Sunday, June 18, 2006

Can I see or detect if my internet traffic is differentiated?

My answer to that question is: I don't think so. There is so much technical complexity involved that, except for the few geeks who work directly on computer networks, not many people can detect whether their Internet traffic is ever being discriminated against. That is one of the reasons, I guess, why we need Net Neutrality as a law, so that the telcos will never try to discriminate against your traffic while you remain unaware of it.

There is a post at Save The Internet that alleges Cox Communications blocked Craigslist for almost three months. The security company Authentium, which handles security for Cox Communications, reportedly explained with technical details why users cannot reach the Craigslist website. It looks like there is a problem with the computers that host the Craigslist website. Here is the reply from rnapier, strongly suggesting that the behaviour is normal and as per the specification.

Has anyone here actually read the response from Authentium? Far from “opaque,” it pretty clearly (if technically) explains the problem and why this has nothing to do with blacklists:

“The network packets coming from the Craigslist.org web site were unusual in that they contained a zero-length TCP window that usually indicates a server is too busy to handle more data. The Authentium firewall driver responded by sending data only one byte at a time. This slowed down the web request and made the Craigslist.org web page load very slowly or not at all.”

From RFC 793 (which defines TCP/IP): “Flow Control: TCP provides a means for the receiver to govern the amount of data sent by the sender. This is achieved by returning a “window” with every ACK indicating a range of acceptable sequence numbers beyond the last segment successfully received. The window indicates an allowed number of octets that the sender may transmit before receiving further permission.”

Returning a 0 means “please talk to me very slowly.” Literally it means “don’t talk to me at all” but because that’s nonsense, sites generally interpret it as “I’m overloaded; slow down.”

I’ve verified this response myself by connecting to craigslist:

15:52:00.751836 IP www.craigslist.org.http > lemming.ranjan.org.47734: S 1639327951:1639327951(0) ack 3799817961 win 0

Note the final “win 0” that confirms exactly the problem that Authentium claims.

Summary: craigslist told Cox to please speak to it very slowly. Cox did, but for longer than craigslist explicitly requested. Fixing this for craigslist could break other sites, so some caution in shipping a fix is justified.

The fact that SaveTheInternet posted this as an “opaque” response without further comment raises a question of how much STI actually knows about how the Internet works.

This brings up an interesting question. Will at least some geeks, if not common users, be able to detect whether any Internet traffic is being discriminated against by any service provider at all? Is it always possible to detect this? From this post at Save the Internet, it looks like everybody is confused, and I don't have a comfortable feeling that we can reliably detect whether some traffic is being discriminated against, or whether it is being done for normal or allowed reasons. Perhaps naively, I think that if net neutrality is enacted as law, maybe no telco will try to do it.

Update: Richard Bennett's blog posting "Know-nothing claims about site blocking" has a lot more information and discussion about this issue. Also, Richard Bennett and PBCLiberal commented on this blog that it is possible to detect whether Internet traffic is differentiated using existing tools, if you understand the Internet protocols. For those of us who do not, we have to wait for somebody to write a simple tool that hints when anything unusual is detected. See the comments for more.
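As an added example (not from the original post or its commenters), here is a sketch of the "simple tool" wished for above: it parses old-style tcpdump lines like the one rnapier posted and flags the two symptoms discussed, a zero window advertised in a SYN-ACK and a sender that keeps trickling 1-byte segments after the peer's window has reopened. The trace is constructed; only the SYN-ACK line is the one from the post, and the hostnames are the ones it shows.

```python
import re

# Old-style tcpdump line, as quoted in the post:
#   15:52:00.751836 IP www.craigslist.org.http > lemming.ranjan.org.47734: S 1639327951:1639327951(0) ack 3799817961 win 0
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SPFR.]+)"
    r"(?: \d+:\d+\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

# Constructed trace: the SYN-ACK is the one from the post; the remaining lines are
# made up to show the client side trickling 1-byte segments after the window reopened.
TRACE = """\
15:52:00.751000 IP lemming.ranjan.org.47734 > www.craigslist.org.http: S 3799817960:3799817960(0) win 5840
15:52:00.751836 IP www.craigslist.org.http > lemming.ranjan.org.47734: S 1639327951:1639327951(0) ack 3799817961 win 0
15:52:00.760000 IP lemming.ranjan.org.47734 > www.craigslist.org.http: . ack 1639327952 win 5840
15:52:00.900000 IP www.craigslist.org.http > lemming.ranjan.org.47734: . ack 3799817961 win 5840
15:52:00.910000 IP lemming.ranjan.org.47734 > www.craigslist.org.http: P 3799817961:3799817962(1) ack 1639327952 win 5840
15:52:01.100000 IP lemming.ranjan.org.47734 > www.craigslist.org.http: P 3799817962:3799817963(1) ack 1639327952 win 5840
15:52:01.300000 IP lemming.ranjan.org.47734 > www.craigslist.org.http: P 3799817963:3799817964(1) ack 1639327952 win 5840
""".splitlines()

def parse(line):
    """Return the fields of one tcpdump line, or None if it is not a TCP line we understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"src": d["src"], "dst": d["dst"], "flags": d["flags"],
            "len": int(d["len"] or 0), "is_ack": d["ack"] is not None, "win": int(d["win"])}

def analyze(lines, min_run=3):
    """Flag zero-window SYN-ACKs (the craigslist symptom) and any sender that keeps
    emitting 1-byte segments although the peer's most recent advertised window is
    open (the latched firewall behaviour). Returns a list of human-readable findings."""
    findings, last_win, run = [], {}, {}
    for pkt in filter(None, map(parse, lines)):
        src, dst = pkt["src"], pkt["dst"]
        if "S" in pkt["flags"] and pkt["is_ack"] and pkt["win"] == 0:
            findings.append(f"zero-window SYN-ACK from {src}")
        # "win" on a segment is the window *src* advertises to *dst* (RFC 793 flow control)
        last_win[src] = pkt["win"]
        if pkt["len"] == 1 and last_win.get(dst, 0) > 1:
            run[src] = run.get(src, 0) + 1
            if run[src] == min_run:
                findings.append(f"{src} sending 1-byte segments into an open window")
        else:
            run[src] = 0
    return findings
```

A zero window by itself is legitimate flow control, so the tool only reports the SYN-ACK case and a sender that ignores a reopened window; a single 1-byte probe into a closed window is not flagged.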


5 comments:

  1. It's not that hard to determine traffic discrimination using tools that are freely available. I used Ethereal to determine that Craig's List is not set up correctly for TCP. You can do it too, but you'd probably have to understand the rules for Internet protocols.

    Some enterprising dude could easily write a simple program to analyze traffic and look for suspicious patterns, just like they do for viruses. It's not impossible.

  2. Let me restate the summary in the rnapier post:
    "Summary: craigslist told Cox to please speak to it very slowly. Cox did, but for longer than craigslist explicitly requested. Fixing this for craigslist could break other sites, so some caution in shipping a fix is justified."

    Notice the line "but for longer than craigslist explicitly requested?" Notice also that there's nothing in the body of the explanation that supports that conclusion in the summary?

    That's because this is a case of compound failure. Cox supplies a firewall with its cable internet service, and that firewall didn't work correctly (the release version still doesn't; there is a beta that does). The working production version is scheduled for this summer.

    So this isn't really a case of "fixing this for Craigslist," it's just a case of fixing it. For craigslist, whether they're in violation of the protocol standard is pretty much a judgement call, but what they're doing is wasteful of resources and just plain bad practice.

    The foes of net neutrality are absolutely frantic to blame somebody other than the big cable company even for part of the problem. That's why the summary includes a fact not in evidence. There is a problem at both ends of the cox-craigslist connection, and they both need to fix it.

    And yes, we will be able to at least get a clue about how downstream providers are handling our packets through remote systems that report to us and through places that have multiple internet connections on different providers. Hughes satellite is wonderful for this. You shoot right up at a satellite and come down hundreds of miles away in a totally distant subnetwork.

  3. From PBCliberal, quoting me:
    "Notice the line “but for longer than craigslist explicitly requested?” Notice also that there’s nothing in the body of the explanation that supports that conclusion in the summary?"

    I apparently skipped over a part of the explanation here. The window size is a *per-packet* window. You get a 0 window in this packet, then I should wait for an ACK before continuing, but I should always obey the window the last packet I received. The bug is that Authentium gets nailed into a 1-packet-at-a-time mode the first time it receives a zero window. They've admitted that it's a bug and are fixing it.

    But it's not a blacklist. It's just a bug. And craigslist could fix it on their end in the meantime if they chose to by modifying their window.

    Craigslist's packets aren't malformed, they're just a corner case. Weird corner cases happen on the internet all the time and network admins run around behind the scenes to keep things working. In the past that was done by some guy in the NOC at one telco calling his counterpart at a competing telco and saying "Hey Bob, we've got a problem here; let's fix it." As network operations issues have moved out of the NOC and into other parts of the company (PR, Legal, Executives), it's gotten harder to hold together this system that was originally based on a handful of guys "making it work."

    Calling every bug a conspiracy certainly isn't going to help foster the atmosphere of mutual cooperation that keeps our networks working.

  4. Thank you so much all for explaining the situation and sharing so much information about the intricacies of the network.
