The Internet

Researcher's Tool Catches Net Neutrality Cheaters 131

Sparrowvsrevolution writes "At the Black Hat security conference in Las Vegas Wednesday, researcher Dan Kaminsky announced he will release a free software tool for detecting when an Internet service provider is artificially slowing down or speeding up traffic to and from a website, a tool he is calling N00ter, or 'neutral router.' N00ter functions like a VPN, routing traffic through a proxy and disguising its source and destination. But instead of encrypting the traffic in both directions as VPNs do, it instead spoofs the traffic from a Web site to a user to make it seem to be coming from any Web site that the user wants to test. That traffic can be compared with a normal connection to the N00ter server without a spoofed IP address, to spot any artificial changes in speed."
  • Very cool tool (Score:3, Interesting)

    by Anonymous Coward on Thursday August 04, 2011 @08:11AM (#36984116)

    Now if only, instead of asking the violent State to force ISPs to maintain a transparent internet, these people would form a voluntary 'Association of Net Neutral ISPs' so that people can vote with their money.

  • by Anonymous Coward on Thursday August 04, 2011 @11:33AM (#36986312)

    Say Google is 50ms slower than Bing. Is this because of the ISP, or the routers and myriad server and path differentials between the ISP and Google, vs. the ISP and Bing? Can't tell, it's all conflated. We have to normalize the connection between the two sites, to measure if the ISP is using policy to alter QoS. Here's how we do this with n00ter.

    Start with a VPN that creates an encrypted link from a Client to a broker/concentrator. An IP at the Broker talks plaintext with Google and Bing, who reply to the Broker. The Broker now encrypts the traffic back to the Client.

    Policy can't differentiate Bing traffic from Google traffic, it's all encrypted.

    Now, let's change things up -- let's have the Broker push the response traffic from Google and Bing, completely in the open. In fact, let's have it go so far as to spoof traffic from the original sources, making it look like there isn't even a Broker in place. There's just nice clean streams from Google and Bing.

    If traffic from the same host, being sent over the same network path, but looking like Google, arrives faster (or slower) than traffic that looks like it came from Bing, then there's policy differentiating Google from Bing.

    Now, what if the policy is only applied to full flows, and not half flows? Well, in this case, we have one session that's a straight normal download from Bing. Then we have another, where the entire client->server path is tunneled as before, but the Broker immediately emits the tunneled packets to Bing *spoofing the Client's IP address*. So basically we're now comparing the speed of a full legitimate flow to Bing, with a half flow. If QoS differs -- as it would, if policy is only applied to full flows -- then once again the policy is detected.

    I call this client->server spoofing mode Roto-N00ter.

    There's more tricks, but this is what N00ter's up to in a nutshell. It should work for anything IP based -- if you want to know if XBox360 traffic routes faster than PS3 traffic, this'll tell you.
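
The comparison step the comment above describes, as an added example that is not part of the original comment and is not N00ter's code: once both labelled streams have been timed over the same path, a permutation test on the median transfer time separates a real policy effect from ordinary jitter. The timing samples, function names, and the `alpha` and `min_gap_ms` thresholds are all constructed assumptions.

```python
import random
from statistics import median

# Constructed sample data: transfer times (ms) for the same payload sent by the
# Broker over the same path, changing only the source label on the traffic.
GOOGLE_LABELLED_MS = [412, 405, 420, 409, 415, 418, 407, 411, 414, 410]
BING_LABELLED_MS = [463, 458, 471, 460, 455, 468, 466, 459, 462, 470]
# Constructed control: two runs carrying the same label, so no policy can apply.
CONTROL_A_MS = [412, 405, 420, 409, 415, 418, 407, 411, 414, 410]
CONTROL_B_MS = [413, 406, 419, 408, 416, 417, 404, 412, 415, 409]


def median_gap_ms(a, b):
    """Signed difference of medians; medians resist one-off latency spikes."""
    return median(a) - median(b)


def permutation_p_value(a, b, rounds=5000, seed=1):
    """Two-sided permutation test on the median gap.

    If the label has no effect, shuffling labels across the pooled timings
    should produce a gap as large as the observed one fairly often.
    """
    rng = random.Random(seed)  # fixed seed keeps the result reproducible
    observed = abs(median_gap_ms(a, b))
    pooled = list(a) + list(b)
    hits = 0
    for _ in range(rounds):
        rng.shuffle(pooled)
        if abs(median_gap_ms(pooled[:len(a)], pooled[len(a):])) >= observed:
            hits += 1
    return (hits + 1) / (rounds + 1)  # add-one so p is never exactly zero


def policy_detected(a, b, alpha=0.01, min_gap_ms=5.0):
    """Flag differentiation only if the gap is large and unlikely by chance.

    alpha and min_gap_ms are illustrative thresholds, not values from the page.
    """
    if abs(median_gap_ms(a, b)) < min_gap_ms:
        return False
    return permutation_p_value(a, b) < alpha


if __name__ == "__main__":
    print("labelled gap (ms):", median_gap_ms(GOOGLE_LABELLED_MS, BING_LABELLED_MS))
    print("policy detected:", policy_detected(GOOGLE_LABELLED_MS, BING_LABELLED_MS))
    print("control detected:", policy_detected(CONTROL_A_MS, CONTROL_B_MS))
```

The control pair matters: if two identically labelled runs also differ, the path itself is unstable and the labelled result should not be trusted.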
