Netalyzr: Network Measurement as a Network Security Problem

September 9, 2011
Nicholas Weaver | International Computer Science Institute

Netalyzr, at http://netalyzr.net, is a widely used network measurement and debugging tool, with over 300,000 executions to date. Netalyzr is a signed Java applet coupled to a custom suite of test servers in order to detect and debug problems with DNS, NATs, hidden HTTP proxies, and other issues. Netalyzr has revealed many problems in the Internet landscape, ranging from broken NAT DNS resolvers, hidden caches and malfunctioning proxies, to deliberate ISP manipulations of DNS results, including some ISPs which used DNS to man-in-the-middle search properties like Yahoo, Google, and Bing. Although Netalyzr is a network measurement tool, writing it was a network security process, designed to detect unusual conditions by deliberately bending (or outright breaking) protocol specifications, using unintended features of Java, and a general dose of “sneaky”.

This talk discusses the design of Netalyzr, interesting cases observed during development, and highlights some of the interesting results including HTTP caches, hidden proxies, chronic overbuffering, and DNS misbehaviors, including the infrastructure behind the recently publicised ISP hijacking of search engines using DNS.

Speaker Details

Nicholas Weaver is a researcher at the International Computer Science Institute in Berkeley. His primary research focuses are on network measurement and network security, including bots, underground economics, and related issues. Among the developments he’s been involved with is the theory behind high-speed Internet worms, network hardware for Intrusion Detection, how much money spammers can make, and the Netalyzr Network Measurement tool.