TPRC45 has ended
Back To Schedule
Friday, September 8 • 4:43pm - 5:15pm
Investigating End-To-End Integrity Violations in Internet Traffic

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Internet applications are commonly implemented with the implicit assumption that network traffic is transported across the internet without modification; we refer to this end-to-end integrity. Put simply, most applications assume that the data they send will be received intact by the host they are communicating with (barring transient errors and normal packet loss). This expectation is encoded in the Federal Communications Commission (FCC) Open Internet Order, which states that Internet Service Providers (ISPs) should not impose “unreasonable interference” with customers' network traffic. However, it is increasingly common to find ISPs who deploy middleboxes that silently manipulate customers’ traffic in ways that impact security, privacy, and integrity.

Additionally, in late 2016, the FCC adopted a set of regulations with the goal of protecting consumer privacy (FCC 16-148). In brief, these regulations required Internet Service Providers (ISPs) to provide transparency and customer choice over how customers' “personally identifiable information” and “content of communications” are shared with third parties. In March 2017, both houses of Congress passed a bill that nullified these protections; it is expected that the President will sign this bill into law shortly. As a result, the issues of privacy and integrity of users' Internet traffic is of immediate importance to policymakers.

This paper presents evidence of multiple ISPs that modify customers’ traffic in-flight. We use a HTTP/S proxy service with millions of end hosts in residential networks to study the behavior of over 14,000 networks worldwide. Using this system, we route benign traffic via over 1.2 million hosts in these networks to test for end-to-end integrity. We find end-to-end integrity violations including hijacking of certain DNS responses — often sending users to pages with advertisements — by AT&T, Verizon, and Cox Communications (as well as a number of foreign ISPs). We also find content injection in web pages — often adding trackers or advertisements to web pages or censoring content — by a number of foreign ISPs.

Worse, we find that a number of hosts show evidence that their web requests are being monitored, suggesting the customer browsing data may be being sent to third parties. We find a number of foreign ISPs have large number of users whose traffic appears to be “duplicated”: when we ask a host to fetch a webpage on a server we control, we observe multiple web requests coming in from different locations on the internet. This observation indicates that users' browsing behavior is being transmitted to third parties, potentially without their knowledge or consent.

Given the increasing amounts of critical and privacy-sensitive information that is exchanged online, we recommend that regulators leverage active auditing technologies to inform and enforce current and future policies. Our methodology in particular can be deployed with low overhead and is scalable to millions of hosts and thousands of networks.


Marvin Sirbu

Carnegie Mellon University


Taejoong Chung

Postdoctoral Researcher, Northeastern University


David Choffnes

Assistant Professor, Northeastern University
Net neutrality, network measurement, QUIC, privacy Find me on Twitter: @proffnes

Alan Mislove

Northeastern University

Friday September 8, 2017 4:43pm - 5:15pm EDT
ASLS Hazel Hall - Room 329