Standard User NameOfTheDragon
(newbie) Sun 29-Apr-12 06:24:37

Effect of unsolicited traffic on usage caps

 
I wonder if anyone has done any experiments on the effect of unsolicited traffic - for example, a Denial of Service (DoS) attack - on a user's usage statistics. With many ISPs imposing fair use policies and mobile operators charging for data by the megabyte, I think this is an 'elephant in the room' that is being ignored. As I wrote in my recent blog article at http://www.tigranetworks.co.uk/blog/the-problem-with... I suspect that a victim of a DoS attack (or other unsolicited traffic) would have that data count against their monthly usage limit.

I'd like to see some tests carried out on a capped service, to see if an attack on that subscriber's ADSL connection can cause them to be capped under the fair use policy, or if unsolicited data sent to a mobile device gets added to the subscriber's bill. If that turns out to be the case, wouldn't that make a mockery of metering broadband usage?

Standard User mixt
(experienced) Sun 29-Apr-12 10:20:28

Re: Effect of unsolicited traffic on usage caps

[re: NameOfTheDragon]
 
To some extent you are right, but AAISP (the ISP I am with) have thought about this already. Take a read here: http://aa.net.uk/kb-broadband-shaping.html

Specifically this:

Matching BRAS rate our end

We match the BRAS rate our end, limiting your line in the same way. This is in line with us not being the bottleneck as we set the rate the same as the BRAS. For 20CN, we even have a system to seamlessly change this rate without dropping your connection as soon as BT advise us of a BRAS rate change which can be hours after the line changes to a new sync speed. On 21CN the rate updates every time you connect.

We do this for two main reasons - (a) to allow load balancing if you have multiple lines - sending the right amounts of traffic to each line, and (b) handling attacks. If someone was to send, say, 500Mb/s to your line, we do not want 500Mb/s going to BT only to be thrown away by the BRAS - we limit the traffic we send to BT to what your line will take and so do not affect other customers if your line is attacked. We also use this as the benchmark for working out if you are being attacked so we can disconnect your line (talk to us on irc if you want more details on this). This limit also stops the discarded traffic in an attack counting against your chargeable usage.

So yes, if someone was to DDOS me just below my line rate, I would most likely be charged for all that traffic. I'd have to call them up about it. But, if the attack was so major that it started to exceed my line rate, and caused a notable blip on their network, they would most likely disconnect me to mitigate the problem (a DDOS attack normally renders the end user connectivity useless anyway, so disconnecting is not making things any worse).

Not all ISPs will do what AAISP detail above, but they should, especially if they are metering traffic usage.

Now on <aaisp.net> (21CN+IPv6)
Previous ISPs: Virgin Media (50Mb/Cable), Be* Un Limited, ZeN
Is Linux routing your internet connection?
Need to make BIND geo-aware?

Edited by mixt (Sun 29-Apr-12 10:22:51)
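
Added example, not part of mixt's post and not AAISP's implementation: a small model of a shaper set to the line's BRAS rate, comparing usage metered before the shaper with usage metered after it for the 500Mb/s flood in the quoted text and for a flood just under the line rate. The 8 Mb/s line rate, the ten-minute durations and the 30-second `attack_suspected` rule are assumptions made for the illustration.

```python
# Added example: constructed model, not AAISP's implementation.
LINE_RATE_BPS = 8_000_000  # assumed BRAS rate for the line (8 Mb/s)


def shape_and_meter(phases, line_rate_bps=LINE_RATE_BPS, burst_bytes=0):
    """Shape offered traffic to the line rate with a token bucket, one step per second.

    phases: list of (seconds, offered_bits_per_second).
    Returns byte counts metered before and after the shaper, plus the number
    of seconds in which the shaper had to discard traffic.
    """
    rate = line_rate_bps // 8            # bytes of credit added per second
    capacity = rate + burst_bytes        # bucket never holds more than this
    tokens = burst_bytes
    offered = forwarded = discard_seconds = 0
    for seconds, offered_bps in phases:
        want = offered_bps // 8
        for _ in range(seconds):
            tokens = min(tokens + rate, capacity)
            sent = min(want, tokens)     # only what the line can take is sent on
            tokens -= sent
            offered += want
            forwarded += sent
            discard_seconds += sent < want
    return {
        "metered_before_shaper": offered,
        "metered_after_shaper": forwarded,
        "discarded": offered - forwarded,
        "discard_seconds": discard_seconds,
    }


def attack_suspected(result, min_discard_seconds=30):
    """Hypothetical rule: sustained discarding at the shaper marks the line as attacked."""
    return result["discard_seconds"] >= min_discard_seconds


# Constructed inputs: ten minutes of each flood.
FLOOD_500M = [(600, 500_000_000)]        # the 500Mb/s case from the quoted text
FLOOD_BELOW_RATE = [(600, 7_900_000)]    # just under the line rate

if __name__ == "__main__":
    for name, phases in (("500 Mb/s", FLOOD_500M), ("7.9 Mb/s", FLOOD_BELOW_RATE)):
        r = shape_and_meter(phases)
        print(name, r, "attack suspected:", attack_suspected(r))
```

Metering after the shaper caps the chargeable volume of the large flood at what the line could carry, while the flood just under the line rate is forwarded and metered in full and never trips the discard-based rule.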

Standard User Deadbeat
(knowledge is power) Sun 29-Apr-12 10:58:06

Re: Effect of unsolicited traffic on usage caps

[re: NameOfTheDragon]
 
How likely is it that something like D(D)oS'ing will affect a normal consumer connection? If any other unsolicited traffic is due to a user's lack of security (Malware, wireless security etc) then that is their fault and they should pay.



Administrator MrSaffron
(staff) Sun 29-Apr-12 13:13:12

Re: Effect of unsolicited traffic on usage caps

[re: NameOfTheDragon]
 
First post and you are promoting your blog, and not a personal blog?

There is no suspect about it, any traffic across the connection would be charged.

Andrew Ferguson, andrew@thinkbroadband.com
www.thinkbroadband.com - formerly known as ADSLguide.org.uk
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
Standard User qasdfdsaq
(newbie) Sun 29-Apr-12 13:40:31

Re: Effect of unsolicited traffic on usage caps

[re: NameOfTheDragon]
 
I'm sorry, but while the impact of a DOS will typically be counted towards a fixed-line broadband user's allowance, the use of a largely irrelevant and nonsensical example (mobile phones) has rendered much of that article complete rubbish.

You see, all mobile providers in the UK (barring very small niche services over L2TP tunnels) use carrier-grade NAT. All devices are on a private IP range and consequently it is impossible for anyone on the public internet to send any unsolicited data whatsoever to a mobile handset. Only other mobile devices on the same local subnet would be able to send unsolicited data, and even then this usually does not always work due to network operator firewalling, and in any case the data usage would be recorded against the sender's account too.

Not only that, many operators now pipe your data back to your home operator even while abroad, allowing your service provider to monitor your usage by the minute and inspect every single byte you transmit or receive if they wished to - though the above varies according to roaming arrangements. So again, the likelihood of the above scenario - and the relevance of the mobile roaming example - is minute at best.

Now, back to fixed-line broadband, where you get a public IP address, this might actually happen. However the charges there are much lower, limits much higher, and as far as wholesale ISPs are concerned, everyone has to traffic shape at the handover anyway. Also given most residential IPs are dynamic, a simple reboot of the router and your problem is alleviated.

This brings us to the interesting conundrum of Virgin Media, whose customers are incidentally some of the juiciest targets for a hypothetical DOS or dDOS attack. Given their IP addresses are largely static (well, stick for months to years), and that they'll actually disconnect rather than slow you down for excessive use - *and* they have no clear threshold for "excessive" or any way of telling you how much you used... see where this is going? Add to that the fact that they supply a router that has very poor traffic accounting features, buffers excessively and frequently crashes when flooded...

Edited by qasdfdsaq (Sun 29-Apr-12 13:43:03)

Standard User qasdfdsaq
(newbie) Sun 29-Apr-12 13:42:13

Re: Effect of unsolicited traffic on usage caps

[re: Deadbeat]
 
In reply to a post by Deadbeat:
"How likely is it that something like D(D)oS'ing will affect a normal consumer connection? If any other unsolicited traffic is due to a user's lack of security (Malware, wireless security etc) then that is their fault and they should pay."

On the technical level (i.e. IP layer) that would actually be solicited traffic, even if not solicited by the actual user.
Standard User NameOfTheDragon
(newbie) Mon 30-Apr-12 23:22:13

Re: Effect of unsolicited traffic on usage caps

[re: MrSaffron]
 
Hello Andrew. I'm sorry if my link offended anyone. Your terms of use state:
"we do not have a problem with users posting links to their web sites in signatures, or posts provided their posts are materially useful and are not simply seeking to promote their products"

On that basis, I thought it would be OK to link to my blog. Effectively that is my personal blog. It happens to be on my company web site, I am a one-man-business, and for me, there is a continuum from personal to business, it is very hard to separate the two. Yes, my blog is hosted by my company. I used to keep two separate blogs but found that I just cross-posted everything to both, so I wrapped them both into one. I wouldn't waste my time trying to 'advertise' here. Been there, done that, and I know it is a complete waste of time and bandwidth. It is vanishingly unlikely that anyone will buy anything from my company as a result of a post in an online forum that is only tangentially related to what I do, so you needn't worry about me trying to spam your users [wink]

Standard User NameOfTheDragon
(newbie) Tue 01-May-12 00:03:04

Re: Effect of unsolicited traffic on usage caps

[re: qasdfdsaq]
 
You make some interesting points. So you agree, in principle, that a DoS attack (for example) or other unsolicited traffic could in fact be counted towards a user's quota. I'm not familiar with the details of carrier grade NAT so I don't know how it differs from typical 'domestic grade' NAT, but for simplicity I'll take your word that it is impossible for unsolicited traffic to reach a mobile phone. We can then eliminate that scenario from the discussion (I'll update my blog post to reflect this, in due course). The point is valid as far as ADSL connections are concerned though.

I find it to be fairly typical that an ISP can tell you how much data you've used, but no level of detail on where it came from or whether you asked for it. So essentially then, it is true that we are all being held accountable for data that we might not have asked for.

Someone commented that a DoS attack on a consumer connection is not very likely, but the probability isn't really the point. If it _can_ happen, then it _will_ happen, eventually.

I'm not sure how traffic shaping is relevant since the effect of that would be to rate-limit the unsolicited data, not eliminate it. Providers who don't do traffic shaping also tend to have unlimited usage, this is the real point I'm getting at. Limiting broadband usage to anything other than what is possible at the headline speed is essentially a flawed premise, since it can never be proved that the consumer requested the data.

It's strange you should mention Virgin Media, they have figured in no small part in my thinking recently. I can categorically state that they do have clear definitions of what is 'excessive' for certain plans, they do in fact throttle traffic to 20% and they can tell you how much traffic you've received, although they can only give a per-diem total and no detail beyond that. I can't speak to the quality of their routers since they never provided it (the service I have dealt with originated with Cable & Wireless, then became NTL then Virgin).

Standard User qasdfdsaq
(learned) Tue 01-May-12 00:34:28

Re: Effect of unsolicited traffic on usage caps

[re: NameOfTheDragon]
 
The general industry standard practice is that on metered services, all data, no matter where it was sent to or from, or what kind of data it is, counts towards your allowance. There are variations by time of day or direction, but not type or destination. So yes, it is conceivably possible though highly unlikely.

As I said, the average home user's ADSL connection will have a dynamic IP, and presented with a slow/non functional connection most will simply reboot their router. This will get a new IP, and therefore thwart the (d)DOS attack within seconds, likely without even knowing about it; so the potential for long-term damage is very low.

Onto the side note of carrier NATs - it doesn't differ much from a domestic NAT other than it is done by the ISP using carrier grade equipment - i.e. software and hardware that can handle much higher connection rates and have enterprise features such as redundancy, load balancing and fail-over. Other than that, while a domestic NAT will allow the user to set port forwards, most ISPs' NATs will not, so only outbound connections are possible.

Finally for Virgin Media. Your categorical statement is categorically wrong. They do not have clear definitions of excessive use, and have admitted so in the past. What you are referring to is their "heavy user" STM policy, which is completely separate from their excessive use FUP. The heavy user STM will reduce your speed to 25/50% when you exceed a set threshold (it has never been 20%), the excessive use policy will result in your disconnection when exceeding a variable and undisclosed threshold.

While it is true that the vast majority of ISPs can only give you a single total of data usage without any details of what was requested or from where, I contend the equipment they have in place is easily capable of reporting the latter but the functionality is not often used. For the same reason ISPs are resisting demands to make the same data available to the government, it is highly costly and economically unviable to proactively monitor every user's data usage to this level of detail just in case of the extremely unlikely possibility they might get DDoS'd.