UPDATE (2017-08-02): This blog entry has been updated with additional information which documents actual transfer rates seen when targeting both a close US host and another domestic US host located on the opposite coast. The effect of using a VPN is also shown.
The bottom line is that the rate drops dramatically when packets have to transit large distances (even without factoring in the use of a VPN, or going trans Atlantic) – the transfer speeds dropped from 14 MB/s to 2MB/s.
Detailed test results are documented in the blog entry, The Need for Speed.
Some reviewers have asked about the use of “MB/s” as a measure of transfer speed. In the Guccifer 2.0 NGP/VAN Metadata Analysis report. “MB/s” refers to Mega Bytes per second where “Mega” is one million (1,000,000). Some reviewers have confused this notation with “Mb/s”, or mega bits per second often quoted by ISP’s. Those two measures of transfer can be confused with each other, and there are articles on the Internet that discuss this topic, for example here and here.
This handy calculator will let us do all sorts of what if comparisons and that particular “calculator” link will convert 22.6 MB/s (the estimated transfer rate cited in the report) into the following chart.
As you can see it is at about the 20% level of a 1 Gb/s local area network (LAN), which is typical of many enterprise/SOHO wired (LAN) networks, and as far as “carriers” go, some form of “optical link” will be required. For the gory details, see this Wikipedia article on Optical Carrier transmission rates.
In practice, actual transmission rates will fall well below the theoretical rates shown above, because packets transmitted over the Internet have to transit through many switches and must share bandwidth with other users. Further, copying multiple small files will increase the need for “hand-shaking” messages which further decreases the effective transmission speed. The only way to find the actual speeds that can be achieved is to run tests. The typical ISP provided “speed test” will show optimistic speeds, but they’re a start. The following graphic shows the result of a cable provider’s speed test.
In that test, we accessed one of the provider’s hosts that is about 20 miles away (as the crow flies). The 113.4 Mbits/s rate corresponds to a 14.2 MB/s rate – well below 23 Mb/s.
Here is another test, accessing a host that is on the opposite coast (3100 miles away).
We can see that increases in the distance traveled can have a major impact on the transmission speed. In this test, accessing a host on the opposite coast cut the download speed by a factor of 7.
ThreatConnect, a security firm, determined that Guccifer 2 used a commercial VPN service to mask his IP address. ThreatConnect’s analysis is described in a blog entry. Their key finding is summarized below (emphasis added).
Now, after further investigation, we can confirm that Guccifer 2.0 is using the Russia-based Elite VPN service to communicate and leak documents directly with the media. We reached this conclusion by analyzing the infrastructure associated with an email exchange with Guccifer 2.0 shared with ThreatConnect by Vocativ’s Senior Privacy and Security reporter Kevin Collier. This discovery strengthens our ongoing assessment that Guccifer 2.0 is a Russian propaganda effort and not an independent actor.
Let’s fire up the calculator again and ask it to compare our 22.6 MB/s transfer rate to that seen for peripherals.
The 23 MB/s transfer rate falls comfortably into the range of a USB 2.0 device. It is worth noting that the actual transfer rate will be further limited by capabilities of the USB flash drive electronics.
One more, disk drives.
Clearly, almost any disk drive can sustain 23 MB/s.
Caveat: we don’t know how accurate or current the data is that was used for that calculator. There are lots of variables to consider, such as overhead, and especially with public networks such as the Internet other factors need to be considered: contention, rate-limiting, and so on.
We are just trying to place the 22.6 MB/s rate in perspective, and add support for the conclusion that the initial copy operation was likely done locally, either with direct access to the system where the data is stored, or over a high speed LAN.
That is not the whole story, however. The file copy operations observed in this analysis were performed file-by-file. There is a lot more overhead, both in file transmission and file and directory creation for file-by-file transmission than would be seen in a best case, single big file scenario.