Does VPN traffic stand out from other traffic to the ISP?

What does the ISP actually *see* when VPN
is trafficking his network?

I realize he sees "gibberish", but, can he
just look at that gibberish and say "that  
looks a lot like my subscriber is using VPN"?

Does VPN traffic stand out from other traffic?  

Re: Does VPN traffic stand out from other traffic to the ISP?

Cordell James wrote:
The ISP sees the encrypted packet stream, the TCP/IP packet headers, the
packet sizes and the packet times.

With the above information and without any significant computational power  
it is possible to infer what kind of traffic is going through the VPN (e.g.  
http, POP, interactive terminal/vnc/rdp session).

Some VPNs minimize/prevent this information leak by smoothing/flattening the
packet size and time distributions, for example by constantly filling the
channel with data to produce a constant rate of same-sized packets. Dummy
data is sent when there is no actual data to send.

Yes, and depending on the VPN software they may even be able to say "that
looks a lot like a VNC transmitting HTTP/IMAP/vnc/whatever traffic".

Yes. It is very easy to spot encrypted traffic among all the traffic and  
different kinds of encrypted traffic (e.g. https, ssh, vpn, openssl, tor,  
imaps, pops) have somewhat distinct handshake and early traffic patterns so  
it is possible to make an educated guess on what kind of encrypted traffic  
it is.

This kind of information leak can be minimized.

- Fill the channel with dummy data and use traffic shaping to flatten the
packet distribution while transmitting the dummy traffic with the least
priority, so that your real traffic can get to the destination with minimal

- Multiplex/mix traffic in a single channel.

- Use a less suspicious encryption channel (e.g. https) to encrypt a more
suspicious encryption channel (e.g. vpn).

- Use proxies with lots of encrypted traffic to obscure your own traffic.

- Use proxy chaining, preferably in various countries.

- Use tor to anonymize your traffic and also give you plausible deniability.

The above is more than enough to defeat an ISP-level adversary, but for
nation/state-level adversaries always remember that brute-force rubber-hose
decryption is very effective and computationally free.

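The constant-rate padding described in the post above, as an added example that is not part of the original thread: a Python sketch showing that two very different flows produce the same on-wire size/timing sequence once shaped. The cell size, tick interval and both sample traces are constructed assumptions.

```python
import statistics

CELL = 512    # bytes per on-wire cell (assumed value)
TICK = 0.01   # seconds between cells (assumed value)

# Constructed samples: (send time in s, payload bytes) before shaping.
INTERACTIVE = [(0.00, 48), (0.21, 52), (0.55, 48), (0.60, 96), (1.30, 48)]
BULK = [(0.00, 1400), (0.01, 1400), (0.02, 1400), (0.03, 1400), (0.04, 900)]


def features(trace):
    """What a passive observer can compute: packet sizes and inter-arrival gaps."""
    sizes = [size for _, size in trace]
    gaps = [b[0] - a[0] for a, b in zip(trace, trace[1:])]
    return (round(statistics.mean(sizes), 1),
            round(statistics.pstdev(sizes), 1),
            round(statistics.pstdev(gaps), 4))


def shape(trace, duration):
    """Constant-rate shaper: exactly one CELL-sized packet every TICK.

    Real bytes are queued and drained first (dummy data has least priority);
    whatever space is left in a cell is filled with dummy data.
    Returns (observer's view of the wire, real bytes sent, real bytes still queued).
    """
    pending = sorted(trace)
    queue = 0
    real_sent = 0
    wire = []
    for i in range(int(round(duration / TICK))):
        now = i * TICK
        while pending and pending[0][0] <= now + 1e-9:
            queue += pending.pop(0)[1]
        real = min(queue, CELL)
        queue -= real
        real_sent += real
        wire.append((round(now, 4), CELL))  # size and time never depend on payload
    return wire, real_sent, queue


def padding_overhead(wire, real_sent):
    """Fraction of on-wire bytes that were dummy data."""
    total = sum(size for _, size in wire)
    return round(1 - real_sent / total, 4)


if __name__ == "__main__":
    for name, trace in (("interactive", INTERACTIVE), ("bulk", BULK)):
        wire, sent, left = shape(trace, 2.0)
        print(name, "raw:", features(trace), "shaped:", features(wire),
              "overhead:", padding_overhead(wire, sent), "unsent:", left)
```

The overhead figure is the cost of the technique: the link carries the full constant rate whether or not there is real data to send.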


Re: Does VPN traffic stand out from other traffic to the ISP?
interesting - just reading the thread....
