Java Security Manager SocketPermission very slow resolve, connect

Question

This issue has had me scratching my head for a few days now. For sites on a certain network (which happens to be a DDOS migitation provider), security management checkConnect calls seem to be taking a very, very long time in comparison to other sites.

Is there any way that sites on this network can be thrawting the security manager's access checks? Is there a configuration that I am not aware of? Am I going (more) insane?

Here is a test case that demonstrates...

package com.test;

import java.net.Socket;
import java.util.ArrayList;
import java.util.List;

public class SSCCE
{

static class StatCounter
{
    boolean security;
    String host;
    long avg;
    long total;
    int iterations;

    StatCounter(String host)
    {
        this.host = host;
    }

    @Override
    public String toString()
    {
        return host + "\t\titerations (" + iterations + ")\t\tavg (" + avg + ")\t\tsecurity (" + security + ")";
    }

    void inc(long time)
    {
        ++iterations;
        total += time;
    }

    void avg()
    {
        avg = total / (long)iterations;
    }

    void reset()
    {
        total = 0;
        iterations = 0;
    }
}

static String[] hosts = new String[]
{
    "google.com",
    "youtube.com",
    "oracle.com",
    "random.org",
    "phpbb.com",
    "staminus.net", 

    // MUCH Higher Latency with site below (only with security manager enabled?)
    "blacklotus.net"
};

public static void main(String[] argv) throws Throwable
{
    int iterations = Integer.parseInt(argv[0]);
    List<StatCounter> counters = new ArrayList<StatCounter>(hosts.length);
    for(String host : hosts)
    {
        counters.add(new StatCounter(host));
    }
    System.out.println("Running Without Security");
    for(int i = 0; i < iterations; ++i)
    {
        for(StatCounter counter : counters)
        {
            long then = System.currentTimeMillis();
            new Socket(counter.host, 80).close();
            counter.inc(System.currentTimeMillis() - then);
        }
    }
    for(StatCounter counter : counters)
    {
        counter.avg();
        System.out.println(counter);
        counter.reset();
        counter.security = true;
    }
    System.setProperty("java.security.policy", "sscce.policy");
    System.setSecurityManager(new SecurityManager());

    System.out.println("\n\nRunning With Security");

    for(int i = 0; i < iterations; ++i)
    {
        for(StatCounter counter : counters)
        {
            long then = System.currentTimeMillis();
            new Socket(counter.host, 80).close();
            counter.inc(System.currentTimeMillis() - then);
        }
    }

    for(StatCounter counter : counters)
    {
        counter.avg();
        System.out.println(counter);
    }

}
}

Policy File

grant
{
 permission java.net.SocketPermission "google.com:80", "connect";
 permission java.net.SocketPermission "youtube.com:80", "connect";
 permission java.net.SocketPermission "oracle.com:80", "connect";
 permission java.net.SocketPermission "random.org:80", "connect";
 permission java.net.SocketPermission "phpbb.com:80", "connect";
 permission java.net.SocketPermission "staminus.net:80", "connect";
 permission java.net.SocketPermission "blacklotus.net:80", "connect";
};

Run with java com.test.SSCCE

Example Output

Running Without Security
google.com      iterations (4)      avg (65)        security (false)
youtube.com     iterations (4)      avg (61)        security (false)
oracle.com      iterations (4)      avg (104)       security (false)
random.org      iterations (4)      avg (101)       security (false)
phpbb.com       iterations (4)      avg (143)       security (false)
staminus.net        iterations (4)      avg (137)       security (false)
blacklotus.net      iterations (4)      avg (137)       security (false)


Running With Security
google.com      iterations (4)      avg (261)       security (true)
youtube.com     iterations (4)      avg (64)        security (true)
oracle.com      iterations (4)      avg (103)       security (true)
random.org      iterations (4)      avg (100)       security (true)
phpbb.com       iterations (4)      avg (882)       security (true)
staminus.net        iterations (4)      avg (303)       security (true)
blacklotus.net      iterations (4)      avg (4669)      security (true)

I'd really appreciate any input, thanks.

• Console output with java.security.debug=all http://pastebin.com/wNcAhSy2

As far as I can see, everything looks good (except for what is seemingly network latency!)

Answer 1

I've finally tracked down the root cause of this phenomenon by reverse engineering the JRE system libraries with additional debugging information. I was able to trace the cause of the delay down to the native method

java.net.Inet4AddressImpl.getHostByAddr([B)Ljava.lang.String

It turns out resolving the host in question from its IP address fails for an unknown reason and after timing out, the calling method tries another route to return a valid hostname. I have checked this with several web-based reverse lookup tools and it seems that there is most likely an issue with blacklotus.net (or perhaps a feature to prevent reverse lookups?)

I hope this helps anyone else that encounters an odd-ball case like this. T-minus 36 hours, case closed.