How It Works - SlimeDog/NetworkInterceptor GitHub Wiki
How It Works
NetworkInterceptor installs a custom security-manager and a custom proxy-selector into the Java runtime environment. These monitor and (optionally) block outgoing network connection attempts. This allows server administrators to easily analyze the connections made by plugins and, if they desire, block them.
⚠️ The proxy-selector method does not detect as many connection attempts as the security-manager method. For best results, the security-manager method should be enabled.
By default, connections are monitored and logged to the console. Optionally, connections may be logged to the intercept.log file, or to both the console and the intercept.log file.
Connection targets are listed in the configuration. Either FQDNs (for example, api.spigotmc.org) or IP addresses may be specified. Generally, IP addresses do not need to be listed in configuration, because (by default) they are automatically mapped to their related FQDNs. An IP address is considered related to an FQDN if it occurs within a configurable time after an FQDN with the identical stack trace.
Two processing modes are supported: allow and deny. If blocking is enabled:
- In allow mode, connections to specified targets will be allowed. Other connections will be blocked.
- In deny mode, connections to specified targets will be blocked. Other connections will be allowed.
In either mode, trusted plugins may be specified. All connections by trusted plugins are allowed.
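The decision rules above (allow/deny mode, trusted plugins, and mapping an IP address to the FQDN last seen with the same stack trace) can be modeled as follows. This is an added example, not NetworkInterceptor's own code: the class, method and field names, the 2-second window and the sample hosts and plugins are all assumptions made for illustration (Java 16 or later).

```java
import java.time.*;
import java.util.*;

// Added illustration: every name here is hypothetical, not NetworkInterceptor's API.
public class InterceptPolicyDemo {
    enum Mode { ALLOW, DENY }
    record Seen(String fqdn, Instant at) {}
    private final Mode mode;
    private final boolean blocking;
    private final Set<String> targets, trustedPlugins;
    private final Duration window; // the "configurable time" for IP-to-FQDN mapping
    private final Map<String, Seen> lastFqdnByTrace = new HashMap<>();

    InterceptPolicyDemo(Mode mode, boolean blocking, Set<String> targets,
                        Set<String> trustedPlugins, Duration window) {
        this.mode = mode; this.blocking = blocking; this.targets = targets;
        this.trustedPlugins = trustedPlugins; this.window = window;
    }

    // Crude literal check for the demo: IPv4 dotted quad, or any host containing ':'.
    static boolean isIp(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":");
    }

    // plugin is null when the triggering plugin could not be identified.
    boolean shouldBlock(String host, String plugin, String traceKey, Instant now) {
        String name = host;
        if (!isIp(host)) {
            lastFqdnByTrace.put(traceKey, new Seen(host, now)); // remember FQDN per trace
        } else {
            Seen s = lastFqdnByTrace.get(traceKey);
            if (s != null && Duration.between(s.at(), now).compareTo(window) <= 0)
                name = s.fqdn(); // IP soon after an FQDN with the same trace: related
        }
        if (!blocking) return false; // monitor-only: log, never block
        if (plugin != null && trustedPlugins.contains(plugin)) return false;
        boolean listed = targets.contains(name);
        return mode == Mode.ALLOW ? !listed : listed;
    }

    public static void main(String[] args) {
        var p = new InterceptPolicyDemo(Mode.ALLOW, true, Set.of("api.spigotmc.org"),
                Set.of("TrustedPlugin"), Duration.ofSeconds(2));
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed sample data
        String trace = "ExamplePlugin.checkUpdate";         // constructed trace key
        System.out.println(p.shouldBlock("api.spigotmc.org", "ExamplePlugin", trace, t0));
        System.out.println(p.shouldBlock("203.0.113.7", "ExamplePlugin", trace, t0.plusSeconds(1)));
        System.out.println(p.shouldBlock("203.0.113.7", "ExamplePlugin", trace, t0.plusSeconds(10)));
        System.out.println(p.shouldBlock("example.invalid", "TrustedPlugin", "t2", t0));
    }
}
```

With this constructed data, only the third call is blocked: the IP address arrives after the mapping window has elapsed, so it is no longer treated as the listed FQDN and must be listed itself.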
Where possible, NetworkInterceptor identifies the plugins that trigger intercepts, based on the stack traces. There are a few caveats:
- This feature works best when the security-manager method is enabled.
- Intercepts logged before NetworkInterceptor is fully enabled cannot identify the triggering plugins.
- This feature does not work on Velocity, due to limitations of the Velocity stack traces.