Classifiers Unclassified: An Efficient Approach to Revealing IP Traffic Classification Rules.

ABSTRACTA variety of network management practices, from bandwidth management to zero-rating, use policies that apply selectively to different categories of Internet traffic (e.g., video, P2P, VoIP). These policies are implemented by middleboxes that must, in real time, assign traffic to a category using a classifier. Despite their important implications for network management, billing, and net neutrality, little is known about classifier implementations because middlebox vendors use proprietary, closed-source hardware and software. In this paper, we develop a general, efficient methodology for revealing classifiers' matching rules without needing to explore all permutations of flow sizes and contents in our testbed environment. We then use it to explore implementations of two other carrier-grade middleboxes (one of which is currently deployed in T-Mobile). Using packet traces from more than 1,000,000 requests from 300 users, we find that all the devices we test use simple keyword-based matching rules on the first two packets of HTTP/S traffic and small fractions of payload contents instead of stateful matching rules during an entire flow. Our analysis shows that different vendors use different matching rules, but all generally focus on a small number of HTTP, TLS, or content headers. Last, we explore the potential for misclassification based on observed matching rules and discuss implications for subversion and net neutrality violations.