Your ISP and You: Measuring Network Conflicts


Nicholas Weaver
UC Berkeley

Wednesday, November 19, 2008
4:30 pm

402 Walter Library

Gone are the days when the network simply transmitted packets. We now live in a world where the network operator's interests may diverge from those of the user or content provider. For example, network operators may be legally required to detect and censor certain information, may modify web pages in transit to insert advertisements, or may decide that certain communication is not allowed. Some of these conflicts arise from external constraints, some from simple profit motive, and some from inherent economic competition between ISPs and content providers. We have developed and deployed detection mechanisms for two such conflict-related interferences. The first, web tripwires, is a small JavaScript program that allows the content provider to detect whether an HTTP page has changed in flight. This succeeded in detecting not only active advertisement injection but also client programs that transform the HTTP, enterprise gateways that insert protective code, and even instances of malcode using ARP-cache poisoning. The second is a network-level detector for injected RSTs that can run at any symmetric network monitoring point. By manually correlating alerts, we were able to develop fingerprints for various injectors. These fingerprints not only detected and distinguished different ISPs performing P2P disruption but also revealed the use of RSTs to block spam bots and mail viruses, and gave insights into the multi-component composition of the "Great Firewall" of China.


Nicholas Weaver is a researcher at the International Computer Science Institute in Berkeley, specializing in network attacks, intrusion detection, and malcode, after having received his PhD from Berkeley in Computer Architecture in 2003. He also possesses a very devious mind.