How to defeat VPN location-spoofing by mapping network delays
Tue 16 Feb 2016
An interesting paper from a PhD student in Ontario outlines a system which in initial tests has proved 97% effective at unmasking geo-spoofing VPN users, such as Netflix customers who fake their geographic location in order to access catalogues outside of their country.
The Client Presence Verification (CPV) system presented in the paper analyses delays in network packets to determine the user’s location, disregarding the IP address geolocation information which currently underpins the efforts of content providers such as Netflix to prevent VPN users accessing content which is not licensed in their country.
The detection system was tested at global network laboratory PlanetLab using 80 network nodes based in the U.S. and Canada. CPV works by identifying triangles of geographic space which are deduced from delays in network data throughput. A person attempting to fake their current location can use One Way Delays (OWDs) to manipulate the receiver’s estimation of geographical distance. However, a great deal of reciprocal information is exchanged between the user’s real location and the supplier’s point of service, and the resulting delays may not correspond with the IP address which a proxy or VPN service is volunteering to the provider.
The researchers, led by AbdelRahman Abdou, a PhD student in the Department of Systems and Computer Engineering at Carleton University in Ontario, succeeded in identifying ‘triangles’ of geographical information derived from the network delay space in test exchanges with geo-spoofing user clients – successfully rejecting 1,749 out of 1,803 attempts (97%) to fool the system.
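A simplified illustration of the triangle idea described above. It is an added example, not the paper's algorithm or code: the planar toy model in which delay is proportional to distance, the three verifier positions, the 5% tolerance and all function names are assumptions.

```python
import math

def heron_area(a, b, c):
    """Area of a triangle from its three side lengths (Heron's formula).
    Returns 0.0 when the sides cannot form a triangle."""
    s = (a + b + c) / 2
    prod = s * (s - a) * (s - b) * (s - c)
    return math.sqrt(prod) if prod > 0 else 0.0

def inside_delay_triangle(inter, client, tolerance=0.05):
    """inter: delays (ms) between verifier pairs, keys 'AB', 'BC', 'CA'.
    client: delays (ms) from the client to verifiers 'A', 'B', 'C'.
    A point inside a triangle splits it into three sub-triangles whose
    areas sum to the whole; a point outside gives a larger sum."""
    whole = heron_area(inter["AB"], inter["BC"], inter["CA"])
    if whole == 0.0:
        return False  # verifiers do not span a usable triangle
    parts = (heron_area(client["A"], client["B"], inter["AB"])
             + heron_area(client["B"], client["C"], inter["BC"])
             + heron_area(client["C"], client["A"], inter["CA"]))
    return abs(parts - whole) / whole <= tolerance

# Constructed sample data: positions on a plane whose unit is 1 ms of delay.
VERIFIERS = {"A": (0, 0), "B": (40, 0), "C": (0, 30)}

def delays_from(point):
    """Delays a client at `point` would show to each verifier (toy model)."""
    return {name: math.dist(point, pos) for name, pos in VERIFIERS.items()}

INTER = {"AB": math.dist(VERIFIERS["A"], VERIFIERS["B"]),
         "BC": math.dist(VERIFIERS["B"], VERIFIERS["C"]),
         "CA": math.dist(VERIFIERS["C"], VERIFIERS["A"])}

def demo():
    local_client = delays_from((10, 10))     # really inside the triangle
    distant_client = delays_from((100, 80))  # claims the region, is far away
    return (inside_delay_triangle(INTER, local_client),
            inside_delay_triangle(INTER, distant_client))

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The check never consults the client's IP address; only the measured delays decide whether the presence claim is accepted.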
The authors conclude: ‘The design of CPV provides several security and deployability advantages. It overcomes IP-hiding tactics typically carried out using middleboxes, since delays are measured over the client’s application layer. Additionally, CPV requires no client-side changes, and no extra software is needed; the client’s current browsing experience is retained as the verification process runs in the browser. These advantages and the real-world evaluation results highlight CPV’s potential for practical adoption.’
This kind of delay-based proximity verification has been more intensively studied and experimentally applied in single-hop wireless networks than on the internet. That is because each server has different delay characteristics, and a determined geo-spoofer in a flexible computing environment has many more tricks at their disposal than just IP spoofing via a VPN, including manipulating timestamps on sent packets or synchronising server time inaccurately with the target server.