Debugging With Netalyzr




Debugging With Netalyzr
Christian Kreibich (ICSI), Nicholas Weaver (ICSI), Boris Nechaev (HIIT/TKK), and Vern Paxson (ICSI & UC Berkeley)

What Is Netalyzr?
- Netalyzr is a comprehensive network measurement and debugging tool built as a Java applet, located at http://netalyzr.icsi.berkeley.edu
- A suite of custom servers, hosted primarily on Amazon EC2
- Multiple properties are checked:
  - NAT properties: presence, port renumbering, DNS proxies
  - IP properties: blacklist membership
  - Network properties: latency, bandwidth, buffering, IPv6 capability, path MTU
  - Service properties: outbound port filtering and proxies on a large list of services

What Is Netalyzr? (continued)
- Further properties:
  - HTTP properties: hidden HTTP proxies or caches; correct operation of proxies and caches
  - DNS properties: latency of lookups, glue policy, DNS wildcarding, name validation, DNS MTU, DNSSEC readiness
  - Host properties: browser identity, Java version, clock accuracy
- Over 120,000 executions to date
- A technical report is available
- Findings include path MTU holes and MTU-related ICMP failures, chronic overbuffering, DNS wildcarding, and DNS MitM attacks from both malcode and ISPs

Netalyzr Requirements
- Requires a Java-capable web browser
- JavaScript is highly useful
- Some personal firewalls block unknown-port UDP by default, as do some corporate firewalls
  - This prevents the latency, bandwidth, MTU, fragmentation, UDP port filtering, and some DNS tests from operating
  - On a Mac, allow incoming connections to the web browser if prompted
- Some tests require trusting the applet
  - But even untrusted, most tests still operate within Java's Same Origin policy

Results Summary
- After running the test suite, a single results page is displayed
- Normal results are automatically compressed to reduce visual clutter; they can be expanded with the +/- icon
- Anything interesting is highlighted at the top in orange or red, depending on severity
- The results URL can be cut & pasted for forwarding to others
  - Very useful for Mom-level debugging as well
- An "Under the Hood" view exists
- Client-side debugging transcript link: pretty much everything we do is exported to the debugging output

Some Problem Areas Of Interest
- Unknown outbound port filtering/proxies
- Broken HTTP proxies & caches
- Fragmentation
- Path MTU issues
- Blacklists
- DNS issues
- Overbuffering

Unknown Outbound Port Filtering & Proxies...
- To check for outbound filtering or proxies, Netalyzr connects to custom echo servers
  - The echo server returns the IP/port used for the connection
  - The response indicates the status: port filtered; redirected through a proxy; terminated by an application-aware proxy/filter; port unfiltered
- Protocol-aware filtering is acceptable if you know about it!
  - A lot of SIP-aware proxies running around
  - Firewalls commonly enforce DNS semantics
- Save yourself a lot of grief: run an ssh server on port 443 back at your home institution
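The echo-server check described above, written out as an added example (this is not Netalyzr's own code): a local stand-in echo server returns the peer address it sees, and the client turns the probe outcome into the four statuses on the slide. The loopback server and the client's "public IP" values are constructed for the example.

```python
import socket
import threading


def start_echo_server():
    """Stand-in for Netalyzr's echo servers (constructed for this example):
    replies with the peer's IP:port as the server sees it, then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, (ip, port) = srv.accept()
            except OSError:          # listening socket was shut down
                return
            with conn:
                conn.sendall(f"{ip}:{port}\n".encode())

    threading.Thread(target=serve, daemon=True).start()
    return srv


def stop_echo_server(srv):
    """Wake the accept loop (shutdown on a listening socket) and free the port."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def probe_port(ip, port, timeout=2.0):
    """Connect to an echo server on ip:port and return (outcome, echoed_reply)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            data = b""
            while chunk := s.recv(256):
                data += chunk
    except OSError:                  # refused, reset or timed out
        return "no-connection", None
    return ("reply", data.decode().strip()) if data else ("closed-without-reply", None)


def classify(outcome, reply, public_ip):
    """Map a probe outcome to the slide's four statuses. The echoed port is
    deliberately ignored: a NAT that renumbers ports is not a proxy."""
    if outcome == "no-connection":
        return "port filtered"
    if outcome == "closed-without-reply":
        return "terminated by application-aware proxy/filter"
    echoed_ip = reply.rsplit(":", 1)[0]
    return "port unfiltered" if echoed_ip == public_ip else "redirected through a proxy"


def check_outbound_port(ip, port, public_ip):
    """Run one probe and classify it; public_ip is the client's external address."""
    outcome, reply = probe_port(ip, port)
    return classify(outcome, reply, public_ip)
```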

HTTP Proxies and Caches
- Do they exist at all?
  - Either mandatory or configured in the web browser
  - Detected by sending requests which trip up proxies: including IP changes, header changes, illegal requests, repeated fetches of data with different cache-control, etc.
  - Far more likely to be known if on a corporate network, but can be annoyingly common at random hotspots etc.
- Do they cache or transcode data?
  - If they exist, they are quite commonly broken: caching data which should not be cached
  - This can cause significant privacy leakages and web-site breakages

Do they improperly interpret the hostname?
- An in-path HTTP proxy must not interpret the HTTP Host header to decide where to route the request
  - Otherwise, this enables Java & Flash to grossly violate the same origin policy
- But some in-path proxies are broken:
  - Test by generating a request to our web server, but with the Host field set to www.google.com
  - A broken proxy will reinterpret the request and forward it to Google!
- Mildly bad on hotspot networks: suggests that the administrators aren't keeping things up-to-date
- Really bad on corporate networks: can often be used to pillage internal web sites using Java or Flash
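The Host-header test above as an added example (not Netalyzr's code): a local stand-in for "our web server" answers with a known marker, the client connects to it by IP address but sends a foreign Host value, and the verdict depends on whether the marker came back. The marker body and the loopback server are constructed for the example; the real check would address a server on the public Internet.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed marker body that only "our" server returns.
MARKER = b"host-header-check-marker"


class _MarkerHandler(BaseHTTPRequestHandler):
    """Stand-in for the measurement web server: every GET returns MARKER."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", str(len(MARKER)))
        self.end_headers()
        self.wfile.write(MARKER)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_marker_server():
    srv = HTTPServer(("127.0.0.1", 0), _MarkerHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_with_host(ip, port, host_header, timeout=3.0):
    """Connect to ip:port directly, but put a foreign name in the Host header,
    as the slide describes; a correct in-path proxy routes on the IP, not Host."""
    req = (f"GET / HTTP/1.1\r\nHost: {host_header}\r\n"
           "Connection: close\r\n\r\n").encode()
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)


def classify_proxy(response):
    """'direct' if the IP-addressed server answered, otherwise something on the
    path re-routed the request based on the Host header."""
    return "direct" if MARKER in response else "host-reinterpreted"


def run_host_header_check(ip, port, foreign_host="www.google.com"):
    return classify_proxy(fetch_with_host(ip, port, foreign_host))
```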

Fragmentation Problems
- The applet sends and receives fragmented UDP traffic
  - A ~2000B packet that has a small echo
  - A small request which generates a ~2000B response
- About 8% can't send or receive fragments
- Common cause: broken firewalls/NATs
  - Stateless firewall rules that include a "deny all" for any unmatched packet, without a rule that says all but the first fragment are allowed
  - Stupid NATs
- Big problem for DNSSEC: DNSSEC effectively requires fragmented UDP traffic

Path MTU Issues
- Can (Ethernet MTU - 1B) packets be sent over UDP?
  - If not, you're probably running Linux: Linux does path MTU discovery for UDP, setting DF on UDP packets that fit onto the link's MTU...
  - ...which then pass through a link with a lower-than-Ethernet MTU
  - This is a Linux bug:
    - Workaround #1: disable all path MTU discovery
    - Workaround #2: lower the interface's MTU to ~1400B
- What is the path MTU from our server to the client, and are the ICMP too-big messages sent properly?
  - If not, the tunnel endpoint (e.g., the other side of the VPN tunnel) or an intermediary firewall is broken (unfortunately common)

Blacklists...
- Netalyzr checks the external IP against multiple blacklists
- Spamhaus PBL: has someone designated this IP as not supposed to send email? Could result in SMTP problems
- Spamhaus XBL: has this IP been reported as exploited? If not on a shared hotspot, this should be investigated further
- SORBS DUHL: has the ISP reported this as a "should be dynamic" IP? Some mail servers use this to guide reception of SMTP
- TOR exit node: are you coming to us through Tor?

DNS Issues
- DNS port randomization
  - If untrusted, this is just a boolean result
  - If trusted, it reveals the request ports used
- DNS MTU
  - What is the advertised DNS MTU?
  - What is the actual DNS MTU?
  - If the actual MTU is less, this can cause big problems with DNSSEC: instead of immediately failing over to TCP when truncation is set, a large reply will take a timeout first
  - Commonly due to a "no fragment" or "DNS == 512B" firewall
- DNS truncation
  - Can the resolver use TCP as well as UDP?
  - Again, this is effectively necessary for DNSSEC

More DNS Checks
- Can the host directly query DNS?
- If so, does DNS pass through a proxy or firewall?
- If so, does the network allow EDNS requests of various sizes to pass?
- Failures here are due to common (old) firewall problems:
  - No EDNS == firewall doesn't understand EDNS
  - EDNS medium & large fail == firewall mistakenly assumes DNS = 512B
  - EDNS large fails == network can't handle fragments
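An added example (not Netalyzr's code) covering the DNS MTU and EDNS checks on the two slides above: it builds a DNS query carrying an EDNS0 OPT record with a chosen advertised UDP payload size, reads the TC (truncation) bit from a reply header, and maps which probe sizes got a reply onto the slide's three firewall diagnoses. The three probe sizes are assumptions for the example, not Netalyzr's values.

```python
import struct

# Probe payload sizes (assumed for this example; the slide names only
# small/medium/large).
PROBE_SIZES = {"small": 512, "medium": 1400, "large": 4096}


def build_edns_query(name, udp_payload_size, txid=0x1234, qtype=1):
    """DNS query for `name` (type A by default) with an EDNS0 OPT RR in the
    additional section advertising `udp_payload_size` as the reply size we accept."""
    # Flags 0x0100 = RD; 1 question, 0 answers, 0 authority, 1 additional (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(l)]) + l.encode()
                     for l in name.strip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS=IN
    # OPT RR: root owner name, TYPE 41, CLASS carries the UDP payload size,
    # TTL carries extended RCODE/version/flags (all zero here), RDLEN 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0, 0)
    return header + question + opt


def parse_reply_flags(packet):
    """Return (txid, truncated, rcode) from a DNS message header. A set TC bit
    is the signal that should trigger an immediate retry over TCP."""
    txid, flags = struct.unpack("!HH", packet[:4])
    return txid, bool(flags & 0x0200), flags & 0x000F


def advertised_edns_size(packet):
    """UDP payload size from the OPT RR, or None if there is no EDNS0 record.
    Simplification: assumes the OPT RR is the last record (true for our queries)."""
    idx = packet.rfind(b"\x00" + struct.pack("!H", 41))
    if idx < 12:
        return None
    return struct.unpack("!H", packet[idx + 3:idx + 5])[0]


def diagnose_edns(passed):
    """Map which probe sizes got a reply ('small'/'medium'/'large' -> bool)
    onto the slide's three firewall diagnoses."""
    if not passed.get("small"):
        return "no EDNS: firewall does not understand EDNS"
    if not passed.get("medium") and not passed.get("large"):
        return "EDNS medium & large fail: firewall mistakenly assumes DNS == 512B"
    if not passed.get("large"):
        return "EDNS large fails: network cannot handle fragments"
    return "EDNS requests of all probed sizes pass"
```

Sending each built query over UDP to the configured resolver and recording whether a reply arrives within a timeout gives the `passed` map; a reply with TC set that is not followed by a prompt TCP retry is the DNSSEC timeout problem the DNS MTU slide describes.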

Overbuffering
- Attempts to saturate first the uplink and then the downlink of the network
- Measures the latency of packets when the system is quiet vs. when the buffer is stressed
- Causes the network to fail the "walk and chew gum" test: a full-rate TCP flow (or multiple flows) will fill the buffer and cause interactive TCP sessions to experience massive lag
- Only a few solutions:
  - Get the cable-modem/DSL modem vendors to design the buffers right
  - Get the NAT vendors to add remote active queue management
  - Pay for a higher tier of service
  - Just don't expect good web surfing or VoIP when running BitTorrent, photo uploads, etc.

This Problem Is Chronic
[Figure "Inside the Netalyzr": upload bandwidth (16Kb/s to 16Mb/s) plotted against inferred buffer capacity (1KB to 16MB)]
- The uplink buffer can introduce >1s delays
- This is a big problem for P2P programs like BitTorrent

We Do Consider Further Tests...
- If a problem is significant/interesting, we'll consider adding new tests
- DNS tests driven by DNSSEC deployment issues
- Currently building a significant suite of IPv6 tests