
Ask Slashdot: How To Diagnose Traffic Throttling and Work Around It?

Posted by timothy
from the watch-where-the-soap-bubbles-emerge dept.
Aguazul2 writes "I live in Peru and use OpenVPN to connect to my own Linux VPS in the UK for non-live TV. Recently the VPN connection has slowed to a crawl (5% previous rate). Further investigation shows that all connections to my VPS from Peru (even HTTP) are equally slow, whilst the rest of the 'net seems fine. My VPS host says they do no traffic shaping, and connections from Germany to the VPS are fast. This leaves the NSA and Telefonica (Movistar) as suspects. Could the NSA be slowing all VPNs to/from South America because of Snowden and Greenwald? A traceroute shows traffic going through domains with NYC in their name — are my packets being indefinitely detained in transit? Or maybe it is Telefonica and their Sandvine traffic management? Either way this certainly isn't network neutrality, especially on an 'unlimited' plan. Is there a way to tell for certain who is throttling me? If Telefonica have throttled traffic to/from that one IP address, what options do I have to work around it? It seems that separate connections are throttled independently, so can I multiplex over many UDP ports without having to hack OpenVPN myself? This is really frustrating, especially with two untrustworthy parties on the route. I wonder, is this kind of mess the future of the internet?"
  • by alen (225700) on Friday August 23, 2013 @09:33PM (#44661673)

    why would they care about your pirated or whatever TV?

    a super secret US intelligence agency that employs some of the smartest mathematicians in the world is going to care about people's pirated movies instead of tracking down our enemies so the military can kill them

  • by Above (100351) on Friday August 23, 2013 @09:41PM (#44661703)

    I work in the ISP industry, and here's my $0.02...

    The NSA (or other spies), not likely. Everything I have ever seen about what they do is passive monitoring. What that means is that somewhere there is a pretty dumb device (like an optical splitter) that takes one signal and makes two copies, one goes to the NSA, one on to its destination. In this arrangement there is no way for the NSA to inject data at all, including slowing it down. I am highly skeptical any government spying is the direct cause. It may be indirect, I'll come back to that in a minute.

    Rate shaping is entirely possible, and would be most likely in your immediate provider. It's entirely common for residential consumer ISPs to employ products like Sandvine, or even more crude QoS controls to rate limit particular types of traffic (e.g. VPN or VoIP). Most won't admit to what they are doing as well.

    Rate shaping is less likely, but possible at the country level. This is seen mostly in countries with strong government controls on technology (think Iran, China, North Korea). Egypt was doing it at one point in time. I'm not an expert on Peru, but I would not expect this problem in Peru.

    Lastly, there is plain old congestion. Likely your ISP has multiple paths to reach Europe, riding undersea cables. These are the most expensive assets an ISP owns, and often get congested before they get upgraded. It's entirely possible for instance there is one cable they use from South America to Western Europe that is congested, while another goes from South America to the US and is fine. You can probably map these routes out by traceroute, and may find that particular routes always show poor performance. This also happens, but to a lesser degree, where two ISPs meet. There can be peering disputes, or one customer may not order enough capacity from their vendor. Either way the result is full ports that degrade service for everyone passing through them.

    Now, here's where the spies come back in. If a particular spy agency decrees "all new connections must have our spy apparatus on them" they can in fact be the delay to a new connection getting set up. It's not that they are delaying any packet traffic once it is up, but rather they are delaying the installation by not having their equipment ready on time for a new connection. I don't think this happens often, but I'm sure it does happen in some places.

    So sadly, this is probably some plain old incompetence/bad luck. Someone either could not afford a timely upgrade, or didn't correctly order an upgrade early enough to get it installed before there was a problem, and there's now congestion somewhere. If it's not bad luck it's probably your provider deciding your particular type of traffic is "bad", and should be rate limited down.
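Above's suggestion to map the routes with traceroute can be automated. The following is an added example, not code from the original thread: it parses traceroute output (a constructed sample below, not the submitter's real path; all hostnames and addresses are placeholders) and flags hops where the median RTT jumps over the previous responding hop or where the three samples spread widely. It tells you where on the path delay is added, not who is adding it.

```python
import re
import statistics

# Constructed traceroute output (not from the original post): a path from a
# residential ISP in Peru to a VPS in the UK, with one hop that answers nothing.
SAMPLE_TRACEROUTE = """\
traceroute to vps.example.net (198.51.100.10), 30 hops max, 60 byte packets
 1  gateway (192.168.1.1)  1.2 ms  1.1 ms  1.3 ms
 2  10.0.0.1 (10.0.0.1)  9.8 ms  10.2 ms  9.9 ms
 3  core1.lima.isp.example (203.0.113.1)  12.4 ms  11.9 ms  12.7 ms
 4  * * *
 5  ae-1.r01.nycmny.transit.example (203.0.113.5)  118.3 ms  121.0 ms  119.7 ms
 6  ae-2.r02.nycmny.transit.example (203.0.113.6)  122.1 ms  530.4 ms  498.9 ms
 7  xe-0.r01.lndngb.transit.example (203.0.113.7)  505.2 ms  512.8 ms  508.1 ms
 8  vps.example.net (198.51.100.10)  512.0 ms  509.5 ms  511.3 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")   # "<hop>  <rest of line>"
RTT_RE = re.compile(r"([\d.]+)\s*ms")        # each "<n> ms" probe sample


def parse_traceroute(text):
    """Return [(hop, label, [rtt_ms, ...]), ...]; silent hops get an empty list."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line, not a hop
        hop, rest = int(m.group(1)), m.group(2)
        rtts = [float(x) for x in RTT_RE.findall(rest)]
        label = rest.split("  ")[0].strip() if rtts else "*"
        hops.append((hop, label, rtts))
    return hops


def find_latency_jumps(hops, jump_ms=100.0, jitter_ms=100.0):
    """Flag hops whose median RTT rises by more than jump_ms over the previous
    responding hop ("jump") or whose samples differ by more than jitter_ms
    ("jitter"). A stable jump usually means distance (an ocean crossing);
    a jump that comes with high jitter looks like queueing on a full port."""
    findings, prev_median = [], None
    for hop, label, rtts in hops:
        if not rtts:
            continue  # cannot measure a hop that does not answer
        med = statistics.median(rtts)
        spread = max(rtts) - min(rtts)
        if prev_median is not None and med - prev_median > jump_ms:
            findings.append((hop, label, "jump", round(med - prev_median, 1)))
        if spread > jitter_ms:
            findings.append((hop, label, "jitter", round(spread, 1)))
        prev_median = med
    return findings
```

Run it on several traceroutes taken at different times of day and on a control destination that is fast; a hop that is flagged only on the slow path and only at busy hours is the congested or shaped link to ask about.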

  • by whoever57 (658626) on Friday August 23, 2013 @09:46PM (#44661723) Journal

    At one time I was getting unusable Internet connectivity through AT&T after they acquired my local cable modem network from @Home. It took them many months to discover that throttling all aggregate upstream traffic to 128Kbps is a bad idea. As much as people bitch and moan about Comcast, it is light years better than anything I got through AT&T.

    When AT&T was providing cable Internet to me, there was a time when my IPSEC VPN did not work. The VPN apparently connected, but data traffic never made it through. Other people complained, but AT&T claimed they were doing nothing to VPNs. Using tcpdump at both ends, I could see that the media (udp/500) was not getting through while the AH and ESP packets (required to set up the connection) were getting through. Clearly AT&T was blocking VPNs, but in such a way that it would not be obvious to the average user what was wrong. Pure evil.

  • Re:NSA (Score:5, Interesting)

    by whoever57 (658626) on Friday August 23, 2013 @09:49PM (#44661739) Journal

    People need to understand that it is paramount to the NSA that they are covert.

    Indeed. When working for a company that sold telecom and networking IP blocks, we received more than one request for the receive part ONLY of an Ethernet MAC. The companies that enquired did not make test equipment, but were known for secrecy and selling to the US government. What possible reason does such a company have for an Ethernet MAC that receives only?

  • Re:NSA (Score:5, Interesting)

    by ron_ivi (607351) <sdotno AT cheapcomplexdevices DOT com> on Friday August 23, 2013 @09:53PM (#44661751)

    It suffices for them to simply capture raw data

    Lol. You have no idea what suffices for them.

    And even if "capture raw data" suffices - if the bandwidth to their traffic capturing room [wikipedia.org] is at capacity, they very well may tell the upstream switches to slow down so they can "capture [all] raw data".

    Until there's enough transparency, it's at least as reasonable to blame the NSA for using lots of bandwidth to cause congestion as it is to blame all those movie-pirates for using all the bandwidth.

  • Re:NSA (Score:5, Interesting)

    by hacker (14635) <hacker@gnu-designs.com> on Friday August 23, 2013 @10:05PM (#44661829)

    They do not need to do real-time processing of the data: that is only necessary for filtering.

    That may be true for passive surveillance (HTTP traffic, emails, IMs), but most definitely not for VPNs, as in this specific case.

    You absolutely need to trap the packets in real time in order to actually break the VPN connection open so you can get at the actual payload (cleartext, post-decrypted) data within the stream. The initial cryptographic handshake has to be captured, in order for them to peel it open and get inside.

    You can't do that days later, when all you have is an encrypted stream of bits.

  • by raymorris (2726007) on Friday August 23, 2013 @11:03PM (#44662049)

    That may have been their theory, or it may have been they wondered if US gov was intentionally slowing VPN connections from that part of the world.

    If the theory was that capturing data would slow it down, the answer is "no". For that, you'd use port mirroring. Where a switch or router would normally take data in on one line and output it on another, you set it to accept data on the one line and output it on TWO others simultaneously. The data still flows at the same speed. It just flows to two locations separately - the intended recipient and the government.

  • by TrollstonButterbeans (2914995) on Friday August 23, 2013 @11:05PM (#44662055)
    | It suffices for them to simply capture raw data

    Ok, so the same people that say it can't be piracy because no one was deprived of their DVD give a free pass to "The NSA is capturing the data"??

    They didn't capture the data, because if they did then when did they release it? It wasn't like they were tagging an antelope and then let it go at some later time. Why do you give a stamp of approval that the "NSA captures data" as if they held it hostage at Gitmo and wouldn't let the datas go unimpeded.

    It isn't like they detained the data without a warrant and won't release it --- they let it go freely. You guys are acting like they are backing up your data stream like some fat dude that is clogging the toilet ... and you wouldn't let this terminology pass with "piracy" because that involves depriving someone of their property ....

  • Re:NSA (Score:4, Interesting)

    by Kjella (173770) on Saturday August 24, 2013 @05:12AM (#44662877) Homepage

    What possible reason does such a company have for an Ethernet MAC that receives only?

    Anything from a higher classified system that is to deliver data to a lower classified system, for example you need to get data from extremely sensitive military satellites to battle commanders in the field and it needs to happen in real time, you can't have total network separation. Then you generate a one-way feed where there is physically no possible way for anyone to connect to the feed and hack themselves backwards through routers into the satellites. And of course you put a ton of code review, surveillance and logging on the sending system to make sure it doesn't send more than it should, but that's not relevant to this discussion. So there's a lot of valid reasons for the military to buy this besides the NSA.

  • Re:NSA (Score:5, Interesting)

    by AmiMoJo (196126) * <{ten.3dlrow} {ta} {ojom}> on Saturday August 24, 2013 @05:53AM (#44662931) Homepage

    I seem to recall that Kim Dotcom realized he was being spied on long before the raids due to seeing his latency spike and seeing that traffic was being routed an odd way.

    I think you overestimate the NSA's competence. Snowden was a leak waiting to happen. Read Bruce Schneier's analysis.
