Hacker News
by throwbsidbdk 3491 days ago
What makes these so easy to detect that they're this secretive about it? There have to be obvious clues in the TCP/IP stack. 4G modems are opaque and proprietary so it's unlikely the fear of discovery lies there.

If I had to guess, they're probably detectable from TCP/IP, easily, in user land.

How? Just thinking about it, fragmented packets could be a possibility. If fragments are sent in the wrong order you need to reassemble them to find the proper destination. This requires keeping a fragment state table on the device doing the transparent forwarding. I've seen many transparent proxies that just drop these packets instead.
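
The fragment state table mentioned in the comment above, as an added example that is not part of the original comment: a forwarder that buffers out-of-order IPv4 fragments until the datagram is complete, beside one that keeps no state and drops every fragmented packet. The class names, addresses and payload are constructed, and the model assumes no overlapping fragments and no reassembly timeout.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int       # IPv4 Identification field
    offset: int      # byte offset of this fragment in the datagram
    more: bool       # MF (more fragments) flag
    payload: bytes

class ReassemblingForwarder:
    """Forwarder that keeps a fragment state table, keyed per datagram."""
    def __init__(self):
        self.table = {}
    def receive(self, frag):
        key = (frag.src, frag.dst, frag.ident)
        parts = self.table.setdefault(key, {})
        parts[frag.offset] = frag
        data, expected = b"", 0
        for off in sorted(parts):
            if off != expected:
                return None              # hole: keep buffering
            data += parts[off].payload
            expected += len(parts[off].payload)
        if parts[max(parts)].more:
            return None                  # final fragment not seen yet
        del self.table[key]              # datagram complete, free the state
        return data

class StatelessForwarder:
    """Models a proxy with no state table: any fragmented packet is dropped."""
    def receive(self, frag):
        return None if (frag.offset or frag.more) else frag.payload

def make_fragments(payload, size=8, ident=0x1234):
    # Constructed addresses (RFC 1918 / RFC 5737); size is a multiple of 8.
    chunks = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [Fragment("10.0.0.2", "192.0.2.10", ident, i * size,
                     i < len(chunks) - 1, c) for i, c in enumerate(chunks)]

def deliver(forwarder, fragments):
    results = (forwarder.receive(f) for f in fragments)
    return [d for d in results if d is not None]

PAYLOAD = b"constructed-sample-datagram"   # constructed test data
if __name__ == "__main__":
    frags = list(reversed(make_fragments(PAYLOAD)))
    for fwd in (ReassemblingForwarder(), StatelessForwarder()):
        print(type(fwd).__name__, deliver(fwd, frags))
```

The same fragments sent in reverse order arrive intact through the stateful forwarder and never arrive through the stateless one, which is the observable difference an endpoint can test for.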