<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Peakhour.IO - Fingerprinting</title><link href="https://www.peakhour.io/" rel="alternate"></link><link href="https://www.peakhour.io/feeds/tag/fingerprinting.atom.xml" rel="self"></link><id>https://www.peakhour.io/</id><updated>2026-06-19T00:00:00+10:00</updated><entry><title>Fingerprints Are Evidence, Not Identity</title><link href="https://www.peakhour.io/blog/fingerprints-are-evidence-not-identity/" rel="alternate"></link><published>2026-06-19T00:00:00+10:00</published><updated>2026-06-19T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-06-19:/blog/fingerprints-are-evidence-not-identity/</id><summary type="html">&lt;p&gt;Browser and network fingerprints are useful security evidence, but they should not be treated as proof of a person's identity.&lt;/p&gt;</summary><content type="html">&lt;p&gt;The word "fingerprint" can create the wrong expectation.&lt;/p&gt;
&lt;p&gt;In security, a browser or network fingerprint is not the same as a human fingerprint. It does not prove who a person is. It does not remove uncertainty. It should not be treated as a permanent identity for a customer.&lt;/p&gt;
&lt;p&gt;A fingerprint is evidence. Sometimes it is strong evidence. Sometimes it is weak, common, stale, or deliberately manipulated. Its value comes from how it is combined with route, behaviour, account state, network context, credential risk, and the action being requested.&lt;/p&gt;
&lt;p&gt;That distinction is more than wording. It affects how security teams design controls, explain decisions, and avoid overblocking legitimate users.&lt;/p&gt;
&lt;h2&gt;What Network Fingerprints Can Tell You&lt;/h2&gt;
&lt;p&gt;&lt;a href="/learning/fingerprinting/what-is-network-fingerprinting/"&gt;Network fingerprinting&lt;/a&gt; compares connection and protocol evidence. TCP behaviour, TLS handshakes, JA3 or JA4-style representations, HTTP/2 settings, header shape, MTU, proxy indicators, ASN, and path characteristics can all help classify the client or infrastructure behind a request.&lt;/p&gt;
&lt;p&gt;That can be useful during credential stuffing, scraping, scanning, API abuse, or Layer 7 attack pressure. Attackers may rotate IP addresses, but parts of the client stack or automation framework can remain consistent. Grouping requests by network evidence can make rate limiting, bot detection, and investigation more precise than IP-only rules.&lt;/p&gt;
&lt;p&gt;But the fingerprint is still not identity.&lt;/p&gt;
&lt;p&gt;Common browsers can share similar network shapes. Mobile networks and carrier-grade NAT can make unrelated users appear close together. VPNs and residential proxies can distort source context. Browser and library updates can change fingerprints overnight. Hashing can make signals portable while hiding useful detail. Attack tools can also try to imitate normal clients.&lt;/p&gt;
&lt;p&gt;The right conclusion from a suspicious network fingerprint is not "we know who this is". It is "this request deserves a different level of confidence".&lt;/p&gt;
&lt;h2&gt;What Browser Fingerprints Can Add&lt;/h2&gt;
&lt;p&gt;&lt;a href="/learning/fingerprinting/what-is-browser-fingerprinting/"&gt;Browser fingerprinting&lt;/a&gt; adds evidence from the application layer and, where appropriate, browser-side checks. Headers, client hints, JavaScript-visible properties, rendering behaviour, storage behaviour, timezone, language, permissions, and API availability can help decide whether a request looks like the browser it claims to be.&lt;/p&gt;
&lt;p&gt;This matters because many attacks try to borrow the appearance of ordinary browser traffic. Automation frameworks, emulators, headless browsers, anti-detect browsers, and scripted API clients can all present a user-agent string that looks plausible. Browser evidence helps compare the claim with the rest of the request.&lt;/p&gt;
&lt;p&gt;Again, the useful output is confidence, not identity. A browser fingerprint might support a challenge. It might support a lower rate limit. It might explain why a session changing an email address needs step-up verification. It might help &lt;a href="/products/bot-management/"&gt;bot management&lt;/a&gt; separate obvious automation from normal traffic.&lt;/p&gt;
&lt;p&gt;It should not become a claim that one technical pattern equals one person.&lt;/p&gt;
&lt;h2&gt;The Comparison Matters&lt;/h2&gt;
&lt;p&gt;Peakhour's page on &lt;a href="/learning/fingerprinting/browser-fingerprinting-vs-network-fingerprinting/"&gt;browser fingerprinting vs network fingerprinting&lt;/a&gt; makes the operational split clear. Network fingerprints usually come from passive connection and protocol evidence. Browser fingerprints often involve request and browser-side evidence. They answer related but different questions.&lt;/p&gt;
&lt;p&gt;A strong decision often needs both.&lt;/p&gt;
&lt;p&gt;A request claiming to be a normal browser should look broadly consistent across TLS, HTTP/2, headers, JavaScript-visible browser properties, proxy context, route behaviour, and account history. If the browser looks normal but the network path resembles a known automation cluster, that is useful. If the network path looks ordinary but the browser evidence is inconsistent or missing on a sensitive route, that is useful too.&lt;/p&gt;
&lt;p&gt;The mismatch is the signal. The response still depends on consequence.&lt;/p&gt;
&lt;p&gt;A suspicious request to a public asset route might only need logging. The same evidence on login, password reset, stored-card checkout, account email change, admin access, or an expensive API route may justify a challenge, tighter limit, temporary hold, or review.&lt;/p&gt;
&lt;h2&gt;How to Use Fingerprints Responsibly&lt;/h2&gt;
&lt;p&gt;Fingerprints work best when they are attached to an explainable decision. A security event should show the route, account or token context where relevant, source network evidence, browser evidence, policy action, response code, and review outcome. That gives operators a way to understand and correct decisions.&lt;/p&gt;
&lt;p&gt;Peakhour's guide to &lt;a href="/learning/fingerprinting/network-fingerprint-signals-and-security-decisions/"&gt;network fingerprint signals and security decisions&lt;/a&gt; frames the choices properly: allow, log, challenge, rate limit, block, or review. A fingerprint should help choose among those actions. It should not replace judgement.&lt;/p&gt;
&lt;p&gt;Responsible use also means accepting uncertainty. Fingerprints collide. They drift. They can be spoofed. Some privacy tools intentionally reduce or alter browser signals. Some legitimate users have unusual configurations. Some high-risk requests have only partial evidence.&lt;/p&gt;
&lt;p&gt;That uncertainty does not make fingerprints useless. It means they should be one layer in a wider control set.&lt;/p&gt;
&lt;p&gt;For account and API security, the practical question is not "can this fingerprint identify a person?" It is "does this evidence change the confidence we should place in this request?"&lt;/p&gt;
&lt;p&gt;If the answer is yes, use it carefully. Increase scrutiny on sensitive actions. Reduce friction where evidence is clean. Preserve enough context for review. Avoid pretending that a technical fingerprint is a human identity.&lt;/p&gt;
&lt;p&gt;That is the more accurate model, and it leads to better security decisions.&lt;/p&gt;
&lt;p&gt;For a protocol-level example, see &lt;a href="/blog/fingerprint-is-a-cohort-not-a-client/"&gt;A network fingerprint is a cohort, not a client&lt;/a&gt;. It compares the information retained by JA3, JA4 and Cisco Mercury and explains why a matching TLS value can still cover many applications and users.&lt;/p&gt;</content><category term="API Security"></category><category term="API Security"></category><category term="Fingerprinting"></category><category term="Bot Management"></category><category term="Account Protection"></category><category term="Network Fingerprinting"></category><category term="Browser Fingerprinting"></category></entry><entry><title>Account Security Without Tracking People</title><link href="https://www.peakhour.io/blog/privacy-respecting-account-security-risk-signals/" rel="alternate"></link><published>2026-06-19T00:00:00+10:00</published><updated>2026-06-19T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-06-19:/blog/privacy-respecting-account-security-risk-signals/</id><summary type="html">&lt;p&gt;Safer logins do not require treating people as products. Account defence should use minimised, purpose-bound risk signals and proportionate decisions.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Account security needs evidence. A login request is not just a username and password; it has a route, client context, browser behaviour, network path, timing, session history, credential risk, and follow-on actions. Without some of that context, defenders are left with blunt controls: block too much, challenge everyone, or trust too easily.&lt;/p&gt;
&lt;p&gt;The privacy problem starts when security teams confuse evidence with identity.&lt;/p&gt;
&lt;p&gt;A risk signal should help answer a narrow operational question: should this login, password reset, email change, API call, or checkout step be allowed, challenged, rate limited, blocked, logged, or reviewed? It should not become a general-purpose profile of a person.&lt;/p&gt;
&lt;p&gt;That distinction matters. Good &lt;a href="/solutions/use-case/contextual-security/"&gt;contextual security&lt;/a&gt; is not surveillance dressed up as account protection. It is purpose-bound telemetry used to make proportionate security decisions.&lt;/p&gt;
&lt;h2&gt;Minimise the Signal Set&lt;/h2&gt;
&lt;p&gt;Security teams should start with the action they are protecting.&lt;/p&gt;
&lt;p&gt;A login attempt may need credential risk, source network context, browser consistency, known client status, failed-attempt history, and session age. A password reset may need different evidence. A checkout using stored payment details may need another set again. There is rarely a good reason to collect every possible signal for every route.&lt;/p&gt;
&lt;p&gt;This is especially important with browser and device evidence. &lt;a href="/learning/fingerprinting/what-is-browser-fingerprinting/"&gt;Browser fingerprinting&lt;/a&gt; can include headers, client hints, JavaScript-visible properties, rendering behaviour, storage behaviour, timezone, language, and other consistency checks. Those signals can be useful for detecting automation, anti-detect browsers, session abuse, and high-risk account changes. They can also be privacy-sensitive if collected broadly or retained without a clear purpose.&lt;/p&gt;
&lt;p&gt;The practical standard should be simple: collect what is needed for the account defence decision, attach it to that decision, and avoid turning uniqueness into the goal.&lt;/p&gt;
&lt;h2&gt;Use Evidence Over Identity&lt;/h2&gt;
&lt;p&gt;A security system does not need to know who a person "really" is to make a better login decision. It often only needs to know whether the request looks consistent with the account, route, browser, network path, and recent behaviour.&lt;/p&gt;
&lt;p&gt;That is where &lt;a href="/solutions/use-case/verified-browser-trust/"&gt;verified browser trust&lt;/a&gt; fits. The point is not to label a human being. The point is to decide whether a browser-like request has returned enough trustworthy evidence to proceed on a sensitive path. If the evidence is weak, the system can choose a proportionate response: log, challenge, rate limit, step up authentication, or send the event for review.&lt;/p&gt;
&lt;p&gt;Network evidence should be handled the same way. &lt;a href="/learning/fingerprinting/network-fingerprint-signals-and-security-decisions/"&gt;Network fingerprint signals&lt;/a&gt; can help distinguish ordinary browser traffic from automation, proxy paths, unusual client stacks, or inconsistent request shapes. But a network signal is not a person. It is one piece of evidence attached to a request.&lt;/p&gt;
&lt;p&gt;That framing reduces overreach. It also improves operations because decisions remain reviewable. If a customer is challenged, support and security teams should be able to see the route, risk signals, and policy reason without needing a vague black-box identity claim.&lt;/p&gt;
&lt;h2&gt;Be Careful With Behavioural Analytics&lt;/h2&gt;
&lt;p&gt;Behavioural analytics can help detect account compromise, especially when a session changes sharply from normal account usage. A customer who normally logs in from one region and browses slowly may deserve extra scrutiny if the same account suddenly logs in from unfamiliar infrastructure, changes email, redeems stored value, and checks out quickly.&lt;/p&gt;
&lt;p&gt;But behavioural systems have limits.&lt;/p&gt;
&lt;p&gt;Some users are sporadic. Some travel. Some use privacy tools. Some share devices. Some change browsers or phones. Some only visit when there is a problem. If there is not enough history, the system should admit that uncertainty rather than pretending the baseline is stronger than it is.&lt;/p&gt;
&lt;p&gt;That is where adaptive security is useful. Low-confidence evidence does not always justify a hard block. It might justify logging, a lower rate limit, a step-up challenge on a sensitive action, or a temporary hold on a risky change.&lt;/p&gt;
&lt;p&gt;The aim is not perfect recognition. It is better decision-making under uncertainty.&lt;/p&gt;
&lt;h2&gt;Make Retention and Purpose Part of the Design&lt;/h2&gt;
&lt;p&gt;Privacy-respecting account security is not only about which signals are collected. It is also about how long they are kept, where they are used, and who can inspect them.&lt;/p&gt;
&lt;p&gt;Useful practices include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Tie telemetry to account defence purposes such as login risk, bot detection, account recovery, checkout abuse, and API misuse.&lt;/li&gt;
&lt;li&gt;Prefer route-specific evidence over broad user profiling.&lt;/li&gt;
&lt;li&gt;Keep raw signals only where they are needed for detection, audit, or investigation.&lt;/li&gt;
&lt;li&gt;Store decision evidence in a way operators can review.&lt;/li&gt;
&lt;li&gt;Avoid using security telemetry for unrelated marketing or behavioural targeting.&lt;/li&gt;
&lt;li&gt;Tune controls so low-risk users are not repeatedly challenged without cause.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Peakhour should not pretend that account security can happen with no fingerprints, no telemetry, and no judgement. Modern attacks abuse valid credentials, residential proxy paths, automation frameworks, API routes, and post-login workflows. Defenders need evidence.&lt;/p&gt;
&lt;p&gt;The privacy-respecting position is narrower and stronger: collect the right evidence for the security decision, minimise it, keep it purpose-bound, and treat fingerprints as confidence signals rather than personal identity.&lt;/p&gt;
&lt;p&gt;That is how account security can become safer without turning every login into tracking for its own sake.&lt;/p&gt;</content><category term="API Security"></category><category term="API Security"></category><category term="Account Protection"></category><category term="Contextual Security"></category><category term="Privacy"></category><category term="Fingerprinting"></category><category term="Risk-Based Authentication"></category></entry><entry><title>The Invisibility Cloak</title><link href="https://www.peakhour.io/blog/bots-residential-proxies-anti-detect-browsers/" rel="alternate"></link><published>2025-09-01T00:00:00+10:00</published><updated>2025-09-01T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-09-01:/blog/bots-residential-proxies-anti-detect-browsers/</id><summary type="html">&lt;p&gt;Learn how attackers combine residential proxies and anti-detect browsers to evade detection and how modern security tools can fight back.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Every time you connect to a website, you leave behind a "digital fingerprint." This is not a physical fingerprint, but a set of signals from your device and browser. Security tools analyse this fingerprint—which includes your IP address, browser type, operating system, supported fonts, and even subtle characteristics of your network connection (&lt;a href="/blog/tls-fingerprinting/"&gt;TLS fingerprinting&lt;/a&gt;)—to distinguish legitimate users from malicious bots.&lt;/p&gt;
&lt;p&gt;For years, this was a reliable way to spot automated threats. Bots often had clumsy, inconsistent fingerprints that made them easier to identify. Today, attackers can combine tools that mimic real users closely enough to weaken many traditional defences. The two most important components of this modern "invisibility cloak" are &lt;a href="/products/residential-proxy-detection/"&gt;residential proxies&lt;/a&gt; and anti-detect browsers.&lt;/p&gt;
&lt;h2&gt;What Are Residential Proxies?&lt;/h2&gt;
&lt;p&gt;A residential proxy is an intermediary server that uses an IP address assigned by an Internet Service Provider (ISP) to a real home internet connection. When a bot routes its traffic through a residential proxy, its requests appear to originate from a genuine home user, not a data centre.&lt;/p&gt;
&lt;p&gt;These proxy networks are large, often containing millions of IP addresses sourced from around the globe. How are these IPs obtained? Often through questionable means:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Malware and Botnets&lt;/strong&gt;: Unsuspecting users' devices are infected with malware that turns them into proxy endpoints.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SDKs in Free Apps&lt;/strong&gt;: Some free applications (often VPNs or mobile apps) include code that enrols the user's device into a proxy network in exchange for using the app, often without the user's full knowledge or consent.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;By rotating through this large pool of legitimate-looking IPs, attackers can launch large-scale attacks that are difficult to separate from normal traffic. To a website's security system, a distributed attack from a residential proxy network looks like thousands of individual customers from different locations.&lt;/p&gt;
&lt;h2&gt;What Are Anti-Detect Browsers?&lt;/h2&gt;
&lt;p&gt;While residential proxies mask the attacker's network location, anti-detect browsers are designed to spoof the rest of the digital fingerprint. These specialised browsers allow an attacker to create and manage thousands of unique browser profiles, each with a customised and consistent fingerprint.&lt;/p&gt;
&lt;p&gt;An anti-detect browser can control and randomise every detail a website uses for identification, including:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Browser type and version (e.g., Chrome, Firefox, Safari)&lt;/li&gt;
&lt;li&gt;Operating system (Windows, macOS, iOS, Android)&lt;/li&gt;
&lt;li&gt;Screen resolution, fonts, and plugins&lt;/li&gt;
&lt;li&gt;Time zone and language settings&lt;/li&gt;
&lt;li&gt;Subtle browser characteristics like Canvas and WebGL rendering&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;With a few clicks, an attacker can make a single machine in one country appear as thousands of unique users on different devices and operating systems from all over the world.&lt;/p&gt;
&lt;h2&gt;The Combined Threat: A Perfect Storm for Attacks&lt;/h2&gt;
&lt;p&gt;When attackers combine residential proxies with anti-detect browsers, they cover both the network and browser layers that many controls rely on. The residential proxy provides a legitimate IP address, and the anti-detect browser provides a consistent, human-looking browser fingerprint.&lt;/p&gt;
&lt;p&gt;This combination makes attacks like large-scale credential stuffing, content scraping, and inventory scalping much harder to distinguish from legitimate user traffic. Each malicious request appears to be from a unique person on a standard device, using a normal home internet connection.&lt;/p&gt;
&lt;h2&gt;Why Traditional Defenses Fail and What to Do About It&lt;/h2&gt;
&lt;p&gt;This level of sophistication weakens traditional security measures:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;IP Blocklists and Reputation Services&lt;/strong&gt;: These struggle when attackers are using a constantly rotating pool of millions of legitimate residential IP addresses. Our own research shows that even the best IP intelligence services &lt;a href="/blog/anti-fraud-residential-proxy-detection/"&gt;fail to detect the vast majority of residential proxy traffic&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Basic Browser Fingerprinting&lt;/strong&gt;: Anti-detect browsers are specifically designed to defeat these checks by providing a consistent and realistic fingerprint.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;To combat this combined threat, organisations need a modern approach to bot detection that looks beyond the surface:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Advanced Network Fingerprinting&lt;/strong&gt;: Instead of just looking at the IP address, modern solutions analyse the underlying characteristics of the network connection itself (like the TLS/JA3 fingerprint). These signatures can often identify the underlying automation tool or proxy network, even when the IP address appears legitimate.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Behavioural Analysis&lt;/strong&gt;: Advanced systems model normal user behaviour—such as mouse movements, typing speed, and page navigation—to identify the subtle, non-human patterns of automation that even sophisticated bots can't perfectly mimic.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Hardware and Rendering Fingerprinting&lt;/strong&gt;: While anti-detect browsers can spoof software-level details, faking the underlying hardware is far more difficult. Advanced techniques, such as those used in &lt;a href="/learning/fingerprinting/what-is-google-picasso/"&gt;Google's Picasso&lt;/a&gt;, analyse how a device renders graphics (e.g., Canvas and WebGL), processes audio, and performs CPU-intensive tasks. This creates a hardware fingerprint based on the unique characteristics of the GPU, audio stack, and CPU clock speed. This fingerprint can reveal inconsistencies between the claimed browser profile and the actual hardware being used. When combined with network fingerprinting and residential proxy detection, this becomes a strong signal for identifying a single machine attempting to impersonate many different users.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Dedicated Residential Proxy Detection&lt;/strong&gt;: Specialised techniques are required to identify traffic coming from residential proxy networks. This is a critical signal, as very few legitimate users have a reason to route their traffic this way.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Attackers using residential proxies and anti-detect browsers are harder to identify, but they still leave signals. Network characteristics, hardware fingerprints, and the behavioural tells of automation give security teams a better chance of separating the bot from the user it is trying to resemble.&lt;/p&gt;</content><category term="Security"></category><category term="Browser Fingerprinting"></category><category term="Fingerprinting"></category><category term="Residential Proxies"></category><category term="Bot Management"></category><category term="TLS Fingerprinting"></category><category term="Credential Stuffing"></category></entry><entry><title>How MTU Fingerprinting Identifies VPNs and Mobile Users</title><link href="https://www.peakhour.io/blog/mtu-fingerprinting-vpn-mobile-detection/" rel="alternate"></link><published>2025-01-15T14:00:00+11:00</published><updated>2025-01-15T14:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-01-15:/blog/mtu-fingerprinting-vpn-mobile-detection/</id><summary type="html">&lt;p&gt;Learn how MTU fingerprinting reveals VPN usage, mobile connections, and network technologies through TCP handshake analysis. Discover practical SQL techniques for dynamic network intelligence.&lt;/p&gt;</summary><content type="html">&lt;p&gt;For traffic analysis, it helps to know how a user reached the service. Are they on a home network, a mobile connection, or a VPN? Deep packet inspection is invasive, but TCP handshake metadata can still carry useful context about the Maximum Transmission Unit (MTU) a connection appears to be using. By analysing those inferred MTU values, we can build "fingerprints" that point to the underlying network technology carrying the connection.&lt;/p&gt;
&lt;p&gt;This article looks at how common technologies affect MTU values and shows how a SQL query can turn that data into useful network labels.&lt;/p&gt;
&lt;h2&gt;What is MTU and Why Does it Change?&lt;/h2&gt;
&lt;p&gt;The Maximum Transmission Unit (MTU) is the largest data packet, or frame, that a network-connected device can transmit. On standard Ethernet networks, this value is typically 1500 bytes. Larger payloads have to be split into chunks that fit that limit.&lt;/p&gt;
&lt;h3&gt;Encapsulation and Tunneling&lt;/h3&gt;
&lt;p&gt;The value starts to shift when tunnelling protocols are involved, including those used by VPNs and mobile networks. These protocols wrap the original data packet inside another packet, a process called encapsulation. The outer packet has its own headers for routing and management.&lt;/p&gt;
&lt;p&gt;This encapsulation "steals" space from the original 1500 bytes available on the physical network. If a tunnelling protocol adds 60 bytes of headers, for example, the maximum size for the &lt;em&gt;original&lt;/em&gt; data packet is now 1440 bytes (&lt;code&gt;1500 - 60&lt;/code&gt;).&lt;/p&gt;
&lt;h3&gt;The Problem with Fragmentation&lt;/h3&gt;
&lt;p&gt;What happens if a device tries to send a 1500-byte packet through this 1440-byte tunnel? The packet has to be broken into smaller pieces, a process called fragmentation. It works, but it is inefficient. Fragmentation consumes CPU resources on the router performing it, adds header overhead to each fragment, and requires the receiving device to reassemble the pieces. The result is lower speed and higher latency.&lt;/p&gt;
&lt;p&gt;To avoid that penalty, operating systems and network devices reduce the MTU of the connection to account for the tunnel's overhead. The amount of the reduction follows from the tunnelling protocol in use. That predictable drop is the basis for MTU fingerprinting.&lt;/p&gt;
&lt;h2&gt;A Guide to Common MTU Values&lt;/h2&gt;
&lt;p&gt;Different technologies add different overheads, which produces distinct MTU values.&lt;/p&gt;
&lt;h3&gt;WireGuard&lt;/h3&gt;
&lt;p&gt;WireGuard is a modern VPN known for its efficiency, but it still adds overhead.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;IPv4 Overhead&lt;/strong&gt;: 60 bytes (20-byte IPv4 header + 8-byte UDP header + 32-byte WireGuard header).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;IPv6 Overhead&lt;/strong&gt;: 80 bytes (40-byte IPv6 header + 8-byte UDP header + 32-byte WireGuard header).&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;On a standard 1500-byte network, that produces predictable MTU values:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;1500 - 60 = 1440 bytes&lt;/code&gt; (WireGuard over IPv4)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;1500 - 80 = 1420 bytes&lt;/code&gt; (WireGuard over IPv6)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;There is a special case with ISPs that use DS-Lite (Dual-Stack Lite) to carry IPv4 traffic over an IPv6 network. This adds another 40-byte IPv6 header, reducing the MTU further.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;1420 - 40 = 1380 bytes&lt;/code&gt; (WireGuard over DS-Lite)&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;OpenVPN&lt;/h3&gt;
&lt;p&gt;OpenVPN is another common VPN solution, but its fingerprint is less tidy. Instead of setting a static interface MTU, OpenVPN often uses a feature called &lt;code&gt;mssfix&lt;/code&gt;. This dynamically adjusts the Maximum Segment Size (MSS) value within the TCP headers of encapsulated packets to prevent fragmentation.&lt;/p&gt;
&lt;p&gt;The MSS is the MTU minus the IP and TCP header sizes (typically 40 bytes for IPv4). The exact MSS value, and therefore the effective MTU, depends on OpenVPN's configuration, including the transport protocol (UDP or TCP), cipher, MAC algorithm, and compression. As noted by security researcher ValdikSS, these unique MSS values can be used to fingerprint a connection with high precision. For example, a common configuration might result in an MSS of 1369, which corresponds to an effective MTU of 1409 (&lt;code&gt;1369 + 40&lt;/code&gt;).&lt;/p&gt;
&lt;p&gt;For general analysis, connections with an MTU around &lt;strong&gt;1400&lt;/strong&gt; or &lt;strong&gt;1380&lt;/strong&gt; bytes often indicate OpenVPN or other VPN usage, especially when seen with other factors.&lt;/p&gt;
&lt;h3&gt;Mobile Networks (LTE &amp;amp; 5G)&lt;/h3&gt;
&lt;p&gt;Mobile networks also modify MTU values. When your phone connects to the internet, its data is tunnelled through the carrier's network using the GPRS Tunnelling Protocol (GTP). This encapsulation adds its own layer of headers.&lt;/p&gt;
&lt;p&gt;As detailed by Nick vs Networking, the typical overhead for GTP traffic over an Ethernet transport network is &lt;strong&gt;50 bytes&lt;/strong&gt;:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;14 bytes for the Ethernet header&lt;/li&gt;
&lt;li&gt;20 bytes for the outer IPv4 header&lt;/li&gt;
&lt;li&gt;8 bytes for the UDP header&lt;/li&gt;
&lt;li&gt;8 bytes for the GTP header&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For a mobile carrier using a standard 1500-byte MTU on its transport network, the maximum MTU available to the user's device is &lt;strong&gt;1450 bytes&lt;/strong&gt; (&lt;code&gt;1500 - 50&lt;/code&gt;).&lt;/p&gt;
&lt;p&gt;Mobile devices don't guess this value; they are explicitly told what MTU to use by the network during the connection setup process (via Protocol Configuration Options). Mobile operators have two choices to avoid fragmentation:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Increase Transport MTU&lt;/strong&gt;: Enable jumbo frames (for example, 1600 bytes or more) on their internal network to accommodate the 50-byte overhead and still provide a full 1500-byte MTU to the user.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Lower Advertised MTU&lt;/strong&gt;: Advertise a lower MTU to the user's device. This is why values such as &lt;strong&gt;1450&lt;/strong&gt; are common. Some operators may configure a more conservative MTU, such as &lt;strong&gt;1300 bytes&lt;/strong&gt;, to maintain stability across all parts of their network.&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;Other Common Values&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Standard Ethernet&lt;/strong&gt;: The baseline is &lt;strong&gt;1500 bytes&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;PPPoE&lt;/strong&gt;: Common for DSL connections, adds 8 bytes of overhead, resulting in an MTU of &lt;strong&gt;1492 bytes&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;IPv6 Minimum&lt;/strong&gt;: The IPv6 specification mandates a minimum MTU of &lt;strong&gt;1280 bytes&lt;/strong&gt;, so this value is also a significant marker.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Analysis with SQL&lt;/h2&gt;
&lt;p&gt;With this context, we can analyse network logs to classify user connections. The following SQL query buckets and attributes MTU values from a large dataset, turning raw numbers into meaningful labels.&lt;/p&gt;
&lt;p&gt;The query works in several stages:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Extract Data&lt;/strong&gt;: It parses the MTU from a fingerprint string in the logs.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Bucket MTUs&lt;/strong&gt;: It uses a &lt;code&gt;CASE&lt;/code&gt; statement to group MTUs. Specific known values, such as 1500, 1440, 1420, and 1380, go into their own buckets. Jumbo frames (&amp;gt;1500) are grouped into 100-byte buckets, and everything else is grouped into 20-byte buckets.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Attribute Buckets&lt;/strong&gt;: In the final &lt;code&gt;SELECT&lt;/code&gt;, another &lt;code&gt;CASE&lt;/code&gt; statement translates those numeric buckets into human-readable descriptions based on the fingerprints we've identified.&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;The Query&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="c1"&gt;-- Bucketing logic and attribution informed by research from:&lt;/span&gt;
&lt;span class="c1"&gt;-- https://ripx80.de/posts/06-wg-mtu/ (WireGuard)&lt;/span&gt;
&lt;span class="c1"&gt;-- https://medium.com/@ValdikSS/detecting-vpn-and-its-configuration-and-proxy-users-on-the-server-side-1bcc59742413 (OpenVPN)&lt;/span&gt;
&lt;span class="c1"&gt;-- https://nickvsnetworking.com/mtu-in-lte-5g-transmission-networks-part-1/ (Mobile Networks)&lt;/span&gt;
&lt;span class="k"&gt;WITH&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;base_data&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;SELECT&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;toInt32OrNull&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;splitByChar&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;:&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;splitByChar&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;,&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;synner_fingerprint&lt;/span&gt;&lt;span class="p"&gt;)[&lt;/span&gt;&lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;])[&lt;/span&gt;&lt;span class="mi"&gt;4&lt;/span&gt;&lt;span class="p"&gt;])&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;toInt32OrNull&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;splitByChar&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;:&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;splitByChar&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;,&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;synner_fingerprint&lt;/span&gt;&lt;span class="p"&gt;)[&lt;/span&gt;&lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;])[&lt;/span&gt;&lt;span class="mi"&gt;5&lt;/span&gt;&lt;span class="p"&gt;])&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;wsize&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;toInt32OrNull&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;splitByChar&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;:&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;splitByChar&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;,&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;synner_fingerprint&lt;/span&gt;&lt;span class="p"&gt;)[&lt;/span&gt;&lt;span class="mi"&gt;2&lt;/span&gt;&lt;span class="p"&gt;])[&lt;/span&gt;&lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;])&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;scale&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;tls&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;handshake_rtt_us&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;tcp&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;min_rtt_us&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;65000&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;is_high_latency&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;logs&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;client_logs&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;WHERE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;time&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;2025-07-01&amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AND&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;shielded&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;
&lt;span class="p"&gt;),&lt;/span&gt;
&lt;span class="n"&gt;main_aggs&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;SELECT&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;CASE&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1500&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1500&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1440&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1440&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1420&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1420&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1380&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1380&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1500&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1501&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;intDiv&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1501&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;100&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;100&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="k"&gt;ELSE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;intDiv&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;20&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;20&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;END&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;countIf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;is_high_latency&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;high_latency_count&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;countIf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="k"&gt;not&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;is_high_latency&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;normal_latency_count&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;round&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="k"&gt;avg&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;wsize&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;pow&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;2&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;scale&lt;/span&gt;&lt;span class="p"&gt;)))&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;avg_real_wsize&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;base_data&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;WHERE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;IS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;NOT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;NULL&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AND&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;wsize&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;IS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;NOT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;NULL&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AND&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;scale&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;IS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;NOT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;NULL&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;GROUP&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;BY&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;
&lt;span class="p"&gt;),&lt;/span&gt;
&lt;span class="n"&gt;top_wsizes&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;SELECT&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;groupArray&lt;/span&gt;&lt;span class="p"&gt;((&lt;/span&gt;&lt;span class="n"&gt;wsize&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;cnt&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;top_wsizes&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;FROM&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;SELECT&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="k"&gt;CASE&lt;/span&gt;
&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1500&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1500&lt;/span&gt;
&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1440&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1440&lt;/span&gt;
&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1420&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1420&lt;/span&gt;
&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1380&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1380&lt;/span&gt;
&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1500&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1501&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;intDiv&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1501&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;100&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;100&lt;/span&gt;
&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="k"&gt;ELSE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;intDiv&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;20&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;20&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="k"&gt;END&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="n"&gt;wsize&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="k"&gt;count&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;cnt&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="n"&gt;row_number&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;OVER&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;PARTITION&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;BY&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;ORDER&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;BY&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;cnt&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;DESC&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;rn&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;base_data&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;WHERE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;IS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;NOT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;NULL&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AND&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;wsize&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;IS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;NOT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;NULL&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AND&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;scale&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;IS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;NOT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;NULL&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;GROUP&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;BY&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;wsize&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;WHERE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;rn&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;lt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;5&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;GROUP&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;BY&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;
&lt;span class="p"&gt;),&lt;/span&gt;
&lt;span class="n"&gt;top_scales&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;SELECT&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;groupArray&lt;/span&gt;&lt;span class="p"&gt;((&lt;/span&gt;&lt;span class="k"&gt;scale&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;cnt&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;top_scales&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;FROM&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;SELECT&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="k"&gt;CASE&lt;/span&gt;
&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1500&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1500&lt;/span&gt;
&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1440&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1440&lt;/span&gt;
&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1420&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1420&lt;/span&gt;
&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1380&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1380&lt;/span&gt;
&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1500&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1501&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;intDiv&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1501&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;100&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;100&lt;/span&gt;
&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="k"&gt;ELSE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;intDiv&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;20&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;20&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="k"&gt;END&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="k"&gt;scale&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="k"&gt;count&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;cnt&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="n"&gt;row_number&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;OVER&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;PARTITION&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;BY&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;ORDER&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;BY&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;cnt&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;DESC&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;rn&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;base_data&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;WHERE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;IS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;NOT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;NULL&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AND&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;wsize&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;IS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;NOT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;NULL&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AND&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;scale&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;IS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;NOT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;NULL&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;GROUP&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;BY&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;scale&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;WHERE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;rn&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;lt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;5&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;GROUP&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;BY&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;
&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="k"&gt;SELECT&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;CASE&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;IN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;1500&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1440&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1420&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1380&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;toString&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1500&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;concat&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;toString&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;-&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;toString&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;99&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;ELSE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;concat&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;toString&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;-&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;toString&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;19&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;END&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_range&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;CASE&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1500&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;Standard Ethernet&amp;#39;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1480&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;Likely PPPoE (e.g., 1492)&amp;#39;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1460&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;Likely DS-Lite/GRE Tunnel&amp;#39;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1440&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;Likely Mobile LTE/5G (e.g., 1450) / WireGuard over IPv4&amp;#39;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1420&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;WireGuard over IPv6&amp;#39;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1400&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;Likely OpenVPN / Mobile&amp;#39;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1380&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;Likely OpenVPN / WireGuard over DS-Lite / Mobile&amp;#39;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1300&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;Likely Mobile LTE/5G configured&amp;#39;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1280&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;IPv6 Minimum&amp;#39;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;WHEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;1500&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;THEN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;Jumbo Frame&amp;#39;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;ELSE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;Other&amp;#39;&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;END&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_attribution&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="n"&gt;high_latency_count&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="n"&gt;normal_latency_count&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="n"&gt;round&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;high_latency_count&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;high_latency_count&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;normal_latency_count&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;2&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;high_latency_ratio&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="n"&gt;top_wsizes&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="n"&gt;top_scales&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="n"&gt;avg_real_wsize&lt;/span&gt;
&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;main_aggs&lt;/span&gt;
&lt;span class="k"&gt;LEFT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;JOIN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;top_wsizes&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;USING&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="k"&gt;LEFT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;JOIN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;top_scales&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;USING&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="k"&gt;WHERE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;high_latency_count&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;normal_latency_count&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;10000&lt;/span&gt;
&lt;span class="k"&gt;ORDER&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;BY&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtu_bucket&lt;/span&gt;
&lt;span class="k"&gt;LIMIT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;50&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;FORMAT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;Vertical&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h2&gt;Why Jumbo Frames Matter&lt;/h2&gt;
&lt;p&gt;Jumbo frames (MTU values greater than 1500 bytes) are a useful edge case in MTU fingerprinting. These frames, typically ranging from 9000-9216 bytes, are primarily used in high-performance computing environments, data centres, and enterprise networks where throughput optimisation is important.&lt;/p&gt;
&lt;p&gt;When we detect jumbo frame MTUs in our analysis, they often indicate:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Enterprise Users&lt;/strong&gt;: Corporate networks frequently enable jumbo frames for internal communications&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Data Centre Traffic&lt;/strong&gt;: Cloud services and CDNs often use jumbo frames between their infrastructure&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;High-Performance Applications&lt;/strong&gt;: Video streaming, large file transfers, and backup operations can benefit from larger frame sizes&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Network Misconfiguration&lt;/strong&gt;: Jumbo frames sometimes appear because of network equipment misconfiguration&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The presence of jumbo frames can help distinguish consumer and enterprise traffic, adding useful context for traffic classification and security analysis.&lt;/p&gt;
&lt;h2&gt;Practical Use Cases and Applications&lt;/h2&gt;
&lt;p&gt;MTU fingerprinting is useful across several security and operational domains:&lt;/p&gt;
&lt;h3&gt;Security Applications&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;VPN Detection for Compliance&lt;/strong&gt;: Organisations can identify employees bypassing corporate network policies with personal VPNs, supporting compliance with data governance requirements.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Bot Traffic Classification&lt;/strong&gt;: Automated traffic from residential proxy networks often shows consistent MTU patterns that differ from genuine residential users, improving bot detection.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Threat Intelligence Enhancement&lt;/strong&gt;: Correlating MTU patterns with other indicators helps build broader threat profiles and improves attack attribution.&lt;/p&gt;
&lt;h3&gt;Network Operations&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;Performance Optimisation&lt;/strong&gt;: Understanding the MTU distribution of your user base helps optimise content delivery and reduce fragmentation-related performance issues.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Infrastructure Planning&lt;/strong&gt;: MTU analysis reveals the underlying network technologies your users employ, informing CDN placement and capacity planning decisions.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Quality of Service&lt;/strong&gt;: Different MTU patterns correlate with connection quality, enabling proactive support for users on constrained networks.&lt;/p&gt;
&lt;h3&gt;Business Intelligence&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;Market Analysis&lt;/strong&gt;: Geographic and demographic patterns in MTU distribution reveal technology adoption trends and market characteristics.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;User Experience Optimisation&lt;/strong&gt;: Identifying users on mobile or constrained networks enables adaptive content delivery and interface optimisation.&lt;/p&gt;
&lt;h2&gt;Dynamic Analysis vs Static IP Databases&lt;/h2&gt;
&lt;p&gt;MTU fingerprinting is a dynamic signal, which makes it useful alongside static IP reputation databases. It has several practical advantages:&lt;/p&gt;
&lt;h3&gt;Real-Time Adaptation&lt;/h3&gt;
&lt;p&gt;Static IP databases go stale. A residential IP address might be flagged as malicious based on historical activity, but MTU fingerprinting analyses the current network configuration. This dynamic approach captures the infrastructure being used at the moment of connection, providing more accurate and timely intelligence.&lt;/p&gt;
&lt;h3&gt;Circumvention Resistance&lt;/h3&gt;
&lt;p&gt;Attackers can rotate IP addresses or use clean residential proxies to bypass static blacklists. It is harder to manipulate the network characteristics that influence MTU values, because MTU is determined by the underlying network infrastructure.&lt;/p&gt;
&lt;h3&gt;Granular Classification&lt;/h3&gt;
&lt;p&gt;Where IP databases provide binary classifications (malicious/benign), MTU fingerprinting offers more detail on the specific technologies and configurations in use. This granularity enables more sophisticated risk assessment and response strategies.&lt;/p&gt;
&lt;h3&gt;Reduced False Positives&lt;/h3&gt;
&lt;p&gt;Static databases often flag legitimate users sharing IP addresses with malicious actors, which is common with residential ISPs and mobile carriers. MTU fingerprinting focuses on network behaviour rather than IP reputation, reducing false positive rates while maintaining security effectiveness.&lt;/p&gt;
&lt;h3&gt;Infrastructure Transparency&lt;/h3&gt;
&lt;p&gt;MTU analysis reveals the network path and technologies involved in a connection, providing transparency that static IP databases cannot match. This visibility enables more informed security decisions and a better understanding of threat actor capabilities.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;MTU fingerprinting turns network metadata into useful context about the infrastructure behind a connection. Unlike static databases that rely on historical reputation, this dynamic analysis technique provides real-time insight into network technologies, user behaviours, and potential security threats.&lt;/p&gt;
&lt;p&gt;By understanding MTU patterns, security teams can identify VPN usage, classify mobile traffic, detect residential proxy abuse, and optimise network performance. Its resistance to circumvention and low false-positive rates make it a useful addition to modern security architectures.&lt;/p&gt;
&lt;p&gt;As network technologies continue to evolve, MTU fingerprinting provides a stable way to understand and classify traffic based on fundamental network characteristics rather than short-lived indicators. That makes it a practical signal for network security and operations.&lt;/p&gt;</content><category term="Bots"></category><category term="Threat Detection"></category><category term="Fingerprinting"></category><category term="Networking"></category><category term="Residential Proxies"></category><category term="TLS Fingerprinting"></category><category term="DDoS"></category></entry><entry><title>Anti-Detect Browsers</title><link href="https://www.peakhour.io/blog/anti-detect-browsers-application-security-threat/" rel="alternate"></link><published>2025-01-15T10:00:00+11:00</published><updated>2025-01-15T10:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-01-15:/blog/anti-detect-browsers-application-security-threat/</id><summary type="html">&lt;p&gt;Anti-detect browsers represent one of the most sophisticated threats facing modern web applications and APIs. Learn how these tools work, why they pose a significant threat to application security, and how modern security platforms can detect and mitigate their use.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Anti-detect browsers matter to defenders because they attack the assumptions behind browser trust. Many bot and fraud controls look for consistency between the browser, network, session, and behaviour. Anti-detect tooling is designed to make automated or repeated activity look more like separate ordinary browser sessions.&lt;/p&gt;
&lt;p&gt;This article is not a guide to using those tools. The defensive question is simpler: when a browser tries to look ordinary, what can still be observed safely, and how should that evidence affect a request decision?&lt;/p&gt;
&lt;h2&gt;Why They Create Risk&lt;/h2&gt;
&lt;p&gt;Anti-detect browsers are often discussed as a browser-fingerprinting problem, but the risk is wider than that. The same traffic may also involve residential proxies, credential lists, automation, and API requests that never run browser-side checks. A login attempt, account creation flow, product scrape, checkout request, or mobile API call may look valid at the protocol level while still being part of an automated campaign.&lt;/p&gt;
&lt;p&gt;The hard part is that some signals are genuinely ambiguous. A changed browser, a new device, a shared network, or a privacy tool does not prove abuse. A defensive system has to treat those observations as risk inputs, not as standalone verdicts.&lt;/p&gt;
&lt;h2&gt;Browser Consistency Is Evidence, Not Identity&lt;/h2&gt;
&lt;p&gt;Anti-detect tooling tries to make browser-reported attributes look internally consistent. That weakens simple checks that only ask whether the browser appears plausible. Defenders need a broader view: does the claimed browser line up with the network stack, TLS and HTTP behaviour, session history, cookie continuity, route sequence, response-code pattern, and recent account behaviour?&lt;/p&gt;
&lt;p&gt;That does not mean a fingerprint identifies a person. Fingerprints classify software, client behaviour, and connection characteristics. They can help separate likely automation from ordinary traffic, but they need to be combined with route, account, proxy, and behavioural context. The result should be a risk classification with evidence attached, not an unexplained block.&lt;/p&gt;
&lt;h2&gt;Residential Proxies Change the Decision&lt;/h2&gt;
&lt;p&gt;Residential proxies are a common companion signal because they make requests appear to come from consumer networks. That creates a false-positive problem. Real customers also use shared residential, mobile, office, carrier-grade NAT, and public Wi-Fi networks. Blocking every suspicious or shared source would damage legitimate traffic.&lt;/p&gt;
&lt;p&gt;The safer approach is to use &lt;a href="/products/residential-proxy-detection/"&gt;residential proxy detection&lt;/a&gt; as one input in the decision. A proxy signal on a public content page may be logged. The same signal on repeated login failures, account creation, checkout abuse, or sensitive APIs may justify a challenge, rate limit, or block. Context changes the action.&lt;/p&gt;
&lt;h2&gt;The API Gap&lt;/h2&gt;
&lt;p&gt;Browser-side checks are weakest where the browser is not present. Mobile apps, partner integrations, token routes, and direct API clients may not expose the same JavaScript or browser evidence that a web page does. Attackers do not need a convincing browser if the target workflow accepts valid-looking API requests.&lt;/p&gt;
&lt;p&gt;That is why anti-detect risk belongs in the wider &lt;a href="/solutions/application-security/"&gt;application security&lt;/a&gt; model. API routes need method, schema, authentication, token, request cadence, response-code, account, and bot context. If the only signal available is an IP address, the decision will be too blunt.&lt;/p&gt;
&lt;h2&gt;Observable Signals Defenders Can Use&lt;/h2&gt;
&lt;p&gt;The useful evidence is usually the mismatch between what the request claims to be and how it behaves over time. A browser may look plausible on one request, but the wider pattern can still show automation: repeated attempts across accounts, route sequences that normal users do not follow, cache-miss pressure on expensive pages, unusual response-code loops, or browser and network characteristics that drift in ways ordinary clients rarely do.&lt;/p&gt;
&lt;p&gt;&lt;a href="/products/bot-management/"&gt;Bot Management&lt;/a&gt; works best when it combines these signals rather than chasing a single magic detector. IP intelligence, proxy classification, network and browser fingerprints, route-aware rates, API state, WAF findings, and behaviour should all feed the same action vocabulary: allow, challenge, rate limit, block, log, or review.&lt;/p&gt;
&lt;h2&gt;Safer Defensive Response&lt;/h2&gt;
&lt;p&gt;The defensive response should be proportionate. High-confidence exploit traffic can be blocked quickly. Uncertain browser or proxy evidence may be better challenged, rate limited, or logged until the pattern is clearer. Sensitive routes should have tighter policy than public content. Account-impacting actions should preserve enough evidence for review.&lt;/p&gt;
&lt;p&gt;This is especially important for support teams. If a real customer is challenged or blocked, operators need to see which signal drove the action and which route was involved. Without that record, anti-bot policy becomes a black box.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Anti-detect browsers are a practical problem because they reduce the value of simple browser checks. They do not make traffic invisible. They leave request-path evidence in network behaviour, route sequences, account activity, API usage, proxy signals, and response patterns.&lt;/p&gt;
&lt;p&gt;The right goal is not to identify a person from a fingerprint or to block every unusual browser. The goal is to classify risk with enough context to choose a safe action at the edge, then keep the evidence available for tuning and review.&lt;/p&gt;</content><category term="Bots"></category><category term="Bot Management"></category><category term="Threat Detection"></category><category term="Application Security"></category><category term="Browser Fingerprinting"></category><category term="Fingerprinting"></category><category term="DevSecOps"></category></entry><entry><title>Google Chrome's "IP Protection" vs Apple Private Relay</title><link href="https://www.peakhour.io/blog/apple-private-relay-vs-google-ip-protection/" rel="alternate"></link><published>2023-10-25T13:00:00+11:00</published><updated>2023-10-25T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-10-25:/blog/apple-private-relay-vs-google-ip-protection/</id><summary type="html">&lt;p&gt;An exploration of Google Chrome's new "IP Protection" feature and a comparison with Apple's iCloud Private Relay.&lt;/p&gt;</summary><content type="html">&lt;h2&gt;Google Chrome's "IP Protection" vs. Apple's iCloud Private Relay&lt;/h2&gt;
&lt;p&gt;Google and Apple are both pushing browser-level privacy features that reduce how much a website can infer from a user's
IP address. Google's recent announcement of its "IP Protection" feature for Chrome follows Apple's iCloud Private Relay,
but the two approaches are not the same.&lt;/p&gt;
&lt;h2&gt;Apple's iCloud Private Relay: A Closer Look&lt;/h2&gt;
&lt;p&gt;In 2021, Apple introduced iCloud Private Relay for paid iCloud+ subscribers. The feature encrypts traffic from the user's
device and routes internet requests through two separate relays. The intention is to stop any single party, including
Apple, from building a comprehensive user profile from IP address, location, and browsing activity.&lt;/p&gt;
&lt;p&gt;However, this feature is specific to Apple's Safari browser. It is not a full VPN; it is a browser-centric service that
protects Safari traffic on iOS, iPadOS, and macOS. The user's internet requests are routed first through an Apple server,
then through a partner network like Akamai, Cloudflare, or Fastly, before reaching the intended destination. This dual-hop
design means neither party has a complete view of both the user's IP address and the browsing destination.&lt;/p&gt;
&lt;h2&gt;Google's "IP Protection": Playing Catch-up?&lt;/h2&gt;
&lt;p&gt;Google's "IP Protection" for Chrome appears to be an answer to Apple's initiative. By masking users' IP addresses using
proxy servers, Google aims to preserve user privacy while keeping essential web functions working. Unlike Apple's
solution, which is limited to Safari, Google's feature potentially has wider application within the Chrome ecosystem.&lt;/p&gt;
&lt;p&gt;However, Google's solution is still early, with phased implementation and limited domain application. Apple has already
integrated and offered iCloud Private Relay to its users; Google is still testing its feature.&lt;/p&gt;
&lt;h2&gt;Can Apple Allow Google's Feature on Chrome?&lt;/h2&gt;
&lt;p&gt;Given the competitive nature of the technology industry, it remains uncertain whether Apple will allow Google's IP
Protection feature on Chrome for Apple devices. With iCloud Private Relay already in place, Apple may see Google's
feature as redundant or conflicting with its privacy objectives.&lt;/p&gt;
&lt;h2&gt;The Bigger Picture: Ad Tracking and Platform Control&lt;/h2&gt;
&lt;p&gt;Both companies present these changes as privacy improvements, but the platform context matters. Hiding IP addresses does
not remove ad tracking, and privacy features can also reinforce platform control. By making privacy protections part of
their own browsers and ecosystems, Google and Apple can reduce some third-party visibility while keeping users inside
platforms they operate and measure.&lt;/p&gt;
&lt;p&gt;Apple's iCloud Private Relay and Google's "IP Protection" both improve some aspects of user privacy, with different
approaches and coverage. As Google plays catch-up to Apple in this area, users should understand what these features do
and what they leave in place. The goal should be genuine online privacy, and as we've discussed in our article on &lt;a href="https://www.peakhour.xyz/blog/tls-fingerprinting/"&gt;TLS fingerprinting&lt;/a&gt;, network-based fingerprinting
is becoming increasingly important for protecting services in this changing environment.&lt;/p&gt;</content><category term="Security"></category><category term="Residential Proxies"></category><category term="API Security"></category><category term="Account Protection"></category><category term="GDPR"></category><category term="Fingerprinting"></category><category term="Bot Management"></category></entry><entry><title>JA4 and JA4+ Network Fingerprinting</title><link href="https://www.peakhour.io/blog/overview-of-ja4-network-fingerprinting/" rel="alternate"></link><published>2023-10-25T13:00:00+11:00</published><updated>2023-10-25T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-10-25:/blog/overview-of-ja4-network-fingerprinting/</id><summary type="html">&lt;p&gt;How JA4 constructs a TLS client fingerprint, what JA4+ names, and which details sorting and hashing discard.&lt;/p&gt;</summary><content type="html">&lt;p&gt;JA4+ is the name FoxIO uses for a family of network fingerprinting methods. JA4 itself is the TLS ClientHello method. It
builds on lessons from JA3, but the wider family also contains separate methods for servers, HTTP, certificates, TCP,
SSH and other observations.&lt;/p&gt;
&lt;h2&gt;JA4 and JA4+&lt;/h2&gt;
&lt;p&gt;JA4 produces an &lt;code&gt;a_b_c&lt;/code&gt; value. Its readable &lt;code&gt;a&lt;/code&gt; section records selected connection properties and counts. The &lt;code&gt;b&lt;/code&gt; and
&lt;code&gt;c&lt;/code&gt; sections are truncated SHA-256 values derived from normalised ClientHello fields. Analysts can compare selected
components, such as &lt;code&gt;JA4_ac&lt;/code&gt;, when the complete fingerprint is too narrow for the question being asked. Other JA4+
methods have their own inputs and specifications; they should not be treated as extra fields inside core JA4.&lt;/p&gt;
&lt;p&gt;JA4+ consists of various components:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;JA4&lt;/strong&gt;: TLS Client&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4S&lt;/strong&gt;: TLS Server Response&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4H&lt;/strong&gt;: HTTP Client&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4L&lt;/strong&gt;: Light Distance/Location&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4X&lt;/strong&gt;: X509 TLS Certificate&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;JA4SSH&lt;/strong&gt;: SSH Traffic&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For a more thorough breakdown, the &lt;a href="https://blog.foxio.io/ja4-network-fingerprinting-9376fe9ca637"&gt;JA4 blog&lt;/a&gt; provides
the announcement and describes the fingerprints.&lt;/p&gt;
&lt;p&gt;JA4+ brings useful improvements, but a few aspects and quirks deserve closer attention.&lt;/p&gt;
&lt;h2&gt;What sorting changes&lt;/h2&gt;
&lt;p&gt;JA4 sorts cipher identifiers and most extension identifiers before hashing them. This was especially useful after
Chrome began permuting TLS extension order. Sorting puts those permutations back into one cohort. It also discards the
order as evidence. That is the trade-off: a more stable identifier retains less information about how the ClientHello
was serialised.&lt;/p&gt;
&lt;p&gt;Where investigation matters, retain the raw JA4 form as well as the compact value. &lt;code&gt;JA4_r&lt;/code&gt; exposes the normalised
cipher, extension and signature-algorithm lists, which makes a difference easier to inspect.&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://www.peakhour.io/blog/tls-fingerprinting/"&gt;overview of TLS fingerprinting&lt;/a&gt; provides a more in-depth explanation of how a TLS signature is formed.&lt;/p&gt;
&lt;p&gt;Chrome's change was intended to stop servers and middleboxes from depending on one fixed extension order. In our
&lt;a href="/blog/tls-extension-randomisation/"&gt;extension-randomisation analysis&lt;/a&gt;, the number of order-sensitive TLS fingerprints
rose sharply after the rollout. Sorting reduced that artificial fragmentation. It did not make the resulting value a
client identity, and it did not preserve every distinction in the original handshake.&lt;/p&gt;
&lt;h2&gt;JA3 and Mercury took different paths&lt;/h2&gt;
&lt;p&gt;Before digging further into JA4+'s features and limitations, it helps to separate two related lineages. The
&lt;a href="https://github.com/salesforce/ja3"&gt;original JA3&lt;/a&gt; established a portable TLS fingerprint that was easy to share and
match. Cisco Mercury developed a richer protocol representation and a separate destination-context classification
system. Mercury is not a predecessor in the JA3-to-JA4 naming line. Our &lt;a href="/blog/two-lineages-tls-fingerprinting/"&gt;history of the two lineages&lt;/a&gt;
explains where their work overlaps and where it does not.&lt;/p&gt;
&lt;h2&gt;Implementation differences still matter&lt;/h2&gt;
&lt;p&gt;While sharing signatures through SHA is appealing, it has limits, most notably potential compatibility issues. As Fastly
&lt;a href="https://www.fastly.com/blog/the-state-of-tls-fingerprinting-whats-working-what-isnt-and-whats-next"&gt;noted&lt;/a&gt;, differences
in the implementation can be hidden behind the SHA hash, causing issues when searching for and correlating signatures
between different services. Record the implementation and version that generated a value; a shared format name does not
prove that two sensors handled every field identically.&lt;/p&gt;
&lt;h2&gt;Check the method, implementation and licence&lt;/h2&gt;
&lt;p&gt;The &lt;a href="https://github.com/FoxIO-LLC/ja4"&gt;official JA4+ repository&lt;/a&gt; contains the current specifications and implementations.
Check the licence for the individual method before adopting it: core JA4 is BSD-3-Clause, while most other JA4+ methods
use the FoxIO Licence and place additional conditions on commercial use.&lt;/p&gt;
&lt;p&gt;For a field-level example rather than a format summary, our &lt;a href="/blog/one-clienthello-ja3-ja4-mercury-lab/"&gt;same-ClientHello lab&lt;/a&gt;
records JA3, JA4, &lt;code&gt;JA4_r&lt;/code&gt; and Mercury NPF output from one packet and pins the implementations that generated them.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="Fingerprinting"></category><category term="Browser Fingerprinting"></category><category term="TLS"></category><category term="SOC 2"></category><category term="Threat Detection"></category></entry><entry><title>Google Chrome's "IP Protection" and Online Privacy</title><link href="https://www.peakhour.io/blog/google-chrome-ip-protection-and-online-privacy/" rel="alternate"></link><published>2023-10-24T13:00:00+11:00</published><updated>2023-10-24T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-10-24:/blog/google-chrome-ip-protection-and-online-privacy/</id><summary type="html">&lt;p&gt;An exploration of Google Chrome's new "IP Protection" feature, its promise of enhanced privacy.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Google plans to introduce an "IP Protection" feature in Chrome. The feature is intended to improve privacy by masking IP
addresses through proxy servers. It may also affect ad tracking and who controls access to online platforms.&lt;/p&gt;
&lt;h2&gt;Understanding IP Addresses and Google's Strategy&lt;/h2&gt;
&lt;p&gt;IP addresses can let websites follow user activity across platforms. Over time, that can build detailed profiles and
create real privacy concerns. Google's "IP Protection" is designed to reduce that signal by sending third-party traffic
through proxies, hiding user IPs. The feature will start as optional, then focus on domains thought to track users.&lt;/p&gt;
&lt;p&gt;At first, Google will use a dedicated proxy for its own domains. As testing continues, the system may change. Google is
also considering a 2-hop proxy system for better privacy, with an outside CDN handling the second proxy.&lt;/p&gt;
&lt;p&gt;Google wants to use proxy connection IPs to give users broad locations, not exact ones. It will test this on platforms
like Gmail and AdServices, in Chrome versions 119 to 225.&lt;/p&gt;
&lt;h2&gt;VPN Growth and Other Browsers&lt;/h2&gt;
&lt;p&gt;The growth of VPN use points to demand for online privacy. VPNs, like Google's IP Protection, hide user IP addresses.
Firefox and Opera have added VPN features to their browsers. Apple, known for user privacy, has worked with CDN
companies on similar privacy improvements.&lt;/p&gt;
&lt;p&gt;This change has trade-offs. Sending traffic through Google's, or others', servers can make it harder for security teams
to handle threats. Google has suggested fixes like checking users with the proxy and rate-limiting to tackle these
problems.&lt;/p&gt;
&lt;h2&gt;What It Means&lt;/h2&gt;
&lt;p&gt;Traditional safety tools like IP reputation and GeoIP methods are becoming less reliable. This change highlights the
role of network-based fingerprinting now. For more on this, read our article
on &lt;a href="https://www-staging.peakhour.xyz/blog/tls-fingerprinting/"&gt;TLS fingerprinting&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;While firms talk about hiding IP addresses, ad tracking is still common. These changes might also push users to certain
platforms. Even if users think they're safe, big tech's tracking tools can still watch them. That can give users a false
sense of safety. Real privacy still needs practical tools and clear public understanding.&lt;/p&gt;</content><category term="Security"></category><category term="Residential Proxies"></category><category term="Account Protection"></category><category term="API Security"></category><category term="DDoS"></category><category term="Fingerprinting"></category><category term="Bot Management"></category></entry><entry><title>Chrome's TLS Extension Randomisation Experiment</title><link href="https://www.peakhour.io/blog/tls-extension-randomisation/" rel="alternate"></link><published>2023-02-02T13:00:00+11:00</published><updated>2023-02-02T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-02-02:/blog/tls-extension-randomisation/</id><summary type="html">&lt;p&gt;Does TLS extension randomisation assist in hiding Chrome?&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;a href="/blog/tls-fingerprinting/"&gt;Transport Layer Security (TLS) fingerprinting&lt;/a&gt; is a commonly used
technique for identifying client processes. To reduce the
risk of server and middlebox fingerprinting of Chrome's current
ClientHello and to make the TLS ecosystem more resilient to changes,
Google Chrome ran an experiment to randomise a portion of
the TLS fingerprint. This experiment was included in Chrome version 108,
which was released on December 8, 2022. You can read the status of the
current experiment on the &lt;a href="https://chromestatus.com/feature/5124606246518784"&gt;chrome status site&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The aim of this experiment was to make it more difficult for server
implementers to fingerprint Chrome and assume specific implementation
behaviour from a fixed extension order. By randomly ordering
extensions (subject to the pre_shared_key constraint in the RFC),
Chrome hoped to reduce the risk of server and middlebox fixating on
details of its current ClientHello.&lt;/p&gt;
&lt;p&gt;&lt;img alt="unique-tls-fingerprints-over-time" src="/static/images/blog/tls-unsorted-extensions.png"&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;The above graph correlates to the Chrome experiment and subsequent
release of the feature. The number of unique TLS signatures dramatically
increased.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;From Peakhour data, we can see a large number of unique
fingerprints appearing since the date of the experiment, making it
very difficult to identify the Chrome network stack by a TLS
fingerprint alone. However, &lt;a href="https://hnull.org/2022/12/01/sorting-out-randomized-tls-fingerprints/"&gt;an analysis&lt;/a&gt; by
David McGrew,
a Cisco Fellow, cast doubt on the effectiveness of this experiment. In his
article, McGrew proposed a lexicographical sorting of TLS extensions and
found that 98.8% of signatures were unique after sorting. He argues that
the canonical ordering of the TLS extensions in the TLS fingerprint can
achieve nearly the same level of entropy as randomising them and still
be effective at client identification. Furthermore, he claims that the
RFC should be amended to state that extensions SHOULD be sent in an
ordered fashion in the ClientHello packet. McGrew also highlights the
potential dangers of allowing unordered extension lists, as it could
create a \"subliminal channel\" that could be used for tracking or
transmitting information. Let's now graph, over the same period, the number
of TLS signatures with TLS extension sorting.&lt;/p&gt;
&lt;p&gt;&lt;img alt="unique-tls-fingerprints-sorted-extensions-over-time" src="/static/images/blog/tls-sorted-extensions.png"&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;The above graph correlates to David's assertion that sorting TLS
extensions has minimal impact on TLS fingerprinting.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;It appears that David's assertion is correct: sorting TLS extensions has
minimal impact on the number of unique TLS fingerprints. Let's now look
at in-the-wild Chrome 109 data:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;strong&gt;Hashed sorted TLS Fingerprint&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;Unique unsorted TLS fingerprints&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;Browser&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;Version&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;% of clients&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;% of hits&lt;/strong&gt;&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;3241796329&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;Chrome Mobile WebView&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;6.14&lt;/td&gt;
&lt;td&gt;1.01&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3313291307&lt;/td&gt;
&lt;td&gt;8566&lt;/td&gt;
&lt;td&gt;Chrome&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;1.83&lt;/td&gt;
&lt;td&gt;1.54&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;1537819294&lt;/td&gt;
&lt;td&gt;26587&lt;/td&gt;
&lt;td&gt;Chrome Mobile&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;6.05&lt;/td&gt;
&lt;td&gt;4.64&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3944870384&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;Chrome Mobile iOS&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;4.31&lt;/td&gt;
&lt;td&gt;5.35&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3241796329&lt;/td&gt;
&lt;td&gt;51594&lt;/td&gt;
&lt;td&gt;Chrome Mobile&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;16.9&lt;/td&gt;
&lt;td&gt;14.43&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;1537819294&lt;/td&gt;
&lt;td&gt;121346&lt;/td&gt;
&lt;td&gt;Chrome&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;15.66&lt;/td&gt;
&lt;td&gt;20.7&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3241796329&lt;/td&gt;
&lt;td&gt;156405&lt;/td&gt;
&lt;td&gt;Chrome&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;35.52&lt;/td&gt;
&lt;td&gt;37.79&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;em&gt;It's interesting that the experiment does not run on WebView.&lt;/em&gt;&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;While Chrome's experiment may have reduced the risk of
server and middlebox fingerprinting of Chrome's current ClientHello, it
seems that randomising TLS extensions alone is not enough to
prevent TLS fingerprinting, and may be a useful indicator that
it is The Real Chrome.&lt;/p&gt;
&lt;p&gt;This experiment became one of the reasons newer formats normalise extension order. Our &lt;a href="/blog/one-clienthello-ja3-ja4-mercury-lab/"&gt;JA3, JA4 and Mercury lab&lt;/a&gt; shows exactly where each format keeps, sorts or discards ClientHello detail. The accompanying &lt;a href="/blog/two-lineages-tls-fingerprinting/"&gt;history of the two TLS fingerprinting lineages&lt;/a&gt; explains why Cisco Mercury and JA4 made related but different design choices.&lt;/p&gt;
&lt;p&gt;The remaining research question is whether discarded order ever helps distinguish an imitator or evasive client. &lt;a href="/blog/tls-fingerprint-canonicalisation-attacker-variation/"&gt;Does TLS fingerprint canonicalisation hide useful attacker variation?&lt;/a&gt; defines the labelled corpus and holdout study needed to answer it without confusing uniqueness with detection accuracy.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="TLS"></category><category term="Browser Fingerprinting"></category><category term="Fingerprinting"></category><category term="API Security"></category></entry><entry><title>TLS Fingerprinting</title><link href="https://www.peakhour.io/blog/tls-fingerprinting/" rel="alternate"></link><published>2023-02-02T13:00:00+11:00</published><updated>2023-02-02T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-02-02:/blog/tls-fingerprinting/</id><summary type="html">&lt;p&gt;What is fingerprinting, and in particular TLS fingerprinting?&lt;/p&gt;</summary><content type="html">&lt;h2&gt;What is Fingerprinting?&lt;/h2&gt;
&lt;p&gt;Fingerprinting is a technique that may be used to identify the specific device, web browser,
and operating system making a request, regardless of what the client says in its user-agent header.
By helping organisations identify and characterise the attributes of a client's connection,
fingerprinting can improve network security and help protect against malicious traffic.&lt;/p&gt;
&lt;p&gt;Fingerprinting can also refer to techniques for following or uniquely identifying individual users across the web.
That is a separate set of techniques and is not discussed in this article.&lt;/p&gt;
&lt;p&gt;&lt;a href="/learning/fingerprinting/what-is-tls-fingerprinting/"&gt;Transport Layer Security (TLS) Fingerprinting&lt;/a&gt; determines the specific characteristics of a client's TLS
implementation by examining the initial TLS handshake packet, known as the "Client Hello." This packet
contains fields and parameters such as supported cipher suites, extensions, and the client's preferred order of
those parameters, which can be used to create a unique "fingerprint" of the client's TLS implementation.&lt;/p&gt;
&lt;h2&gt;Why is it used?&lt;/h2&gt;
&lt;p&gt;Fingerprinting has several uses, including &lt;a href="/products/bot-management/"&gt;bot protection&lt;/a&gt;, DDoS protection, and client
identification. By identifying and characterising the attributes of a client's connection,
fingerprinting can improve network security and help protect against malicious traffic.&lt;/p&gt;
&lt;h2&gt;How does TLS Fingerprinting work?&lt;/h2&gt;
&lt;p&gt;TLS Fingerprinting examines the initial TLS handshake packet, known as the "Client Hello".
The Client Hello packet is sent by the client during the initial phase of the TLS handshake, which establishes a secure
connection between the client and the server. It contains information about the client's preferred encryption methods,
extensions, and parameters, including:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Protocol Version: The version of the TLS protocol desired by the client.&lt;/li&gt;
&lt;li&gt;Random: A 32-byte random value generated by the client, used in key generation and derivation.&lt;/li&gt;
&lt;li&gt;Session ID: An optional session identifier for resuming a previous session.&lt;/li&gt;
&lt;li&gt;Cipher Suites: A list of supported encryption algorithms, ordered by preference.&lt;/li&gt;
&lt;li&gt;Compression Methods: A list of supported compression algorithms, ordered by preference.&lt;/li&gt;
&lt;li&gt;Extensions: Optional extensions that can negotiate additional parameters, such as Server Name Indication (SNI) and
   Elliptic Curve Supported (ECS).&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The Client Hello packet is central to the operation and security of the TLS connection because it provides information
the server uses to select encryption algorithms and parameters. The packet also enables the client and server to
negotiate an appropriate encryption method for their communication. The Client Hello's variable
content, based on the TLS version, library, cipher suites, extensions, and settings supported by the client, makes it
a strong candidate for fingerprinting.&lt;/p&gt;
&lt;p&gt;Common components used to create a TLS fingerprint include:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Cipher Suites: The order of cipher suites supported by the client.&lt;/li&gt;
&lt;li&gt;Extensions: Supported extensions included in the Client Hello packet, such as SNI and ECS.&lt;/li&gt;
&lt;li&gt;TLS Point Formats: Encoding of cryptographic parameters in a format that can be transmitted as part of the TLS
   protocol, used in elliptic curve cryptography (ECC).&lt;/li&gt;
&lt;li&gt;TLS Curves: The specific elliptic curves used in ECC, a type of public-key cryptography used in the TLS protocol.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;TLS fingerprinting has been a topic of research for several years, with a number of tools and techniques developed
from that work. Notable examples include &lt;a href="/learning/fingerprinting/what-is-ja3-fingerprinting/"&gt;JA3&lt;/a&gt;, developed by John Althouse, Jeff Atkinson, and Josh Atkins of Salesforce,
which uses a hash of the client's SSL/TLS parameters as a unique identifier for tracking and analysing
SSL/TLS traffic. Another tool, Mercury by David McGrew and Blake Anderson, can be used to fingerprint client connections
and identify the device, operating system, and application making the connection.&lt;/p&gt;
&lt;p&gt;TLS fingerprinting has a variety of uses, including bot protection, DDoS protection, malware identification and
client identification. By enabling organisations to identify and characterise the attributes of a client's TLS
implementation, TLS fingerprinting can improve network security and help protect against malicious traffic.&lt;/p&gt;
&lt;p&gt;In production, TLS fingerprints are most useful when combined with &lt;a href="/products/ip-intelligence/"&gt;IP intelligence&lt;/a&gt; and &lt;a href="/products/residential-proxy-detection/"&gt;residential proxy detection&lt;/a&gt;, rather than treated as a standalone verdict.&lt;/p&gt;
&lt;h2&gt;Representation of a TLS Fingerprint&lt;/h2&gt;
&lt;p&gt;A TLS fingerprint is commonly represented as a string or hash that summarises the important components of the Client
Hello packet. The most common components used to create a TLS fingerprint include the supported cipher suites,
extensions, and TLS point formats. The cipher suites are represented as a list of hexadecimal values in the order
they are presented by the client, while extensions and point formats are represented as a list of hexadecimal values
or a unique identifier.&lt;/p&gt;
&lt;p&gt;Raw JA3 signatures are represented by the following fields, which are then hashed with MD5:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;SSLVersion, Cipher, SSLExtension, EllipticCurve, EllipticCurvePointFormat
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;An example raw signature is:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt; 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-34-51-43-13-45-28-21,29-23-24-25-256-257,0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;An MD5 hash is then applied, resulting in the final signature.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="mf"&gt;579&lt;/span&gt;&lt;span class="n"&gt;ccef312d18482fc42e2b822ca2430&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Mercury signatures are represented by:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&amp;quot;tls/1&amp;quot; (TLS_Version) (TLS_Ciphersuite) [ Extension* ]
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;An example signature is:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;tls/1/
(0303)
(130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff)
[
   (0000)
   (000a000c000a001d0017001e00190018)
   (000b000403000102)
   (000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602)
   (0016)
   (0017)
   (0023)
   (002b0009080304030303020301)
   (002d00020101)
   (0033)
]
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h2&gt;Hash Functions for Representing TLS Fingerprints&lt;/h2&gt;
&lt;p&gt;Hashing algorithms, such as MD5, are commonly used to create a unique representation of a TLS fingerprint.
These hash functions take the client's TLS parameters as input and produce a fixed-length output, which serves as
a unique identifier for the client. The hash value can be compared against a database of known TLS fingerprints to
help determine the identity of the client.&lt;/p&gt;
&lt;p&gt;Other techniques for representing TLS fingerprints include base64 encoding of the client's TLS parameters, such as in the
Mercury fingerprint.&lt;/p&gt;
&lt;h2&gt;Challenges with TLS fingerprinting&lt;/h2&gt;
&lt;p&gt;TLS fingerprinting is not a foolproof method for identifying clients and their attributes. It has several limitations
that need to be considered.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;False Positives: TLS fingerprinting relies on the assumption that the client's Client Hello packet uniquely
   identifies a connecting process by its TLS implementation. However, it is possible for a client to alter the Client
   Hello packet by customising TLS parameters, which affects the Client Hello packet and can result in a false
   positive
   identification. This makes it important to use multiple methods for identifying clients. For example, Mercury takes
   into account destination ports to add additional context.&lt;/li&gt;
&lt;li&gt;False Negatives: While TLS fingerprinting can identify many different clients and their attributes, it is not capable
   of identifying all clients. Some clients may have a unique or unusual TLS implementation that cannot be accurately
   fingerprinted. Additionally, some clients may actively attempt to evade fingerprinting by customising
   TLS parameters or using tools to anonymise their connections.&lt;/li&gt;
&lt;li&gt;Forging of TLS Fingerprints: It is possible for attackers to deliberately forge or modify the information contained
   in their Client Hello packet to appear as a different client. This makes it difficult for fingerprinting tools to
   accurately identify the true identity of a client and can be used for malicious purposes, such as evading security
   measures or disguising the origin of an attack.&lt;/li&gt;
&lt;li&gt;Incomplete Data: TLS fingerprinting is limited by the information contained in the Client Hello packet, which may not
   contain all of the necessary data to accurately identify a client. For example, a client may not send a full list of
   supported cipher suites or extensions, may use a modified version of the TLS protocol that is not recognised by
   the fingerprinting tool, or the fingerprint may not be present in available databases.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Different fingerprinting implementations can result in different hashes for the same TLS connection, even though the
underlying SSL/TLS protocol remains unchanged. This happens due to the various algorithms, parameters, and
representations used by different fingerprinting tools.&lt;/p&gt;
&lt;p&gt;For instance, implementation differences when generating the TLS fingerprint may cause hashes found in public databases
to be inconsistent with a locally generated hash.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Be aware of the limitations and differences between fingerprinting implementations, and choose the right tool and
representation for your specific use case. Standardising the representation of fingerprints and using common hash
algorithms can help avoid confusion and improve interoperability between databases.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="Browser Fingerprinting"></category><category term="Fingerprinting"></category><category term="TLS"></category><category term="HTTP"></category><category term="DDoS"></category></entry></feed>