How to distinguish the different man-made network faults in the domestic Internet environment

Intermediary transaction SEO diagnosis Taobao guest Cloud host technology Hall

As we all know, in the domestic Internet will encounter a variety of different man-made network failures, so that we can not normally visit many websites. However, because many people are not familiar with the network, many times will not be able to distinguish between different network failures, resulting in clearly network failure, but that is a server failure, or obviously a server failure, but it is considered a network failure situation. I think it is necessary to explain the characteristics of different network failures, and how to differentiate them and solve them.

In the domestic Internet environment, we often encounter network failures: DNS hijacking, DNS pollution, IP blockade, server firewall IP filtering, server downtime, TCP connection based on keyword reset, stateless TCP connection reset, SSL certificate filtering, SSL hijacking, HTTP session hijacking and other network failures. I'll explain the following in turn:

1. DNS Hijacking

DNS hijacking can cause us to visit some non-existent or unstable sites, access to the Telecommunications 114 search or visit Google but showed Baidu's homepage.

If you need to confirm that you are in a DNS hijacking environment, we can use the Windows self-contained Network Diagnostics Tool nslookup in Windows command line cmd to find a non-existent or unstable domain name for Network Diagnostics:

C:\>nslookup www.SomeRandomDomainName.com

server:ns-pd.online.sh.cn

address:202.96.209.133

Non-authoritative Answer:

Name:www.SomeRandomDomainName.com

address:218.83.175.155

We see that www.SomeRandomDomainName.com should be a non-existent domain name, the DNS server should tell us this domain name does not exist, but we see the DNS server told us that the domain name IP for 218.83.175.155 ( Different regions of 114 of the IP are different, the possible IP is not 218.83.175.155, but their own region of the 114 Search server IP address, and this IP is 114 of the IP search, which led us to visit this site in the browser is 114 search page.

If you need to solve the problem of DNS hijacking, you can transfer your own domain name resolution server to foreign countries, such as OpenDNS or Google DNS.

Once resolved, we use Nslookup to find this site again:

C:\>nslookup www.SomeRandomDomainName.com

Server:google-public-dns-a.google.com

address:8.8.8.8

Google-public-dns-a.google.com can ' t find www.SomeRandomDomainName.com:Non-existent domain

We see that the DNS server correctly told us that the domain name does not exist, we will not be hijacked to 114 search.

However, as stated in the last paragraph of the use of OpenDNS to resolve DNS domain name hijacking, "but for the hijacking of DNS pollution, the use of OpenDNS will not solve the problem". So next, I'll introduce DNS pollution.

2. DNS pollution

Because DNS hijacking can solve the problem by replacing the domain name resolution server as a foreign country, the system needs to use DNS pollution to block some domain names. In this way, even the use of foreign domain name servers do not get the correct IP server, so you can not access these servers. For example, now the famous micro-blogging ancestor Twitter homepage has been contaminated with DNS.

If you need to confirm that the domain name has been DNS pollution rather than other failures, first of all to understand that DNS hijacking is done by the domestic domain name server, so we have to replace the domain name server foreign can solve the problem; DNS pollution is done by the system, so even if the domain name server is changed, The system can still send a forged domain name resolution to replace the correct resolution result. So we can use a non-existent foreign IP as our domain name server to diagnose whether DNS hijacking or DNS pollution. We still use Nslookup for Network Diagnostics, choose a non-existent foreign IP of 144.223.234.234:

C:\>nslookup twitter.com 144.223.234.234

DNS Request timed out.

Timeout was 2 seconds.

Can ' t find server name in 144.223.234.234:timed out

Server:unknown

address:144.223.234.234

Name:twitter.com

address:93.46.8.89

We see that since 144.223.234.234 does not exist, there should be no return. But we got a wrong ip:93.46.8.89. Let's test the IP that was hijacked by DNS just now:

C:\>nslookup www.SomeRandomDomainName.com 144.223.234.234

DNS Request timed out.

Timeout was 2 seconds.

Can ' t find server name in 144.223.234.234:timed out

Server:unknown

address:144.223.234.234

DNS Request timed out.

Timeout was 2 seconds.

DNS Request timed out.

Timeout was 2 seconds.

Request to UnKnown Timed-out

We see that www.SomeRandomDomainName.com did not return results, so it was not contaminated by DNS.

To resolve DNS pollution, we can only use a variety of encryption agents for remote DNS resolution, VPN or exploit the system.

3, IP blockade

IP blockade here refers to the domestic foreign server IP added to the blacklist of the system, resulting in most regions and even the country can not directly access the server. Because the system is distributed, it is possible that some areas can be accessed and some areas are inaccessible. For example, now well-known cloud storage services Dropbox's homepage, is the IP blockade.

First, we set the domain name server abroad, excluding the problem of DNS hijacking. Then we diagnose whether the domain name of Dropbox is polluted by DNS:

C:\>nslookup www.dropbox.com 144.223.234.234

DNS Request timed out.

Timeout was 2 seconds.

Can ' t find server name in 144.223.234.234:timed out

Server:unknown

address:144.223.234.234

DNS Request timed out.

Timeout was 2 seconds.

DNS Request timed out.

Timeout was 2 seconds.

Request to UnKnown Timed-out

Apparently not contaminated by DNS. So then we can in the network environment without filtering ICMP protocol (some community broadband and some company's internal network filter ICMP protocol, cannot use tracert), We can use the Windows self-contained Network Diagnostics tool in Windows command line cmd tracert to do a network diagnostics is the Web site has been blocked by IP or other failures:

C:\>tracert-d www.dropbox.com

Tracing route to www.dropbox.com [174.36.30.70]

Over a maximum of hops:

1 ms MS-MS 58.35.240.1

2 ms Ms 58.35.240.1

3 ms Ms 124.74.20.45

4 ms Ms 124.74.209.137

5 ms Ms 61.152.86.58

6 * * Request timed out.

7 * * Request timed out.

8 * * Request timed out.

......

We see that the last IP for 61.152.86.58 (different regions of the IP is not the same), after the impassability, apparently in the vicinity of the 61.152.86.58 was the IP blockade. So let's open ip138 and find out who 61.152.86.58 is in control:

Your query ip:61.152.86.58

* Site main data: Shanghai Telecom

* Reference data: Shanghai Telecom

* Reference Data two: Shanghai Telecom

Obviously, the problem is here in Shanghai Telecom (where other regions may be local telecommunications) rather than Dropbox servers.

4, server firewall IP filtering and server downtime

The two points are written together because the external performance of the two cases is the same. But there is a big difference between the IP blockade. IP blockade of the last IP is China, and server firewall IP filtering and server when the last one can reach IP is foreign. For example, we take 75.101.142.137 to do experiments, previously deployed in the Alexa site, now this IP temporarily no server (can be seen as server downtime):

C:\>tracert-d 75.101.142.237

Tracing route to 75.101.142.237 over a maximum of hops

1 ms Ms 58.35.240.1

2 ms Ms 58.35.240.1

3 ms Ms 124.74.37.9

4 Ms 124.74.209.129 ms

5 ms-Ms 61.152.86.142

6 ms Ms 202.97.35.154

7 ms Ms 202.97.34.126

8 194 ms 195 ms 194 ms 202.97.51.138

9 171 Ms 170 ms 173 ms 202.97.50.54

215 Ms 179 MS 175 MS 63.146.27.133

One 279 Ms 280 ms 278 ms 67.14.36.6

* * Request timed out.

249 Ms 249 ms 244 MS 72.21.199.40

254 Ms 254 ms 254 MS 72.21.222.157

Ms 249 Ms 216.182.232.53

270 MS 270 ms 273 MS 216.182.224.22

272 MS 289 Ms 75.101.160.35

* * * Request timed out.

* * * Request timed out.

* * Request timed out.

We see the last one up to IP 75.101.160.35, and then let's check out who this IP is:

Your query ip:75.101.160.35

* Site main data: USA

* Reference data: United States

* Reference Data two: King Seattle Amazon, Washington, USA

Obviously, this is a server failure.

If IP blocking is to be resolved, we can only access these sites through encryption agents, VPNs, or exploits of the system.

5, based on the keyword TCP connection reset

The domestic system will record all content when people visit foreign websites through HTTP protocol. Once some of the more "sensitive" keywords appear, the TCP connection is forcibly disconnected, the IP is recorded for a period of time (1 minutes or so) and our browser will show "Connection reset". Then in this period of time (1 minutes or so), because we and the server's IP was taken to check the system records, we can not visit the site again. We have to stop visiting this site, and after that time again to visit the page without these keywords, we can visit the site again.

Because of these characteristics, it is also easier to determine whether a keyword based TCP connection reset is being made. If the browser shows "connection reset" and won't be able to access the site again for a period of time, after that time to visit a Web site without these keywords and access it, we are being reset by a keyword based TCP connection.

It is because the HTTP protocol is transmitted in plaintext that TCP connection resets based on keywords. So if the site supports HTTPS encrypted access, we can access the site via HTTPS to solve this problem. However, if the site does not support HTTPS access, we can only access it through an encryption agent, VPN, or exploit a system vulnerability. and the domestic system to deal with HTTPS is not no other means. In addition to the IP blockade, there are stateless TCP connection reset, SSL certificate filtering, SSL hijacking and other means, the following is described in turn.

6, stateless TCP connection Reset

Because HTTPS is the protocol for encrypting data transmission, the system cannot know what is transmitted through HTTPS protocol, but it does not allow people to access "harmful information" by using HTTPS, so the system can only monitor (the system only knows the HTTPS protocol to the website and does not know what it transmits) Access to the HTTPS protocol for the specified Web site, such as the HTTPS access method for Google Docs, forces the TCP connection to be disconnected. In this way, the HTTPS protocol for these sites cannot be used directly at home, and many people are forced to use the HTTP protocol so that all the content transmitted is recorded by the system.

The result of a stateless TCP connection reset is that the browser displays a "connection reset", except that any page that accesses the server will be reset. If you want to solve this problem, you can only rely on the encryption agent, VPN or exploit the system's vulnerabilities.

7. SSL Certificate filtering

As with stateless TCP connection resets, because HTTPS is the protocol for encrypting data transmission, the system cannot know what is being transmitted through HTTPS, but does not allow people to access "harmful information" with HTTPS, except for domain name contamination and stateless TCP connection resets to prevent the content from being censored, There is also a method of examining SSL certificate filtering. Because SSL certificates are transmitted in plaintext during HTTPS transport, you can monitor whether the SSL certificate is sent to the specified domain name. If so, the TCP connection is forced to disconnect and the browser displays "Connection reset". SSL certificate filtering occurs only when you use HTTPS to access a Web site.

SSL certificate filtering is relatively rare. If you need to solve this problem, you can only rely on the encryption agent, VPN or exploit the system's vulnerabilities.

8, SSL hijacking

Disconnecting HTTPS connections prevents people from accessing harmful information, but does not know what harmful information is being accessed. Based on this, the vulnerability to HTTPS (trusting all certification authority CAs) cnnic the application as a top-level certification authority (Root CA), allowing a fake certificate for man-in-the-middle attacks to crack the content of HTTPS transmissions.

If you are hijacked by SSL, it is difficult to find. When we visit foreign websites via HTTPS, we have to check every time that the certificate is issued by a domestic certification authority. If issued for a domestic certification authority, it is likely that SSL hijacking is possible and the continued access must be stopped immediately.

If you want to resolve SSL hijacking, we can go to the browser to prohibit such as CNNIC, such as domestic certification authority certificate (such as "CNNIC, I do not trust you"). But this does not completely solve the problem, if one day an unknown domestic certification authority involved in the SSL hijacking is difficult to find. Ultimately, we also need to rely on encryption agents or VPNs.

9. HTTP Session Hijacking

HTTP session hijacking is the modification of the normal HTTP return results, which can be added to ads, or even virus Trojans. And the general Internet is hijacked by HTTP session to add ads, it is likely to think that the site's own ads. HTTP session hijacking can be done because the HTTP protocol is transmitted in clear text. Moonlight Blog, "Telecom-class network pop-up ads", "get the evidence of the telecom malicious pop-up ads" and "who controls our browser?" There is also a detailed introduction to HTTP session hijacking. HTTP session hijacking is usually carried out by the ISP in order to push ads, but it does not rule out that this will be exploited by the system in the future.

To solve the HTTP session hijacking, Moonlight Blog also provides a solution to the idea-"unlock the ADSL pop-up ads method." Using a browser plugin to block ads can solve some of the problems and not completely solve the problem. If you want to solve HTTP session hijacking from the technical means, one way is to use the encryption agent and VPN access to all Web sites, including domestic, but also can not completely solve the problem, if the HTTP session hijacking is located near the server router, this method can not be resolved; Another approach is to hijack different HTTP sessions, and we'll hijack them back through the firmware of the router (WRT and tomato router firmware support customization, may be able to hijack the HTTP session back to the original data), or for different HTTP sessions hijacked, Use a different local application tier proxy server for advertising filtering.

In the domestic common man-made network failures are introduced, students can distinguish between different faults and to solve it?

Source: Reader contribution. Author Twitter: @davidsky2012, author of Google reader:https://www.google.com/reader/shared/lehui99

Original articles such as reprint, please specify: Reproduced from the Moonlight Blog [http://www.williamlong.info/]

This article link address: http://www.williamlong.info/archives/2195.html