsco]

>97% detection rate

with a probably 95% false positive rate on top.

who the heck thinks slow network is a way to detect location is a good idea!?

Re:

[DarkOx]

I would think the thing to do would not be to introduce randomized delays but rather to adopt a fairly pessimistic minimum latency to your client end points. If packets from a given client arrives closer together than the pessimistic latency the trailing packet should be held until that minimum time is reached. You probably want do this on sending to the client as well as that might still enable timing attacks otherwise. That wont effect performance much streaming media where the MTU will full most of th

Re:

[Lumpy]

Or just use Comcast... They introduce random delays in their normal traffic due to how crappy their network is.

Re:

[sudon't]

I haven't RTFA yet, but If the analysis is solely based on network delays, then a VPN company could simply introduce randomized delays to all it's users, even the local ones. Then an analysing service wouldn't be able to definitively say whether any given user is geo-spoofing or not. The best they could say is that the connecting service is likely a VPN.

From TFP: "To achieve high accuracy, CPV mitigates Internet path asymmetry using a novel method to deduce one-way application-layer delays to/from the client’s participating device, and mines these delays for evidence supporting/refuting the asserted location."

But, simply saying that the connection is through a VPN could be enough for some to refuse the connection. For instance, if content providers really got on Netflix and Hulu's ass about it, they might opt for this simpler solution of blocking VPN

False positives

[Stuarticus]

False positives are a pretty major issue when you look at Netflix's user base, 97% effective isn't very good if you're going to refuse to serve content to over a million paying customers every day.

Re:

[Qzukk]

According to this research, Comcast users are from Mars.

Re:

[Lumpy]

No, it's just Comcast bounces all their internet traffic off of mars.

Re:

[wbr1]

This. I know many people on slow rural DSL with terrible upstream speeds. Thier ping and jitter can be bad, but downstream is enough to support streaming. This is a whole class of users that would be branded with a false positive as VPN user if delay is the only factor.

Re:

[lowen]

While I do have mod points, I need to post this. I regularly see 1,000ms ping RTT on my otherwise reasonably fast (7/.5) DSL service when I have a lot of upstream traffic, and that ping RTT is to the router's gateway, a single hop away. My boss, who is on a 50/5 cable service, has consistent 1,000ms ping RTT to his next-hop. RTT for other packets varies according to protocol and IP target, showing some QoS queueing going on.

My DSL RTT to the next hop varies between a couple of ms to 1,000 ms depending o

Re:

[AmiMoJo]

I wonder if it really is as high as 97%, even when accounting for ISPs that are heavily oversubscribed and offer massively variable packet latency.

Re:

[pr0fessor]

97% in a partially controlled environment the internet is not that consistent but even still 3% of Netflix reported 33.3 million subscribers is 999,000 even if only half are false positives and even if only half of those people decide to leave it's still a loss of over $20 million a year assuming they all have the basic $7.99 account.

I imagine that when you start looking at rural dsl or satellite internet it will be much harder to tell based on latency and that number will go up.

Re:

[radarskiy]

3% of someone else's paying customers? The MPAA is willing to make this sacrifice. ;-)

Mask this by violating TCP rules?

[Theovon]

People have pointed out that this is hard to make because you can’t make signals move FTL. Basically, you can send a packet, and by the rules of TCP, the ACK is generated at the destination, so while you could artificially lengthen the round-trip ping time, you can’t shorten it. But why not? How about we have the VPN buffer the TCP packets and break the rules. When a packet is received from Netflix, the VPN sends the ACK. When the user’s computer sends its ACK, the VPN consumes it. If there’s a chance of this being unreliable, them’s the breaks.

Re:Mask this by violating TCP rules?

[silas_moeckel]

The satellite guys have done this forever. Moving the syn/ack to the VPN head end is a stock application at this point.

Re:Mask this by violating TCP rules?

[Quince alPillan]

What you're talking about is a forward proxy. Forward proxy servers do this (and will even proxy SSL traffic).

In the whitepaper, they're actually talking about making a new protocol that measures the one way distance time and compares it to their database of network speeds and distances to determine your location. Their solution is an application-level solution, which depends upon a Forward Proxy to know about the protocol and spoof it correctly.

The problem with their solution is that network speeds are fluid and a computer with a problem (e.g. a local neighborhood node or a legitimately slow client that is delaying all traffic 20-30ms) can make their estimates wildly inaccurate. Even today, Cogent to Level 3 has a 197ms ping in LA. In the paper, they used average speeds for various known networks. This can be mitigated somewhat by measuring client traffic and only counting outliers (e.g. all traffic from a certain area being delayed the same, except for our rogue client) but it still doesn't mitigate the local computer problem.

A second problem with their solution is that it only measures distance - a server in Miami, Florida accepting data from a client in Seattle, Washington is 2732 mi and the same distance (roughly) as Lima, Peru. This means that a client in Lima should pretend to be from Seattle when they connect to their combo VPN/Forward Proxy in Miami. Satellite customers are will almost always have extremely high latency because of the round trip between Earth and the Satellite, even if they're legitimately in the correct area.

In addition, they were only able to make this accurate to about 400km, which means if you have a nearby beneficial country within that range, you can use a VPN in that country and they still won't know.

Re:

[Bengie]

You do make a good point, but they didn't mention how they measured the latency. Maybe the used a looking glass server. It's also not common to see high pings like that, but they do happen. I only notice them a few times a week while i'm looking. At one point I had my Internet quality graph pointed to my first Level 3 hop, and it was fine for several days before it decided to have wild ping swing and packetloss even though the Internet was fine. I am now stuck using 8.8.8.8 and 8.8.4.4 for monitoring, and t

Re:

[ooloorie]

Or, alternatively, you can simply run the Netflix app on a virtual machine in the target country and then stream the video from the virtual desktop.

Holy IEEE Membership, Batman!

[EmagGeek]

These people sure seem to think that IEEE Membership means something...

97% is not even close to commercially viable

[Thanshin]

97% to detect irregular behavior is completely useless unless the rate of regular and irregular behavior is reasonably balanced. In most commercial settings the rate is biased towards regular behavior by several orders of magnitude. In other words, thousands of times more more biased than 97:3.

Therefore, this system will have orders of magnitude more false positives than positives. So the positives will just disappear inside a mass of angry customers.

In short; the ratio of success has to be in the same order of magnitude as the ratio of irregular behavior. e.g.: for Netflix you'd need better than 99.99% precision.

Re:

[Anonymous Coward]

And even then, you must consider that Netflix doesn't actually give a flying fuck about geospoofing as long as the number of people doing it consistently remains small and those people remain paying customers...

Netflix has no reason to actually WANT to prevent or disallow these customers from consuming content this way--there's nothing to be gained by winning that fight and lots to lose.

They're simply playing along so content owners don't start threatening to pull content. They're actually between a rock an

Re:

[myowntrueself]

And even then, you must consider that Netflix doesn't actually give a flying fuck about geospoofing as long as the number of people doing it consistently remains small and those people remain paying customers...

The most telling part of this whole saga is that the content providers themselves don't seem to have caught on to a basic economic detail: if people are consuming the content through the likes of Netflix, bypassing region restrictions, they (the content providers) get some money.

If they manage to get Netflix to clamp down on out-of-region customers then those people will become former customers and will go back to piracy and the content providers will get no money at all.

It is in the interest of the content

Re:

[mysidia]

If they manage to get Netflix to clamp down on out-of-region customers then those people will become former customers

The content creators want Netflix to PAY MORE to license the content in these extra countries.

Regional restrictions are about generating more $$$ by allowing the content to be priced higher in other areas according to their local market conditions and to force companies that need worldwide usage to jump through many hoops and pay a heck of a lot more.

Re:

[myowntrueself]

If they manage to get Netflix to clamp down on out-of-region customers then those people will become former customers

The content creators want Netflix to PAY MORE to license the content in these extra countries.

Regional restrictions are about generating more $$$ by allowing the content to be priced higher in other areas according to their local market conditions and to force companies that need worldwide usage to jump through many hoops and pay a heck of a lot more.

The thing is they aren't going to get more, they are going to get nothing at all.

Re:

[Some nick or other]

Typical base rate fallacy example. Suppose 1% of the users are VPN users. Suppose the service is 97% accurate at classifying VPNers as VPNers and regular users as regular users. What's the probability that a user is a regular user given that the system says he's a VPNer?

Out of 10000 users, there are 100 VPN users. 97 of these will be recognized, 3 not.
There are 9900 ordinary users. 9900*0.03=297 of these will be falsely flagged.

So the probability of a positive being true is 97/(97+297) = 24.6%. The p

Nothing can go wrong

[HideyoshiJP]

My average ping time over VPN is pretty similar to my ping rate over some in-home powerline adapters I have when they're doing okay but not great. Guess I'll have to rewire my entertainment area since someone wants to ruin the fun.

good point, but multiple indicators are used

[raymorris]

You make a good point about the a priori probabilities. If most customers are legit, then most customers who are flagged may be legit. ("97% accuracy " doesn't tell us if there are 3% false positives or 3% false negatives. There's a BIG difference. )

However 97% from a single indicator is very useful because indicators can be combined. Consider you're looking at someone and classifying them as male or female. One thing you see is the length of their hair. You also see what kind of shirt their wearing, etc

What a waste of brainpower

[The Last Gunslinger]

All that time and effort spent on finding ways for corporate profiteers to artificially restrict the transmission of bits from point A to point B; and even if implemented, it will probably be circumvented in a minuscule fraction of the development time.

Such a fucking waste.

Re:

[PlainWhiteTrash]

Here, I must disagree. I'm a software developer and network engineer. Specifically, my particular software development specialty involves interacting intimately with the network layer. (I'm in the VoIP world.) These people are doing good work in relating characteristics of latency to distance and geolocation and along the way are learning a great deal about the various factors that influence latency and jitter in the real world across working, real world networks. While you may not enjoy the particular

Fuck Abdelrahman Abdou

[Anonymous Coward]

Why? Other than making VPN users miserable, why did Abdelrahman Abdou do this?

Randomization + TCP Accelerators

[luis_a_espinal]

The Client Presence Verification (CPV) system presented in the paper utilises analysis of delays in network packets in order to determine the user's location, disregarding the IP address geolocation information which currently underpins the efforts of content providers such as Netflix to prevent VPN users accessing content which is not licensed in their country

Maybe I'm missing something, but it looks to me that this can be defeated with randomized throttling of packet delivery and TCP accelerators that intercept/cache/send ACK packages on the client's behalf.

Re:

[The-Ixian]

I am sure it can be defeated with enough effort... but the question is: When is it too hard for the masses to bother with it?

Re:

[luis_a_espinal]

I am sure it can be defeated with enough effort... but the question is: When is it too hard for the masses to bother with it?

All it takes is software (in this case, a delay analysis countermeasure) good enough to make it plausible to the masses. Consider DVD ripping. At the beginning, it was just too much of a hassle for the common person to get all the necessary pieces together. Now, there are full-feature applications that can do that at the click of a button. Or consider managing photographs on external storage. Picasa and the like makes it extremely simple for the common person.

It will be too hard for the masses until som

Solution: proxy

[vojtech]

Ok, so the next step in the game is a VPN with a built-in transparent TCP (or deeper) proxy at the VPN provider end. That'll take care of the latencies.

Netflix does not care

[Ivan Stepaniuk]

They limit content access to countries based on contract restrictions that they agree to when acquiring the distribution licenses.

They are only going to implement these kind of thing if the content owners require so.

Not Unmasking

[Anonymous Coward]

It's not unmasking, it's detecting. Unmasking would reveal the actual source IP of the user. This method simply shows whether or not a user is likely using a VPN. There is a huge difference.

Missing from the article...

[mark-t]

... is what percentage of connections that were *NOT* using vpn were falsely detected as still being from another country? The article only claims that the tech can identify 97% of out-of-country vpn users as such, but says nothing about the accuracy of identifying actual in-country users. Is it higher? Is it lower? Article leaves it as completely unspoken

Pirating

[slashping]

If people don't want to me pay for their services because I'm in a different country, I guess I'll have to resort to pirating the material instead.

Feel sorry for satalite users

[evil9000]

If all they're looking at is latency, then watch out for anyone who over-uses their bandwidth and creates artificial lag through network congestion - this technology will label you a dirty international thief.

I'm sure the farmers who wrote the constitution thought about this when they were writing up trade and copyright laws.....