Image by Kusal Darshana from Pixabay

Detecting Tethering using TCP TTL, Python, Php, MariaDB on AWS.

You might have come across Telecom companies providing connections with the caveat that the Data Bundle/Pack is NOT to be used for tethering i.e. the data should only be used on the device/handset and you cannot share your data with friends and family by enabling hotspotting on your handset.

And have you ever wondered how on earth would the Telecom Company identify the originated data being tethered? If you had this question pop up in your mind, then keep on reading.

A quick google on this topic would provide you with the possible ways on how to detect tethering. However, I would focus on using TCP Networks packet’s TTL value and how to read and process it with Python.

Analyze TCP packets for TTL

By Michel Bakni — Postel, J. (Septemper 1981) RFC 791, Internet Protocol, DARPA Internet Program Protocol Specification, The Internet Society, p. 11 DOI: 10.17487/RFC0791., CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=79949694

From the InternetProtocol RFC Specification, Time to Live (TTL) is a field which indicates the maximum time the datagram is allowed to remain in the internet system. This field is modified in internet header processing.

  • If this field contains the value zero, then the datagram must be destroyed.
  • The TTL value is to be decreased by at least one everytime it is processed by a network router (layer 3 device), before its forwarded to the next hop.

So when the data is originated from a mobile device, the packets would have a TTL value of 255(for example), however when the data is originated from a tethered device the TTL value would be 255 minus 1 i.e. 254, since the mobile handset would be acting as a layer 3 router.

This difference between the TTL values gives the clue that the data is directly from the device or being tethered.

TTL Values decrement at every hop.

The identification of data being tethered can be useful for other purposes as well.

a) Security

b) Different user experiences for a website

Now the fun part — Building an endpoint to detect tethered traffic.

Let’s simuate and put the theory to the test.

The journey of a TCP Packet and the diminishing TTL values across each hop/router.

The objective is to create an endpoint to display if the client is connected through a tethered connection.

Step 1:- Backend Python script to extract a) SourceIP b) SourcePort c) TTL from the TCP packets on a interface and store the SourceIp, SourcePort and the TTL values in a DB (MariaDB).

The SourceIP, SourcePort combo would be used to identify and coreelate the HTTP packets received at the webserver.

Step 1.5:- Build a lookup table with SourceIP and TTL values when browsing through 4g/5g network of a mobile operator.

Step 2:- Webserver — Php Code to read the SourceIp and SourcePort from the HTTP request and query the DB to read the TTL value.

If TTL value of the current request is less than the TTL value of any previous request then the request is most likely tethered.

PYTHON SCRIPT TO READ TCP Packet and store TTL Values.

Courtesy:- https://www.pythonsheets.com/notes/python-socket.html

PHP SCRIPT :- ACCEPT HTTP REQUEST & CHECK FOR TETHERING

DB SCRIPT TO STORE & CORRELEATE HTTP REQUEST with TCP PACKETS

How to test it quickly within an AWS Env?

  1. Deploy the Python script into an Linux based EC2 instance.

Note:- you might get tempted to deploy the code into a lambda function, but

a) Lambda Functions do not provide the sourcePort of the incoming request which is the key to correlate the tcp packet

b) I havn’t tried it myself to confirm if the python script would be given privs to read the interface.

2. Follow this link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-LAMP.html to install a LAMP stack on an ec2 instance.

3. Copy and paste the php code in the www folder.

4. Run the db script in the MariaDb or MysqlDb.

5. You are good to go.

Step 6. Hit your endpoint while being on 3g/4g network of your mobile.

Step 7. Enable mobile hotspot and connect another device.

Step3. Hit the same URL from the other device. You should see it says that you are tethering.

Caveats

This process is prone to errors and checks should be put in place accordingly. For example:-

a) A new router might be introduced within the client’s network. (For Telecom companies this is less of an issue since they control how the network is layed out and can accordingly update the TTL values).

b) You need to sample data from various ISPs/Telcos to be able to take any actions reliabily.

c) The code is only to simulate how to read and use the TCP packet’s TTL values. It’s in no way to be used for any Production scenarios.

Hope you enjoyed reading and feel free to put through your comments for any suggestions or correctness to this blog. Cheers.

--

--

--

Tech Enthusiast

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Why should I participate in a high-school hackathon?

Robot Framework, A Good Way to Start With Test Automation

Hackathon Voting Campaign

🌟IMPORTANT ANNOUNCEMENT: ANIMVERSE OFFICIALLY HAS NEW LOGO🌟

A Sparrow Scheduler Reproduction

The Challenge of Using SCPI Commands

Python Confusion

Design of VGIC in Cloud Hypervisor

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Irfan

Irfan

Tech Enthusiast

More from Medium

Setting WordPress up using Docker — Geneshki.com

A WordPress install screen

Installing and Setting up MongoDB on Linux

Running Redis with resilience in Linux containers on Windows — Part 4

(Serverless or Docker) Which host to choose?