How it Works

Motivation

NetStinky checks your IP address against a set of blacklist providers. These providers constantly monitor traffic across the internet looking for networks that are misbehaving, such as by sending spam or connecting to known criminal networks. The results of these checks are stored in their databases so that third parties can query them. While this information is public, it can be hard to reference and comes from multiple providers. NetStinky aggregates these providers and provides a quick and easy mechanism for checking your address for suspicious behaviour.

The mobile app generates a network identifier that is a combination of your WiFi network name (SSID) and the hardware identifier (BSSID) of your modem/router. This identifier is then passed through a one-way hash (a SHA256 digest) to obscure the original information while still providing a consistent identifier for the same network. The NetStinky service only ever sees the hashed version, so we never learn your network's name or hardware ID.

It is necessary to create a network identifier for a client network because of the widespread use of dynamic IP addresses for internet connections. As the IP address of your network could change at any time, the address alone is not sufficient to uniquely identify your network and would therefore make it impossible to track changes to the state of your network. By generating the identifier from the physical devices present in your network, we can be confident that your network identifier will not change frequently.

As the public IP address of your network may change at any time, there is a chance that you will inherit an address from another subscriber of your ISP that has previously been used for malicious purposes and has therefore been listed on a blacklist. By tracking the network identifier for a given network, we can infer whether you have just inherited a bad IP address or whether the malicious behaviour is continuing.

[Figure: Flow diagram of a NetStinky query, showing the flow of information through the NetStinky services]

Under the Hood

The mobile application sends an HTTP POST request to our service that contains the generated network identifier for the currently connected network. From this request we can see the public IP address that it came from and create a record of a client network that combines the IP address and network identifier.

Once the client network has been created, we launch a series of queries against our database of blacklist providers to determine whether the IP address in question has shown any Indications of Compromise. We collate the results of these checks into a single report, returned to the application, which contains the following information:

A record of these details is retained by our service in order to monitor the ongoing state of a client's network. We also track this information to generate metrics on remediation of compromise states (whether or not a network is remediated once a user is notified of an issue).

Once a network has been checked by the application, the application will periodically re-check the network to see whether the compromise state has changed. The re-check results are stored in the application's local database to provide a history of checks. The application only generates a notification if the returned report includes an Indication of Compromise.
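The hashed identifier from the Motivation section and the "inherited bad address versus continuing behaviour" inference described above, as an added example that is not NetStinky's own code: the exact SSID/BSSID concatenation format and the classification rules are assumptions, since the page does not specify them.

```python
import hashlib
from dataclasses import dataclass


def network_identifier(ssid: str, bssid: str) -> str:
    # The page says SSID and BSSID are combined and SHA-256 hashed, but not how.
    # The "ssid|bssid" layout with a normalised BSSID is an assumption of this example.
    material = f"{ssid}|{bssid.strip().lower()}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


@dataclass
class CheckRecord:
    network_id: str  # hashed identifier from network_identifier()
    ip: str          # public IP the POST request arrived from
    listed: bool     # any blacklist provider reported an indication of compromise


def classify_latest(history: list[CheckRecord]) -> str:
    """Classify the newest check for one client network (rules assumed here).
    clean: not listed. new: first check and listed. inherited: listed, but the
    IP changed since the last check and that IP was clean (bad address likely
    inherited from another subscriber). continuing: listed on the same IP as
    before, or on a new IP after the old one was also listed."""
    if not history:
        raise ValueError("no checks recorded for this network")
    if len({r.network_id for r in history}) != 1:
        raise ValueError("history must belong to a single network identifier")
    latest = history[-1]
    if not latest.listed:
        return "clean"
    if len(history) == 1:
        return "new"
    previous = history[-2]
    if previous.ip != latest.ip and not previous.listed:
        return "inherited"
    return "continuing"


def demo() -> dict[str, str]:
    # Constructed sample histories for one home network; not real data.
    nid = network_identifier("HomeWiFi", "AA:BB:CC:DD:EE:FF")
    scenarios = {
        "first_clean": [CheckRecord(nid, "203.0.113.10", False)],
        "ip_changed_then_listed": [CheckRecord(nid, "203.0.113.10", False),
                                   CheckRecord(nid, "203.0.113.77", True)],
        "same_ip_still_listed": [CheckRecord(nid, "203.0.113.77", True),
                                 CheckRecord(nid, "203.0.113.77", True)],
    }
    return {name: classify_latest(h) for name, h in scenarios.items()}
```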