Probing the internet’s hidden middleboxes
A network analysis tool allows users to reveal the hidden workings of network middleboxes.
Using a suite of reproducible test scenarios on an open-source software base, KAUST researchers have provided users with an easy-to-use tool to debug the hidden traffic manipulations in internet connections[1].
“Computer networks are opaque – many things happen to the data we fetch from and send to the internet without users knowing, and misconfigurations can happen,” says Ilies Benhabbour, a doctoral researcher. “We wanted to help regular internet users debug their network, and at the same time help administrators improve their security posture by ensuring that no gap exists in their infrastructure.”
Data transmitted over the internet rarely goes from one endpoint to another without being modified or manipulated, usually for good and useful reasons, but without the user’s knowledge. This could include redirecting requests to a local data cache to minimize long-distance transfers, preventing access to blacklisted websites, or blocking cyberattacks through the use of firewalls.
These network elements, known as “middleboxes”, are integral to the secure and efficient functioning of the internet, but their functions are largely invisible.
Focusing specifically on middleboxes that enforce filtering policies on network traffic to websites, Benhabbour, with fellow student Alya Alshaikh and lab head Marc Dacier, developed a diagnostic test suite on the open-source software base NoPASARAN that can be run by any user.
“NoPASARAN is a distributed framework that allows users to register their devices to perform tests with other machines that are already registered,” says Benhabbour. “The idea is to create a collaborative environment where people can join to debug their own connection.”
Although various tools and platforms have been developed to test specific types of middlebox interference, they are generally highly specialized, do not scale well, or are no longer actively maintained.
Benhabbour and Dacier introduced an open-source, scalable platform for developing and distributing network testing tools in 2022[2]. The distributed platform consists of ‘nodes’ – computers with the software installed and assigned roles such as master, coordinator, or worker – that are orchestrated to work together to run test campaigns. When a test is run, workers send probes over a data channel, and other workers receive those probes to infer network path properties.
The researchers demonstrated their platform by testing access to a list of domains that are likely to be blocked due to being potentially associated with scams. In this case, they used a publicly available list of 330 cryptocurrency-related domains and IP addresses. Using a network of eight machines (nodes), they examined how middleboxes in this network intercepted DNS and HTTP traffic.
“Our testing revealed discrepancies in how website whitelisting was performed, and we were able to directly assist the network administrator with their security posture related to a recent modification of the network topology,” says Benhabbour. “With this work, we show that it is indeed possible for normal people to understand their internet connection, using a tool that, unlike other platforms, can be built on by adding new tests. The tool is open-source and available to anyone who is interested in trying it.”
References
- [1] Alshaikh, A., Benhabbour, I. and Dacier, M. Middlebox Assessment and Network Gaps: Observing Enforced Security. Proceedings of the ANUBIS Workshop, Toulouse (FR), Sept. 26, 2025.
- [2] Benhabbour, I. and Dacier, M. Nopasaran: a novel platform for analysing semi-active elements in routes across a network. Applied Cybersecurity & Internet Governance 1 (2022).