Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shane Alcock and Richard Nelson University of Waikato

Published byOswin Hunt Modified over 7 years ago

Similar presentations

Presentation on theme: "Shane Alcock and Richard Nelson University of Waikato"— Presentation transcript:

1 Shane Alcock and Richard Nelson University of Waikato
Measuring the Impact of the Copyright Amendment Act on New Zealand Residential DSL Users Shane Alcock and Richard Nelson University of Waikato

2 Background Copyright (Infringing File Sharing) Amendment Act 2011
New Zealand law aimed at online copyright infringement Came into effect on September 1, 2011 Operates on the “three strikes” principle Law received huge media coverage in New Zealand

3 Aims Determine the effect of the new law on user behaviour
Media reports tended to be contradictory One ISP reported a 10% decrease in P2P traffic Another just said that international traffic had declined A third claimed there was no noticeable impact All reports lacked any details on the measurement approach Perform a genuine measurement study! Use packet capture and analysis techniques Examine traffic both before and after the law came into effect Utilize traffic classification to identify P2P traffic

4 Data Sources Passive monitor located in the core of a medium size ISP
Capture all traffic for a subset of their customer base Headers + 4 bytes of packet payload Privacy issues prevent us from examining more payload Examined DSL subscribers only (~4000 users) Vast majority of New Zealand residential Internet is via DSL NZ fixed broadband population: 1.2 million (OECD estimate) Sample is 0.33% of population

5 Data Sources Three captures are used for the published study
7 days in January 2011 – before the CAA is active 8 days in September 2011 – immediately after the CAA 8 days in January – one year on from the first capture In this talk I'll also include some results from September 2012!

6 Software Packets are captured and processed using libtrace
Flows are classified using libprotoident Uses lightweight packet inspection to identify application protocols Requires only 4 bytes of packet payload Perfect for our data set! Supports over 200 unique application protocols Accuracy is better than open-source DPI libraries [1] [1] Libprotoident Technical Report, University of Waikato, 2011

7 Bytes Downloaded by Protocol

8 Bytes Downloaded by Category

9 Bytes Uploaded by Protocol

10 Bytes Uploaded by Category

11 Results Proportion of total downloaded traffic for each protocol
TCP BitTorrent fell but it still exceeded most protocols January 2011 Sept. 2011 January 2012 Sept. 2012 HTTP 68.7% 72.3% 70.9% 59.4% HTTPS 1.6% 4.0% 5.0% 9.0% BitTorrent TCP 8.0% 2.6% 3.1% 3.4% BitTorrent UDP 8.2% 6.2% 5.5% 9.9% Skype 1.3% 1.9% 1.8% 3.6% RTMP 3.0% 3.8% 2.1% Steam 1.5% 1.4% 0.8% SSL / TLS 1.0% 0.1% < 0.1% FTP Data 0.2% 0.4% 0.6% OpenVPN Teredo 0.3%

12 Conclusions Traffic downloaded using P2P protocols has decreased
Less than half the volume it was before the CAA came into effect Decline has persisted, but is starting to reverse TCP BitTorrent remains down but uTP is growing Need to stop thinking of BitTorrent as a TCP application P2P uploading has also decreased significantly

13 Conclusions Growth in HTTPS outstrips other application protocols
Many legitimate reasons for HTTPS increasing Online shopping Internet banking Secure login to social media sites 20% of Facebook traffic is HTTPS [1] Change in volume suggests it may be more than just the above 11 GBs per day to 57 GBs per day By contrast, BitTorrent TCP went from 54 GBs/day to 18 GBs/day [1] Gehlen et al, “Uncovering the Big Players of the Web”, TMA 2012

14 Conclusions Could the HTTPS growth be related to the CAA?
Downloading copyrighted content from foreign seedboxes HTTPS is a perfect protocol for this application Secure, encrypted Unlikely to be filtered or blocked by the ISP Movement from P2P to file hosting sites Rapidshare allows downloading over HTTPS

15 Conclusions FTP, Tunnels, VPNs, SSH have all grown substantially
Relative growth is very large, but starting values were quite small These protocols still contribute < 1% of downloaded traffic each Growth in Teredo suggests increased IPv6 support in end-hosts But not in the path between the hosts Growth in SSH, VPNs, RDP – using foreign hosts to avoid CAA? Further study is necessary

16 Caveats This study only looks at one New Zealand ISP
Other ISPs may be more or less popular with “heavy” P2P users Our results indicate a correlation rather than a causation Cannot be certain that the observed behaviour is due to the CAA Require a comparative analysis with other NZ and foreign ISPs Many potential avenues for further research! Can only theorise as to the causes of many changes Hoping to analyse the interesting protocols in more depth soon!

17 Web: http://www.wand.net.nz/projects/caa
The End Questions? Web:

18 Results Proportion of users that were using each protocol
Don't have reliable user stats for September 2012 :( January 2011 Sept. 2011 January 2012 HTTP 87.3% 90.4% 89.4% HTTPS 87.2% 90.1% BitTorrent TCP 8.5% 5.5% 5.2% BitTorrent UDP 27.4% 21.4% 20.8% Skype 35.0% 36.5% 38.9% RTMP 40.1% 51.5% 43.6% Steam 3.6% 4.0% 4.8% SSL / TLS 21.7% 15.9% 28.6% FTP Data 3.4% 4.4% 4.7% OpenVPN 0.1% 0.4% 0.3% Teredo 19.1% 24.7% 26.3%

19 Results Proportion of total uploaded traffic for each protocol
January 2011 Sept. 2011 January 2012 Sept. 2012 HTTP 19.1% 24.1% 19.7% 21.1% HTTPS 6.1% 15.7% 21.5% 22.7% BitTorrent TCP 21.0% 7.5% 9.0% 4.5% BitTorrent UDP 16.7% 11.0% 12.1% 14.1% Skype 13.9% 12.3% 13.0% RDP 1.4% 2.5% 2.2% 4.8% Xbox Live 2.7% 1.9% 1.2% SSL / TLS 1.8% 1.1% 0.1% eMule 0.7% 0.0% < 0.1% RTMP 0.2% 0.9% 0.8% 0.5% Teredo 0.4% 1.0% 2.1% 1.3%

20 Libprotoident Determines the application protocol for a flow
First four bytes of payload observed from server to client First four bytes of payload observed from client to server Size of the first payload-bearing packet sent from server to client Size of the first payload-bearing packet sent from client to server TCP / UDP ports used by both endpoints Only 4 bytes of packet payload is required Can use libprotoident in situations where DPI is not feasible Privacy, computation speed, storage Easier to get an organisation to agree to this type of capture

21 Libprotoident Example: matching OpenVPN
Both payloads must match the following: Third byte of payload must be either 0x38 or 0x40 Bytes 1 and 2 must be equal to (payload length - 2) If the payload size was 300 bytes, byte 1 must be 0x01 And byte 2 must be 0x2a Because: ( ) == 0x012a

22 Libprotoident Open source
Download: Protocol matching rules are freely available Many have been documented on the libprotoident wiki Easy to add rules for new protocols Feel free to contribute!

23 WAND Network Research Group
Department of Computer Science The University of Waikato Private Bag 3105 Hamilton, New Zealand

Download ppt "Shane Alcock and Richard Nelson University of Waikato"

Similar presentations

A First Look at Modern Enterprise Traffic

A First Look at Modern Enterprise Traffic
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Predicting Tor Path Compromise by Exit Port IEEE WIDA 2009December 16, 2009 Kevin Bauer, Dirk Grunwald, and Douglas Sicker University of Colorado Client.

Predicting Tor Path Compromise by Exit Port IEEE WIDA 2009December 16, 2009 Kevin Bauer, Dirk Grunwald, and Douglas Sicker University of Colorado Client.
CSE534 – Fundamentals of Computer Networks Lecture 16: Traffic Shaping + Net Neutrality Created by P. Gill Spring 2014, updated Spring 2015.

CSE534 – Fundamentals of Computer Networks Lecture 16: Traffic Shaping + Net Neutrality Created by P. Gill Spring 2014, updated Spring 2015.
HIPAA Security Standards What’s happening in your office?

HIPAA Security Standards What’s happening in your office?
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Introduction1-1 Introduction to Computer Networks Our goal:  get “feel” and terminology  more depth, detail later in course  approach:  use Internet.

Introduction1-1 Introduction to Computer Networks Our goal:  get “feel” and terminology  more depth, detail later in course  approach:  use Internet.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
Treatment-Based Traffic Signatures Mark Claypool Robert Kinicki Craig Wills Computer Science Department Worcester Polytechnic Institute

Treatment-Based Traffic Signatures Mark Claypool Robert Kinicki Craig Wills Computer Science Department Worcester Polytechnic Institute
Firewalls Presented By Hareesh Pattipati. Outline Introduction Firewall Environments Type of Firewalls Future of Firewalls Conclusion.

Firewalls Presented By Hareesh Pattipati. Outline Introduction Firewall Environments Type of Firewalls Future of Firewalls Conclusion.
Licentiate Seminar: On Measurement and Analysis of Internet Backbone Traffic Wolfgang John Department of Computer Science and Engineering Chalmers University.

Licentiate Seminar: On Measurement and Analysis of Internet Backbone Traffic Wolfgang John Department of Computer Science and Engineering Chalmers University.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
A global, public network of computer networks. The largest computer network in the world. Computer Network A collection of computing devices connected.

A global, public network of computer networks. The largest computer network in the world. Computer Network A collection of computing devices connected.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
KaZaA: Behind the Scenes Shreeram Sahasrabudhe Lehigh University

KaZaA: Behind the Scenes Shreeram Sahasrabudhe Lehigh University
Business Computing 550 Lesson 4. Fundamentals of Information Systems, Fifth Edition Chapter 4 Telecommunications, the Internet, Intranets, and Extranets.

Business Computing 550 Lesson 4. Fundamentals of Information Systems, Fifth Edition Chapter 4 Telecommunications, the Internet, Intranets, and Extranets.
Intranet, Extranet, Firewall. Intranet and Extranet.

Intranet, Extranet, Firewall. Intranet and Extranet.
Privacy-Preserving P2P Data Sharing with OneSwarm -Piggy.

Privacy-Preserving P2P Data Sharing with OneSwarm -Piggy.
NET NEUTRALITY A primer. Network Neutrality The promise of the Internet Means networks should be dumb Because for once, dumb is good: – Dumb networks.

NET NEUTRALITY A primer. Network Neutrality The promise of the Internet Means networks should be dumb Because for once, dumb is good: – Dumb networks.

Similar presentations

Ads by Google