= Netalyzr =

[[TOC]]

== Checklist ==

=== Is the tool open source? ===

''No, but it's written in Java.''

=== Is the data collected made public? ===

''Not unless you count [http://netalyzr.icsi.berkeley.edu/map.html their map]. The data from a user's own session, both the client-side and server-side transcripts, is made available for download after the tests complete. Before running the tests, a user may view [http://netalyzr.icsi.berkeley.edu/restore/id=example-session an example result], its [http://netalyzr.icsi.berkeley.edu/transcript/id=example-session/side=client/sort=true client-side transcript], and its [http://netalyzr.icsi.berkeley.edu/transcript/id=example-session/side=server server-side transcript].''

=== Is the data format that is used for publication easy to interact with? ===

''It is sorted by timestamp, similarly to dmesg output. One thing that would make it easier to read in this format is a translation between the client and server timestamps, so that events in the two transcripts could be lined up against each other.''

=== Are the methodologies explained? ===

''The types of tests conducted are listed, and substantial effort has been put into optional "more info" buttons that give explanations pitched at both laypersons and the technically inclined.''

=== Is the tool to be used by the general public? ===

''Yes.''

=== If so, is the user warned of possible risks that he may incur when running the tool? ===

''No, though the risk to most users is very low.''

=== Does the data collected by the tool include potentially sensitive information? ===

''Yes.''

=== What kind of tests does the tool perform? ===

''If the user's JVM security settings allow all tests to be run, the tests cover network settings, bandwidth and configuration extensively, as well as possible proxies and captive portals, MITM interception of certain protocols, firewall and gateway settings, the presence of NAT and UPnP devices, kernel settings such as UDP buffer size and clock drift, and the configuration of the local DNS resolvers.''

=== How accurate are the tests? ===

''There appear to be few false positives, and results that could be erroneous are explained as such in the report.''

=== What claims does the tool make? ===

''The authors claim to collect only the information that is displayed to the user in the results.''

=== Are the claims satisfied? ===

''Yes.''

=== How does the reporting system work? ===

''Several HTTP POSTs of the collected information to netalyzr.icsi.berkeley.edu, made at points throughout the test procedure. Both the web applet and the command-line client report this way.''

=== Are confidentiality and integrity of the data being reported maintained? ===

''Not at all: the reports are POSTed in plaintext over HTTP, so anyone on the path can read or alter them.''

=== What are its strengths? ===

''It's quite thorough in its tests of TCP, UDP, and DNS quirks.''

=== What are its weaknesses? ===

''Java, and the plaintext HTTP POSTs.''

== What tests it performs ==

=== HTTP ===

* Tries the 0x20 hack on HTTP header names (randomized letter case) and checks whether the raw request the server received has identical capitalization, which a proxy that re-serializes the request would normalize
* Checks for reordered HTTP headers

If a proxy was previously discovered, first queries the proxy directly and checks the response headers, in particular "Last-Modified" and "ETag", then compares MD5 sums of the fetched content.

* Checks for strong and weak ETag validation. ETags can be used for tracking purposes.
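The header-case, header-order and ETag checks above can be reproduced offline. The following is an added example written for this page, not Netalyzr's own code: it assumes a probe server that echoes back the raw request bytes it received (as the checks above imply), and the header names, values, the "netalyzr.example" host and the proxied echo are all constructed.

```python
"""Added example (not Netalyzr's own code): the in-path HTTP proxy checks
listed above, run against constructed request/echo pairs so it works offline.

A transparent proxy that re-serializes requests usually normalizes header-name
case and order and may add headers of its own (Via, X-Forwarded-For), so a
client that sends 0x20-randomized names in a known order and compares them with
what the server actually received can tell a direct path from a proxied one.
Header names, values and the proxy echo below are all constructed.
"""
import random


def randomize_header_case(headers, rng):
    """0x20 trick on header names: 'User-Agent' -> e.g. 'uSeR-AgEnT'."""
    return [("".join(c.upper() if rng.random() < 0.5 else c.lower() for c in name), value)
            for name, value in headers]


def serialize_request(path, headers):
    """Serialize a GET request exactly as the probe would put it on the wire."""
    lines = ["GET %s HTTP/1.1" % path] + ["%s: %s" % (n, v) for n, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_raw_headers(raw):
    """(name, value) pairs, in wire order, from a raw request echoed by the server."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def compare_headers(sent, echoed):
    """Diff the headers we sent against the ones the server reports receiving."""
    sent_names = [n for n, _ in sent]
    echoed_names = [n for n, _ in echoed]
    sent_lower = [n.lower() for n in sent_names]
    echoed_lower = [n.lower() for n in echoed_names]
    # an exact, case-sensitive match survives only if nothing re-serialized the request
    case_changed = sorted(n.lower() for n in sent_names
                          if n.lower() in echoed_lower and n not in echoed_names)
    added = sorted(set(echoed_lower) - set(sent_lower))
    removed = sorted(set(sent_lower) - set(echoed_lower))
    # compare the relative order of the headers present on both sides
    reordered = ([n for n in echoed_lower if n in sent_lower]
                 != [n for n in sent_lower if n in echoed_lower])
    return {
        "case_changed": case_changed,
        "added": added,
        "removed": removed,
        "reordered": reordered,
        "proxy_suspected": bool(case_changed or added or removed or reordered),
    }


def etag_kind(value):
    """Classify an ETag validator: 'weak' (W/"...") or 'strong' ("..."), else None."""
    v = value.strip()
    kind = "strong"
    if v.startswith("W/"):
        v = v[2:]
        kind = "weak"
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return kind
    return None


def demo(seed=1):
    """Run the comparison once against a direct echo and once against a
    constructed proxy rewrite (canonical case, reordered, extra Via header)."""
    rng = random.Random(seed)
    sent = randomize_header_case([("Host", "netalyzr.example"),
                                  ("User-Agent", "probe/1"),
                                  ("Accept-Encoding", "identity"),
                                  ("X-Probe-Nonce", "1f3a9c")], rng)
    direct_echo = serialize_request("/probe", sent)   # server saw our bytes untouched
    proxied_echo = (b"GET /probe HTTP/1.1\r\n"
                    b"Host: netalyzr.example\r\n"
                    b"Accept-Encoding: identity\r\n"
                    b"User-Agent: probe/1\r\n"
                    b"X-Probe-Nonce: 1f3a9c\r\n"
                    b"Via: 1.1 cache.isp.example\r\n\r\n")
    return (compare_headers(sent, parse_raw_headers(direct_echo)),
            compare_headers(sent, parse_raw_headers(proxied_echo)))
```

The comparison is deliberately conservative: a single normalized header name or a changed order is enough to raise `proxy_suspected`, since a direct TCP path has no reason to touch either.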

=== DNS ===

* Checks DNS by resolving a nonce-prefixed domain (constructed from $nonce.<servername>.<tld>:<serverport>) by name through the locally configured DNS resolver, then contacts the returned address to request the domain's IP. The domain's expected IP is hardcoded, so a mismatch reveals a resolver that returns wrong answers.
* Checks DNS resolution for a bogus domain ('return-false.abcd') and expects an UnknownHostException; a resolver that answers anyway is rewriting NXDOMAIN responses

  "6park.com",
  "www.6park.com"

* Does most of the above DNS checks over TCP
* Makes CHAOS-class queries (of the hostname.bind TXT kind) to discover which anycast instance of each DNS root server is answering, see [https://www.isi.edu/~johnh/PAPERS/Fan11a/index.html this paper].

The list of hardcoded DNS root server IPs is:
  198.41.0.4 (a.root-servers.net, Verisign)
  192.228.79.201 (b.root-servers.net, USC-ISI)
  199.7.83.42 (l.root-servers.net, ICANN)
  202.12.27.33 (m.root-servers.net, WIDE Project)

* Checks whether the DNS resolver is a NAT gateway, and specifically a 2Wire device; if one is found, checks whether it MITMs DNS queries
* Checks for DNS resolver source-port randomization; for more detail see [https://github.com/isislovecruft/ooni-probe/commit/7e9b952f92834e75c8171856d6440963c6531e15 this commit] in my dnstamper branch of ooni-probe, specifically the DNSTamperResolver class
* Repeats many of the same checks for DNS over IPv6
* Checks whether the local DNS resolver (lDNSr) will accept exact, internal, and external glue records, and whether it will try to resolve a CNAME for an NS
* Checks whether the lDNSr passes 0x20 (mixed-case) queries through unchanged
* Tries to query an IPv6-only DNS server
* Checks whether SOA records can be retrieved
* Queries the lDNSr for random, as yet uncached hostnames and takes the median lookup time, then requests them all again and takes the median cached lookup time
* Checks whether the lDNSr uses a sufficient amount of DNS transaction ID entropy, which it should do to resist the Kaminsky-style [http://www.iss.net/security_center/reference/vuln/DNS_Cache_Poison_Subdomain_Attack.htm subdomain cache poisoning attack]
* Checks whether an external DNS proxy can be used, and if so, repeats all the previous DNS tests against that proxy
* Checks whether non-DNS UDP packets can be sent over port 53
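Two of the resolver checks in the list above, the 0x20 pass-through test and the source-port / transaction-ID randomization test, are small enough to reimplement. The block below is an added example written for this page, not Netalyzr's own code: the query name, the fake resolver that stands in for the lDNSr, the port and ID streams, and the fixed/sequential/weak/random classification thresholds are all constructed assumptions, and Netalyzr's actual scoring of randomization is not on this page.

```python
"""Added example (not Netalyzr's own code): two of the local-resolver checks
listed above, reimplemented with the standard library and run against
constructed sample data so they work offline.

 1. DNS 0x20: build a query whose QNAME has randomized letter case and check
    that the answer echoes that exact name; a resolver or NAT DNS proxy that
    rewrites the question breaks 0x20-based anti-spoofing.
 2. Source-port / transaction-ID randomization: classify an observed stream of
    UDP source ports or DNS IDs as fixed, sequential, weak or random, which is
    the property the cache-poisoning check above depends on.
The query name, the fake resolver and the port/ID streams are all constructed.
"""
import random
import struct


def encode_qname(name):
    """Wire-encode a dotted name as length-prefixed labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_qname(packet, offset=12):
    """Decode the QNAME at `offset` (12 = first byte after the DNS header)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def randomize_case(name, rng):
    """The 0x20 trick: flip the case of every letter independently."""
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in name)


def build_query(qname, txid, qtype=1):
    """Minimal query: header with RD set plus one question of class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)


def case_preserved(sent_qname, response):
    """True when the response echoes the mixed-case question name unchanged."""
    return decode_qname(response) == sent_qname.rstrip(".")


def fake_resolver(query, preserve_case=True):
    """Constructed stand-in for the lDNSr: echoes the question back with
    QR/RA set. preserve_case=False models a proxy that lowercases names."""
    question = query[12:]
    if not preserve_case:
        question = question.lower()   # only label bytes contain letters here
    return query[:2] + struct.pack("!H", 0x8180) + query[4:12] + question


def classify_randomization(values, modulus=65536):
    """fixed / sequential / weak / random for observed ports or transaction IDs."""
    distinct = len(set(values))
    if distinct == 1:
        return "fixed"
    steps = {(b - a) % modulus for a, b in zip(values, values[1:])}
    if len(steps) == 1:
        return "sequential"          # constant increment, trivially predictable
    # a properly randomized source spreads n queries over close to n values
    return "random" if distinct >= 0.9 * len(values) else "weak"


def run_checks(seed=7):
    """One honest 0x20 round trip, one rewritten one, and two port/ID streams."""
    rng = random.Random(seed)
    qname = randomize_case("nonce1234.netalyzr.example", rng)   # constructed name
    query = build_query(qname, txid=rng.randrange(65536))
    honest_ports = [rng.randrange(1024, 65536) for _ in range(200)]
    lazy_ids = [(4100 + i) % 65536 for i in range(200)]
    return {
        "0x20_honest": case_preserved(qname, fake_resolver(query, True)),
        "0x20_rewritten": case_preserved(qname, fake_resolver(query, False)),
        "ports": classify_randomization(honest_ports),
        "txids": classify_randomization(lazy_ids),
    }
```

Against a real resolver the same functions apply unchanged: send `build_query(...)` over a UDP socket to the lDNSr, feed the reply to `case_preserved`, and collect the source ports the resolver uses on its outbound queries (visible only on a server you control) for `classify_randomization`.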

=== Misc ===

* Sends the user agent, language, encoding, charset, agent ID and nonce to the server
* Tries direct TCP/IPv4 and TCP/IPv6 connections on "$TCP_ECHO_PORT" (?), 21, 22, 25, 53, 80, 110, 135, 139, 143, 161, 443, 465, 585, 587, 993, 995, 1194, 1723, 5060, 6681, 9001