Post-incident Sumary

Hacker News Discussion

To summarize this post, I was seemingly throttled by AT&T for days. See the Original Post for the full write up.

While gathering data for this post and attempting solutions, I changed my LTE router’s APN, which caused it to re-authenticate to AT&T, and after I was re-authenticated I was no longer being throttled. One Hacker News user suggested that re-authenticating may have caused me to route through a different PGW (Packet Data Network Gateway) with a different traffic shaping policy.

I won’t know for certain unless AT&T responds directly to my request for more information.

The bottom of this post contains multiple updates from throughout the incident and beyond.

Original Post

When I’m living in my RV, wireless service providers are my primary source of connectivity. So when either AT&T or Verizon make major changes, I take notice.

I recently noticed that multiple websites are quite slow when browsing with my AT&T business plan, listed in AT&T Premier (business account management UI) as “Wireless Broadband Ultra for Router or Hotspt (sic)”. This is an “unlimited” 100Mbit plan with 50GB for Business Fast Track (prioritized) data. Being that I was far below the 50GB of monthly Fast Track data, my data should have had top priority, so I became suspicious. To be honest, I’ve never noticed a discernible difference between Fast Track and non-Fast Track data rates. This is all to say that I have no reason to believe that I’m being deprioritized due to usage.

Naturally, the first hing I did was conduct a speed test. I already knew from previous experience that for some reason, AT&T traffic to is throttled. Why AT&T wants bandwidth to appear lower than reality is a mystery to me, but I digress. has speed tests that AT&T has no special treatment for, and the nearest one to me was in Fremont, CA.

The speedtest revealed 21Mbps down and 4.5Mbps up – pretty reasonable in a relatively rural area like Durango, CO. Latency was ~130ms. That speed certainly wouldn’t explain why it took anywhere between 15 seconds and 2 minutes to load

So I opened up the “Network” tab in Firefox and could clearly see that dozens of resources from were taking multiple seconds to load. The problem clearly has something to do with Cloudfront.

Is Cloudfront having problems? That’s easy enough to verify; my Sierra Wireless RV55 CAT-12 LTE-A router also contains an unlimited Verizon Business SIM card that I can use to conduct tests on Cloudfront, independent of AT&T.

I noticed that one of Strava’s javascript resources clocked in at 1.68MB, making it a nice test subject for speed tests ( At the time of writing resolves to, so rest assured, we are dealing with Cloudfront.

After switching to Verizon, I could see that Cloudfront was having no problems. Our friend 827.js downloaded in just over 1 second at 1.4MB/s. I clearly saw earlier in the Firefox network tab that this resource took nearly 1 minute to load on AT&T.

While wget is not my goto for command line HTTP fetching, it displays transfer rates in a human friendly format by default, so I used the following as my test case: wget -O /dev/null -q --show-progress

So the problem isn’t Cloudfront, because Verizon was fast enough. It wasn’t blazing fast by any means, but I also didn’t have to wait 2 minutes to learn whether Strava awarded me King of the Moutain on a local trail (I wasn’t).

Maybe this is a global AT&T problem. That’s easy to test as well – my iPhone is also on the same AT&T business account as my data-only plan, so I turned on the iPhone hotspot and made it the router’s WAN device to make sure we’re changing a single variable at a time. I conducted another speed test, revealing 23Mbps down and 3Mbps up. Nothing surprising there – normal bandwidth fluctuations for a wireless device. How about our wget test? 1.7MB/s. The problem is clearly not all of AT&T wireless.

Let’s go back to the original configuration: connect directly to my AT&T data-only plan with my router and re-run the wget test. Maybe I was imagining things. I’m somewhat surprised to see the wget test with a transfer rate of ~30KB/s. I believe this rules out AT&T with a souring peering agreement somewhere between me and Cloudfront. My phone traffic to Cloudfront is unaffected; it’s only my data-only plan that is affected.

I now have a pretty clear picture of what is likely happening. Good old-fashion traffic shaping. Now that the router is connected directly to AT&T, the true test of traffic shaping is transfer rates while connected to a VPN. I’ll let the image speak for itself.

As of the time of writing, I’m unsure what is causing such a significant slowdown. It has rendered some websites effectively useless. Everything in this writeup indicates, to me, that AT&T is engaged in extremely aggressive traffic shaping for some plans, rendering many websites nearly unusable.

Do you have any ideas how to diagnose this problem further? Do you know the best way engage AT&T’s technical folks to take this seriously? Write me at att-traffic-shaping @ this domain. I’ll add updates here if anything changes, or I get a response on


Update #1 (19:03:09 UTC)

Here is a pcap file captured with sudo tcpdump host '' -w capture.pcap: capture.pcap

I’ve also attempted to disable/enable IPv6 on my local machine and my VPN connection to check for any differences. No differences were observed.

Update #2 (19:43:00 UTC)


Connected to AT&T iPhone via Wifi hotspot

traceroute                                                                                                                                                    130 ↵
traceroute to (, 30 hops max, 60 byte packets
 1  _gateway (  4.386 ms  4.280 ms  5.292 ms
 2 (  139.792 ms * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13 (  244.538 ms  369.608 ms  933.487 ms
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21 (  206.664 ms  206.643 ms  206.623 ms

Connected to router on AT&T business plan

traceroute to (, 30 hops max, 60 byte packets
 1  _gateway (  61.896 ms  61.950 ms  62.064 ms
 2 (  132.156 ms  132.775 ms  132.749 ms
 3 (  132.743 ms  132.718 ms  132.199 ms
 4  * * *
 5 (  148.138 ms  148.187 ms  148.162 ms
 6 (  148.361 ms  137.643 ms  142.401 ms
 7 (  146.657 ms  146.627 ms  149.389 ms
 8 (  149.369 ms  149.345 ms  216.643 ms
 9 (  149.302 ms  146.467 ms  149.256 ms
10 (  146.421 ms  149.211 ms  149.161 ms
11 (  143.819 ms  139.466 ms  139.378 ms
12 (  139.342 ms  139.314 ms  187.019 ms
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20 (  152.577 ms  140.190 ms  141.460 ms

Update #3 (21:54:03 UTC)

Here is a pcap file captured with sudo tcpdump host '' -w iphone-capture.pcap while tethered to my AT&T iPhone and fetching 827.js with wget -O /dev/null -q --show-progress : iphone-capture.pcap

Update #4 (23:39:00 UTC)

As my initial post mentioned, I had hoped to get some sort of resolution by posting to As of right now, that post has been marked as “Private”. This URL also 404s, unless I’m logged in under the account with which I posted it.

I can’t say whether this is normal practice on the bizcommunity forum, but I posted a followup post with a much more benign title, “Are all new posts here marked as private?”, which as of right now is not private and still accessible to the public.

Update #5 (23:54:00 UTC)

Hello reader, I’m another HN member trying to help get to the bottom of this! I’ve analyzed all the data provided and feel confident there is some kind of manipulation / throttling happening with Adriano’s AT&T business plan, but if anyone wants to correct my interpretation or provide other insights feel free to reach out to me on my blog!

We start by analyzing the packet capture from the throttled connection. There are a few takeaways from this:

  • TCP segment & window sizes have normal values.
  • There are almost no retransmissions or lost packets.
  • There appears to be ample room for the TCP stream to scale up to a much faster speed.
  • The TCP stream starts scaling up to 800Kbps before dramatically going down.
  • The TCP stream regularly blocks for 50-200ms intervals waiting for new data to arrive from cloudfront.
  • These blocks coincide with throughput scaling up to ~350Kbps.

All of the spikes in round trip time correspond to a segment of the stream where the client acknowladges receipt of new data and is forced to wait 50-200ms for any new data to arrive. This happens at a regular cadence that appears artificial in nature (i.e not regular network congestion) because the throughput chart stays within a well defined boundary.

If this were a problem with AT&T’s network or a side effect of LTE networks being inherently high latency we would expect to observe similair patterns over the iphone connection:

We can draw a few conclusions from these charts:

  • The iphone AT&T connection doesn’t exhibit the same RTT or throughput pattern despite having similair latency & network routing.
  • The throughput chart is indicative of a healthy TCP stream that slowly scales up the total bandwidth to make the most out of available network resources.
  • We are never waiting very long for fresh data to arrive.

In my opinion these patterns rule out any extraneous factors affecting the network and are indicative of intentional manipulation of the TCP stream. If AT&T were to occasionaly drop an incoming packet than the client would never send an acknowledgement to cloudfront and after a little while cloudfront would automatically retransmit that packet, on our client side packet capture we would observe this as a packet coming in with a big delay, if we were being rate limited we would expect to see these delayed packets coming in regularly around the time when we were starting to hit a threshold, it seems likely AT&T is dropping certain inbound packets once the incoming rate reaches around ~350Kbps.

Update #6 (00:43:00 UTC)

Refer to Update #4 above: I’m getting shut down on the AT&T bizcommunity site. My posts are being marked private, so I’ll save them here for posterity.

Forum Post 1: I’m apparently experiencing extremely aggressive AT&T traffic shaping

URL (was public):

The short of it is that I’m experiencing what appears to be aggressive traffic shaping by AT&T. Many sites are affected, because Cloudflare is one content delivery network for which AT&T is apparently shaping my traffic.

This is a business account. I have both cell phone devices and a data-only plan “Wireless Broadband Ultra for Router or Hotspt (sic)” on the account. Only the data-only plan is affected.

Because Cloudflare is such a large content delivery network, this affects millions of websites. A large percentage of the websites I’ve accessed over the last few days have been affected, forcing me to use a VPN to subvert the problem.

I’ve added more concrete data in a writeup on my personal website:

The data paint a fairly clear picture of traffic shaping.

[ GIF IMAGE FROM ABOVE HERE ] [ NOTE: resolves to Cloudflare, see the writeup on my site for details ]

I’d love to get a response from AT&T on the matter because this is a major performance degradation to the point that many websites are unusable. Is anyone else experiencing similar issues?

Cheers, AC

Forum Post 2: Are all new posts here marked as private?

URL (currently public):

I posted earlier today regarding a traffic shaping issue that I’m experiencing. The title of the post is “I’m apparently experiencing extremely aggressive AT&T traffic shaping”. When I came back to check for any responses, I see that my previous post is marked as “Private”, which I don’t believe was under my control, and certainly wasn’t my intention.

This post is a test to see whether posts are automatically flagged as private, or if someone took action on my last post to mark it as private.

[edit] As of 2023-04-16 23:37 UTC, this post is not Private like my previous post.

Response and followup to Forum Post 2

Notice the Private label on my response. So it looks to others like I impolitely never respond to their polite response.

Update #6 (2023-04-17 04:12:00 UTC)

This ended with the least satisfying end one could expect. Over on Hacker News kevin_nisbet recommended changing the APN on the device to see if there were any routing differences. I changed the APN to NXTGENPHONE, which I figured would work as a “generic LTE device”, per However, the router was not able to authenticate with the NXTGENPHONE APN, so I switched back to broadband.

After switching back and re-authenticating with the broadband APN, I’m no longer being throttled.

I’ll keep monitoring for future throttling and add any responses from the bizcommunity admins.

For now, we’re done here.

Update #7 (2023-04-17 13:43:00)

My original Forum Post 1 on the bizcommunity is still marked as private and not deleted. In a followup to Forum Post 2, I asked that my original post be made public so I can have a discussion with other business community members to see if they’re having similar problems.

My Response and followup to Forum Post 2 has been deleted by a forum moderator. I presume if they provide any explanation, it will be that I linked to an external site. In any case, despite claiming to have direct messaged me, I never received a direct message from anyone, and they didn’t seem to care that I didn’t receive it.

Update #8 (2023-04-17 14:30:00)

I figured it would be helpful to post some “post-incident” (I doubt it’s actually over) data for completeness.


traceroute                                                                                                                                                    130 ↵
traceroute to (, 30 hops max, 60 byte packets
 1  _gateway (  2.368 ms  2.292 ms  2.263 ms
 2 (  73.895 ms  85.170 ms  85.204 ms
 3 (  85.119 ms (  85.447 ms (  85.418 ms
 4 (  85.394 ms  85.370 ms  85.346 ms
 5 (  91.268 ms  91.242 ms  91.218 ms
 6 (  91.180 ms  76.697 ms  76.656 ms
 7 (  1477.110 ms  79.291 ms  93.815 ms
 8 (  93.796 ms  93.779 ms  93.762 ms
 9 (  377.948 ms (  237.357 ms  239.443 ms
10 (  239.426 ms  377.871 ms  239.644 ms
11 (  239.619 ms  239.602 ms (  307.318 ms
12 (  283.628 ms  283.597 ms  241.812 ms
13  * (  241.576 ms  241.701 ms
14  * (  1778.342 ms *
15 (  1776.152 ms  1776.096 ms *
16 (  1776.049 ms * (  238.541 ms
17  * * *
18  * * *
19  * * *
20  * * *
21  * (  336.093 ms *

We can see it’s taking a distinctly different route from Connected to router on AT&T business plan from Update #2. Current resolver is I imagine some of you will spot that this was routed to Hong Kong…from Durango, CO. The internet is a mysterious place.

Current DNS Resolution

host is an alias for has address has address has address has address has IPv6 address 2600:9000:2363:8e00:17:4613:2840:93a1 has IPv6 address 2600:9000:2363:1400:17:4613:2840:93a1 has IPv6 address 2600:9000:2363:a600:17:4613:2840:93a1 has IPv6 address 2600:9000:2363:9400:17:4613:2840:93a1 has IPv6 address 2600:9000:2363:2600:17:4613:2840:93a1 has IPv6 address 2600:9000:2363:ac00:17:4613:2840:93a1 has IPv6 address 2600:9000:2363:ec00:17:4613:2840:93a1 has IPv6 address 2600:9000:2363:3800:17:4613:2840:93a1

Note this is a completely different set of hosts from “during the incident”. I’m not sure that this new host list is in any way related to this being “post-incident”. Cloudflare runs a lot of POPs, and I’m not about to try to understand the interplay between my resolver and Cloudflare’s global DNS. It’s notable, in any case.

During incident DNS resolution

For reference, these are the host from “during the incident”. I can’t say with 100% certainty, but I believe I was using as a resolver at the time, and whether I was connected via iphone tether or LTE router, I received the same host list:

host is an alias for has address has address has address has address has IPv6 address 2600:9000:2199:8000:17:4613:2840:93a1 has IPv6 address 2600:9000:2199:e600:17:4613:2840:93a1 has IPv6 address 2600:9000:2199:c600:17:4613:2840:93a1 has IPv6 address 2600:9000:2199:b600:17:4613:2840:93a1 has IPv6 address 2600:9000:2199:d000:17:4613:2840:93a1 has IPv6 address 2600:9000:2199:6400:17:4613:2840:93a1 has IPv6 address 2600:9000:2199:f000:17:4613:2840:93a1 has IPv6 address 2600:9000:2199:400:17:4613:2840:93a1

Pcap data & analysis

Here is a pcap file captured with sudo tcpdump host '' -w post-incident-capture.pcap while my router is connected to my AT&T business plan and fetching 827.js with wget -O /dev/null -q --show-progress : post-incident-capture.pcap

Throughput and RTT graphs from Wireshark of the above pcap file

Update #9 (2023-04-17 15:39:00)

For posterity, since bizcommunity has deleted at least one post. I want to record my current comment awaiting response.

Update #10 (2023-04-20 17:17:00)

My connection continues not to be throttled, but I still want an answer from AT&T. On that front, they’ve been dragging their feet.

AT&T’s bizcommunity forum is comically poor. It’s not really what one thinks of as a forum. Nobody is having real conversations, and most posts are met by a canned response from the moderator saying “We want to help. Let’s meet in direct message on this…”. Handling everything in private eliminates the value in a forum. One person (maybe) gets helped, and everyone reading the post with the same problem is left wondering if the problem was ever solved.

In any case, this is AT&T’s latest “help” for me. They’ll only respond to my followup post that asks why my original post was marked as private. I still haven’t received a single response on the original post regarding the throttling problem, which links back to this post and all of its data.