Study on Defects of super Cannon (Great Cannon) TTL

Study on Defects of super Cannon (Great Cannon) TTL

 

 

Some time ago, Github suffered a massive DDoS attack, followed by fierce discussions behind The scenes. Then, American media accused China of possessing a cyber weapon-The super Cannon )". Is the cannon really so powerful as the legend? In this article, let's talk about some of the defects of the cannon.

What is a super cannon?

The Canadian citizenship laboratory has previously released a technical analysis report on the Super cannon. The report states that this is a national network traffic hijacking tool, which either directs traffic hijacking to the target or returns some spyware in the traffic, or use this large traffic to attack other targets.

That's the question. How did Cannon attack?

The attack is a man-in-The-middle attack. The Great Cannon hijacks The communication between The user and a Baidu server, so that The request sent by The user does not reach a Baidu server, instead, a malicious Js script is directly returned to the user. After the user's browser loads malicious Js, it will send a request to Github every two seconds.

The attack process is roughly as follows:

 

Figure 1

That is, because the TTL (time-to-live) in the returned packet uses this field in all packets in the network to indicate the packets that have passed several hops. Each time a vro sends a packet, this field is subtracted by one. When this field is zero, the packet will be discarded. To prevent The router from sending unlimitedly data packets resulting in an endless loop) value changes, so as to determine The attack method as man-in-The-middle hijacking, and further determine The location of The Great Cannon.

 

Figure 2

It is precisely because the TTL values of the following returned packages become inconsistent with those of the previous ones, which exposes that the returned package has been modified.

 

Figure 3

As shown in figure 3, once The initial TTL value X of The Great Cannon is not 64-A, The returned package will have different TTL values. The reasons for the TTL value change are as follows:

 

Figure 4

Because each user is located in a different location and The number of Route hops passing through The Great Cannon is also different, The Great Cannon does not know The distance between The user and The Great Cannon, to enable each user to receive the returned packet, set the TTL value to a large value.

In this way, once the user finds that the TTL value in the returned package is changed to an abnormal value, the returned package has been hijacked. After further research on The returned packet content, you can understand The attack methods and methods, and even guess The Great Cannon situation.

As shown in positive 3, to make the TTL values consistent, make X = 64-A. A is The distance between The Great Cannon and A Baidu server, and it is known. It can also be determined that the initial TTL value of the returned packet sent by a Baidu server is 64. This makes it easy to determine the value of X. Then, this value is used as The initial TTL value of The Great Cannon sent data packet to send The data packet to The user. In this way, on the user end, the returned packet is actually sent from a Baidu server, thus hiding the attack method.