2013-detal-revealing
findings extracted from this paper
-
In 80% of the measured paths (72 PlanetLab vantage points × the top 5,000 Alexa targets), at least one intermediate router is RFC 1812-compliant and quotes the full IP packet in its ICMP Time Exceeded reply, rather than only the IP header plus 8 bytes that RFC 792 requires. Such a quote lets tracebox compare the packet as that router received it with the probe it sent, and so attribute each header modification to a hop. Most of these full-quoting routers sit in the network core rather than in the access segment.
-
The sequence-number-randomizing middleboxes observed rewrite the TCP seq/ack fields but not the sequence numbers carried inside TCP SACK blocks. tracebox found two PlanetLab VPs behind stateful randomizers whose offset cycled roughly every 20 seconds. Because the SACK blocks that reach the sender then reference sequence numbers outside its current send window, the Linux TCP stack discards them and waits for a full retransmission timeout (RTO) instead of fast-retransmitting; in controlled measurements this cost up to 50% of the throughput.
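The failure mode above, as an added worked example that is not code from the paper or from tracebox: a constructed transfer of four segments in which the second is lost, carried through a sequence-number-randomizing middlebox that maps the ack number back but either fixes or forgets the SACK blocks. The validity test the sender applies is modelled on the range check Linux performs on incoming SACK blocks (a block is usable only if it lies strictly inside the outstanding data); the offset, ISN and segment sizes are arbitrary values chosen for the example.

```python
M = 0xFFFFFFFF  # TCP sequence numbers live in a 32-bit modular space

def before(a, b):
    """True if a precedes b in 32-bit sequence space (same test as Linux's before())."""
    return ((a - b) & M) >= 0x80000000

def after(a, b):
    return before(b, a)

def translate_data(seg, delta):
    """Middlebox, data direction: add the per-connection random offset to seq."""
    return {**seg, "seq": (seg["seq"] + delta) & M}

def translate_ack(ack, delta, fix_sack):
    """Middlebox, ACK direction: the ack number is always mapped back; the SACK
    blocks only when the box is careful (fix_sack=True). The boxes the paper
    observed behave like fix_sack=False."""
    out = {**ack, "ack": (ack["ack"] - delta) & M}
    if fix_sack:
        out["sack"] = [((l - delta) & M, (r - delta) & M) for l, r in ack["sack"]]
    return out

def sack_block_usable(start, end, snd_una, snd_nxt):
    """The sender can act on a SACK block only if snd_una < start < end <= snd_nxt;
    anything else is dropped (simplified from Linux's tcp_is_sackblock_valid)."""
    return after(start, snd_una) and before(start, end) and not after(end, snd_nxt)

def receiver_ack(segments, rcv_nxt):
    """ACK the receiver builds from the (seq, length) segments it got: cumulative
    ack up to the first hole, one SACK block per contiguous run beyond it."""
    runs = []
    for seq, length in sorted(segments, key=lambda s: (s[0] - rcv_nxt) & M):
        end = (seq + length) & M
        if runs and runs[-1][1] == seq:
            runs[-1] = (runs[-1][0], end)          # extend the current run
        else:
            runs.append((seq, end))
    ack = rcv_nxt
    if runs and runs[0][0] == rcv_nxt:
        ack = runs.pop(0)[1]                       # in-order data advances the ack
    return {"ack": ack, "sack": runs}

def simulate(delta, fix_sack, isn=1000, mss=1000, lost=1):
    """Constructed scenario: the sender emits 4 MSS-sized segments from isn and
    segment number `lost` never arrives. Returns what the sender can do with the
    ACK that comes back through the middlebox."""
    sent = [{"seq": (isn + i * mss) & M, "len": mss} for i in range(4)]
    snd_una, snd_nxt = isn, (isn + 4 * mss) & M
    on_wire = [translate_data(s, delta) for s in sent]
    arrived = [(s["seq"], s["len"]) for i, s in enumerate(on_wire) if i != lost]
    ack = receiver_ack(arrived, (isn + delta) & M)     # receiver's own seq space
    seen = translate_ack(ack, delta, fix_sack)          # what the sender receives
    usable = [b for b in seen["sack"] if sack_block_usable(*b, snd_una, snd_nxt)]
    return {"ack": seen["ack"], "sack": seen["sack"], "usable": usable,
            "recovery": "fast retransmit" if usable else "wait for RTO"}

if __name__ == "__main__":
    for fix in (True, False):
        print("SACK rewritten by middlebox:", fix, "->", simulate(0x12345678, fix))
```

With the offset left in the SACK block, the sender sees an ack of 2000 (correct) together with a block starting about 305 million bytes past its snd_nxt; the block fails the range check, the loss is only repaired by the timer, and the transfer stalls for an RTO exactly as described above.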
-
At 7 of the 72 PlanetLab vantage points (~10%), the very first hop already stripped TCP options or overwrote them with NOPs (Multipath TCP, TCP MD5 and Window Scale were affected), and at 2 vantage points the TCP sequence numbers were always rewritten. None of these rewrites updated the fields that depend on the changed values, so higher-layer protocols relying on them see an inconsistent TCP stream.
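The detection technique behind the two findings above (compare the probe with the copy a router quotes in its ICMP Time Exceeded reply, hop by hop), as an added example that is not tracebox's own code: it builds a SYN probe, simulates a path whose first router quotes only the RFC 792 minimum while two later routers quote the full packet, with a middlebox before each of the latter (one NOPs out the MP_CAPABLE option, one clamps the MSS), and reports per hop which header fields differ and which fields that hop's quote could not even show. Addresses, ports, the MP_CAPABLE key bytes and the hop layout are constructed for the example; checksums are zeroed and, like the TTL, excluded from the comparison, since a real tracebox must recompute them rather than compare them.

```python
import ipaddress
import struct

# TCP option kinds used below (IANA numbers); 30 is Multipath TCP
EOL, NOP, MSS, WSCALE, SACKOK, MPTCP = 0, 1, 2, 3, 4, 30
VOLATILE = {"ttl", "ip_checksum"}   # change legitimately per hop, never compared
SRC = "10.0.0.2"                    # constructed vantage point address

def ipv4(src, dst, ttl, proto, payload):
    """Minimal IPv4 header (no options, checksum zero: nothing here hits the wire)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

def tcp_syn(sport, dport, seq, options):
    """TCP SYN header carrying raw option bytes, padded with EOL to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                       ((20 + len(options)) // 4) << 4, 0x02, 65535, 0, 0) + options

def parse_options(raw):
    """[(kind, value)] for a TCP option field; NOP and EOL carry no value."""
    out, i = [], 0
    while i < len(raw) and raw[i] != EOL:
        if raw[i] == NOP:
            out.append((NOP, b"")); i += 1; continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            raise ValueError("malformed TCP option")
        out.append((raw[i], raw[i + 2:i + raw[i + 1]])); i += raw[i + 1]
    return out

def decode(pkt):
    """Decode as much of an IPv4+TCP packet as `pkt` contains: an RFC 792 quote
    stops after ports and seq, an RFC 1812 quote also exposes flags, window
    and options."""
    ihl = (pkt[0] & 0x0F) * 4
    f = {"ttl": pkt[8], "ip_checksum": pkt[10:12], "dst": pkt[16:20]}
    tcp = pkt[ihl:]
    if len(tcp) >= 8:
        f["sport"], f["dport"], f["seq"] = struct.unpack("!HHI", tcp[:8])
    if len(tcp) >= 20:
        f["ack"], f["flags"], f["window"] = struct.unpack("!IxBH", tcp[8:16])
        doff = (tcp[12] >> 4) * 4
        if len(tcp) >= doff:
            opts = parse_options(tcp[20:doff])
            f["options"] = tuple(k for k, _ in opts)        # option layout
            for k, v in opts:
                if k != NOP:
                    f.setdefault(f"opt{k}", v)              # per-option value
    return f

def observable(sent, quoted):
    """Fields the quote lets us check: everything it contains, plus every option we
    sent once the option field itself is quoted (a stripped option then shows as missing)."""
    keys = set(quoted)
    if "options" in quoted:
        keys |= {k for k in sent if k.startswith("opt")}
    return keys - VOLATILE

def diff(sent, quoted):
    """{field: (sent, quoted)} for every checkable field the path has changed."""
    return {k: (sent.get(k), quoted.get(k)) for k in observable(sent, quoted)
            if sent.get(k) != quoted.get(k)}

def time_exceeded(router, seen, quote_len):
    """ICMP Time Exceeded from `router` quoting the first `quote_len` bytes of the
    probe as it arrived there (None = whole packet, RFC 1812 style)."""
    return ipv4(router, SRC, 64, 1, struct.pack("!BBHI", 11, 0, 0, 0) + seen[:quote_len])

def quoted_packet(reply):
    ihl = (reply[0] & 0x0F) * 4
    if reply[ihl] != 11:
        raise ValueError("not an ICMP Time Exceeded reply")
    return reply[ihl + 8:]

def edit_option(pkt, kind, fn):
    """Middlebox primitive: same-length rewrite fn() of the first option of `kind`."""
    ihl = (pkt[0] & 0x0F) * 4
    i, end = ihl + 20, ihl + (pkt[ihl + 12] >> 4) * 4
    while i < end and pkt[i] != EOL:
        if pkt[i] == NOP:
            i += 1; continue
        length = pkt[i + 1]
        if pkt[i] == kind:
            return pkt[:i] + fn(pkt[i:i + length]) + pkt[i + length:]
        i += length
    return pkt

def nop_out_mptcp(pkt):   # overwrite MP_CAPABLE with NOPs, as seen at the 7 VPs
    return edit_option(pkt, MPTCP, lambda o: bytes([NOP]) * len(o))

def clamp_mss(pkt):       # MSS clamping 1460 -> 1380
    return edit_option(pkt, MSS, lambda o: o[:2] + struct.pack("!H", 1380))

def tracebox(probe, hops):
    """hops: [(router_ip, middlebox_fn_or_None, quote_len)], each middlebox sitting
    just before its router. Returns per hop (router, changes, checkable fields)."""
    sent, seen, report = decode(probe), probe, []
    for router, mbox, quote_len in hops:
        seen = mbox(seen) if mbox else seen
        quoted = decode(quoted_packet(time_exceeded(router, seen, quote_len)))
        report.append((router, diff(sent, quoted), observable(sent, quoted)))
    return report

def locate(report, field):
    """(last hop whose quote showed `field` intact, first hop showing it changed).
    None on the left means no earlier quote was long enough to check the field,
    which is exactly the uncertainty behind tracebox's location error."""
    last_clean = None
    for i, (_, changes, checkable) in enumerate(report):
        if field in changes:
            return last_clean, i
        if field in checkable:
            last_clean = i
    return last_clean, None

# Constructed probe: SYN to port 80 with MSS, WSCALE, SACK-permitted and an
# MP_CAPABLE option (kind 30, length 12; the 8 key bytes are placeholders).
PROBE = ipv4(SRC, "203.0.113.10", 64, 6, tcp_syn(40000, 80, 0x1000,
        bytes([MSS, 4]) + struct.pack("!H", 1460) + bytes([WSCALE, 3, 7]) +
        bytes([SACKOK, 2]) + bytes([MPTCP, 12, 0x00, 0x81]) + b"\x00" * 8))
HOPS = [("10.0.0.1", None, 28),              # RFC 792: IP header + 8 bytes only
        ("192.0.2.1", nop_out_mptcp, None),  # full quote, MP_CAPABLE already NOPed
        ("198.51.100.1", clamp_mss, None)]   # full quote, MSS clamped as well

if __name__ == "__main__":
    for router, changes, _ in tracebox(PROBE, HOPS):
        print(router, changes or "no change visible")
```

The output shows nothing at the first hop, the missing `opt30` at the second and the rewritten `opt2` at the third; `locate(report, "opt30")` returns `(None, 1)`, because the access router's 8-byte quote cannot prove the MP_CAPABLE option was still intact there, while `locate(report, "opt2")` returns `(1, 2)`, pinning the MSS clamp to a single link.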
-
tracebox locates a middlebox to within 4 hops in 61% of cases, and no single error larger than 13 hops (the length of roughly 60% of the measured paths) accounts for more than 1% of cases. The uncertainty comes from routers that quote only the first 8 bytes of the probe: a change deeper in the header can only be bracketed between the last full-quoting router that showed the field intact and the first one that showed it modified. Of the MSS-modifying middleboxes detected, 52% were in the network core and only 2.7% close to the source vantage point.
-
tracebox identified a transparent HTTP proxy or IDS inside a national research network (SUNET) that intercepted SYN probes to port 80 but not to port 21, so the observed path to port 80 was shorter than the path to port 21 for the same destination. It also found a proxy misconfiguration that created a forwarding loop for non-HTTP traffic: the ICMP Time Exceeded replies alternated between two routers indefinitely.