The Good, the Bad, the Net Neutrality Detector

By Lisa Vaas  |  Posted 2007-08-07

Net neutrality in a nutshell: Some advocates have warned that broadband providers will use their control over the "last mile" to discriminate between content providers, particularly competitors. Net neutrality advocates also predict that telecom companies will seek to impose a tiered service model as a means of profiting from their control over the pipeline as opposed to demand for particular content or services.

Some say that providers are already practicing hostility toward Net neutrality. Kaminsky wants those providers to know that people now can detect what they're up to. This is something he stumbled upon when dissecting browser behavior for the DNS binding design flaw.

"Now that I'm understanding what we can make a browser do, we can make very controlled HTTP requests with a browser," he said.
Normally, a browser makes a request that's structured, standardized and doesn't have much flexibility. Plug-in technologies such as Flash, however, are providing people with arbitrary TCP sockets. They're blank, Kaminsky said. HTCP—TCP with headers that describe what's going on—means people can put on any headers they want, or leave out whatever they want.

This flexibility is very interesting, Kaminsky said, in its ability to detect what he called provider hostility—i.e., if a service provider is stuttering, or serving up a given resource at stumble rates, intentionally. In a nutshell, a speed test against "transparent"—easily detectable—proxies used by some consumer networks will directly yield information about hostility.

To detect hostile providers, first people need to filter out the differences. They have to download from two separate sites. Just because one's slow and one's fast doesn't mean a provider's hostile, though. People need two data sets to come from the same site, with the same server, and with the only difference being that the provider's network sees it as the person's site as opposed to someone else's.

Of course, people can just issue a request to wherever they want, such as, "Please send me a movie from Viacom. Also, send me a movie from YouTube." "If it comes faster from one vs. the other, you'll know the network is being hostile to the site" from which it's slowly delivering the movie, Kaminsky said.

However, networks can realize people are trying to test their speed. Just for the purpose of the test, people therefore might get served everything fast. The question Kaminsky had was, is it possible to make a hostility test that's undetectable?

Here's what he needed: To spoof sites on the Internet, to know what these sites would see, to respond as if he were those sites, and to keep those real sites from interfering with his interference.

"I don't want them to be able to tell," he said. "Am I able to make a system" that couldn't tell? Is it possible to build a hostility detection system that uses traffic indistinguishable from real-world traffic?

"The answer is yes," he said. "And it's totally messed up how I'm doing it."

The answer to fashioning a Net neutrality detection tool boils down to "old-school packet stuntage," Kaminsky said.

"Say I want to pretend I'm some site I want to speed test," he said. "I don't want the test to come from me, [rather, I want it to come] from their site. They'll download something from me [and the] entire infrastructure will think it's coming from MySpace or YouTube or wherever I want."

What would normally prevent this is that an HTTP session runs over TCP. What keeps random people from injecting into the stream is that they don't know the stream's sequence numbers. They can't know them. Right?

"Oh, wait," Kaminsky said. "There's an ActiveX plugin called PacketX and it's a sniffer that emits JavaScript events on each packet. A packet sniffer for your Web browser. Did you see what I did? I just wrote an entire tunneling layer in JavaScript."

Kaminsky said he laughed for two hours when he came up with it. He's calling it "Inspector Pakket," like "Inspector Gadget."

"Now I can have some fun," he said. "What was keeping me out was not knowing sequence numbers. If I can sniff packets on the client, I can totally know the sequence numbers. So, number one, I can totally spoof the IP of YouTube or CNN or whatever when sending traffic to the client, because I know what sequence numbers to use.

"I'm sending traffic to the client. The client is acknowledging my traffic, but not to me, to the server. The server would normally say, 'Why are you talking to me? I don't have a session open with you, go away, here's some resets,' and it would be game over for me. But everyone's deployed a firewall saying, 'You don't have a session, I don't have to talk to you.' It won't talk to me, and I can just go ahead."

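The side effect Kaminsky describes, seen from the real site's edge, as an added example that is not from the article or from Kaminsky's tool: the client ACKs the spoofed data to the real server, which has no session for it, so a sensor can flag streams of advancing ACKs that follow no handshake. The log format, addresses and `min_acks` threshold are constructed for illustration.

```python
from collections import defaultdict

SERVER = "203.0.113.10"  # constructed address standing in for the real site

# Constructed edge-sensor log (hypothetical format): time, src, dst, TCP flags, ack number.
SAMPLE_LOG = """\
0.00 198.51.100.7:40001 203.0.113.10:80 S ack=0
0.01 203.0.113.10:80 198.51.100.7:40001 SA ack=901
0.02 198.51.100.7:40001 203.0.113.10:80 A ack=5001
1.00 192.0.2.55:51000 203.0.113.10:80 A ack=1001
1.05 192.0.2.55:51000 203.0.113.10:80 A ack=2461
1.10 192.0.2.55:51000 203.0.113.10:80 A ack=3921
1.15 192.0.2.55:51000 203.0.113.10:80 A ack=5381
2.00 192.0.2.99:52000 203.0.113.10:22 A ack=0
2.01 192.0.2.99:52000 203.0.113.10:443 A ack=0
3.00 198.51.100.20:41000 203.0.113.10:80 A ack=7001
3.50 198.51.100.20:41000 203.0.113.10:80 A ack=7001
4.00 198.51.100.20:41000 203.0.113.10:80 A ack=7001
"""

def parse(line):
    ts, src, dst, flags, ack = line.split()
    return float(ts), src, dst, flags, int(ack.split("=")[1])

def find_stateless_ack_streams(log, server=SERVER, min_acks=3):
    """Map each flow that ACKs advancing data without a handshake to the bytes it ACKed."""
    pending, established = set(), set()   # flows with SYN seen / handshake answered
    stray = defaultdict(list)             # flow -> ack numbers seen with no session state
    for line in log.strip().splitlines():
        _, src, dst, flags, ack = parse(line)
        if dst.rsplit(":", 1)[0] == server:            # inbound to the site
            flow = (src, dst)
            if flags == "S":
                pending.add(flow)
            elif "A" in flags and flow not in established:
                stray[flow].append(ack)
        elif src.rsplit(":", 1)[0] == server and flags == "SA" and (dst, src) in pending:
            established.add((dst, src))
    findings = {}
    for flow, acks in stray.items():
        # One-off ACKs (scans) and repeated stale ACKs do not advance; a download does.
        advancing = all(b > a for a, b in zip(acks, acks[1:]))
        if len(acks) >= min_acks and advancing:
            findings[flow] = acks[-1] - acks[0]       # ignores 32-bit wraparound
    return findings

if __name__ == "__main__":
    for (client, site), acked in find_stateless_ack_streams(SAMPLE_LOG).items():
        print(f"{client} -> {site}: {acked} bytes ACKed with no session")
```

The sensor has to see traffic before the stateful firewall discards it, or read the firewall's own out-of-state drop log, because the firewall's silence is exactly what the technique relies on.
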
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
