Residential Broadband Internet Traffic: Characterization and Security Analysis

Abstract

Residential broadband Internet connectivity is a mature and popular service in many countries. Indeed, according to the Organization for Economic Co-operation and Development (OECD), there are more than 260 million broadband customers world-wide. Understanding the nature of residential traffic characteristics is imperative for network operators to design and develop future network configurations and architectures. However, the growing world-wide user population and the introduction of new services and applications continuously changes the way users use the Internet. Furthermore, users’ demands and expectations change as well. Therefore, traffic and security characteristics of residential networks have to be evaluated regularly. Yet, only few studies have examined the characteristics and security aspects of residential traffic, thus its makeup, dynamics, evolution, and variations remain underexamined. We, in this thesis, undertake such a study. We describe observations from more than 20,000 residential DSL customers in an urban area. To ensure privacy and confidentiality, all data is immediately anonymized. Our contribution is the characterization of several different aspects of residential broadband traffic: We characterize DSL sessions, prevalence and use of network address translation (NAT), and network usage in terms of application layer protocols. Furthermore, we investigate possible performance limitations and new devices that users employ to connect to the Internet. Finally, we analyze network security, security-awareness, and risky behavior in residential networks. DSL session characteristics, such as bandwidth utilization and online times, and NAT usage, e. g., the number of hosts connected per DSL lines, have implications for accurately provisioning access networks. Optimal access network architectures can increase customer satisfactions while decreasing complexity and cost. Likewise, the makeup of traffic, such as the application protocol mix, greatly influences the decisions of network operators and content providers on where to place popular servers and what kind of network connectivity and quality-of-service is required. Understanding performance limitations is another critical aspect of network studies. To optimize performance and quality-of-experience, current limitations need to be known and characterized so that one can develop new protocols or tune the default settings of current protocols to achieve better performance. In addition, the ever increasing minituarization has given rise to new classes of devices that users utilize to connect to the Internet. Mobile hand-held devices (MHDs, e. g., iPhones or BlackBerrys) are ubiquitous today. However, little is ii/x Residential Broadband Internet Traffic: Characterization and Security Analysis known about how they are used—especially at home. Understanding characteristics of such novel device traffic can help network operators to anticipate future networking demands. Furthermore, while conventional wisdom holds that residential users are responsible for much of today’s Internet insecurity, few systematic studies have examined whether such views in fact reflect reality. To tackle security problems, one needs to understand the prevalence of such problems and the factors that influence security problems and malicious activity. We, in this thesis, answer such questions. We introduce a tool that enables efficient retrospective traffic analysis. We also characterize DSL sessions and NAT usage. Surprisingly, we find that DSL-session run quite short in duration, with a median duration of only 20–30minutes. Furthermore, we show that NAT gateways are deployed on 90% of DSL lines and that more than 10% of DSL lines connect multiple, concurrently active, hosts. When we investigate application protocols, we find that HTTP dominates the application mix by volume, accounting for more than 57% of bytes, while peer-topeer (P2P) only contributes 14–25%. Around the turn of the century HTTP was the dominating protocol by byte volume. The advent of P2P networks changed that and P2P dominated the protocol mix. Our study indicates that today HTTP is again on the rise, while P2P is on the decline. To assess malicious activity, we develop a set of metrics and analyze the relationship between problems flagged by these metrics and security awareness (e. g., using anti-virus software). Furthermore, we compare our results with a rural community network in India. To our surprise, we find that both environments have similar levels of problematic behavior, in both cases indicating only a small fraction of malicious hosts. However, we also find that risky behavior is quite widespread and that security awareness steps, such as using anti-virus updates, do not correlate with a lower degree of malicious activity.