More on the NSA's Use of Traffic Shaping

"Traffic shaping" -- the practice of tricking data to flow through a particular route on the Internet so it can be more easily surveiled -- is an NSA technique that has gotten much less attention than it deserves. It's a powerful technique that allows an eavesdropper to get access to communications channels it would otherwise not be able to monitor.

There's a new paper on this technique:

This report describes a novel and more disturbing set of risks. As a technical matter, the NSA does not have to wait for domestic communications to naturally turn up abroad. In fact, the agency has technical methods that can be used to deliberately reroute Internet communications. The NSA uses the term "traffic shaping" to describe any technical means the deliberately reroutes Internet traffic to a location that is better suited, operationally, to surveillance. Since it is hard to intercept Yemen's international communications from inside Yemen itself, the agency might try to "shape" the traffic so that it passes through communications cables located on friendlier territory. Think of it as diverting part of a river to a location from which it is easier (or more legal) to catch fish.

The NSA has clandestine means of diverting portions of the river of Internet traffic that travels on global communications cables.

Could the NSA use traffic shaping to redirect domestic Internet traffic -- ­emails and chat messages sent between Americans, say­ -- to foreign soil, where its surveillance can be conducted beyond the purview of Congress and the courts? It is impossible to categorically answer this question, due to the classified nature of many national-security surveillance programs, regulations and even of the legal decisions made by the surveillance courts. Nevertheless, this report explores a legal, technical, and operational landscape that suggests that traffic shaping could be exploited to sidestep legal restrictions imposed by Congress and the surveillance courts.

News article. NSA document detailing the technique with Yemen.

This work builds on previous research that I blogged about here.

The fundamental vulnerability is that routing information isn't authenticated.

Posted on July 12, 2017 at 6:32 AM • 29 Comments


Clive RobinsonJuly 12, 2017 8:08 AM

@ Dirk Praet,

This is the problem I was talking about the other day, with regatds the limitations of the "garden path" system.

The problem is detecting what upstream nodes are doing to your traffic. If you think about it the likes of traceroute are not going to help as an adversary can differentiate it's behaviour and act in ways to make you believe it's not going on.

The only partial solution is to carefully measure timing, but this is dependent on you either knowing or calculating what the real round trip time should be. The likes of the NSA et al can slowly change the network timings by various tricks such that you get to see the average timings they want you to see...

It's a hard problem to solve and requires Onion style routing where nodes can be trusted.

noahJuly 12, 2017 8:17 AM

Aren't robust networks fundamentally vulnerable to this by their nature? Even without spoofing routing information, there are always multiple paths (which is what makes the internet robust.) Put too much traffic on one path, and packets are routed to another. You can get traffic to go wherever you want just by process of elimination.

Dirk PraetJuly 12, 2017 8:52 AM

@ Clive

It's a hard problem to solve and requires Onion style routing where nodes can be trusted.

Although Tor - unlike Freenet and I2P - doesn't allow explicit trusting of individual nodes, you can configure it to avoid nodes depending on their geo-location. But you have of course still no control whatsoever over the exchanges and routers your traffic goes through.

Clive RobinsonJuly 12, 2017 9:07 AM

@ noah,

Aren't robust networks fundamentally vulnerable to this by their nature?

Yes and No.

If you let the network decide your routing then "Yes", but if you decide the routing or circuit switching is used then "No" but your traffic path may block indefinitely.

The real issue though is "the underlying" physical network. IP is not generally the lowest layer in the networking stack even at the PC level you have Ethernet or token ring or something more modern doing the actual bit shifting. Thus even if you could define the "route" at the IP level the lower layers are out of your reach, by design.

As port mirroring is not a routing function and it duplicates data you again have no control over it...

Thus as long as the meta data is not protected then the SigInt agencies can do more than basic traffic analysis. IP networking has a basic requirment to have a minimum of routing information to reach the next node.

Thus you need to protect the metadata from node to node. This can be done with Onion Routing, which if set up correctly (unlike Tor) means all the attacker can see is constent streams of encrypted packets going between the nodes. As the streams are constant on a point to point basis it is difficult to glean any information as the encrypted packet into a node will differ from the encrypted packet leaving the node.

It's a subject that needs thought, however the likes of the Military have been doing parts of this effectively since the 1950's, so there are known solutions to some of the problems. And some people are actively thinking about comming up with other solutions.

ab praeceptisJuly 12, 2017 9:10 AM

Clive Robinson, Dirk Praet

"Onion style routing where nodes can be trusted." - I'd advise caution there. For a start I'd like to see a knowledgeably and well reflected definition of what is needed to trust a network node - incl. ours (we had plenty well justified discussions on many reasons not to trust ones PC, let alone mobile device).

I btw. also think that we would be well advised to be wary of complex mechanisms. Adding layers often looks seductive and promising but later usually turns out to be a curse instead of a blessing.

Simplicity and elegance is what we need. Unfortunately that requires a level of mastery for which the increasingly stupidized educational institution fail to build a solid basis.

Clive RobinsonJuly 12, 2017 9:25 AM

@ Dirk Praet,

But you have of course still no control whatsoever over the exchanges and routers your traffic goes through.

That will always be true, thus the need to make it pointless to do so, as well as warning users that the timing on their node to node times has changed.

If you have trusted nodes, then onion routing not only removes all but point to point metadata, it also totaly changes the data packet from the input to the output. Thus removing the ability to do direct packet to packet comparison to identify the actual source and sink nodes. Which means an attacker then has to look at length and/or timing information to try and correlate input to output data packets. There are techniques I've mentioned in the past to deal with those issues.

The problem then falls to ensuring if intermediate nodes can be trusted or better still mitigated if untrstworthy. I believe there are ways to do this but as with all worthwhile things in life the application of more than a little "Brain Grease" is required.

Clive RobinsonJuly 12, 2017 9:40 AM

@ ab praeceptis, Dirk Praet,

I btw. also think that we would be well advised to be wary of complex mechanisms. Adding layers often looks seductive and promising but later usually turns out to be a curse instead of a blessing.

Whilst that is often true there is an underlying problem. What is no intermediate node can be trusted? Which I would say is the case. You have to go to some kind of mitigation process to in effect draw a line above which you can work.

In a properly implemented onion routing protocol all the intermediate nodes know is what's in it's layer and the previous node. All it gets from decrypting it's layer is the destination to forward the layer it's just unwrapped. Thus the node would have to collude with all of the intermediate nodes in the chain. Thud the question of if there is a way to mitigate this, which is something I've been thinking about off and on for a while now.

War GeekJuly 12, 2017 11:30 AM

In the 90s this was simply BGP spoofing when the end points didn't already exist within the control of a US affiliated ISP. Notoriously in the late 90s, blocks of Chinese Mainland IPs were sporadically advertised out from whitebox windows (WindowsNT4! heh...) sitting in what was the UUNet hub in SFO4.

Trouble was that BGP is a bit like a blockchain currency where transaction info like AS/Network Block/Time could be logged and remain visible to third parties who could then cry foul when their traffic from Hong Kong to Shanghai suddenly developed ~300ms of additional latency from a (DS3 round trip across the pacific - oh yes...the days when copper ruled).

MPLS was a godsend for those same spooks...just make an invisible to layer3 - layer2 side trip to a different legal entity. Mysterious latency could still exist...though in the OC192+ world those latencies might not be all that noticeable...but no visible layer3 nodes exist anymore to make it possible for third parties to really know what happened.

Bob Dylan's Happy FeetJuly 12, 2017 12:06 PM

It is not only traffic shaping by the NSA. The FBI has been doing this for years in child pornography investigations. They go to a FLA (Foreign Law Enforcement Agency) and ask then to do something to an American citizen that they couldn't do themselves because of the 4th Amendment. The AFP (Australian Federal Police) have done significant work on behalf of the FBI. People made a big deal about the FBI running Playpen but it was actually the AFP that broke the case while working for the FBI, who then turned the data over to the FBI to run the server. This is the major reason that I am much more sanguine than most privacy advocates about the recent changes to Rule 41. It not as if the FBI wasn't actually doing those massive hack jobs anyway via some FLA; all Rule 41 really did as a practical matter was allow the FBI to bring some of that work in house rather than relying on a partnership with a FLA. This doesn't mean that I think the changes to Rule 41 were healthy but the practical consequences were never as dire as some people claimed.

One of the major problems right now is that counties routinely violate each others laws with a knowing wink. The FBI does dirty work in other countries at the behalf of their governments and those foreign governments do dirty work in our country on behalf of the our government and everyone looks the other way because CYBERCRIME. Playing jurisdictional games is nothing new to the American government.

cg22July 12, 2017 2:44 PM

Continental United States, clear from Seattle and San Francisco to Ft. Meade, Maryland, is a major internet hub for the entire world.

The two most important aggregated links are (1) from northern and western Europe to the U.S. East Coast, and (2) from eastern China, South Korea, Japan, Philippines, Vietnam etc. across the international date line to the West Coast of the United States.

The connections that avoid the continental U.S. do not seem to be as reliable and do not carry as much traffic.

July, 12July 12, 2017 4:46 PM

OT but money, Comcast, ATT, Verizon, etc., type traffic shaping issues
July 12, 2017- net neutrality stuff
(btw has anybody noticed that some major websites don’t seem to be displaying net neutrality stuff today)
Might this event be repeated soon? Isn't this an important battle?
Regarding lobbying, congress, at least some members, might be agnostic toward medium of message (email, fax, letter and so on; letters may need time to be scanned so possibly suboptimal for time constraints)
““Everything is read, every call and voice mail is listened to,” Isaiah Akin, the deputy legislative director for Oregon’s Senator Ron Wyden, told me. “We don’t discriminate when it comes to phone versus e-mail versus letter.”

July 12, 2007- war is hell stuff
unhappy anniversary revealed by Chelsea Manning in video,_2007_Baghdad_airstrike#cite_note-airstrike-aljazeera-56 points to youtube

JustMeJuly 12, 2017 5:06 PM

Thought I had read about the Inet hardware of China being fast enough to effectively "shape" by using speed to route large amounts of Inet traffic thru their hardware.
Please clarify if my memory has blurred my recollection on that event.

tyrJuly 12, 2017 7:37 PM

I seem to remember that Germany had built
a physical hub in New York as part of their
network to allow them to do domestic capture
using routing. The same documentary seemed
to think this was also used for reciprocal
captures by the 5 eyes. Just pass the traffic
over the physical network and take what you
need at a convenient point where the law is
OK with that behavior. Avoids all that untidy
squabble with constitutional lawyers.

The overview of considering data ephemeral
material without any physical location ignores
the reality that all of the Net is on junk
boxes of some type in meatspace with all the
inherent problems caused by not much in the
way of international laws that apply everywhere.

The UN Nuke ban law being a classic example of
the problems.

Pan Opticon July 12, 2017 8:13 PM

NSA does anything it can do.

They have been called by the FISA Court for hundreds of serious violations in the past without any noticeable curtailment or change in the way they operate. It's a post-Constitutional, extra judicial operation altogether. They are smart enough not to drag people off to the gulag which saves them from a vigorous populist reaction.

The good news is Congress is starting to figure out the monster they created is collecting, collating, slicing, dicing and dishing out their data too. Some say it's creating gridlock in DC because Congressmen are getting, rightfully, paranoid about their own sketchy activities, ...not just Team Trump...

VJuly 13, 2017 3:22 AM

The real world version of this would be:

You're cruising along on State Line Road. The neighboring police put orange cones on the road, forcing you into the other lane, then arrest you when you enter their jurisdiction.

Would a real world court put up with this? (Probably, alas.)

Come On This Is Barely NewsJuly 13, 2017 3:37 AM

Traffic Shaping is not hacking routers or abusing insecure routing protocols:

Every spy agency has sniffed signals on the internet since ever technically feasible:
the use Tor, use Signal mantra is still recommended to any privacy-aware individual. Use QubeOS to run - immutable - virtual machines on top of that.

US citizens and lawyers still arguing/relying on Amendments and Courts of Justice is the real news today.

SpazmoJuly 13, 2017 7:10 AM

I may be splitting a technical hair here, but my understanding of Traffic Shaping is very different than what is being described here. My classic understanding of Traffic Shaping is to use deep packet or stream inspection (DPI) to identify streams and traffic flows, then assign priority and queueing to better manage capacity. This gives all the streams a "profile" or "shape" when visually represented on a chart or graph as compared to the previously unmanaged cross-section. Perhaps these covert agencies want the public to associate their activities with something which is performed by most corporations or ISP's routinely so as to appear less ominous. What the NSA is actually doing is using DPI to automate the process of collecting and cataloging illegal indiscriminate wiretaps. You might take the rational of someone who has lost their soul/conscience as the following. The U.S. citizenry say torture and mass surveillance should be illegal. The government says they've been tasked with keeping the citizenry safe, therefore offshoring torture and mass surveillance to non-US soil is an acceptable "work around". Everybody wins. The government gets to paint their activities with a "grey" paintbrush, and the citizenry get to snuggle in the comfortable feeling that "Big Brother" is keeping the wolves at bay, as long as the dirty work doesn't happen in our own back yard.

markJuly 13, 2017 11:37 AM

Just an FYI: I, personally, know someone who is a fed, and works for No Such, and deals with networking and telecom as their job, and who I trust 100%. Their cmt on the report was "bullshit, don't believe everything you read."

On consideration... even with NSA's computer systems, they can't possibly have the bandwidth to shove a significant percentage of traffic through their routers.

Dirk PraetJuly 13, 2017 12:36 PM

@ mark

I, personally, know someone who is a fed ... and who I trust 100%.

Oh, you funny man.

RachelJuly 13, 2017 5:13 PM


'I know someone who is a fed...and I trust them 100%'

My reticular activation system expressed slightly different degrees of discernment:

' I know someone who is a fed...don't believe everything you read'

or more succintly

'I know someone who is a fed...bullshit'

CallMeLateForSupperJuly 14, 2017 6:48 AM

"(btw has anybody noticed that some major websites don’t seem to be displaying net neutrality stuff today)"

I did not notice *any* net neutrality-focused pranks on any of the sites I visit every day. Lots of stories about what evil Pai and ISPs want to do, and many empassioned cries e.g. "We're f__ked". Giggle home page displayed no art work and I could not "select" the search bar, but otherwise Giggle stuff worked as usual.

It occurred to me that perhaps all the protest stuff depended on JavasSript being enabled, and/or the "scorecardresearch[dot]com", "effectivemeasure[dot]net" and similar silliness being allowed.

@PrivacyBadger users
Visit, kill both of the above-mentioned thingies in PB, and then surf to a story or two. Admire the headache-inducing photo(s). Lovely.

Wesley ParishJuly 14, 2017 6:48 AM

My attention was caught by the following assertion:

One important legal principle, established by the U.S. Supreme Court, holds that that the Fourth Amendment does not apply to foreign individuals located outside U.S. territory.23

How interesting. A principle of international law is that if some state asserts something for long enough, and backs its assertions with sanctions, then that becomes what is known as customary law. I believe the United States during the Cold war made plenty of assertions on behalf of dissidents in the Soviet Union and Eastern European states members of the Warsaw Pact and in favour of their right to provacy even if they were not Soviet citizens and were being spied on by the various permutations of Soviet secret police.

In fact, I'll bet the Russian Federative Republic has heaps of such assertions on behalf of dissidents' rights to privacy and private communications, on file. Let's ask President Putin:

Your Excellency President Putin

If the above claim is true, and the Russian Federative Republic has on file heaps of US assertions on behalf of Soviet dissidents' rights to privacy and private communications from all and any of the former Warsaw Pact states members, please submit them to the relevant United Nations court, the International Court of Justice, and the relevant European court of human rights, and request a legal opinion from them as to the validity of said US Supreme Court claim, that foreign citizens are not protected from random warrantless surveillance, even when such surveillance results in their unjust murder by CIA drone.

Yours etc

Clive RobinsonJuly 14, 2017 10:39 AM

@ cg22,

The connections that avoid the continental U.S. do not seem to be as reliable and do not carry as much traffic.

ve a look at the other Five Eye choke points, specifically north of Aus, south of UK and near UK friendly Middle East countries...

I've been pointing thi out on the odd occasion when peoplr talk about Tor...

BrownwallJuly 14, 2017 12:59 PM

Why would people think the NSA directly manhandles this?
Just like ATT, longhaul will have secure MitM rooms also.
When you go across the pond, that fiber route provides a watch point. Nothing new.

Enter Cogent of D.C.

If you traceroute through the D.C., Virginia, Maryland area, guess what? Did you really think TOR was useful? Okay.

CutangleJuly 17, 2017 11:34 AM

ARP-poisoning will do this on the cheap. Go to a coffee shop, poison everybody's ARP tables, capture the traffic and route it where ever you want (e.g. to TOR if you are so inclined).

The use of the term "traffic shaping" is fairly unusual in this context (I was expecting a different paper). More often than not it refers to spreading packets or frames evenly on fast, long-haul links to prevent bursts that result in buffer overflows.

Jared HallJuly 19, 2017 9:40 AM

@Cutangle: ARP Poising affects the local network. If a malicious entity has access to the local network, then many problems with surveillance are solved already.

@Spazmo: You are correct from the client perspective, but not from the Spy Agency perspective. The Century Foundation's report defines the term, as the NSA uses it.

@mark: You are wrong on both your bullet points. The articles (both The Century Foundation and NSA's "Shaping 101" cited examples of BGP route spoofing, That's a technique that's been used forever. Methinks your friend doesn't know Jack, or in this case, Jared. In deference to your No Such friend, it may be that this type of activity is more in the CIA's purview. How the NSA and CIA interact at the Enterprise level is a mystery to me.

Furthermore, NSA domestic spying can be done at ATM level with PVC remapping. Most carriers participate in the FCC's *voluntary* requests for ATM routes for this purpose. Most telecom professionals knew about this long before Snowden and PRISM. I wrote an article about this. I'd venture to say that PRISM probably contains the world's largest collection of physical and logical circuit topologies. That's NSA-ish to me.

@Come On This Is Barely News: See my comment above re: @Spazmo. Funny how one man's DoS and Route Spoofing is another man's "Traffic Shaping"!

@All: The thing about telecom networks is that when the rubber hits the road, the same well-known, mapped-out physical networks are used. Even low-end commercial-grade routers (PAN, Fortinet, SonicWall, Cisco, Juniper, etc) do Deterministic/Performance-Based Policy Routing. Here you make routing decisions based upon characteristics such as end-to-end delay and jitter. Cisco has Performance Routing (PIR) which extends this to BGP via the BGP Local_Pref attribute. As an example, you would want your VoIP traffic to take local, terrestial routes. If, by using BGP (if it is even necessary) you can select the INGRESS route to a Target's network, you can then Flood or otherwise DOS those local routes. Policy/Performance Routing kicks in and sends those VoIP packets out the desired path. No rocket science necessary. As someone else posted earlier in this thread, as things get more *convenient* for the Network and Users, other unforeseen threats usually emerge.

Of course if you've got feet on the street, nothing beats a clamp-on fiber analyser and the Mark 1 eyeball. Reading NSA's paper, you gotta love the fictious country of "Geekistan". Overall, the paper is another example of over-classification. I notice that it is stamped Top Secret//COMINT//REL TO USA, USA, CAN, GBR, NZL. Why wouldn't they just use FVEY?

BrownwallJuly 19, 2017 12:59 PM

Somewhere in an overrated conspiracy lies a truth.

Is right on the proper use of traffic shaping... like an everyday body function.

Traffic shape what? A better term would be siphon and watch.
Search the EFF Carolyn Jewel ATT story and view the plausible thing:

She lost her job because she walked into the secure room to fix some bottlenecking? What is the chance that ATT doesn't tell employees about this, given CALEA knowledge and that line of thought? Hey, I can't get throughput, chief. Bring the NSA over here to fix their crap.

Geekistan cracks me up. Such strong words. I'm going to call the State Dept. latchkey for perverts and stalkers.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.