An untold story of middleboxes in cellular networks

The use of cellular data networks is increasingly popular as network coverage becomes more ubiquitous and many diverse user-contributed mobile applications become available. The growing cellular traffic demand means that cellular network carriers are facing greater challenges to provide users with good network performance and energy efficiency, while protecting networks from potential attacks. To better utilize their limited network resources while securing the network and protecting client devices, the carriers have already deployed various network policies that influence traffic behavior. Today, these policies are mostly opaque, though they directly impact application designs and may even introduce network vulnerabilities. We present NetPiculet, the first tool that unveils carriers' NAT and firewall policies by conducting intelligent measurement. By running NetPiculet on the major U.S. cellular providers as well as deploying it as a smartphone application in the wild covering more than 100 cellular ISPs, we identified the key NAT and firewall policies which have direct implications on performance, energy, and security. For example, NAT boxes and firewalls set timeouts for idle TCP connections, which sometimes cause significant energy waste on mobile devices. Although most carriers today deploy sophisticated firewalls, they are still vulnerable to various attacks such as battery draining and denial of service. These findings can inform developers in optimizing the interaction between mobile applications and cellular networks and also guide carriers in improving their network configurations.
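The idle-timeout finding above is the one an application developer can act on directly: if the NAT or firewall drops state after some idle period, keepalives sent more often than needed waste radio energy, and keepalives sent less often than that silently break long-lived connections. The following is an added illustration, not NetPiculet's code; `probe` stands in for a real measurement that holds a connection idle and checks whether it still carries data, and `SimulatedMiddlebox` is a constructed stand-in with a hidden timeout so the search runs offline.

```python
from typing import Callable


def find_idle_timeout(probe: Callable[[int], bool], upper: int) -> int:
    """Binary-search the largest idle interval (seconds) a connection survives.

    Assumes survival is monotonic: if idling for t seconds is survived, any
    shorter idle period is too. Returns the largest surviving interval in
    [0, upper]; 0 s of idleness is taken to always survive.
    """
    if probe(upper):
        return upper          # timeout is at least `upper`; widen the range to pin it down
    lo, hi = 0, upper         # invariant: probe(lo) survived, probe(hi) did not
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def keepalive_interval(idle_timeout: int, safety: float = 0.8) -> int:
    """Choose a keepalive period comfortably below the measured timeout.

    Too frequent: the radio is woken needlessly (energy). Too infrequent: the
    middlebox drops the mapping and the application must reconnect.
    """
    return max(1, int(idle_timeout * safety))


class SimulatedMiddlebox:
    """Constructed NAT/firewall model: state expires after a hidden idle timeout."""

    def __init__(self, timeout_s: int):
        self.timeout_s = timeout_s
        self.probes = 0       # each probe costs one idle period in a real measurement

    def probe(self, idle_s: int) -> bool:
        self.probes += 1
        return idle_s <= self.timeout_s


if __name__ == "__main__":
    box = SimulatedMiddlebox(timeout_s=300)   # constructed: 5-minute idle timeout
    t = find_idle_timeout(box.probe, upper=3600)
    print(f"idle timeout ~{t}s after {box.probes} probes; keepalive every {keepalive_interval(t)}s")
```

Against a real network each probe costs a full idle wait, so the binary search (13 probes for a 1-hour range here) is what makes the measurement practical.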
