Investigating Middlebox Deployment and Characteristics in Dutch Autonomous Systems
In short:
- Study reveals 4% of Dutch network paths are affected by middleboxes; nearly half are located outside the country.
- Internet Service Providers are the biggest users, while Internet Exchange Points showed the least overall interference.
- Regular auditing and monitoring for middlebox activity is critical for maintaining resilience, transparency, and accountability.
The Internet is composed of countless interconnected networks that work together to route, manage, and deliver traffic worldwide. But not all parts of its infrastructure are visible to users.
One such hidden part is "middleboxes", network devices like firewalls, IDS/IPS, and proxies that sit between endpoints. These devices play important roles in strengthening security, improving performance, and helping operators manage their networks at scale.
However, they can also alter traffic in ways that users, and even developers, might not expect. This invisible hand of middleboxes can complicate troubleshooting and protocol upgrades, raise questions about oversight and digital sovereignty, and ultimately challenge efforts to keep the Internet open, reliable, and secure.
Recently, my colleagues and I conducted an active measurement campaign across 989 Dutch Autonomous Systems (or ASes for short) and about 5.1 million IP addresses to validate how middleboxes affect infrastructure integrity and overall transparency.
4% of the Paths Showed Signs of Middlebox Interference
After validating our results, we identified 310 middleboxes registered to Dutch ASes and physically located in the Netherlands.
We also uncovered an important jurisdictional nuance: 286 candidate middleboxes linked to Dutch ASes appeared to be located outside the Netherlands, spanning 34 countries. The top five were the United States (35.7%), Japan (8.0%), Great Britain (7.9%), Italy (5.9%), and Australia (5.9%).
Traceroute paths supported these geolocation results, often showing early exits from Dutch networks, higher hop counts, and transit through regional or international carriers. In other words, “Dutch” on paper does not always mean “in the Netherlands” in practice.
Different Sectors, Different Interference
To see how middleboxes are deployed in practice, we grouped the ASes into four broad categories (Table 1).
| Category | Percentage | Subcategory | Count | Most common modification |
|---|---|---|---|---|
| Digital Infrastructure | 88.1% | ISP | 127 | NOP Addition |
| | | Hosting | 135 | Urgent Pointer/Receiver Window Modification |
| | | IXP | 11 | Broad Interference |
| Governmental | 2.3% | Ministries | 6 | MP Capable Modification |
| | | Municipalities | 1 | Urgent Pointer/Receiver Window Modification |
| Education | 4.5% | Institutional | 10 | Sequence Number Modification |
| | | Personal | 4 | Urgent Pointer/Receiver Window Modification |
| Private Sector | 5.1% | _ | 16 | Sequence Number Modification |
When analysing these categories, we found that how they use middleboxes depends on what a network is trying to do and who it serves. For example:
- Digital infrastructure is the greatest user of middleboxes (about 88%), which makes sense because these networks carry traffic for many others and operate at scale. Within this category, we observed differences in deployment strategies. In Internet Service Providers (ISPs), middleboxes are typically placed close to the customer-facing edge and are geared toward perimeter security and traffic handling. On the other hand, hosting providers seem to use middleboxes with varying functionalities, primarily as operational tools to manage large volumes of connections and keep services stable under load. Internet Exchange Points (IXPs) showed the least overall interference, consistent with their role as neutral interconnection venues.
- Government and education networks are smaller but distinctive. Governmental ASes showed narrowly scoped, consistent modifications that align with policy enforcement. In education and research networks, we identified a small set of middleboxes with distinctive traffic-interference patterns and placement that differed from other categories. We also detected a few middleboxes in smaller research networks that exhibited legacy traffic handling that could still affect connection performance.
- Private-sector networks blend approaches: some deployments look like classic perimeter security, while others resemble traffic-handling tweaks meant to improve performance or enforce local operational preferences. The key point in the private sector is variability in deployment. Because middlebox deployments are diverse and often tailored to local needs, strong documentation and governance are especially important for accountability, troubleshooting, and incident response.
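To make the modification labels in Table 1 concrete, here is an added example (not code from the paper or the blog) that compares the TCP header of a sent probe with the copy observed past a middlebox and names the changes the way the table does. It assumes a vantage point that can see the probe after the middlebox (a cooperating receiver or an ICMP quote, as in tracebox-style measurement), and the "Broad Interference" threshold of three or more independent rewrites is our own choice, not the paper's definition.

```python
# Added example: classify middlebox rewrites of a TCP probe with the labels of Table 1.
# Assumptions: "seen" is the probe as observed past the middlebox; the Broad Interference
# threshold (>= 3 independent modifications) is ours, not the paper's definition.
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpHeader:
    seq: int             # sequence number
    window: int          # receiver window
    urg_ptr: int         # urgent pointer
    options: tuple = ()  # (kind, payload_bytes) pairs in wire order


def _option(hdr: TcpHeader, kind: str) -> list:
    """Payloads of every option of the given kind, in order."""
    return [payload for k, payload in hdr.options if k == kind]


def classify_interference(sent: TcpHeader, seen: TcpHeader) -> list:
    """Return the Table 1 modification labels that apply to the sent -> seen change."""
    mods = []
    if seen.seq != sent.seq:
        mods.append("Sequence Number Modification")
    if (seen.urg_ptr, seen.window) != (sent.urg_ptr, sent.window):
        mods.append("Urgent Pointer/Receiver Window Modification")
    # MPTCP MP_CAPABLE option stripped or rewritten: multipath negotiation is broken
    if _option(sent, "MP_CAPABLE") and _option(sent, "MP_CAPABLE") != _option(seen, "MP_CAPABLE"):
        mods.append("MP Capable Modification")
    # Padding NOPs inserted, typically when an option was removed or re-aligned
    if len(_option(seen, "NOP")) > len(_option(sent, "NOP")):
        mods.append("NOP Addition")
    if len(mods) >= 3:  # assumption: many independent rewrites on one path
        mods.append("Broad Interference")
    return mods


# Constructed sample probe and three constructed "observed" copies of it
PROBE = TcpHeader(seq=1000, window=65535, urg_ptr=0,
                  options=(("MSS", b"\x05\xb4"), ("MP_CAPABLE", b"\x00\x01"), ("SACK_PERM", b"")))
SEEN_PAD = TcpHeader(seq=1000, window=65535, urg_ptr=0,
                     options=(("MSS", b"\x05\xb4"), ("NOP", b""), ("MP_CAPABLE", b"\x00\x01"), ("SACK_PERM", b"")))
SEEN_REWRITE = TcpHeader(seq=1000, window=8192, urg_ptr=0, options=PROBE.options)
SEEN_BROAD = TcpHeader(seq=42424242, window=8192, urg_ptr=0,
                       options=(("MSS", b"\x05\xb4"), ("NOP", b""), ("NOP", b""), ("SACK_PERM", b"")))

if __name__ == "__main__":
    for name, seen in (("padding", SEEN_PAD), ("rewrite", SEEN_REWRITE), ("broad", SEEN_BROAD)):
        print(name, classify_interference(PROBE, seen))
```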
Peeking Behind the Curtain: Services, Vendors, and Exposure
To better understand what the detected middleboxes were and their potential exposure, we enriched our measurements with Censys and Shodan data on open ports, services, and vendor fingerprints. Coverage was partial; many devices had no usable listings, so the results should be read as an initial snapshot rather than a complete inventory.
We often found Internet-facing administration services (especially web management interfaces), and in some cases, remote-management protocols that can increase risk if misconfigured or left unsecured. Moreover, vendor attribution indicates a concentration among a small number of major suppliers (Table 2), many of them U.S.-based, with implications for dependency and digital sovereignty.
| Vendor | Count | Percentage |
|---|---|---|
| Check Point | 16 | 18.8% |
| pfSense | 9 | 10.6% |
| Cisco | 8 | 9.4% |
| Mikrotik | 8 | 9.4% |
| Palo Alto Networks | 6 | 7.1% |
We also found signs of legacy software and protocols, as well as occasional higher-risk exposures (such as obsolete VPN or time-synchronization services), pointing to patching gaps or reliance on older infrastructure.
Overall, combining active measurement with external datasets helps make middleboxes visible as part of an actionable attack-surface view for inventory, hardening, and monitoring.
Recommendations
For network operators:
- Inventory and treat middleboxes as critical infrastructure: keep an accurate asset register (including virtual appliances sharing IPs), document intended traffic-handling behavior, and routinely audit configurations and placement at network edges.
- Reduce exposure and harden management surfaces: remove or restrict Internet-facing admin services (web consoles, SSH, SNMP), enforce strong authentication and access controls, and track patch levels and end-of-life status to avoid running outdated or unsupported software.
- Detect and deter targeted reconnaissance: use periodic, focused scanning to validate what is reachable from the Internet.
For policymakers and regulators:
- Improve transparency and accountability at critical chokepoints: encourage or require clear documentation of traffic-interfering devices/functions and their deployment locations, especially in public-sector and critical digital infrastructure networks.
- Strengthen baseline assurance for procurement and operation: set expectations for secure configuration, vulnerability management, and end-of-life planning for security appliances and adjacent systems exposed at ingress points.
- Address jurisdiction and supply-chain dependencies: incorporate vendor concentration and cross-border deployment realities into resilience and oversight frameworks so that legal accountability, management control, and security obligations remain enforceable.
You can read our full paper to learn more. We also welcome collaboration from researchers, policymakers, and technologists interested in measuring and improving Internet infrastructure.
Bulut Ulukapi is a PhD candidate at the University of Twente. His current research focuses on Internet measurement and improving the transparency of network infrastructure. He previously worked on malware/obfuscation analysis.
---
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of the Internet Society.
