|
|
= Tests =
|
|
|
# Tests
|
|
|
This page will be used to keep track of all the OONI probe tests.
|
|
|
|
|
|
Tests are divided into two main subcategories: '''Traffic manipulation''' and '''Content blocking'''. For network tampering detection tests there is no need to supply a list of assets or targets to be tested for blocking, in content censorship detection this is required.
|
|
|
Tests are divided into two main subcategories: **Traffic manipulation** and **Content blocking**. For network tampering detection tests there is no need to supply a list of assets or targets to be tested for blocking, in content censorship detection this is required.
|
|
|
|
|
|
Use the [wiki:doc/OONI/Tests/TestTemplate Test Template] for properly formatting the tests.
|
|
|
Use the [Test Template](./doc/OONI/Tests/TestTemplate) for properly formatting the tests.
|
|
|
|
|
|
== Traffic manipulation ==
|
|
|
## Traffic manipulation
|
|
|
|
|
|
* '''Two way Traceroute''' ([https://ooni.readthedocs.org/en/latest/tests/traceroute.html details]). [[BR]]This involves performing a multiprotocol, multi port traceroute towards a backend machine and back.
|
|
|
* **Two way Traceroute** ([details](https://ooni.readthedocs.org/en/latest/tests/traceroute.html)).
|
|
|
This involves performing a multiprotocol, multi port traceroute towards a backend machine and back.
|
|
|
|
|
|
|
|
|
* '''Header field manipulation''' ([wiki:doc/OONI/Tests/HeaderFieldManipulation details])[[BR]]By varying the capitalization and adding certain headers to layer 7 protocols it is possible to detect on the receiving end if the traffic has been tampered with.
|
|
|
* **Header field manipulation** ([details](./doc/OONI/Tests/HeaderFieldManipulation))
|
|
|
By varying the capitalization and adding certain headers to layer 7 protocols it is possible to detect on the receiving end if the traffic has been tampered with.
|
|
|
|
|
|
|
|
|
* '''HTTP Host''' ([https://ooni.readthedocs.org/en/latest/tests/http_host.html details]). [[BR]]This involves changing the Host header field of an HTTP request to that of the site one wishes to check for censorship.
|
|
|
* **HTTP Host** ([details](https://ooni.readthedocs.org/en/latest/tests/http_host.html)).
|
|
|
This involves changing the Host header field of an HTTP request to that of the site one wishes to check for censorship.
|
|
|
|
|
|
|
|
|
* '''Switzerland''' ([wiki:doc/OONI/Tests/Switzerland details])[[BR]]Compares batches of hashes of packet headers for streams between two clients, dynamically masks out headers based on common albeit benign munging, such as that due to NAT routers.
|
|
|
* **Switzerland** ([details](./doc/OONI/Tests/Switzerland))
|
|
|
Compares batches of hashes of packet headers for streams between two clients, dynamically masks out headers based on common albeit benign munging, such as that due to NAT routers.
|
|
|
|
|
|
|
|
|
|
|
|
== Content blocking ==
|
|
|
## Content blocking
|
|
|
|
|
|
* '''DNS tamper''' ([https://ooni.readthedocs.org/en/latest/tests/dnstamper.html details])[[BR]]This involves doing A record queries towards a set of test resolvers and comparing with a known good resolver to determine if there is tampering with the response.
|
|
|
* **DNS tamper** ([details](https://ooni.readthedocs.org/en/latest/tests/dnstamper.html))
|
|
|
This involves doing A record queries towards a set of test resolvers and comparing with a known good resolver to determine if there is tampering with the response.
|
|
|
|
|
|
|
|
|
* '''Keyword filtering''' ([wiki:doc/OONI/Tests/KeywordFiltering details])[[BR]]This involves sending an receiving data that contains certain keywords and matching for censorship. It is possible to use bisection method to understand what subset of keywords are triggering the filter.
|
|
|
* **Keyword filtering** ([details](./doc/OONI/Tests/KeywordFiltering))
|
|
|
This involves sending an receiving data that contains certain keywords and matching for censorship. It is possible to use bisection method to understand what subset of keywords are triggering the filter.
|
|
|
|
|
|
|
|
|
* '''Captive Portal''' ([wiki:doc/OONI/Tests/CaptivePortal details])[[BR]]This involves checking DNS resolution, comparing HTTP status codes content, and serial numbers for Start of Authority DNS records.
|
|
|
* **Captive Portal** ([details](./doc/OONI/Tests/CaptivePortal))
|
|
|
This involves checking DNS resolution, comparing HTTP status codes content, and serial numbers for Start of Authority DNS records.
|
|
|
|
|
|
|
|
|
* '''HTTP scan''' ([wiki:doc/OONI/Tests/HTTPScan details])[[BR]]This involves doing a full connection to the in question site. If the content does not match the expected result then a censored flag is raised.
|
|
|
* **HTTP scan** ([details](./doc/OONI/Tests/HTTPScan))
|
|
|
This involves doing a full connection to the in question site. If the content does not match the expected result then a censored flag is raised.
|
|
|
|
|
|
|
|
|
* '''Traceroute''' ([https://ooni.readthedocs.org/en/latest/tests/traceroute.html details])[[BR]]This involves doing TCP, UDP, ICMP traceroute for certain destination addresses if there are discrepancies in the paths with locations in the vicinities then a censorship flag is raised.
|
|
|
* **Traceroute** ([details](https://ooni.readthedocs.org/en/latest/tests/traceroute.html))
|
|
|
This involves doing TCP, UDP, ICMP traceroute for certain destination addresses if there are discrepancies in the paths with locations in the vicinities then a censorship flag is raised.
|
|
|
|
|
|
|
|
|
* '''RST packet detection''' ([wiki:doc/OONI/Tests/RSTPacketDetection details])[[BR]]This involves attempting to connect to a certain destination and checking if the client gets back a RST packet.
|
|
|
* **RST packet detection** ([details](./doc/OONI/Tests/RSTPacketDetection))
|
|
|
This involves attempting to connect to a certain destination and checking if the client gets back a RST packet.
|
|
|
|
|
|
|
|
|
* '''daphne''' ([wiki:doc/OONI/Tests/daphne details])[[BR]]Takes as input a censored SSL conversation and mutates it incrementally to figure out the fingerprint being detected.
|
|
|
* **daphne** ([details](./doc/OONI/Tests/daphne))
|
|
|
Takes as input a censored SSL conversation and mutates it incrementally to figure out the fingerprint being detected.
|
|
|
|
|
|
|
|
|
* '''Network latency''' ([wiki:doc/OONI/Tests/Networklatency details])[[BR]]This means checking if the latency of the connection to a certain server is congruent with its location. This method generally does not perform as well as the others as it requires the discrepancy to be very visible, but it has been used successfully in countries such as Lebanon.
|
|
|
* **Network latency** ([details](./doc/OONI/Tests/Networklatency))
|
|
|
This means checking if the latency of the connection to a certain server is congruent with its location. This method generally does not perform as well as the others as it requires the discrepancy to be very visible, but it has been used successfully in countries such as Lebanon.
|
|
|
|
|
|
|
|
|
* '''BridgeT''' ([wiki:doc/OONI/Tests/BridgeT details])[[BR]]Does a Tor Bridge reachability test and detects in what way a certain Tor bridge is being blocked.
|
|
|
* **BridgeT** ([details](./doc/OONI/Tests/BridgeT))
|
|
|
Does a Tor Bridge reachability test and detects in what way a certain Tor bridge is being blocked.
|
|
|
|
|
|
|
|
|
* '''DNS injection''' ([wiki:doc/OONI/Tests/DNSInjection details])[[BR]] The censor inspects all the DNS query by snooping the link, and injects a forged DNS reply for those blacklisted domain names, without suppressing the legitimate reply. Because the forged reply, with a spoofed source address of the queried DNS server(such as 8.8.8.8), arrives much earlier than the legitimate one, the querying client will accept the forged reply from the censor and drop the legitimate one. DNS injection is known used by Great Firewall of China. |
|
|
* **DNS injection** ([details](./doc/OONI/Tests/DNSInjection))
|
|
|
The censor inspects all the DNS query by snooping the link, and injects a forged DNS reply for those blacklisted domain names, without suppressing the legitimate reply. Because the forged reply, with a spoofed source address of the queried DNS server(such as 8.8.8.8), arrives much earlier than the legitimate one, the querying client will accept the forged reply from the censor and drop the legitimate one. DNS injection is known used by Great Firewall of China. |