Study on Defects of super Cannon (Great Cannon) TTL

Source: Internet
Author: User

Study on Defects of super Cannon (Great Cannon) TTL



Some time ago, Github suffered a massive DDoS attack, followed by fierce discussions behind The scenes. Then, American media accused China of possessing a cyber weapon-The super Cannon )". Is the cannon really so powerful as the legend? In this article, let's talk about some of the defects of the cannon.

What is a super cannon?

The Canadian citizenship laboratory has previously released a technical analysis report on the Super cannon. The report states that this is a national network traffic hijacking tool, which either directs traffic hijacking to the target or returns some spyware in the traffic, or use this large traffic to attack other targets.

That's the question. How did Cannon attack?

The attack is a man-in-The-middle attack. The Great Cannon hijacks The communication between The user and a Baidu server, so that The request sent by The user does not reach a Baidu server, instead, a malicious Js script is directly returned to the user. After the user's browser loads malicious Js, it will send a request to Github every two seconds.

The attack process is roughly as follows:


Figure 1

That is, because the TTL (time-to-live) in the returned packet uses this field in all packets in the network to indicate the packets that have passed several hops. Each time a vro sends a packet, this field is subtracted by one. When this field is zero, the packet will be discarded. To prevent The router from sending unlimitedly data packets resulting in an endless loop) value changes, so as to determine The attack method as man-in-The-middle hijacking, and further determine The location of The Great Cannon.


Figure 2

It is precisely because the TTL values of the following returned packages become inconsistent with those of the previous ones, which exposes that the returned package has been modified.


Figure 3

As shown in figure 3, once The initial TTL value X of The Great Cannon is not 64-A, The returned package will have different TTL values. The reasons for the TTL value change are as follows:


Figure 4

Because each user is located in a different location and The number of Route hops passing through The Great Cannon is also different, The Great Cannon does not know The distance between The user and The Great Cannon, to enable each user to receive the returned packet, set the TTL value to a large value.

In this way, once the user finds that the TTL value in the returned package is changed to an abnormal value, the returned package has been hijacked. After further research on The returned packet content, you can understand The attack methods and methods, and even guess The Great Cannon situation.

As shown in positive 3, to make the TTL values consistent, make X = 64-A. A is The distance between The Great Cannon and A Baidu server, and it is known. It can also be determined that the initial TTL value of the returned packet sent by a Baidu server is 64. This makes it easy to determine the value of X. Then, this value is used as The initial TTL value of The Great Cannon sent data packet to send The data packet to The user. In this way, on the user end, the returned packet is actually sent from a Baidu server, thus hiding the attack method.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.