How To Defeat VPN Location-Spoofing By Mapping Network Delays (thestack.com)

An anonymous reader writes: An interesting paper from a PhD student in Ontario outlines a system which in initial tests has proved 97% effective at unmasking geo-spoofing VPN users. The Client Presence Verification (CPV) system presented in the paper utilises analysis of delays in network packets in order to determine the user's location, disregarding the IP address geolocation information which currently underpins the efforts of content providers such as Netflix to prevent VPN users accessing content which is not licensed in their country. The detection system was tested at global network laboratory PlanetLab using 80 network nodes based in the U.S. and Canada.
This discussion has been archived. No new comments can be posted.

  • by DreamMaster ( 175517 ) on Tuesday February 16, 2016 @09:50AM (#51518643) Homepage

    I haven't RTFA yet, but if the analysis is solely based on network delays, then a VPN company could simply introduce randomized delays to all its users, even the local ones. Then an analysing service wouldn't be able to definitively say whether any given user is geo-spoofing or not. The best they could say is that the connecting service is likely a VPN.

    • by Anonymous Coward

      sure but you can't spoof FTL, that is the point

      • Nobody can spoof FTL... It is impossible to move faster than light... everyone knows this...

        • by mysidia ( 191772 )

          Nobody can spoof FTL... It is impossible to move faster than light... everyone knows this

          VPN environments will get replaced with VPC environments (Virtual-Private Compute)

          They'll just move more and more elements of the protocol stack out to the external provider, until the spoofing can no longer be detected.

          The next step above VPN is using an Application-Layer Proxy or Tunnel instead, such as Wingate or a HTTP proxy.

          A step above that would be to run the web browser/software from the service provider

          • by MrDoh! ( 71235 )
            Aye, spin up an AWS instance in whatever region you need, run Chrome, and chrome remote the screen to your real machine/tablet/phone anywhere in the world. Heck, if Netflix is now running using AWS, it's probably a couple of racks over it needs to get to, decent ping rate! "It's already in the house!!!"
      • A problem with this is that some types of connections are slower than others when it comes to overall latency. With modern broadband, geosync satellite is the slowest, followed by DSL, followed by cable, with fttp being the fastest. How are they supposed to control for that? A VPN really doesn't add a whole lot of latency, and even if it did, they could just replace it with GRE to reduce that added latency (we don't really need encryption if we're just trying to geospoof since the sites we're trying to geos

      • Never underestimate the spoofing abilities of an Alcubierre drive station wagon full of tapes hurtling down the highway.

      • by nazsco ( 695026 )

        >97% detection rate

        with a probably 95% false positive rate on top.

        who the heck thinks slow network is a way to detect location is a good idea!?

    • by DarkOx ( 621550 )

      I would think the thing to do would not be to introduce randomized delays but rather to adopt a fairly pessimistic minimum latency to your client end points. If packets from a given client arrive closer together than the pessimistic latency the trailing packet should be held until that minimum time is reached. You probably want to do this on sending to the client as well as that might still enable timing attacks otherwise. That won't affect performance much streaming media where the MTU will full most of th

    • by Lumpy ( 12016 )

      Or just use Comcast... They introduce random delays in their normal traffic due to how crappy their network is.

    • by sudon't ( 580652 )

      I haven't RTFA yet, but if the analysis is solely based on network delays, then a VPN company could simply introduce randomized delays to all its users, even the local ones. Then an analysing service wouldn't be able to definitively say whether any given user is geo-spoofing or not. The best they could say is that the connecting service is likely a VPN.

      From TFP: "To achieve high accuracy, CPV mitigates Internet path asymmetry using a novel method to deduce one-way application-layer delays to/from the client’s participating device, and mines these delays for evidence supporting/refuting the asserted location."

      But, simply saying that the connection is through a VPN could be enough for some to refuse the connection. For instance, if content providers really got on Netflix and Hulu's ass about it, they might opt for this simpler solution of blocking VPN

  • False positives (Score:5, Interesting)

    by Stuarticus ( 1205322 ) on Tuesday February 16, 2016 @09:58AM (#51518681)
    False positives are a pretty major issue when you look at Netflix's user base, 97% effective isn't very good if you're going to refuse to serve content to over a million paying customers every day.
    • by Qzukk ( 229616 )

      According to this research, Comcast users are from Mars.

    • by wbr1 ( 2538558 )
      This. I know many people on slow rural DSL with terrible upstream speeds. Their ping and jitter can be bad, but downstream is enough to support streaming. This is a whole class of users that would be branded with a false positive as VPN user if delay is the only factor.
      • by lowen ( 10529 )

        While I do have mod points, I need to post this. I regularly see 1,000ms ping RTT on my otherwise reasonably fast (7/.5) DSL service when I have a lot of upstream traffic, and that ping RTT is to the router's gateway, a single hop away. My boss, who is on a 50/5 cable service, has consistent 1,000ms ping RTT to his next-hop. RTT for other packets varies according to protocol and IP target, showing some QoS queueing going on.

        My DSL RTT to the next hop varies between a couple of ms to 1,000 ms depending o

    • by AmiMoJo ( 196126 )

      I wonder if it really is as high as 97%, even when accounting for ISPs that are heavily oversubscribed and offer massively variable packet latency.

    • 97% in a partially controlled environment; the internet is not that consistent, but even still 3% of Netflix's reported 33.3 million subscribers is 999,000. Even if only half are false positives, and even if only half of those people decide to leave, it's still a loss of over $20 million a year, assuming they all have the basic $7.99 account.

      I imagine that when you start looking at rural dsl or satellite internet it will be much harder to tell based on latency and that number will go up.

    • 3% of someone else's paying customers? The MPAA is willing to make this sacrifice. ;-)

  • by Theovon ( 109752 ) on Tuesday February 16, 2016 @10:16AM (#51518825)

    People have pointed out that this is hard to make because you can’t make signals move FTL. Basically, you can send a packet, and by the rules of TCP, the ACK is generated at the destination, so while you could artificially lengthen the round-trip ping time, you can’t shorten it. But why not? How about we have the VPN buffer the TCP packets and break the rules. When a packet is received from Netflix, the VPN sends the ACK. When the user’s computer sends its ACK, the VPN consumes it. If there’s a chance of this being unreliable, them’s the breaks.

    • by silas_moeckel ( 234313 ) <silas@@@dsminc-corp...com> on Tuesday February 16, 2016 @10:22AM (#51518883) Homepage

      The satellite guys have done this forever. Moving the syn/ack to the VPN head end is a stock application at this point.

    • by Quince alPillan ( 677281 ) on Tuesday February 16, 2016 @11:21AM (#51519319)

      What you're talking about is a forward proxy. Forward proxy servers do this (and will even proxy SSL traffic).

      In the whitepaper, they're actually talking about making a new protocol that measures the one way distance time and compares it to their database of network speeds and distances to determine your location. Their solution is an application-level solution, which depends upon a Forward Proxy to know about the protocol and spoof it correctly.

      The problem with their solution is that network speeds are fluid and a computer with a problem (e.g. a local neighborhood node or a legitimately slow client that is delaying all traffic 20-30ms) can make their estimates wildly inaccurate. Even today, Cogent to Level 3 has a 197ms ping in LA. In the paper, they used average speeds for various known networks. This can be mitigated somewhat by measuring client traffic and only counting outliers (e.g. all traffic from a certain area being delayed the same, except for our rogue client) but it still doesn't mitigate the local computer problem.

      A second problem with their solution is that it only measures distance - a server in Miami, Florida accepting data from a client in Seattle, Washington is 2732 mi and the same distance (roughly) as Lima, Peru. This means that a client in Lima should pretend to be from Seattle when they connect to their combo VPN/Forward Proxy in Miami. Satellite customers will almost always have extremely high latency because of the round trip between Earth and the Satellite, even if they're legitimately in the correct area.

      In addition, they were only able to make this accurate to about 400km, which means if you have a nearby beneficial country within that range, you can use a VPN in that country and they still won't know.
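The distance-only ambiguity raised in the comment above, and how a second vantage point resolves it, as an added example that is not from the paper or from any commenter. The straight-fibre delay model, the 200 km/ms propagation speed, the coordinates and the Los Angeles verifier are assumptions; real paths add routing and queueing delay.

```python
from math import radians, sin, cos, asin, sqrt

# Assumptions for this illustration (not taken from the paper):
FIBER_KM_PER_MS = 200.0   # light in fibre, roughly 2/3 of c
TOLERANCE_KM = 400.0      # accuracy figure quoted in the comment above

# Constructed (lat, lon) coordinates for the cities named in the comment,
# plus a hypothetical second verifier in Los Angeles.
MIAMI, SEATTLE, LIMA = (25.76, -80.19), (47.61, -122.33), (-12.05, -77.04)
LOS_ANGELES = (34.05, -118.24)

def great_circle_km(a, b):
    """Haversine distance between two (lat, lon) points, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))

def ideal_delay_ms(client, verifier):
    """One-way delay on an idealised straight fibre path (no queueing)."""
    return great_circle_km(client, verifier) / FIBER_KM_PER_MS

def claim_consistent(claimed, delays):
    """delays maps verifier location -> measured one-way delay in ms.
    The asserted location survives only if every verifier's implied
    distance matches its distance to that location within TOLERANCE_KM."""
    for verifier, delay_ms in delays.items():
        implied_km = delay_ms * FIBER_KM_PER_MS
        if abs(implied_km - great_circle_km(claimed, verifier)) > TOLERANCE_KM:
            return False
    return True

def demo():
    """A client really in Lima asserts Seattle: one verifier vs two."""
    one = {MIAMI: ideal_delay_ms(LIMA, MIAMI)}
    two = {**one, LOS_ANGELES: ideal_delay_ms(LIMA, LOS_ANGELES)}
    honest = {v: ideal_delay_ms(SEATTLE, v) for v in (MIAMI, LOS_ANGELES)}
    return (claim_consistent(SEATTLE, one),     # Miami alone cannot tell
            claim_consistent(SEATTLE, two),     # second verifier refutes
            claim_consistent(SEATTLE, honest))  # genuine client passes

if __name__ == "__main__":
    print(demo())
```

A single delay measurement only fixes a ring around the verifier, so the check is only as strong as the number and placement of verifiers around the asserted location.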

    • Or, alternatively, you can simply run the Netflix app on a virtual machine in the target country and then stream the video from the virtual desktop.
  • These people sure seem to think that IEEE Membership means something...

  • by Thanshin ( 1188877 ) on Tuesday February 16, 2016 @10:32AM (#51518971)

    97% to detect irregular behavior is completely useless unless the rate of regular and irregular behavior is reasonably balanced. In most commercial settings the rate is biased towards regular behavior by several orders of magnitude. In other words, thousands of times more biased than 97:3.

    Therefore, this system will have orders of magnitude more false positives than positives. So the positives will just disappear inside a mass of angry customers.

    In short; the ratio of success has to be in the same order of magnitude as the ratio of irregular behavior. e.g.: for Netflix you'd need better than 99.99% precision.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      And even then, you must consider that Netflix doesn't actually give a flying fuck about geospoofing as long as the number of people doing it consistently remains small and those people remain paying customers...

      Netflix has no reason to actually WANT to prevent or disallow these customers from consuming content this way--there's nothing to be gained by winning that fight and lots to lose.

      They're simply playing along so content owners don't start threatening to pull content. They're actually between a rock an

      • And even then, you must consider that Netflix doesn't actually give a flying fuck about geospoofing as long as the number of people doing it consistently remains small and those people remain paying customers...

        The most telling part of this whole saga is that the content providers themselves don't seem to have caught on to a basic economic detail: if people are consuming the content through the likes of Netflix, bypassing region restrictions, they (the content providers) get some money.

        If they manage to get Netflix to clamp down on out-of-region customers then those people will become former customers and will go back to piracy and the content providers will get no money at all.

        It is in the interest of the content

        • by mysidia ( 191772 )

          If they manage to get Netflix to clamp down on out-of-region customers then those people will become former customers

          The content creators want Netflix to PAY MORE to license the content in these extra countries.

          Regional restrictions are about generating more $$$ by allowing the content to be priced higher in other areas according to their local market conditions and to force companies that need worldwide usage to jump through many hoops and pay a heck of a lot more.

          • If they manage to get Netflix to clamp down on out-of-region customers then those people will become former customers

            The content creators want Netflix to PAY MORE to license the content in these extra countries.

            Regional restrictions are about generating more $$$ by allowing the content to be priced higher in other areas according to their local market conditions and to force companies that need worldwide usage to jump through many hoops and pay a heck of a lot more.

            The thing is they aren't going to get more, they are going to get nothing at all.

    • Re: (Score:3, Insightful)

      Typical base rate fallacy example. Suppose 1% of the users are VPN users. Suppose the service is 97% accurate at classifying VPNers as VPNers and regular users as regular users. What's the probability that a user is a regular user given that the system says he's a VPNer?

      Out of 10000 users, there are 100 VPN users. 97 of these will be recognized, 3 not.
      There are 9900 ordinary users. 9900*0.03=297 of these will be falsely flagged.

      So the probability of a positive being true is 97/(97+297) = 24.6%. The p
  • My average ping time over VPN is pretty similar to my ping rate over some in-home powerline adapters I have when they're doing okay but not great. Guess I'll have to rewire my entertainment area since someone wants to ruin the fun.
    • You make a good point about the a priori probabilities. If most customers are legit, then most customers who are flagged may be legit. ("97% accuracy" doesn't tell us if there are 3% false positives or 3% false negatives. There's a BIG difference.)

      However 97% from a single indicator is very useful because indicators can be combined. Consider you're looking at someone and classifying them as male or female. One thing you see is the length of their hair. You also see what kind of shirt they're wearing, etc
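The base-rate arithmetic from the comments above, carried through to the point about combining indicators, as an added example that is not part of any commenter's post. The function names are illustrative, and the indicators are assumed to be conditionally independent and equally accurate, which real signals rarely are.

```python
def precision(prevalence, tpr, fpr):
    """P(user really is geo-spoofing | detector flagged them), by Bayes' rule."""
    true_pos = prevalence * tpr
    false_pos = (1 - prevalence) * fpr
    return true_pos / (true_pos + false_pos)

def flagged_counts(users, prevalence, tpr, fpr):
    """Expected (correctly flagged, wrongly flagged) out of `users` people."""
    spoofers = users * prevalence
    return round(spoofers * tpr), round((users - spoofers) * fpr)

def combined_posterior(prevalence, indicators):
    """Naive-Bayes combination in odds form.
    indicators: iterable of (tpr, fpr, fired) for each independent signal."""
    odds = prevalence / (1 - prevalence)
    for tpr, fpr, fired in indicators:
        # Likelihood ratio of the observation under "spoofing" vs "legit".
        odds *= (tpr / fpr) if fired else ((1 - tpr) / (1 - fpr))
    return odds / (1 + odds)

def indicators_needed(prevalence, tpr, fpr, target):
    """How many identical independent indicators must all fire before the
    posterior reaches `target` precision."""
    n = 0
    while combined_posterior(prevalence, [(tpr, fpr, True)] * n) < target:
        n += 1
    return n

if __name__ == "__main__":
    # The thread's numbers: 1% spoofers, 97% detection, 3% false positives.
    print(flagged_counts(10_000, 0.01, 0.97, 0.03))
    print(f"precision of one indicator: {precision(0.01, 0.97, 0.03):.1%}")
    # Same detection rate, but a 0.1% false-positive rate instead of 3%:
    print(f"with fpr=0.1%: {precision(0.01, 0.97, 0.001):.1%}")
    # Independent 97%/3% signals needed for the 99.99% figure cited above:
    print(indicators_needed(0.01, 0.97, 0.03, 0.9999))
```

The false-positive rate, not the headline detection rate, dominates the result when legitimate users vastly outnumber spoofers.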

  • All that time and effort spent on finding ways for corporate profiteers to artificially restrict the transmission of bits from point A to point B; and even if implemented, it will probably be circumvented in a minuscule fraction of the development time.

    Such a fucking waste.
    • Here, I must disagree. I'm a software developer and network engineer. Specifically, my particular software development specialty involves interacting intimately with the network layer. (I'm in the VoIP world.) These people are doing good work in relating characteristics of latency to distance and geolocation and along the way are learning a great deal about the various factors that influence latency and jitter in the real world across working, real world networks. While you may not enjoy the particular
  • by Anonymous Coward
    Why? Other than making VPN users miserable, why did Abdelrahman Abdou do this?
  • The Client Presence Verification (CPV) system presented in the paper utilises analysis of delays in network packets in order to determine the user's location, disregarding the IP address geolocation information which currently underpins the efforts of content providers such as Netflix to prevent VPN users accessing content which is not licensed in their country

    Maybe I'm missing something, but it looks to me that this can be defeated with randomized throttling of packet delivery and TCP accelerators that intercept/cache/send ACK packages on the client's behalf.

    • I am sure it can be defeated with enough effort... but the question is: When is it too hard for the masses to bother with it?

      • I am sure it can be defeated with enough effort... but the question is: When is it too hard for the masses to bother with it?

        All it takes is software (in this case, a delay analysis countermeasure) good enough to make it plausible to the masses. Consider DVD ripping. At the beginning, it was just too much of a hassle for the common person to get all the necessary pieces together. Now, there are full-feature applications that can do that at the click of a button. Or consider managing photographs on external storage. Picasa and the like make it extremely simple for the common person.

        It will be too hard for the masses until som

  • Ok, so the next step in the game is a VPN with a built-in transparent TCP (or deeper) proxy at the VPN provider end. That'll take care of the latencies.

  • They limit content access to countries based on contract restrictions that they agree to when acquiring the distribution licenses.

    They are only going to implement this kind of thing if the content owners require so.

  • by Anonymous Coward

    It's not unmasking, it's detecting. Unmasking would reveal the actual source IP of the user. This method simply shows whether or not a user is likely using a VPN. There is a huge difference.

  • ... is what percentage of connections that were *NOT* using vpn were falsely detected as still being from another country? The article only claims that the tech can identify 97% of out-of-country vpn users as such, but says nothing about the accuracy of identifying actual in-country users. Is it higher? Is it lower? Article leaves it as completely unspoken
  • If people don't want me to pay for their services because I'm in a different country, I guess I'll have to resort to pirating the material instead.
  • If all they're looking at is latency, then watch out for anyone who over-uses their bandwidth and creates artificial lag through network congestion - this technology will label you a dirty international thief.

    I'm sure the farmers who wrote the constitution thought about this when they were writing up trade and copyright laws.....
