Tunneling your way around ISP traffic manipulation

by Ryan Radia on May 22, 2008 · 2 comments

Stuck with limited ISP choices, broadband users are increasingly angry with the growing number of providers that poke around in their customers’ traffic. From resetting BitTorrent sessions to sniffing packets for URLs, more and more providers are wielding their power as the “man in the middle” to monitor and manipulate traffic in unpopular and possibly illegal ways. While these practices can be beneficial, tech-savvy consumers are understandably agitated. Congress is now considering legislation that would outlaw these ISP practices.

Instead of urging lawmakers to enact sweeping new laws that would often do more harm than good, broadband users should look to the recent emergence of commercial secure tunneling services. These services remind us that the marketplace is perfectly capable of resolving skirmishes without government getting involved.

Numerous companies have begun to offer encrypted tunnels using Virtual Private Networks (VPNs). These networks have long been used for a variety of reasons, and are popular with network security experts because of how well they protect data from outside snooping. By tunneling traffic through secure links, broadband users can break free from the constraints imposed by ISPs on certain types of traffic. Routing peer-to-peer applications through these tunnels makes them almost entirely indistinguishable from other types of traffic—even to stateful packet inspection tools like Sandvine that are undeterred by header encryption.

Traffic tunneled through encrypted, remote servers is also one of the toughest targets for ISPs. Many corporate users and university students connect to VPNs for necessary reasons, and there’s no easy way for an ISP to distinguish “legitimate” VPN traffic from the other kind. And with new secure tunneling firms popping up all the time, simply blocking the IP-address ranges of known tunnels is no solution. Absent a VPN whitelist—highly infeasible given the growing number of VPNs in the wild—ISPs will soon realize that, no matter how much they invest in packet inspection tools like Sandvine and Phorm, informed users will always find a way to stay a step ahead.

Despite being the freest nation on earth, the United States has a spotty track record when it comes to Internet privacy and anonymity. Fortunately, VPN services can be based anywhere on the planet. Data retention laws (like the one pending in the current Congress) have little effect on the privacy of users who tunnel their traffic through a nation that doesn’t force ISPs to retain data. Gleaning useful intelligence from a VPN connection between the user and the exit node is impossible — even if your ISP captures every last byte you transmit, as long as your VPN service doesn’t retain data, government snoops or would-be hackers will be left with nothing but indecipherable garbage.

VPN services typically charge a small monthly fee, but not all of them cost money. Some VPN services only offer PPTP encryption. That’s enough to deter casual snooping, but it can be cracked with some determination. Other services offer more sophisticated IPsec or SSL-based encryption that relies on the highly secure AES cipher. All of the world’s supercomputers combined cannot crack data that has been properly encrypted via AES and a strong password. Of course, by using a VPN service, you are placing your trust in the tunneling service rather than your ISP—so verifying the service’s commitment to privacy and reliability is paramount.

Tunneling services can also circumvent region-locking techniques used by content portals like those offered by the major television networks. People living outside the United States often cannot access desired content because of exclusivity agreements with content owners. Portals typically block foreign residents by running a reverse DNS lookup on visitors’ IP addresses, which reveals the user’s country of origin. But offshore VPN services conceal their users’ true location, causing users to appear as if they are located in the country in which the VPN server is based.

Like many other goods and services, VPNs can be used for good or evil. Some of the uses discussed here may even violate laws in certain nations or run afoul of terms of service agreements. Despite the potential for misuse, the secure tunnel is a promising tool that will likely grow more popular as ISPs increasingly turn to deep packet inspection for both network management and profit-seeking purposes.

will May 23, 2008 at 2:45 am

Good information, I have seen the light thanks.
