由于路由管控系统的建立,实时动态黑洞路由已成为最有效的封锁手段,TCP连接重置和DNS污染成为次要手段,利用漏洞的穿墙方法已不再具有普遍意义。对此应对方法是多样化协议的VPN来抵抗识别。这里介绍一种太简单、有时很朴素的“穷人VPN”。
朴素VPN只需要一次内核配置(Linux内核),即可永久稳定运行,不需要任何用户态守护进程。所有流量转换和加密全部由内核完成,原生性能,开销几乎没有。静态配置,避免动态握手和参数协商产生指纹特征导致被识别。并且支持NAT,移动的内网用户可以使用此方法。支持广泛,基于L2TPv3标准,Linux内核3.2+都有支持,其他操作系统原则上也能支持。但有两个局限:需要root权限;一个隧道只支持一个用户。
朴素VPN利用UDP封装的静态L2TP隧道实现VPN,内核XFRM实现静态IPsec。实际上IP-in-IP隧道即可实现VPN,但是这种协议无法穿越NAT,因此必须利用UDP封装。内核3.18将支持Foo-over-UDP,在UDP里面直接封装IP,与静态的L2TP-over-UDP很类似。
| $ LD_PRELOAD=$PWD/sendmsg.so dig twitter.com @8.8.8.8 | |
| ;; Warning: Message parser reports malformed message packet. <-- malformed 因为把压缩指针当作域名一部分了 | |
| ;; Question section mismatch: got twitter.com/RESERVED0/CLASS256 | |
| ; <<>> DiG 9.9.5-3-Ubuntu <<>> twitter.com @8.8.8.8 | |
| ;; global options: +cmd | |
| ;; Got answer: | |
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44722 | |
| ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 |
| #!/bin/bash | |
| # | |
| # GLASSHOLE.SH | |
| # | |
| # Find and kick Google Glass devices from your local wireless network. Requires | |
| # 'beep', 'arp-scan', 'aircrack-ng' and a GNU/Linux host. Put on a BeagleBone | |
| # black or Raspberry Pi. Plug in a good USB wireless NIC (like the TL-WN722N) | |
| # and wear it, hide it in your workplace or your exhibition. | |
| # | |
| # Save as glasshole.sh, 'chmod +x glasshole.sh' and exec as follows: |
| git log --shortstat --author "Karen Baker" --since "2 weeks ago" | grep "files\? changed" | awk '{files+=$1; inserted+=$4; deleted+=$6} END {print "files changed", files, "lines inserted:", inserted, "lines deleted:", deleted}' |
| # A Github Webhook endpoint that triggers Koji builds | |
| # | |
| # Add a Webhook to your repo and point it to where you run this. | |
| # | |
| # It builds packages when you add #kojibuild to the commit message. | |
| # If you add #scratch it will scratch build | |
| # | |
| # It assumes that you have a folder per package + version folder like: | |
| # jetty/8.1.9/jetty-8.1.9.spec | |
| # |
| """ | |
| This file contains code that, when run on Python 2.7.5 or earlier, creates | |
| a string that should not exist: u'\Udeadbeef'. That's a single "character" | |
| that's illegal in Python because it's outside the valid Unicode range. | |
| It then uses it to crash various things in the Python standard library and | |
| corrupt a database. | |
| On Python 3... well, this file is full of syntax errors on Python 3. But | |
| if you were to change the print statements and byte literals and stuff: |
| /* Flatten das boostrap */ | |
| .well, .navbar-inner, .popover, .btn, .tooltip, input, select, textarea, pre, .progress, .modal, .add-on, .alert, .table-bordered, .nav>.active>a, .dropdown-menu, .tooltip-inner, .badge, .label, .img-polaroid { | |
| -moz-box-shadow: none !important; | |
| -webkit-box-shadow: none !important; | |
| box-shadow: none !important; | |
| -webkit-border-radius: 0px !important; | |
| -moz-border-radius: 0px !important; | |
| border-radius: 0px !important; | |
| border-collapse: collapse !important; | |
| background-image: none !important; |
| #!/bin/bash | |
| set -e | |
| # Usage: | |
| # rsync_parallel.sh [--parallel=N] [rsync args...] | |
| # | |
| # Options: | |
| # --parallel=N Use N parallel processes for transfer. Defaults to 10. | |
| # | |
| # Notes: |
| DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE | |
| Version 2, December 2004 | |
| Copyright (C) 2011 YOUR_NAME_HERE <YOUR_URL_HERE> | |
| Everyone is permitted to copy and distribute verbatim or modified | |
| copies of this license document, and changing it is allowed as long | |
| as the name is changed. | |
| DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE |
