
Ask Slashdot: How To Diagnose Traffic Throttling and Work Around It?

timothy posted about a year ago | from the watch-where-the-soap-bubbles-emerge dept.

Censorship 251

Aguazul2 writes "I live in Peru and use OpenVPN to connect to my own Linux VPS in the UK for non-live TV. Recently the VPN connection has slowed to a crawl (5% previous rate). Further investigation shows that all connections to my VPS from Peru (even HTTP) are equally slow, whilst the rest of the 'net seems fine. My VPS host says they do no traffic shaping, and connections from Germany to the VPS are fast. This leaves the NSA and Telefonica (Movistar) as suspects. Could the NSA be slowing all VPNs to/from South America because of Snowden and Greenwald? A traceroute shows traffic going through domains with NYC in their name — are my packets being indefinitely detained in transit? Or maybe it is Telefonica and their Sandvine traffic management? Either way this certainly isn't network neutrality, especially on an 'unlimited' plan. Is there a way to tell for certain who is throttling me? If Telefonica have throttled traffic to/from that one IP address, what options do I have to work around it? It seems that separate connections are throttled independently, so can I multiplex over many UDP ports without having to hack OpenVPN myself? This is really frustrating, especially with two untrustworthy parties on the route. I wonder, is this kind of mess the future of the internet?"


I use longer words (4, Funny)

For a Free Internet (1594621) | about a year ago | (#44661551)

Try breaking free of the binary straightjacket. I transmit all my data in ternary and it is untraceable and unstoppable. This gives me unlimitered bandwidsh to post my brilliant world-changing essays and thoughts on Slashdort, the Facebook of the Internet!

Re:I use longer words (0, Insightful)

Anonymous Coward | about a year ago | (#44661753)

Once again, mods have no sense of humour.

Re:I use longer words (4, Insightful)

WindBourne (631190) | about a year ago | (#44661857)

Actually, we think that the original poster is the one without a sense of humor.

I scoffe at your "homor"! (2, Insightful)

For a Free Internet (1594621) | about a year ago | (#44661875)

My ideas about compotore technology and social revolution and FREEDOM are so advanced, so revolutionary, that most people on Slashdort mistake them for "jorkes." Wrong! I am totally serial.

Re:I scoffe at your "homor"! (5, Funny)

Anonymous Coward | about a year ago | (#44661991)

Who gave a slashdot account to that computer trained to tell jokes?

NSA (5, Insightful)

Dan East (318230) | about a year ago | (#44661563)

I've had a client I provide consulting for suggest that their poor connectivity is also in some way due to the NSA. People need to understand that it is paramount to the NSA that they are covert. They do not need to do real-time processing of the data: that is only necessary for filtering. It suffices for them to simply capture raw data for later analysis or decryption as necessary. Of course capturing data does not result in any slowdown or other noticeable effects. It does not make any sense whatsoever for the NSA to be slowing or otherwise blocking connectivity, as that is counterproductive to the acquisition of intelligence data.

It's just amusing to me to see NSA as the scapegoat of the day for any quirk anyone experiences related to computers or connectivity in general.

Re:NSA (5, Funny)

houstonbofh (602064) | about a year ago | (#44661661)

It's just amusing to me to see NSA as the scapegoat of the day for any quirk anyone experiences related to computers or connectivity in general.

No one ever got fired for buying... I mean blaming the NSA. :)

Re:NSA (5, Funny)

larry bagina (561269) | about a year ago | (#44661789)

Unless you're an NSA whistleblower [wikipedia.org] , in which case you are fired and prosecuted.

Re:NSA (4, Insightful)

noh8rz10 (2716597) | about a year ago | (#44661925)

WOW is this what the world is coming to? anywhere in the world, when there's a bad internet connection, the first question is "is the NSA throttling me?" HINT: the NSA won't throttle you, they'll spy on everything you do.

Re:NSA (1)

jones_supa (887896) | about a year ago | (#44662019)

I think the submitter's theory was that the NSA man-in-the-middle data capturing would slow down the connection.

an incorrect theory, because port mirroring (5, Interesting)

raymorris (2726007) | about a year ago | (#44662049)

That may have been their theory, or it may have been they wondered if US gov was intentionally slowing VPN connections from that part of the world.

If the theory was that capturing data would slow it down, the answer is "no". For that, you'd use port mirroring. Where a switch or router would normally take data in on one line and output it on another, you set it to accept data on the one line and output it on TWO others simultaneously. The data still flows at the same speed. It just flows to two locations separately - the intended recipient and the government.

Re:an incorrect theory, because port mirroring (0)

Anonymous Coward | about a year ago | (#44662107)

Well, actually...

SOMETIMES, it does slow it down, or at least increases the latency (and at high bandwidth the increased delay results in lower speed unless the protocol takes this into account).

If you were communicating locally (to someone else who is in the same area as you, for instance using VoIP), your traffic need not go through the router at the central office which is typically where the tap happens. It is inefficient to trombone traffic, so the carriers tend not to unless they have to. But, if they put a tap on you, then they have to force all traffic through the central office---even local area traffic---and you might then notice that your latency went up by a few ms.

Of course if they tap all traffic routinely, then the latency is always higher than it needs to be and no-one notices.

Re: NSA (0)

Anonymous Coward | about a year ago | (#44662183)

Why blame the NSA when it's the FBI that holds the domestic surveillance brief?

Re:NSA (0)

Anonymous Coward | about a year ago | (#44662357)

Depends upon what u mean by "fired"!

Re:NSA (5, Informative)

hedwards (940851) | about a year ago | (#44661717)

Indeed.
But, even in China where they do filter the internet, there isn't any real throttling that goes down, the main thing I saw when I was there was abysmal latency. It would have the effect of killing off websites that weren't blocked, when the website was expecting to load dozens of scripts from various other servers. Each one would have up to 2.5 seconds of latency attached. And yes, that is seconds, not often, but there were a few times when my ping was measurable with a human timer.

More likely, this is some sort of broken link somewhere along the way that's resulting in the traffic being slowed.

Re:NSA (0)

Anonymous Coward | about a year ago | (#44662017)

Some ISPs may be using Phorm-like transparent proxies to rewrite some scripts, so they can overwrite other ad servers with their ads. This can cause latency, provided they can intercept an unencrypted stream.

Re:NSA (5, Interesting)

whoever57 (658626) | about a year ago | (#44661739)

People need to understand that it is paramount to the NSA that they are covert.

Indeed. When working for a company that sold telecom and networking IP blocks, we received more than one request for the receive part ONLY of an Ethernet MAC. The companies that enquired did not make test equipment, but were known for secrecy and selling to the US government. What possible reason does such a company have for an Ethernet MAC that receives only?

Re:NSA (5, Informative)

_merlin (160982) | about a year ago | (#44662117)

In finance we use them for performance monitoring and debugging. You have machines with CDMA or GPS time sources logging packets captured from passive taps on each side of your switches, routers, servers, etc. It lets you produce very accurate and detailed latency statistics. Also when things go wrong you have an exact record of everything that went in or out on the network to help you reproduce and fix it. Admittedly we don't actually get NICs with the transmit functionality removed, but the passive taps prevent anything transmitted from going anywhere, so we get a similar effect.

Re:NSA (4, Interesting)

ron_ivi (607351) | about a year ago | (#44661751)

It suffices for them to simply capture raw data

Lol. You have no idea what suffices for them.

And even if "capture raw data" suffices - if the bandwidth to their traffic capturing room [wikipedia.org] is at capacity, they very well may tell the upstream switches to slow down so they can "capture [all] raw data".

Until there's enough transparency, it's at least as reasonable to blame the NSA for using lots of bandwidth to cause congestion as it is to blame all those movie-pirates for using all the bandwidth.

Re:NSA (4, Interesting)

hacker (14635) | about a year ago | (#44661829)

They do not need to do real-time processing of the data: that is only necessary for filtering.

That may be true for passive surveillance (http traffic, emails, IMs), but most-definitely not for VPNs, as in this specific case.

You absolutely need to trap the packets in real time in order to actually break the VPN connection open so you can get at the actual payload (cleartext, post-decrypted) data within the stream. The initial cryptographic handshake has to be captured, in order for them to peel it open and get inside.

You can't do that days later, when all you have is an encrypted stream of bits.

Re:NSA (1, Redundant)

jamesh (87723) | about a year ago | (#44661869)

They do not need to do real-time processing of the data: that is only necessary for filtering.

That may be true for passive surveillance (http traffic, emails, IMs), but most-definitely not for VPNs, as in this specific case.

You absolutely need to trap the packets in real time in order to actually break the VPN connection open so you can get at the actual payload (cleartext, post-decrypted) data within the stream. The initial cryptographic handshake has to be captured, in order for them to peel it open and get inside.

You can't do that days later, when all you have is an encrypted stream of bits.

They only need to know that the citizen is using an encrypted VPN. This implies that they have something to hide and are therefore a suspect, and actual evidence no longer matters.

Re:NSA (2)

noh8rz10 (2716597) | about a year ago | (#44661929)

what is an encrypted VPN? I thought all VPNs were encrypted?

Re:NSA (1)

Anonymous Coward | about a year ago | (#44661993)

u can have a tunnel without encryption if u don;t need the overhead

Re:NSA (0)

Anonymous Coward | about a year ago | (#44662073)

Please type properly.

Re:NSA (3, Insightful)

dubbreak (623656) | about a year ago | (#44662089)

You can type in full words with very little overhead.

Re:NSA (2)

M. Baranczak (726671) | about a year ago | (#44662177)

He's using a new form of encryption. I bet even the NSA won't be able to crack that one.

Re:NSA (5, Insightful)

Anonymous Coward | about a year ago | (#44662201)

Yeah, NSA tech guy, we really don't think you should be listening in on our business plan and buying up stock before we announce the acquisition...
Lotta non-political reasons why a person might want to encrypt communications. I do have something to hide AND I'm not doing anything wrong.

Re:NSA (5, Insightful)

girlintraining (1395911) | about a year ago | (#44661885)

It does not make any sense whatsoever for the NSA to be slowing or otherwise blocking connectivity, as that is counterproductive to the acquisition of intelligence data.

That's generally true. The NSA is competent. But not all government agencies are... and not all of those agencies work for the United States either. So I can't conclusively tell you (nor can anyone else) that it isn't the result of some law enforcement action that's causing your internet connection to behave strangely. What I can tell you, is that it's pretty unlikely.

The more likely explanation is QoS being implemented that targets either based on IP, subnet, port, or content. Content-aware QoS is pretty rare, but it is out there. Alternatively, it could be a misconfigured router, or an oversaturated link. Traceroute and measuring the latency during TCP handshakes to various ports both to the destination of interest and elsewhere would help identify this. Lastly, it may not even be network-related; it could be the server itself that is slow, or the application it is running on. In today's 'cloud all the things!' service model, there are all kinds of weird performance glitches due to complex interactions within the cluster. For example... several data centers bought the (server) farm during the last addition of a leap second, as circuit breakers tripped out due to sudden load spikes.

The fact is, without a lot more information from the OP, this question simply can't be answered. It could be one of dozens of different things... all we can do is give odds on the likelihood of what it might be... and I'd put the NSA pretty far down the list. The 'NSA Effect' is the same thing happening now in the media that caused people to beat the crap out of random muslims out of 9/11, or jerkwads in Florida to shoot black kids -- perception and media attention creates a new social reality. Social reality is not based in actual reality, however... but it's stuff like this that gives rise to all kinds of prejudices -- racism, sexism, religious persecution... it's ironic that the NSA's surveillance policies are based on such faulty logic ... and now they are the victim of it as well. Ah, but I digress... short answer: Your router doesn't need a tin foil hat.

Re:NSA (1)

kilodelta (843627) | about a year ago | (#44661889)

The reality is that every hop adds its own latency to the mix. This could be part of the problem with the NSA doing what it does.

Re:NSA (5, Informative)

Em Adespoton (792954) | about a year ago | (#44662085)

But the NSA isn't in the business of routing data; it's in the business of mirroring data. This means that you get something like:

source
        |
router A
        |
router B --> NSA
        |
router C
        |
destination

So if router B is up to the task of sending the signal down a fixed path as well as whatever BGP indicates, there should be no slowdown. If it isn't, that's going to be a constant issue, not something that varies. It's either good enough for the volume of data it is exposed to, or it isn't. There's no analysis happening at the router, and the NSA isn't doing stateful inspection.

More likely a QoS issue by some stateful router in the hop chain, or even a corrupted BGP table.

Re:NSA (-1)

Anonymous Coward | about a year ago | (#44661891)

thanks
http://turkfilmiizle.org/

Re:NSA (2)

icebike (68054) | about a year ago | (#44661927)

It does not make any sense whatsoever for the NSA to be slowing or otherwise blocking connectivity, as that is counterproductive to the acquisition of intelligence data.

Normally I would agree with you, but since "THEY" (the generic they) are forcing Presidential planes to land, detaining boyfriends, seizing electronics, what makes you so sure some arm of the US government isn't deliberately slowing or blocking binary transfer streams in an attempt to stop Snowden's 400 gigabyte cache of information from spreading?

(I suspect his Peru ISP is lying to him, but still I consider the possibility of intentional interference).

Re:NSA (1)

bill_mcgonigle (4333) | about a year ago | (#44662077)

deliberately slowing or blocking binary transfer streams in an attempt to stop Snowden's 400 gigabyte cache of information from spreading?

For some reason, my torrents on Comcast (CentOS, Fedora, Mint) are running at full speed, except for those three. transmission-daemon FWIW.

Re:NSA (5, Funny)

arekin (2605525) | about a year ago | (#44661985)

Hi, my facebook won't load and is showing more ads when it does. Do you think this could be the NSA snooping on my facebook and pushing me to buy audiobooks that will contain subliminal messages to hate Snowden and freedom?

Re:NSA (4, Insightful)

Antique Geekmeister (740220) | about a year ago | (#44662051)

Given that they did, in fact, cause poor connectivity for critical west coast trunk connections at AT&T with the "bent fiber optic" taps installed in Room 641A, it seems that interfering with a typical customer's bandwidth is not their highest priority. While there are ways in many environments to tap data surreptitiously and at full bandwidth, such setups are often quite expensive and instead done with less sophisticated, possibly slower devices and bandwidth throttled to allow full data capture.

I've certainly seen this in industry when monitoring a network problem, where we throttled the bandwidth so our monitors could keep up and analyze who was abusing our systems.

You are all major assholes (1, Interesting)

TrollstonButterbeans (2914995) | about a year ago | (#44662055)

| It suffices for them to simply capture raw data

Ok, so the same people that say it can't be piracy because no one was deprived of their DVD give a free pass to "The NSA is capturing the data"??

They didn't capture the data, because if they did then when did they release it? It wasn't like they were tagging an antelope and then let it go at some later time. Why do you give a stamp of approval that the "NSA captures data" as if they held it hostage at Gitmo and wouldn't let the datas go unimpeded.

It isn't like they detained the data without a warrant and won't release it --- they let it go freely. You guys are acting like they are backing up your data stream like some fat dude that is clogging the toilet ... and you wouldn't let this terminology pass with "piracy" because that involves depriving someone of their property ....

Re:NSA (2)

sacrilicious (316896) | about a year ago | (#44662157)

it is paramount to the NSA that they are covert.

Not any more.

Re:NSA (1)

Aguazul2 (2591049) | about a year ago | (#44662185)

it is paramount to the NSA that they are covert.

Not any more.

Yes, exactly. How long before passive monitoring becomes active manipulation of streams. "Wouldn't it be great", they say, "if we could stop the terrorist communications from arriving". "Wouldn't it be great if we could stop the Guardian sending all our secrets to/from South America". I know the difference between passive monitoring and messing with packets, but I don't think I'm being too paranoid to think that some part of US cyber defence might think it a good idea to slow down VPNs as an 'emergency measure'. Well, probably it is my ISP but still.

Passive monitoring is all that is necessary (3, Informative)

Anonymous Coward | about a year ago | (#44661579)

You are seriously lacking basic data telecommunications experience. All government tapping is span port based. This means that it is passive, not active, so there is no latency involved.

Re:Passive monitoring is all that is necessary (1)

xate (784379) | about a year ago | (#44661599)

span port or port mirroring? i don't knows muchs abouts switchers buts i thinks spannin is something else

Re:Passive monitoring is all that is necessary (1)

Anonymous Coward | about a year ago | (#44661825)

One can mirror/span ports. There are also direct wire-level (layer 1) taps that one can plug between devices that mirror the signal exactly on the raw electrical pulse tier. There is zero latency with this device, although they tend to be fairly specialized.

Hook it up, clap a machine with tcpdump and a large storage array that can handle the sustained I/O, and slurp away. I'm sure it is much more sophisticated than this, likely with DPI filters and such.

Seriously, the NSA is not going to actively interfere with someone's traffic. They tend to be observers, not enforcers. Now, ISPs, on the other hand, have a real reason to throttle encrypted traffic (they can't sell encrypted tunnel traffic to ad agencies.)

Re:Passive monitoring is all that is necessary (1)

skids (119237) | about a year ago | (#44662091)

It's hypothetically possible that ISPs might be influenced to route traffic to physically pass through a NOC where taps are in place, the extra hops causing latency.

Though I do think OP is jumping the gun just a bit.

Passive monitoring is NOT all that is necessary (0)

Anonymous Coward | about a year ago | (#44662307)

All government tapping is span port based. This means that it is passive, not active, so there is no latency involved.

All of it's passive? That's ridiculous. Web browsers and command-line SSH clients are the only things I use that even tell me when they're suspicious about a MitM. Everything else just uses "encryption" like it's some kind of magic, never bothering to look at the key fingerprints, compare to last time, look it up, etc. Think for a moment, and you'll see there's a lot of plaintext to be gained, by anyone who can bear the expense of active tapping.

And if users put up with things getting mysteriously slower, then the expense might not be so high.

Could be a peering/ISP contract dispute (0)

Anonymous Coward | about a year ago | (#44661591)

When innocent people are getting the shaft, greed is frequently the culprit.

Traffic Intercept and VPN (5, Informative)

AaronW (33736) | about a year ago | (#44661617)

Years ago I worked on a broadband remote access server and one requirement we got was to support lawful traffic interception. Basically all law enforcement wanted was a copy of all of the packets. Packets are not slowed down or stopped by this process.

In my case the hardware was just not capable of doing what was needed but there was plenty of off the shelf hardware that could be installed in the network to provide the filtering and packet mirroring needed.

It is possible that one of the VPN's upstream providers is running into congestion. One of the best ways I have found is to use traceroute. At one time I was getting unusable Internet connectivity through AT&T after they acquired my local cable modem network from @Home. It took them many months to discover that throttling all aggregate upstream traffic to 128Kbps is a bad idea. As much as people bitch and moan about Comcast, it is lightyears better than anything I got through AT&T. In this case, traceroute clearly showed where packets were getting delayed and dropped, which was one of the routers inside AT&T.

Unfortunately, for a VPN this is much more difficult since the Internet hops are hidden via the tunnel.

There are many different ways to tunnel traffic. If the tunnel is Microsoft's PPTP protocol then it's not very secure. If on the other hand it is using IPSec then it should be a lot more secure. There are also other tunneling protocols that do not specify any encryption, i.e. MPLS.

Re:Traffic Intercept and VPN (0)

Anonymous Coward | about a year ago | (#44661719)

Unfortunately, for a VPN this is much more difficult since the Internet hops are hidden via the tunnel.

OpenVPN is SSL, he can just traceroute the ip of the vpn server.
That only shows problems due to congestion and such, not intentional stuff.
Traceroute is very limited in what it can show.

-HasH @ TrYPNET.net

Re:Traffic Intercept and VPN (2)

skids (119237) | about a year ago | (#44662081)

Paratrace (or whatever its descendants might be called these days) might yield a bit more accurate information. Both rely on interim hops playing by ICMP rules. Many of the highly utilized hops have at least throttled ICMP responses to conserve CPU, so you need to be careful to not just firehose test packets.

OP might probably calm down and remember not to attribute to malice what can be explained by stupidity. A simple change in fragmentation, buffering depth, or the ever misguided per-flow fairness AQM that pops up from time to time could have drastic effects on an SSL tunnel.
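Both AaronW's point that traceroute showed where packets were being delayed and dropped, and skids' caveat that busy hops rate-limit ICMP replies, come down to reading per-hop output carefully. The following is an added example, not code from any poster: it parses Linux-style traceroute output (a constructed sample is embedded), reports which hops answered nothing, and finds the first hop where median RTT jumps by more than a threshold. A silent hop is reported separately rather than treated as loss, and a jump only counts as sustained if every later responding hop stays elevated; a single hop with high RTT that later hops do not share is usually that router's own slow ICMP generation, not a forwarding problem. The 100 ms threshold is an assumption chosen for the sample.

```python
import re
from statistics import median

# Constructed sample traceroute output (not from the thread). Hop 5 answers no
# probes (typical ICMP rate limiting); RTT jumps at hop 7 and stays high after it.
SAMPLE_TRACEROUTE = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  1.102 ms  0.987 ms  1.050 ms
 2  198.51.100.1 (198.51.100.1)  9.410 ms  9.201 ms  9.877 ms
 3  198.51.100.17 (198.51.100.17)  12.330 ms  11.904 ms  12.105 ms
 4  198.51.100.33 (198.51.100.33)  41.008 ms  40.511 ms  40.970 ms
 5  * * *
 6  203.0.113.1 (203.0.113.1)  118.402 ms  117.990 ms  118.811 ms
 7  203.0.113.5 (203.0.113.5)  612.700 ms * 598.123 ms
 8  203.0.113.10 (203.0.113.10)  615.004 ms  620.377 ms *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")   # leading hop number
RTT_RE = re.compile(r"([\d.]+)\s*ms")       # each probe's round-trip time


def parse_traceroute(text):
    """Return one dict per hop: number, host (None if silent), RTT list, lost probes."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line
        hop, rest = int(m.group(1)), m.group(2)
        rtts = [float(x) for x in RTT_RE.findall(rest)]
        host = rest.split("(")[0].strip() if rtts else None
        hops.append({"hop": hop, "host": host, "rtts": rtts, "lost": rest.count("*")})
    return hops


def analyze(hops, jump_ms=100.0):
    """Locate the first hop whose median RTT exceeds the previous responding hop's by
    more than jump_ms. Silent hops are listed, not counted as loss: a router that
    drops probes may simply be rate-limiting ICMP while forwarding normally."""
    silent = [h["hop"] for h in hops if not h["rtts"]]
    prev_med, jump = None, None
    for h in hops:
        if not h["rtts"]:
            continue
        med = median(h["rtts"])
        if prev_med is not None and med - prev_med > jump_ms:
            # Only a jump shared by every later responding hop points at the path;
            # an isolated spike is the hop's own ICMP processing delay.
            later = [median(x["rtts"]) for x in hops if x["rtts"] and x["hop"] > h["hop"]]
            jump = {
                "hop": h["hop"],
                "host": h["host"],
                "delta_ms": round(med - prev_med, 1),
                "sustained": all(l - prev_med > jump_ms for l in later),
            }
            break
        prev_med = med
    reached = bool(hops) and bool(hops[-1]["rtts"])
    return {"silent_hops": silent, "latency_jump": jump, "destination_reached": reached}


if __name__ == "__main__":
    print(analyze(parse_traceroute(SAMPLE_TRACEROUTE)))
```

Run the real thing with `traceroute -n -q 5 <host>` piped in; more probes per hop make the median robust against the occasional rate-limited reply.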

Re:Traffic Intercept and VPN (3, Interesting)

whoever57 (658626) | about a year ago | (#44661723)

At one time I was getting unusable Internet connectivity through AT&T after they acquired my local cable modem network from @Home. It took them many months to discover that throttling all aggregate upstream traffic to 128Kbps is a bad idea. As much as people bitch and moan about Comcast, it is lightyears better than anything I got through AT&T.

When AT&T was providing cable Internet to me, there was a time when my IPsec VPN did not work. The VPN apparently connected, but data traffic never made it through. Other people complained, but AT&T claimed they were doing nothing to VPNs. Using tcpdump at both ends, I could see that the media (udp/500) was not getting through while the AH and ESP packets (required to set up the connection) were getting through. Clearly AT&T was blocking VPNs, but in such a way that it would not be obvious to the average user what was wrong. Pure evil.
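The two-ended tcpdump comparison in the post above is the most reliable way to tell selective, per-protocol filtering from ordinary congestion: congestion drops a little of everything, while filtering removes one class entirely. As an added example (not the poster's code), the block below takes tcpdump-style summary lines from both ends of an IPsec tunnel, classifies each packet as IKE (udp/500), ESP-in-UDP (udp/4500), ESP (IP protocol 50), AH (IP protocol 51) or other, and reports per class how many were sent versus received. The capture text is constructed for the example; in it ESP never arrives while IKE and AH do.

```python
import re
from collections import Counter

# Constructed tcpdump-style summaries for the same session, sender side and receiver
# side (sample data, not a real capture). ESP is present only at the sender.
SENDER_CAPTURE = """\
10:00:00.000100 IP 192.0.2.10.500 > 203.0.113.10.500: isakmp: phase 1 I ident
10:00:00.050200 IP 192.0.2.10.500 > 203.0.113.10.500: isakmp: phase 1 I ident
10:00:00.120300 IP 192.0.2.10.500 > 203.0.113.10.500: isakmp: phase 2/others I oakley-quick
10:00:01.000400 IP 192.0.2.10 > 203.0.113.10: ESP(spi=0x0000abcd,seq=0x1), length 132
10:00:01.020500 IP 192.0.2.10 > 203.0.113.10: ESP(spi=0x0000abcd,seq=0x2), length 132
10:00:01.040600 IP 192.0.2.10 > 203.0.113.10: ESP(spi=0x0000abcd,seq=0x3), length 132
10:00:01.060700 IP 192.0.2.10 > 203.0.113.10: AH(spi=0x0000ab01,seq=0x1): ICMP echo request
"""
RECEIVER_CAPTURE = """\
10:00:00.200100 IP 192.0.2.10.500 > 203.0.113.10.500: isakmp: phase 1 I ident
10:00:00.250200 IP 192.0.2.10.500 > 203.0.113.10.500: isakmp: phase 1 I ident
10:00:00.320300 IP 192.0.2.10.500 > 203.0.113.10.500: isakmp: phase 2/others I oakley-quick
10:00:01.260700 IP 192.0.2.10 > 203.0.113.10: AH(spi=0x0000ab01,seq=0x1): ICMP echo request
"""

IKE_PORT_RE = re.compile(r"\.500 > \S+\.500:")


def classify(line):
    """Map one tcpdump summary line to the IPsec traffic class it belongs to."""
    if "isakmp" in line or IKE_PORT_RE.search(line):
        return "IKE (udp/500)"
    if ".4500 >" in line:
        return "ESP-in-UDP (udp/4500)"
    if "ESP(" in line:
        return "ESP (ip proto 50)"
    if "AH(" in line:
        return "AH (ip proto 51)"
    return "other"


def compare_captures(sent_text, recv_text):
    """Per traffic class: packets seen leaving the sender vs arriving at the receiver."""
    sent = Counter(classify(l) for l in sent_text.splitlines() if l.strip())
    recv = Counter(classify(l) for l in recv_text.splitlines() if l.strip())
    report = {}
    for cls, n_sent in sent.items():
        n_recv = recv.get(cls, 0)
        verdict = "blocked" if n_recv == 0 else ("lossy" if n_recv < n_sent else "ok")
        report[cls] = {"sent": n_sent, "received": n_recv, "verdict": verdict}
    return report


def selective_filtering(report):
    """True when at least one class arrives intact while another never arrives:
    the signature of a per-protocol filter rather than general congestion."""
    verdicts = {v["verdict"] for v in report.values()}
    return "blocked" in verdicts and "ok" in verdicts


if __name__ == "__main__":
    rep = compare_captures(SENDER_CAPTURE, RECEIVER_CAPTURE)
    for cls, row in rep.items():
        print(f"{cls:24s} sent={row['sent']} received={row['received']} {row['verdict']}")
    print("selective filtering:", selective_filtering(rep))
```

Capture on both ends with matching filters (for example `tcpdump -n 'host <peer> and (udp port 500 or udp port 4500 or esp or ah)'`), save with `-w`, then feed `tcpdump -n -r` output to the parser. Capture windows on both ends must overlap, otherwise packets sent before the receiver started listening will be miscounted as blocked.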

Re:Traffic Intercept and VPN (1)

BitZtream (692029) | about a year ago | (#44661777)

Unfortunately, for a VPN this is much more difficult since the Internet hops are hidden via the tunnel.

No they aren't, you just traceroute to the VPN host.

If the tunnel is PPTP, that's probably why it sucks, PPTP is horrible without perfect low latency connections. ... When did MPLS become a tunneling protocol instead of a switching protocol? You can't exactly use it outside of your own network. I guess you could technically piggyback it on top of some other protocol, but that's like running iSCSI over SCSI, which you connect to over iSCSI.

Re:Traffic Intercept and VPN (2)

wvmarle (1070040) | about a year ago | (#44661955)

In the end what OP wants to be answered, is the question whether his provider throttles traffic. The odds are the provider does this.

To test, you don't need traceroute necessarily.

Are all connections to the VPS slow? Only VPN or also http, smtp, ssh, etc? Then there certainly is an issue on that specific connection.

Try to find another server within the same data centre to connect to (same route for the packets to get there), see what happens.

Find a server in a different location, same protocols, and see what happens.

Have someone test your server from a different location (or do this yourself using a proxy somewhere), see what happens.

If you can connect fast to other servers, and other people can connect fast to your server, then the problem is almost certainly intentional throttling of your IP by your provider. To confirm, try to move your server to another IP address (I'm aware this is easier said than done) - the connection should be better.

Except for the very last step, OP did this all already according to description. Conclusion should be quite clear, and a call to ISP complaining about this issue would be appropriate.
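The procedure wvmarle lays out, together with girlintraining's suggestion earlier in the thread to time TCP handshakes to several ports and several destinations, amounts to a small comparison matrix. The block below is an added example (not any poster's code) that times the TCP three-way handshake to each target with `socket.create_connection`, takes the median over a few attempts, and then applies the comparison logic from the post: several ports on the VPS, another host in the same data centre, and a host somewhere else. The label convention (`vps:<service>`, `same_dc_other`, `other_location`), the sample targets and the ×5 "clearly slower" factor are assumptions made for the example; the decision function works on any dict of per-target medians, so you can feed it download throughput figures instead if you invert the comparison.

```python
import socket
import time
from statistics import median


def tcp_connect_ms(host, port, timeout=3.0):
    """Time one TCP three-way handshake in milliseconds; None if refused or timed out.
    The handshake completes before any application data, so this measures the path
    and the host's TCP stack, not the service behind the port."""
    t0 = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except OSError:
        return None
    return (time.perf_counter() - t0) * 1000.0


def probe(targets, samples=5):
    """targets: {label: (host, port)} -> {label: median handshake ms, or None}."""
    out = {}
    for label, (host, port) in targets.items():
        times = [t for t in (tcp_connect_ms(host, port) for _ in range(samples)) if t is not None]
        out[label] = median(times) if times else None
    return out


def diagnose(ms, factor=5.0):
    """Apply the thread's comparison steps to per-target medians (lower is better).
    Label convention (assumed for this example): 'vps:<service>' for ports on the
    suspect host, 'same_dc_other' for a neighbour in the same data centre,
    'other_location' for a host on an unrelated route."""
    vps = [v for k, v in ms.items() if k.startswith("vps:") and v is not None]
    same_dc, elsewhere = ms.get("same_dc_other"), ms.get("other_location")
    if not vps:
        return "vps unreachable on every port: host down or its address blackholed"
    if len(vps) > 1 and max(vps) > factor * min(vps):
        return "one service on the VPS is far slower than the others: port/protocol-specific shaping or a slow service"
    vps_med = median(vps)
    if same_dc is not None and vps_med > factor * same_dc:
        return "only this address is slow while its neighbour is fine: per-IP throttling or a host-side problem"
    if same_dc is not None and elsewhere is not None and same_dc > factor * elsewhere:
        return "the whole route to that data centre is slow: congestion or a peering problem, not this IP"
    return "no clear anomaly in this sample; repeat at different times of day"


def start_local_listener():
    """Open a loopback listener so the measurement can be exercised offline.
    Returns (socket, port); the kernel completes handshakes without accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener()
    print("loopback handshake:", probe({"loopback": ("127.0.0.1", port)}, samples=3))
    srv.close()
    # Constructed measurements standing in for the matrix in the post (sample values).
    sample = {"vps:http": 900.0, "vps:ssh": 880.0, "vps:openvpn": 910.0,
              "same_dc_other": 150.0, "other_location": 140.0}
    print(diagnose(sample))
```

For real use fill `targets` with the VPS on 80/443, 22 and the OpenVPN port (TCP mode, or a TCP service on the same host), plus the two reference hosts, and run it several times across the day; one run that says "no clear anomaly" during a quiet hour tells you little about the evening.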

Re:Traffic Intercept and VPN (2)

Aguazul2 (2591049) | about a year ago | (#44662267)

Except for the very last step, OP did this all already according to description. Conclusion should be quite clear, and a call to ISP complaining about this issue would be appropriate.

Calling Telefonica is not a solution to anything, unfortunately. They can't even get billing right. They obviously do have some technical people somewhere, and mostly they do a pretty good job, because uptime is good and we haven't seen many problems otherwise. The customer-facing people though ... what can I say ... Until you learn how to make an official complaint and involve the regulator, you can't even get basic billing and contract problems solved. The chance of making progress with some obscure technical complaint is nil. They are also a monopoly in many parts of Peru.

I find... (1)

djupedal (584558) | about a year ago | (#44661637)

- that the (NSA?) taps are one-way feeds, not redirects/bounces. We just put up two local time-lapse job site camera feeds, and the already routes show one-way feeds from San Francisco, straight to Virginia. The feeds originate in the North West...

The Internet is a (messy) series of tubes (5, Informative)

Sarten-X (1102295) | about a year ago | (#44661641)

My office Internet connection recently went from about 30Mbps down to 1.5Mbps, then back to 50Mbps a month later. No explanation, and speed tests to our ISP all came through at full speeds. We only saw problems on routes going outside our city and headed west. There were also a few inaccessible sites, but those were in very specific local areas. Ultimately, the best guess anyone could come up with is that a network to the west of our city had some routing problems.

We weren't the only customers to complain about a slowdown, but our ISP couldn't really do much about it. The Internet is made up of many networks working together, and sometimes shit happens. I wouldn't jump so quickly to assume it's non-neutral throttling or the NSA, when it could just be a careless guy with a badly-aimed backhoe. Give it some time, see if it improves, and if not, it may be time to move your VPS.

As an aside, you're likely going through New York because that's how you're reaching Europe to get to your UK-based VPS. Many transatlantic cables end in New York City [cryptome.org] , mostly because the stock market pays dearly for the few nanoseconds of lower latency.

Re:The Internet is a (messy) series of tubes (0)

Anonymous Coward | about a year ago | (#44662009)

If the issue is specific local hubs and routers, it seems to me real time monitoring and distributed info about the problem areas would assist both local and remoter admins to diagnose and resolve the issues. This would assist the internet generally, not just particular users or regions.

JJ

Don't believe your provider... (1)

djupedal (584558) | about a year ago | (#44661647)

You're being throttled.

is the NSA taking candy away from kids too? (1, Interesting)

alen (225700) | about a year ago | (#44661673)

why would they care about your pirated or whatever TV?

a super secret US intelligence agency that employs some of the smartest mathematicians in the world is going to care about people's pirated movies instead of tracking down our enemies so the military can kill them

Re:is the NSA taking candy away from kids too? (0)

Anonymous Coward | about a year ago | (#44661707)

you know, for a "super secret" agency, an awful lot of people know about them...

Re:is the NSA taking candy away from kids too? (4, Informative)

BLKMGK (34057) | about a year ago | (#44661863)

Did you not watch the video from the Dot Com mansion raid? lol

Re:is the NSA taking candy away from kids too? (0)

Anonymous Coward | about a year ago | (#44661879)

A super secret agency that employs some of the best GED having non-college going doofuses around?

Re:is the NSA taking candy away from kids too? (1)

ehack (115197) | about a year ago | (#44661897)

They have to track every byte of every peer to peer transaction, in case someone is using modified clients to communicate.
Also, they are ordered to retain every single phone sex conversation between non US persons, in case blackmail material is required some decades later for commercial or diplomatic purposes.

Re:is the NSA taking candy away from kids too? (1)

wvmarle (1070040) | about a year ago | (#44661975)

They care about what you send over that connection. They do want to know. As long as you're watching the BBC, they won't care much.

But as soon as you switch to jihad-TV, they will care, and to know whether you do so, they'll have to keep on monitoring your BBC broadcast stream, to make sure you're not secretly switching networks. Or as soon as you switch to some encryption method resulting in them only seeing random bits, they also start to care about your connection.

And with the suspect j-word twice in this comment it'll likely be flagged and added to my dossier.

Re:is the NSA taking candy away from kids too? (1)

Aguazul2 (2591049) | about a year ago | (#44662279)

They care about what you send over that connection. They do want to know. As long as you're watching the BBC, they won't care much.

Well my VPN is encrypted so they don't know what I'm transferring, although I don't use it for anything sensitive. I guess if I turned off all the encryption and it was still throttled then that would eliminate the NSA as the culprits.

Re:is the NSA taking candy away from kids too? (1)

wvmarle (1070040) | about a year ago | (#44662363)

It won't eliminate the NSA. It only suggests that there is no man in the middle doing decryption/encryption. NSA won't work as MiM; that'd be too easy to detect; and that's also not necessary for listening to a signal (regardless of whether they can decrypt it).

Re:is the NSA taking candy away from kids too? (0)

Anonymous Coward | about a year ago | (#44661997)

Aren't some of the smartest computer engineers in the world employed simply to figure out the best way to deliver targeted advertising to you that you can't skip or ignore?

Re:is the NSA taking candy away from kids too? (1)

WhatAreYouDoingHere (2458602) | about a year ago | (#44662005)

Evidence. You never know when you might need to bankrupt/incarcerate/whatever someone, anyone ... everyone!

Re:is the NSA taking candy away from kids too? (1)

sacrilicious (316896) | about a year ago | (#44662171)

why would they care about your pirated or whatever TV? a super secret US intelligence agency that employs some of the smartest mathematicians in the world is going to care about people's pirated movies instead of tracking down our enemies so the military can kill them

I assume you meant "*isn't* going to care". And you have some starry eyes, my friend... you seem to think that the NSA must be like a James Bond movie. But once corruption becomes the operating mindset (and it has), it all ends up being about the same thing: the non-equal concentration of wealth and power. And the movie industry is very wealthy and powerful.

Re:is the NSA taking candy away from kids too? (0)

Anonymous Coward | about a year ago | (#44662205)

Oh but they do care. Our security services didn't give a fuck when the Russians handed them the Tsarnaev brothers on a platter. They couldn't be bothered to watch them.

The NSA/CIA/FBI/CBP don't give a shit about security. It's all about maintaining the integrity of our economic Iron Curtain for the protection of local businesses. Particularly the MPAA. And I wouldn't be surprised if the Five Eyes were driven by similar motives. GCHQ is more concerned with losing their TV tax than stopping the next tube bombing. That's where I'd look for the choke point in the OP's connection.

Re:is the NSA taking candy away from kids too? (0)

Anonymous Coward | about a year ago | (#44662217)

Yup. Senator gets big bucks from entertainment industry and sits on the right committees, it could happen. Craven is as craven does.

From an ISP network engineer (5, Insightful)

Anonymous Coward | about a year ago | (#44661691)

If you are a US ISP, it is required that you have monitoring in place. If you don't want to hamper your entire infrastructure while doing so, you get a bunch of taps and install them all over your network. One very good provider for this is Gigamon. Taps do not add any latency in your traffic. They are completely invisible to all other network devices. Traffic shaping (throttling) is done by the source typically but can be done at the destination ISP. Basically, your connection is assigned a Package in the Shaper. The packages determine how fast each classification group of traffic is allowed to go. Classifications are determined by whoever manages the shaper for that ISP. Shapers can also dynamically change the speed you are allowed to have for a classification group based on bandwidth used, time used, and volume of traffic.

If you are not throttled from Germany to your home but are from Peru to your home, chances are you are throttled from your ISP in Peru. It is typical for transits to cross borders, so your traffic going through NYC is normal. BGP (the routing protocol of the internet) determined that to be the best path. This is mostly managed, but is still fairly dynamically determined by the routing protocol.

Course of action: Switch ISPs, get a new IP address (if they are not very good at configuring a shaper this will work, otherwise not), try a proxy, stop using it for a day or more and it will go away (temporarily most likely). This is done dynamically in the shaper. There is not some dude with his finger on a 'throttle' button. Everything is automatic. Just figure out how their throttling deterministic state diagram works and you can avoid throttling. Most likely they are throttling you because of your volume of use. It costs a lot for transit access and you are using more than most others by streaming through a VPN.

Re:From an ISP network engineer (1)

tlambert (566799) | about a year ago | (#44662027)

Switching ISPs is one option.

SSRR (Source Routing) will also work.

If you think it's because of the encryption, switch to using PPPoE and see if the problem resolves itself.

Also, you can do TCP active probing to see which intermediate hop(s) actually have the slowdown; these are the same techniques used to detect black hole routes for when an ISP blocks ICMP packets, and you can use PMTU discovery.

Re:From an ISP network engineer (1)

Aguazul2 (2591049) | about a year ago | (#44662309)

Course of action: Switch ISPs, get a new IP address (if they are not very good at configuring a shaper this will work, otherwise not), try a proxy, stop using it for a day or more and it will go away (temporarily most likely). This is done dynamically in the shaper. There is not some dude with his finger on a 'throttle' button. Everything is automatic. Just figure out how their throttling deterministic state diagram works and you can avoid throttling. Most likely they are throttling you because of your volume of use. It costs a lot for transit access and you are using more than most others by streaming through a VPN.

Thanks for the explanation and suggestions. The volume of use is not excessive, typically 20GB a month, 40GB max. But maybe the shaper is very sensitive, because the bandwidth peaks are quite high probably. So perhaps I could try and limit the peak bandwidth used to avoid triggering it as another option.

If it's for real - show us traceroute output (0)

Yomers (863527) | about a year ago | (#44661693)

Sorry, telepaths are currently on a vacation. Show us traceroute output from your home to VPS and from VPS to home IP.

Yeah, and not to offend you but just in case - please erase the last digits of your home and VPS IPs before posting, or you may end up with no connectivity at all ;)

OMG NSA SPOOK SCARY! (1, Insightful)

BitZtream (692029) | about a year ago | (#44661695)

Seriously, get a grip. Your precious little VPN is something they do not give a single flying frak about.

IF they did, you would never know. Duping a packet to another port for the NSA costs you exactly 0 in latency. It's done in silicon, and it's no different than a broadcast packet as far as the hardware is concerned, i.e. 0 performance penalty.

You're pointing fingers at people and you have no clue what's going on. I can say that safely from your post.

As they say, when in America ... when you hear the sound of pounding hooves ... you don't look for zebras, you look for horses.

I suggest you look for a more sane reason, start by dropping your paranoia.

Re:OMG NSA SPOOK SCARY! (1)

Yomers (863527) | about a year ago | (#44661893)

Anyway it's just as easy to tap traffic after it exits the VPN endpoint in the UK, so your UK VPN does not hurt anyone, use it if it makes you content. It will always be slower - all your traffic will be routed through your UK VDS, so latency to a given website will be the sum of latency from your home to the UK VDS and from the UK VDS to the given website.

But yes, now you can watch BBC online - it will not let you with non UK IP. And to watch hulu you need US IP. And if you live in one of the countries in growing "Wanna Great Firewall like in China" club...
No, internet is not fragmented, no, no. Ok, maybe just a bit. For now.

Always yours, Captain Obvious.

Probably not sinister, but you never know... (4, Interesting)

Above (100351) | about a year ago | (#44661703)

I work in the ISP industry, and here's my $0.02...

The NSA (or other spies), not likely. Everything I have ever seen about what they do is passive monitoring. What that means is that somewhere there is a pretty dumb device (like an optical splitter) that takes one signal and makes two copies, one goes to the NSA, one on to its destination. In this arrangement there is no way for the NSA to inject data at all, including slowing it down. I am highly skeptical any government spying is the direct cause. It may be indirect, I'll come back to that in a minute.

Rate shaping is entirely possible, and would be most likely in your immediate provider. It's entirely common for residential consumer ISPs to employ products like Sandvine, or even more crude QOS controls to rate limit particular types of traffic (e.g. VPN or VOIP). Most won't admit to what they are doing as well.

Rate shaping is less likely, but possible at the country level. This is seen mostly in countries with strong government controls on technology (think Iran, China, North Korea). Egypt was doing it at one point in time. I'm not an expert on Peru, but I would not expect this problem in Peru.

Lastly, there is plain old congestion. Likely your ISP has multiple paths to reach Europe, riding undersea cables. These are the most expensive assets an ISP owns, and often get congested before they get upgraded. It's entirely possible for instance there is one cable they use from South America to Western Europe that is congested, while another goes from South America to the US and is fine. You can probably map these routes out by traceroute, and may find that particular routes always show poor performance. This also happens, but to a lesser degree, where two ISPs meet. There can be peering disputes, or one customer may not order enough capacity from their vendor. Either way the result is full ports that degrade service for everyone passing through them.

Now, here's where the spies come back in. If a particular spy agency decrees "all new connections must have our spy apparatus on them" they can in fact be the delay to a new connection getting set up. It's not that they are delaying any packet traffic once it is up, but rather they are delaying the installation by not having their equipment ready on time for a new connection. I don't think this happens often, but I'm sure it does happen in some places.

So sadly, this is probably some plain old incompetence/bad luck. Someone either could not afford a timely upgrade, or didn't correctly order an upgrade early enough to get it installed before there was a problem, and there's now congestion somewhere. If it's not bad luck it's probably your provider deciding your particular type of traffic is "bad", and should be rate limited down.

Some suggestions (4, Informative)

EmperorArthur (1113223) | about a year ago | (#44661743)

Some more info would be appreciated. So, here's the basics of a few things you can do to make sure it really is the network*. First use iperf on the client and server. Test it on both the tunnel interface and the WAN interface. Second, use top via a separate ssh session. Make sure OpenVPN isn't eating all your CPU or memory. Lastly, what provider are you using? Lately the default Debian build that Edis.at gave me needs an ifconfig up/down every other day.

I've had a similar problem when using my own VPS as an HTTP proxy via OpenVPN. It turned out, the proxy application was crap. Allowing the machine to route packets and using it as a default gateway for all traffic fixed the problem, or at least worked around it.

Now. If it really is blocking, there are a couple of ways around it. The more complicated ones involve using some other VPN application. When dealing with more than one client, that rapidly becomes annoying. A simple one is using an SSH connection as a SOCKS proxy for your browser. It's not elegant, but it works. Another way is to mask your OpenVPN connection by encapsulating the UDP or TCP packets. Once again, SSH port forwarding works, but that's a TCP solution. socat was designed to do things like that, so it seems like a good choice. Finally, there's Ping Tunnel. It embeds traffic in ICMP packets.

Whoever is throttling you might detect one or more of these, but they're probably using some sort of signature based detection. Just about anything that requires a command line should get through.

Remember, since you are technically savvy enough to roll your own, you are the one percent. Good luck, and please let us know how it goes.

*I know you're probably familiar with all of these things. Just assume that I put this section here for those who aren't.

Re:Some suggestions (1)

Aguazul2 (2591049) | about a year ago | (#44662161)

Thanks for suggesting iperf -- I'd not tried it. I ran through their tests. Both TCP and UDP show about 400kbps on the WAN interface. Running 4 parallel connections for TCP also adds up to around 400kbps more or less, so more connections doesn't actually help, it seems. Over the tunnel I also get about 400kbps. I seem to get much less than 400kbps in practice but the order of magnitude from iperf is right. 'top' doesn't go below 99% idle. I'm running Debian stable. The only thing I have from the host is the kernel. Nothing changed around the time when the bandwidth drop started. I don't use a proxy, just route traffic as you say.

I appear to be in a throttled state right now for that IP address. Maybe they'll release the throttling at some point. Then the question is how not to trigger it again. If it is just bandwidth and IP address based, then whatever approach I take will not make a difference -- except Ping Tunnel maybe. I don't get through more than 20GB a month, though, it is not excessive. If it is signature-based, then yes maybe I can change something and not trigger it.

Wrappers would only be useful to evade signature detection, though. I already tried OpenVPN UDP, OpenVPN TCP and plain HTTP and they're all slow right now. I've kept a list of your suggestions to try if/when I'm unthrottled. Thanks for the ideas.

Re:Some suggestions (1)

EmperorArthur (1113223) | about a year ago | (#44662231)

Glad to help.

The reason why I think many of the wrappers will work is just because they aren't commonly used. Right now people can go pay for an OpenVPN service and download an installer that will do all the work for them. Like tor, OpenVPN is a big target.

The only other thing I can think of is ping times.* It might not look like it, but HTTP is horribly latency sensitive. After every web page is loaded, all the images and javascript are downloaded. Repeat for about a dozen times because javascript is horrible. So, try noscript, it might speed up your browsing. It certainly will make quite a few web pages less annoying.

*Once again, you probably already know this. Keep assuming that I'm just ranting for the noobs. We all were naive at some point. Then some helpful soul points us to TV Tropes [tvtropes.org] or 4chan [4chan.org] .

ask slashdot: (1)

Anonymous Coward | about a year ago | (#44661803)

sometimes when I wake up, there's white goo all over my penis. It wasn't there when I went to sleep! Do you think the NSA is breaking into my house and doing something to me?

Re:ask slashdot: (0)

Anonymous Coward | about a year ago | (#44661813)

Yes.

Re:ask slashdot: (4, Funny)

Sarten-X (1102295) | about a year ago | (#44661941)

No. That's the KGB. Since the alleged fall of the Soviet Union, they've had to run their operations under far more secrecy than ever before. Sometimes, this means they have to leave a job before they have a chance to clean up entirely.

In your case, you've become a test subject for the Soviet loyalists' conspiracy to sap and impurify all of our precious bodily fluids. They are attempting to steal your very essence, and it is your patriotic duty to resist them. Place loaded mousetraps around your bed to damage the stealth robots that are invading your sanctuary of slumber. To prevent their essence-extractor from invading your body, apply a liberal coating of cyanoacrylate to your penis before sleep. It may cause an unusual sensation, but that's far better than the empty fatigue the Communists will inflict.

The NSA is actually fully aware of this conspiracy, and you should assist their efforts to protect our precious bodily fluids. As it is clear that the Red Menace is most interested in corrupting your penis, you must aid the resistance research that is underway. As the NSA must also keep their research secret, no scientists will contact you directly, but you can still contribute to the noble cause by announcing publicly every time your penis functions normally, and especially whenever it does not. This is best accomplished by loudly shouting your results from an open second-story window, followed by displaying your penis for remote optical inspection. Be sure to announce that you are a subject of General Jack Ripper's studies.

The Soviet collapse was a sham, designed to lull the Americans into a false sense of security. The KGB have not given up, and neither can we. God willing, we will prevail, in peace and freedom from fear, and in true health, through the purity and essence of our natural fluids.

KEEP IT LOCAL!! (-1)

Anonymous Coward | about a year ago | (#44661835)

Do not go to UK !! Stay in your own country !! Seriously !! Or move to the UK !! Germany will take anyone !!

Tinfoil hat much? (0)

Anonymous Coward | about a year ago | (#44661861)

Seriously man, I thought I had a healthy level of paranoia but this is a+ comedy material here :D

WTF... (-1)

Anonymous Coward | about a year ago | (#44661953)

You're dumb as a box of rocks. Please fucking die already.

Re:WTF... (0)

Anonymous Coward | about a year ago | (#44662135)

It seems you ain't much smarter either. :D

I don't see how it isn't (1)

rsilvergun (571051) | about a year ago | (#44662061)

the ISPs will buy off Congress, meanwhile even suggesting we regulate the ISPs to enforce net neutrality is met with jeers about bureaucracy. Way I see it we're damned if we don't in that scenario, but I'm in the minority :(.

Traceroute is to mainly fix routing problems today (3, Informative)

Anonymous Coward | about a year ago | (#44662067)

Many ISPs perform what is known as ICMP rate limiting. Traceroute and Ping both use this ICMP protocol *I'm not going to get into semantics* where as you start traversing the internet past your internet service provider your pings and such to any point along the path have a high chance of being dropped due to this. The only way to see your actual latency is using a host-to-host ping. From your source destination to your final destination. Traceroute acts as sending a ping to each and every hop in between the source and final destination (assuming the TTL doesn't expire or somebody's carrier firewall just doesn't start letting replies come back through, ie, multiple * * * responses but still able to reach your end destination), they are in no way obligated to reply properly and or in a timely fashion to your Ping request. During the early days of the internet we didn't have many of the problems that we have today and these tools worked flawlessly during this time and really could tell you where your latency is (these tools still function normally in a local LAN if you are not doing any "crazy" firewalling tactics). This is no longer the case with ping and traceroute.

IN EXTREME CASES it may be possible to route around other carriers using private tunnels. It's not something your average Joe will likely be able to accomplish without multiple services across the country or paying for some sort of service to do so. AKA you are a business with $$$$. There are instances where it can be done, but they are few and very far in between.

If your ISP only has 1 way out to reach specific destinations which are having problems, provide them traceroutes showing them good responses AND bad responses from when and where you are seeing the problem. The only thing a carrier is going to care about is your "average" response time in milliseconds, not your "maximum" response time.
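To read a traceroute the way this post argues (only the end-to-end figure is worth quoting, and a hop that stays silent or answers slowly proves nothing about the path), here is an added Python example that is not from the thread. The traceroute output it parses is constructed from documentation addresses, and the 50 ms threshold for calling something a "latency step" is an assumed value.

```python
import re
import statistics
from dataclasses import dataclass, field

# Constructed sample, not a real capture. Hop 3 filters ICMP entirely, hop 5
# rate-limits it (two of three probes dropped) and hop 6 answers one probe
# late, while the destination itself answers every probe promptly.
SAMPLE_TRACEROUTE = """\
traceroute to vps.example (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.102 ms  0.987 ms  1.040 ms
 2  10.20.0.1 (10.20.0.1)  9.511 ms  10.204 ms  9.874 ms
 3  * * *
 4  198.51.100.7 (198.51.100.7)  82.311 ms  81.905 ms  83.002 ms
 5  198.51.100.42 (198.51.100.42)  * 150.77 ms *
 6  192.0.2.9 (192.0.2.9)  410.511 ms  160.105 ms  161.332 ms
 7  203.0.113.10 (203.0.113.10)  171.201 ms  170.988 ms  171.455 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<hop>  <rest of line>"
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s+ms")       # "<number> ms"


@dataclass
class Hop:
    number: int
    rtts: list = field(default_factory=list)   # replies that came back, in ms
    probes: int = 3                            # probes sent (traceroute default)

    @property
    def replies(self):
        return len(self.rtts)

    @property
    def mean(self):
        return statistics.mean(self.rtts) if self.rtts else None


def parse_traceroute(text):
    """Turn Linux-style traceroute output into Hop records; '*' counts as a lost probe."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                        # header line or blank
        rest = m.group(2)
        rtts = [float(x) for x in RTT_RE.findall(rest)]
        hops.append(Hop(int(m.group(1)), rtts, len(rtts) + rest.count("*")))
    return hops


def analyze(hops, step_ms=50.0):
    """Classify hops the way the post above reads them and report end-to-end latency."""
    dest = hops[-1]
    reached = dest.replies > 0
    report = {
        "reached": reached,
        # the only numbers a carrier will act on: end-to-end mean (and max, for contrast)
        "end_to_end_mean_ms": round(dest.mean, 1) if reached else None,
        "end_to_end_max_ms": max(dest.rtts) if reached else None,
        "icmp_filtered_hops": [],        # no reply at all, yet later hops answered
        "icmp_rate_limited_hops": [],    # some probes answered, later hops answered
        "late_reply_hops": [],           # router answered slower than the destination did
        "latency_step_at_hop": None,     # first jump of > step_ms that persists to the end
    }
    last_replying = max((i for i, h in enumerate(hops) if h.replies), default=-1)
    prev_mean = None
    for i, h in enumerate(hops):
        if h.replies == 0:
            if i < last_replying:
                report["icmp_filtered_hops"].append(h.number)
            continue
        if i < last_replying and h.replies < h.probes:
            report["icmp_rate_limited_hops"].append(h.number)
        if reached and i < last_replying and h.mean > dest.mean:
            # the packet got to the destination faster than this router replied,
            # so the slow figure is the router's ICMP handling, not the path
            report["late_reply_hops"].append(h.number)
            continue
        if (prev_mean is not None and report["latency_step_at_hop"] is None
                and reached and h.mean - prev_mean > step_ms
                and dest.mean - prev_mean > step_ms):
            report["latency_step_at_hop"] = h.number
        prev_mean = h.mean
    return report


if __name__ == "__main__":
    for key, value in analyze(parse_traceroute(SAMPLE_TRACEROUTE)).items():
        print(f"{key}: {value}")
```

Feed it the output of a real traceroute run from each end (home to VPS and VPS to home, as suggested elsewhere in the thread) and compare the end-to-end means; a step that shows up in both directions at the same segment is what is worth taking to the provider.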

Blame the NSA (1)

nurb432 (527695) | about a year ago | (#44662079)

Paranoid much? They only make copies of the data to process off-line, they don't insert themselves into the data stream to do it in real time.

Bounce through SSH or use Tor (1)

SurfTheWorld (162247) | about a year ago | (#44662097)

Use OpenVPN in TCP mode (rather than its default UDP mode).

Then set up local ssh port forwards through a bounce host you know works well.

Instead of going from Peru --> UK instead go from Peru --> Localhost --> SSH bounce host in Germany --> UK.

Or try an onion network like Tor.

Obligatory Guide to Knowing Who Is Listening (1)

guttentag (313541) | about a year ago | (#44662189)

Martin Bishop: Sorry to waste your time, gentlemen. I don't work for the government.
Agent Wallace: We know. (flashes a badge) National Security Agency.
Martin Bishop: Oh. You're the guys I hear breathing on the other end of my phone.
Agent Wallace: No, that's the FBI. We're not chartered for domestic surveillance.
Martin Bishop: Oh I see. You just overthrow governments. Set up friendly dictators.
Agent Wallace: No, that's the CIA. We protect our government's communications. We try to break the other fella's codes. We're the good guys, Marty.
Martin Bishop: Gee, I can't tell you what a relief that is, Dick.

Courtesy of Sneakers [wikipedia.org] (1992) (video clip of the above here [youtube.com])

Slow data (0)

Anonymous Coward | about a year ago | (#44662193)

My computer is very slow. Do you think I should plug it in?

WTF is wrong with you (0)

Anonymous Coward | about a year ago | (#44662203)

NO. The NSA is not interfering with you watching your videos, you fucking schizoid.

Why on earth is /. now posting the delusions of the mentally disturbed? FFS your video streaming slows and you think it's sinister government agents? Get a fucking grip.

Misunderstanding PRISM (1)

longk (2637033) | about a year ago | (#44662227)

You're misunderstanding what PRISM supposedly does. (And you're not the only one.) PRISM does not cause any delays whatsoever - it's not a man-in-the-middle attack. It's simply a copy of all traffic on a fiber. Also an old fashioned "tap" on your Internet connection (usually port mirror at the ISP or Internet exchange) does not cause any delays.

Switch to a different VPS provider.

Reset your router buffers (0)

Anonymous Coward | about a year ago | (#44662251)

Disconnect all of the cables from your router (including power). Then shake it vigorously over your head. Reconnect and you'll be good to go. Repeat as needed.

Same problem! (0)

Anonymous Coward | about a year ago | (#44662297)

I've noticed the same thing. I play a lot of 1+1 lightning chess on freechess.org over Transatlantic connections, and several opponents have been complaining about my lag.

Freechess.org recently experienced a two-week downtime. I'm now led to believe it was the NSA installing some backdoor technology on the servers.

My most serious worry is that the NSA has gotten a whiff of my steganographic IP-over-lightning-chess tunnel and might be able to unscramble my security-through-obscurity encoding scheme.

(Note to opponents on freechess.org: I don't resign desperate positions because my steganographic scheme suffers unless the game terminates from the server end.)

Ridiculous, but ... (1)

dbIII (701233) | about a year ago | (#44662365)

Could the NSA be slowing all VPNs to/from South America because of Snowden and Greenwald?

Such a thing would be ridiculous and childish - however things like the diversion of an aircraft that didn't even have Snowden on it show that the NSA is being ridiculous and childish. Instead of toy soldiers and a way to funnel money out to friends in the private sector the task should be either handed over to military professionals with a focus on things that matter or abandoned entirely. Collecting more data than can be sorted let alone interpreted is a waste of time that just provides a false sense of security.

Discourage encryption? (1)

FishOuttaWater (1163787) | about a year ago | (#44662371)

If I was a law enforcement agency, I would certainly consider slowing down VPNs just to discourage people from using them. So much the easier for me to snoop.

Aside from all the speculative debate, a solution (0)

Anonymous Coward | about a year ago | (#44662403)

On Github there's actually a pull request for OpenVPN connection obfuscation. It's shown to help prevent shaping from DPI hardware/software setups.
https://github.com/OpenVPN/openvpn/pull/7
Also, if you don't feel like recompiling OpenVPN with the new patch, I'd switch VPNs to one in another datacenter. Run OpenVPN over TCP on port 443.

-A VPN Service Provider
