An Untold Story of Middleboxes in Cellular Networks Zhaoguang Wang1, Zhiyun Qian1, Qiang Xu1, Z. Morley Mao1, Ming Zhang2 1University of Michigan 2Microsoft Research 1{zgw, zhiyunq, qiangxu, zmao}@umich.edu [email protected] ABSTRACT 1. INTRODUCTION The use of cellular data networks is increasingly popular as net- Data cellular networks have undergone tremendous growth in re- work coverage becomes more ubiquitous and many diverse user- cent years due to the increasing popularity of mobile devices such contributed mobile applications become available. The growing as smartphones, tablets, and eBook readers. Their ever-growing cellular traffic demand means that cellular network carriers are fac- coverage and capacity have enabled a wave of flashy mobile appli- ing greater challenges to provide users with good network perfor- cations ranging from gaming and video to social networking. In mance and energy efficiency, while protecting networks from po- contrast to their Internet counterparts, cellular networks bear more tential attacks. To better utilize their limited network resources constraints due to the scarcity of physical resources in network in- while securing the network and protecting client devices the car- frastructure and mobile devices as well as the complexity in manag- riers have already deployed various network policies that influence ing these resources. Cellular carriers usually deploy various types traffic behavior. Today, these policies are mostly opaque, though of middleboxes to make efficient use of these precious resources they directly impact application designs and may even introduce and protect them from potential attacks. For instance, many carri- network vulnerabilities. ers use NAT (Network Address Translation) to provide data service We present NetPiculet, the first tool that unveils carriers’ NAT to millions of users over a limited public IP address space. They and firewall policies by conducting intelligent measurement. By also deploy firewalls to isolate mobile users from rampant mali- running NetPiculet on the major U.S. cellular providers as well as cious activities (e.g., worms and DoS attacks) on the Internet. deploying it as a smartphone application in the wild covering more Today, cellular network middleboxes and mobile applications are than 100 cellular ISPs, we identified the key NAT and firewall poli- independently managed by two groups of entities: cellular opera- cies which have direct implications on performance, energy, and se- tors (e.g., AT&T, T-Mobile) and application developers. The lat- curity. For example, NAT boxes and firewalls set timeouts for idle ter group is often unaware of the middlebox policies enforced by TCP connections, which sometimes cause significant energy waste operators while the former has limited knowledge about the ap- on mobile devices. Although most carriers today deploy sophisti- plication behavior and requirements. Such knowledge mismatch cated firewalls, they are still vulnerable to various attacks such as could potentially impair application performance, aggravate energy battery draining and denial of service. These findings can inform consumption, or even introduce security vulnerabilities. One illus- developers in optimizing the interaction between mobile applica- trative example is that a carrier sets an aggressive timeout value tions and cellular networks and also guide carriers in improving to quickly recycle the resources held by inactive TCP connections their network configurations. in the firewall, unexpectedly causing frequent disruptions to long- lived and occasionally idle connections maintained by applications such as push-based email and instant messaging. Categories and Subject Descriptors Prior work has studied middleboxes on the Internet by character- C.2.3 [Computer-Communication Networks]: Network Opera- izing NAT properties such as mapping type and filtering rule [22, tions 15, 20, 18, 21], and proposed various schemes to perform NAT traversal. It is unclear whether the NAT box behavior remains the General Terms same or the NAT traversal schemes are still applicable in cellu- lar networks. Other work quantified the end-to-end performance Measurement, performance, security degradation (e.g., lower throughput or larger transaction delay) in- duced by middleboxes [13]. In addition to performance, energy Keywords consumption is another critical perspective in the cellular network context. However, no previous studies have investigated how mid- NAT, firewall, middlebox, TCP performance, cellular data network dleboxes affect energy consumption on mobile devices. Several re- search efforts revealed that cellular infrastructure and mobile hand- sets are vulnerable to various types of DoS attacks [35, 37, 26]. Permission to make digital or hard copies of all or part of this work for However, they did not investigate the feasibility of launching these personal or classroom use is granted without fee provided that copies are attacks when the targets are behind middleboxes. not made or distributed for profit or commercial advantage and that copies In this study, we design and implement NetPiculet, a measure- bear this notice and the full citation on the first page. To copy otherwise, to ment tool for accurately and efficiently identifying middlebox poli- republish, to post on servers or to redistribute to lists, requires prior specific cies in cellular networks. We focus on firewalls and NAT boxes, permission and/or a fee. SIGCOMM’11, August 15–19, 2011, Toronto, Ontario, Canada. which are widely deployed by many cellular carriers. Although a Copyright 2011 ACM 978-1-4503-0797-0/11/08 ...$10.00. carrier may employ many policies, we focus on those that directly impact mobile users and their applications in terms of important properties including connectivity, performance, energy consump- tion, and security. Informed by our findings, we propose new tech- niques and modifications to applications to better cope with exist- Piculet Client ing policies. We also offer concrete suggestions on policy changes Piculet Server Cellular Core for carriers to improve the experience and protection of their mo- Internet Network bile users as well as robustness of their network infrastructure in Middle box response to attacks. We released NetPiculet on Android Market in January 2011 and Middle box attracted 393 unique mobile users within merely two weeks. Lever- aging the data from these users, we report our findings from 107 Figure 1: Physical view of the NetPiculet system cellular carriers around the world. In particular, we studied the Count Technology Continent IP address policies of two large nation-wide U.S. carriers in more depth and by # of UMTS EVDO EU AS NA SA AU AF Public Private Both1 corroborated our findings carefully with controlled experiments. Carriers 97 10 46 26 20 11 2 2 25 72 10 Due to security and privacy concerns, we anonymize their names Users 246 148 113 35 231 11 2 2 73 316 52 and label them as Carrier A and Carrier B. We summarize our key 1 Some carriers assign both public and private IP addresses findings as follows: 2 A single user is observed to have public IP or private IP at different times Table 2: Properties of the studied carriers • In some cellular networks, a single mobile device can en- counter more than one type of NAT, likely due to load bal- ancing. We also discovered some NAT mappings increment addresses. However, they also directly impact end-to-end perfor- external port number with time which was not documented mance, connectivity, energy consumption, and security. Popular in any prior NAT study. Accordingly, we develop new NAT mobile P2P applications, e.g., Fring [5] and Tango [6] for video traversal techniques to handle both cases. chatting, use NAT traversal to establish direct connections between • Four cellular networks are found to allow IP spoofing, which peers behind NAT. Correctly determining the NAT mapping type provides attack opportunities by punching holes on NATs and filtering policy is crucial for the success of NAT traversal. Fire- and firewalls “on behalf of” a victim from inside the net- walls attempt to block unwanted traffic by detecting anomalous works, and thus directly exposing the victim to further at- traffic patterns. Such behavior, however, may tamper with TCP’s tacks from the Internet. control and feedback mechanism, resulting in longer transaction delay and higher energy consumption. Furthermore, firewalls in • Eleven carriers are found to impose a quite aggressive time- cellular networks must accommodate a diverse and large set of mo- out value of less than 10 minutes for idle TCP connections, bile devices and applications. Such flexibility may come at the potentially frequently disrupting long-lived connections main- expense of security, leaving opportunities for mindful attackers. tained by applications such as push-based email. The result- Our goal is to develop a tool that can help application design- ing extra radio activities on a mobile device could use more ers gain insight into NAT and firewall policies in cellular networks than 10% of battery per day compared to those under a more and make targeted improvements to applications. It can also help conservative timeout value (e.g., 30 minutes). carriers fine-tune their middlebox policies to attain better user ex- • One of the largest U.S. carriers is found to configure fire- perience and security. A few technical challenges remain. First, walls to buffer out-of-order TCP packets for a long time, the middlebox policies in a cellular network can be quite complex likely