Tor Bug 4185 Testing and Report
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Great Firewall Tor Probing Circa 09 DEC 2011 | |
| -------------------------------------------- | |
| Author: Tim Wilde, Team Cymru, Inc. <twilde@cymru.com> | |
| Date: 06 JAN 2012 | |
| This analysis was performed during the week of 05 DEC 2011 - 09 DEC 2011, in | |
| an attempt to determine the extent and type of blocking and probing being | |
| performed by the Great Firewall of China (henceforth "GFW") against | |
| unpublished Tor bridges located outside of China, but accessed from within | |
| China. | |
| These results are considered valid at the time of their collection (05-09 DEC | |
| 2011), and no guarantees are provided to their continuing validity beyond | |
| that time, due to the changing nature of anti-circumvention techniques and | |
| technologies. | |
| This analysis was originated based on Tor trac ticket #4185. A github | |
| "gist" of the results, including this report, can be found at | |
| https://gist.github.com/da3c7a9af01d74cd7de7 | |
| Pre-Analysis Conditions, Goals, and Assumptions | |
| ----------------------------------------------- | |
| Prior to the initiation of this round of analysis, it had been determined | |
| that any Tor bridge outside of China that was connected to by a client | |
| within China would be blocked by the GFW, usually within a matter of | |
| minutes. Previous analysis revealed that the Tor connection initiated by | |
| the client resulted in a series of probes from a variety of other IPs within | |
| China (varying from connection to connection), and, within minutes of those | |
| probes, the client's connection to the bridge would be blocked and could not | |
| be re-initiated. Blocking all connections to the bridge except from the | |
| intended client was shown to allow the connection to persist successfully | |
| for > 48 hours, thus showing a direct connection between the probing and | |
| blocking. This previous analysis was performed ad-hoc without dedicated | |
| attention/resources, and the analysis described in this report was performed | |
| as a follow-up under more stringent conditions to attempt to determine the | |
| exact parameters of probing and blocking. | |
| The primary goals of this analysis were: | |
| 1) Determine the extent of GFW probing of Tor connections, and more broadly, | |
| SSL sessions in general; what triggers the probing, what time considerations | |
| are involved, etc. | |
| 2) Determine how the decision to block is made. | |
| 3) Determine a course forward for Tor to circumvent probing and blocking. | |
| It is assumed that, despite a significant series of probes originating from | |
| a single host, the GFW does not change behavior to prevent us from learning | |
| what they are doing. This assumption has been tested with a smaller set of | |
| tests from some other hosts and appears to hold true, but cannot be | |
| conclusively proven. | |
| During the previous analysis it was noted that blocking appeared to be | |
| performed against specific destination IP:port pairings; attempting to | |
| connect to a new port on a host after a previous connection had been blocked | |
| was successful, but provoked new probing and blocking in the same way as the | |
| previous port. It is assumed that this destination IP:port pairing is still | |
| in use in current techniques. | |
| Summary of Conclusions | |
| ---------------------- | |
| Goal #2 was found to be unachievable at the time of analysis, as it was not | |
| possible throughout our testing to provoke blocking. Testing of connections | |
| to "new" published Tor relays (exact dates for "new" not determined) showed | |
| that even published Tor relays were connectable from within China. Once | |
| this was determined, focus shifted to understanding the probing and how it | |
| could be avoided (goals #1 and #3). | |
| With respect to goal #1, our testing showed that the GFW appears to perform | |
| "garbage binary" probes of the non-China side of any connection from China | |
| to TCP port 443 that performs an SSL negotiation. This probe is performed | |
| in near-real-time after the connection is established, implying | |
| near-line-rate deep packet inspection (DPI) capabilities. TCP/443 | |
| connections that did not actually exchange an SSL handshake, such as using | |
| the obfsproxy obfs2 protocol, did not provoke probing. At this time the | |
| purpose of this probe is unknown; further details of its contents and | |
| speculation as to its purpose can be found later in this report. | |
| A second type of probing, which appears to be specifically aimed at Tor, was | |
| also detected. This probing appeared to occur using a client that actually | |
| spoke SSL, and, within the SSL session, the Tor protocol, and was not | |
| activated in real-time, but appeared to be triggered to occur at regular 15 | |
| minute past the hour intervals if its conditions were met. Analysis showed | |
| that the Tor SSL cipher list was at least one significant component of the | |
| detection mechanism that initiated this probing; a client modified to remove | |
| a sincle cipher from the list, when connecting to an unmodified unpublished | |
| bridge in the United States, did not trigger probing. The SSL "client | |
| hello" packet was determined as a direct cause of the probing; when just | |
| that data was sent to an open Tor bridge from within China using netcat, the | |
| probing was triggered on the expected 15 minute interval. | |
| A connection between a Chinese client and a US unpublished bridge node over | |
| the obfsproxy obfs2 protocol was able to successfully persist for several | |
| days, including numerous disconnects/reconnects, without provoking any type | |
| of probing. | |
| Recommendations | |
| --------------- | |
| In the immediate term, modifying the Tor SSL client hello to present a list | |
| of ciphers more closely (ideally identically) matching that of a common | |
| commodity web browser would bypass the current probe trigger. In general, | |
| the items in Proposal 179 remain valid and a wise choice; the same eye | |
| should be cast towards the client hello, and an attempt made to match it as | |
| closely to commodity web browsers as possible. With both sides of that | |
| equation implemented, it becomes much more difficult for any authoritarian | |
| regime to distinguish Tor traffic from standard SSL traffic, requiring | |
| significantly more effort to locate unpublished bridge nodes and connections | |
| to them. | |
| In the longer term, the two problems that need to be solved are: | |
| 1) Client-server negotiation that is uniquely identifiable in any way. | |
| 2) The ability of an arbitrary adversary to, given a suspected Tor server | |
| IP:port combination, connect to that IP:port combination and perform a | |
| negotiation using the Tor protocol, or anything that can be uniquely | |
| identified to a Tor protocol negotiation. | |
| Problem #1 can be solved by a transport that either looks identical on both | |
| sides to a standard HTTPS SSL session, or that looks like nothing | |
| identifiable at all, like the obfs2 protocol provided by obfsproxy. | |
| Problem #2 is somewhat more difficult. Tor proposal 190 combined with the | |
| ideas in [0] is one method that has some promise. The "shared secret" | |
| implementation of obfs2 in obfsproxy is another, as an adversary attempting | |
| to initiate an obfs2 connection without the right shared secret would be | |
| unable to get anything but noise back from the server. That noise, however, | |
| which the server currently emits immediately upon connection in the current | |
| implementation, may be trivially fingerprintable, as it is not entirely | |
| common in the wild. | |
| [0] http://archives.seul.org/or/dev/Nov-2011/msg00073.html | |
| Methodology | |
| ----------- | |
| A single system within China was used to initiate connections to a series of | |
| Tor bridges provisioned within the Amazon EC2 cloud computing product, | |
| within the United States. EC2 was utilized to allow for rapid changing of | |
| IPs while maintaining toolsets and datasets, to eliminate possible | |
| black/whitelisting of IPs by the GFW. All test sessions were monitored with | |
| full packet captures generated on the bridge nodes, and at several points in | |
| the process Tor debug logs were captured from the bridge as well. | |
| Reasonable efforts were made to ensure that each test used a unique | |
| connection tuple to prevent cross-contamination. | |
| General probe observations | |
| -------------------------- | |
| All probes came from a wide range of IP addresses within China. A sampling | |
| of these IPs as collected through our analysis can be found on the following | |
| github gist: | |
| https://gist.github.com/4320b75d398f2e1f074d | |
| This is by no means an exhaustive list; we have not yet undertaken to | |
| attempt a fuller collection of probing IPs. It is also possible that this | |
| list contains false positives; it is simply a list of all IPs (other than | |
| those of our test systems) geolocated to China that were observed connecting | |
| to our unpublished bridges during the testing cycle; random scanning | |
| activity could have snuck in, but the majority are due to active probes. | |
| Each probing "session" generally consisted of multiple probes from multiple | |
| different IPs within China. p0f (passive OS fingerprinting) data collected | |
| during the probes indicated that they generally originated from Linux | |
| systems, but there was some conflicting data in the source ports used by | |
| some probes, which appeared in ephemeral port ranges more commonly seen on | |
| Windows systems. This data is not conclusive in any way due to the | |
| uncertain nature of p0f and the ability to reconfigure source port ranges at | |
| will in modern operating systems. | |
| Garbage binary probes | |
| --------------------- | |
| Any connection from China to TCP/443 of a host in the US that exchanged an | |
| SSL handshake, no matter what the certificates looked like (self-signed, | |
| CA-signed, etc) provoked what we have termed the "garbage binary" probes | |
| ("garbage probes" for short) against the US host. The only exception to | |
| this seemed to be "old" hosts, which is to say, long-established hosts that | |
| have had HTTPS services running for an extended period of time. Connections | |
| to those hosts did not appear to provoke any type of scanning activity. | |
| The garbage probes occurred within moments of the SSL negotiation. In some | |
| cases, the data sent by these probes was identical, even from different | |
| source hosts and at different times. | |
| Notably, garbage probes did not occur in the case of TCP/443 connections | |
| that spoke simple plaintext or non-SSL binary protocols, such as obfs2. | |
| This indicates that DPI was taking place, likely at or near line-rate, to | |
| select which hosts should be probed. | |
| Once a host was probed, subsequent connections with the same destination | |
| outside of China did not provoke probes for approximately the next 10 | |
| minutes (measured from the final packet in a sequence of probes). After 10 | |
| minutes, a new SSL negotiation between the hosts would trigger a new round | |
| of probing. The "ignored" interval remained consistent through many rounds | |
| of testing. | |
| We have not attempted to exhaustively collect and compare the data sent in | |
| these probes, but what analysis we have performed does not provide any | |
| insight into their purpose or intent. It is possible that these probes are | |
| designed to provoke a response from a different category of server that | |
| operates on TCP/443 (and possibly other ports) and that the Chinese | |
| government is intending to block, but that is only speculation at this time. | |
| It is not clear if further analysis would be worthwhile at this time given | |
| that these probes do not, at the surface, appear to be directed specifically | |
| at Tor. The lack of currently active blocking resulting from any probes | |
| also makes it difficult to evaluate the effectiveness of any changes that | |
| might result from such analysis. | |
| Full SSL/Tor probes | |
| ------------------- | |
| Our testing demonstrated that the SSL client hello sent by a Tor client in | |
| China to a US-based unpublished bridge will consistently trigger probing of | |
| the bridge by Chinese hosts, consisting of fully-established TCP, SSL, and | |
| Tor-protocol connections. Analysis of debug logs from bridges in this | |
| testing showed behavior consistent with a Tor client configured with | |
| multiple bridge statements. It is also possible, but impossible to | |
| determine definitively at this time, that the probers were using custom | |
| software either written from scratch or adapted from the Tor sources to | |
| perform their probing. | |
| Specifically, the debug logs and pcaps showed that the prober connected, | |
| performed an SSL handshake, performed an SSL renegotiation, and then spoke | |
| the Tor protocol. When speaking the Tor protocol, the probers we captured | |
| built a one-hop circuit and sent a BEGIN_DIR cell, as would be expected from | |
| a proper Tor client. When the bridge replies to the BEGIN_DIR cell with its | |
| descriptor, the prober hangs up the connection. | |
| This probing consistently took place within a range of +3 minutes from a 15 | |
| minute past the hour interval (HH:00, HH:15, HH:30, HH:45) after a Tor | |
| client SSL client hello was sent from China to the US host. Multiple | |
| connections were made in each round of probing. The probing occurred | |
| consistently regardless of the TCP source and destination ports - if a Tor | |
| SSL client hello packet was sent, on the next 15 minute interval a full | |
| Tor-speaking probe could be expected, like clockwork. | |
| Conversely, when the Tor SSL client hello was modified by removing a single | |
| cipher from the cipher spec, full Tor connections from China to a US | |
| unpublished bridge could be established multiple times, and for extended | |
| durations, without provoking any probing. Removing the less-common | |
| ServerName SSL extension from the client hello, however, did not change the | |
| probing behavior, indicating that the probe is likely tied specifically to | |
| the cipher specs, not to the entire hello packet. Unfortunately we were not | |
| able to verify if sending a raw set of cipher specs only would trigger the | |
| probing; this test was not performed before time on the analysis ran out. | |
| The SSL cipher list probe trigger is further discussed in Tor trac ticket | |
| #4744. | |
| Server-side SSL cert impacts | |
| ---------------------------- | |
| Before isolating the SSL client hello as the provoker of probing, we | |
| performed a number of tests using a simple SSL server on the US side and | |
| openssl s_client, wget, and Firefox on the China side to attempt to locate | |
| server SSL certificate combinations that provoked probing. As discussed in | |
| the garbage probing section, it appears that any SSL negotiation, even with | |
| a fully legitimate CA-signed cert (and having used the correct hostname in | |
| the cert to access the host, etc), will trigger the garbage probing. On | |
| non-standard ports, though, none of these clients provoked any type of | |
| probing, garbage or real SSL, no matter what the server certificate looked | |
| like. As such it does not appear that the GFW is, today, keying on the | |
| server certificate presented to make probing decisions. | |
| Traceroute testing | |
| ------------------ | |
| Mike Perry posited that the prober IPs could be legitimate IPs within China | |
| that are hijacked (partially or entirely by the GFW to perform its probes, | |
| and suggested some traceroute testing to attempt to confirm or deny this | |
| hypothesis. After several false starts, we were able to successfully source | |
| TCP traceroute packets to a prober IP using the exact same | |
| sourceIP:sourcePort:destIP:destPort tuple that was being used for the probe, | |
| during the probe and after the probe. These results did not show a | |
| different route during the probe and after the probe as Mike expected if | |
| such hijacking were taking place, so it does not appear likely, though it | |
| has not been conclusively disproven. | |
| Additional Data | |
| --------------- | |
| A number of other files are available in the github gist that contains this | |
| report, including: | |
| * testcases.txt - a list of planned test cases for the project, plotted out | |
| both before and during the project. Not all cases were tested as some | |
| were deemed irrelevant when actual blocking could not be replicated, and | |
| due to other results found during testing. | |
| * results.txt - a log of results obtained from working within the test cases | |
| described above. Somewhat terse and difficult to interpret for anyone | |
| other than the author, but included for completeness. | |
| Interpretation/annotation available upon request to the author. | |
| * general-notes.txt - a series of general notes and a set of tentative | |
| conclusions formed on the final two days of testing. These notes have | |
| largely been distilled, cleaned up, and expanded upon within this report. | |
| * traceroute.txt - traceroute output from the traceroute testing phase | |
| described in a previous section. | |
| * cn.log - hotpot.py output of some "garbage probes" collected early on in | |
| the process. | |
| * client-hello.raw - the raw bytes representing a Tor client's SSL client | |
| hello sent via netcat to provoke full Tor/SSL probing. | |
| Additionally, trusted researchers / Tor developers are welcome to contact | |
| the author for access to the pcaps and debug logs collected during this | |
| testing. Due to senstive contents (IPs of probing systems, etc), we cannot | |
| release these publicly at this time. | |
| Acknowledgements | |
| ---------------- | |
| Thanks to Team Cymru, Inc. for providing approximately a week of the | |
| author's time dedicated to this analysis, as well as the funding for the | |
| Amazon EC2 bridges and facilitating the access within China. Thanks to | |
| George Kadianakis (asn) for his analysis assistance and help providing | |
| direction for the testing, as well as the handy hotpot tool. Thanks also to | |
| too many Tor developers and other contributors in #tor-dev to count or list, | |
| but I'll try: nickm, armadev, rransom, Sebastian, and mikeperry. Apologies | |
| to those I missed, it's not because you were unhelpful, I promise you! | |
| Revision History | |
| ---------------- | |
| 06 JAN 2012 - Initial draft published | |
| 07 JAN 2012 - Minor revisions and additions per feedback from George | |
| Kadianakis. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 2011-12-05 18:25:46.223838 | '' | |
| 2011-12-05 18:26:53.720946 | '\x80w\x01\x03\x01\x00N\x00\x00\x00 \x00\x009\x00\x008\x00\x005\x00\x00\x16\x00\x00\x13\x00\x00\n\x07\x00\xc0\x00\x003\x00\x002\x00\x00/\x03\x00\x80\x00\x00\x05\x00\x00\x04\x01\x00\x80\x00\x00\x15\x00\x00\x12\x00\x00\t\x06\x00@\x00\x00\x14\x00\x00\x11\x00\x00\x08\x00\x00\x06\x04\x00\x80\x00\x00\x03\x02\x00\x80\x00\x00\xff\x9dd\x83\xbfP\xdb/L\xd6\x88>\xfa\xbbs\x88\xbd\x0cN\xfd\x0f\x84\x8c\xad\x04x61\x99\x82\x01\x19|' | |
| 2011-12-05 18:26:57.973470 : 221.205.139.111:52880 | |
| 2011-12-05 18:26:57.973497 | '\xaa\x14f\x82\x97\xfb\xfc\xab\xf0\xed\xafY\x9e\xd62?[\xf8JU\xf5X\xc1\xfa\x1bZZ\x9a\xe6\xd0FBV\xfb\x9fbG#\xbb\xc2?\x8b\xa2\xe1ZY\xa6h\xee0 \xe9\xea\xd1\xfb\xb9\xe5s\x0c\xb0\xc4\x12BB\xbe%\x93\xb0_\xaf\xca\x97\xd8]\x90\x89\x1b\r\xe8\x11^<\x0bt\x10\xd6\xd8\x9a\xe3\xb0w1\x14\xa0\xb8^MK\x0e\xabz\xd7\xc2\xd1\xb3\xd1Z\xcd\xdd\xc1^<}\xe7/\x8c\xbe\x86\xa6!6\x1d\xd0I=\x08&\x89\xd23\xb4\xcb\x89\xf5\x9c=\xc6\xf6\x89\xa47f_\xb3N\x8d@\x8b\x92e+\xc7\x01\xfa\x8f=\x82\xb5FTg\xf9\x9e\xf0\xee:\xac\xb4\xaf\xb4\xd7\xe6\x1b6\x99hBX\xf2\xd3\xbc\x1d\x1a\xbd\x96)y\x97\xdd\xbej\xc37\x083%B^Yp\x13\xafV\xac\xe5o\x14\'\xc6\x85z\x03!\x93\xbf6\xbb8\xcd\x18v7\xdb\xac\xbe\x8dQ\xff\xeb)\xee\xfd\xd7E\xa9\xbc\xb3<c\xf8@\xdc\xfa\xdfo9\x94+\xf0a\xc1\xe5\x18\x9c\x91\xd5*aT\x94\x89B\x11a\x069\x9c8t\xfe13Z\xaa\x91\xc9c%sS\x064\xb7\x1dPHq\xf8\xa9\xc4\x8c\xb1\x85\x1c\x12\x8bT.\xc2G,ry\x86\x1d\n\xce\xfe\xad\xc0\xd0\xb2s\x87N\xc2N\xbe:\xf6\x02E\xa8\x87`9\x91\xb3fS\xf9\x12E\xf1\x17az\xe4\xde($\xaeY\x965\xa7\xd8\x82\xe4\x12\xf8\xe6\xd6 \xec6X}i>O\xe1O\x93\xd3\xe4s\xcc\xc8Q\xf3\xeb\xfe\xcc\x01\xb2s\xd8\xb4W\xea\xac\xbc@K\xa8\xf4"\xa4]_\xf3\xbe-\x06\x11\x11y\xdcXIP\xc2\xc7\x1c\xc3y\x0e\x1b\xacd\x05X\xa0\xc3\xa2H\xb8Dl\x94\xa2\xdeRO\xe3\xe1\xde\xdb\xbe\xb6%\x8d\xf7k' | |
| 2011-12-05 18:26:58.839414 : 218.10.51.83:1629 | |
| 2011-12-05 18:26:58.839469 | '\xd7s\x10\x05\x95\x86\xe6\x89ok\x07\xd2\x95\xab}\x16\x10\xc4\xc8F\xac|ax\x86d\xc6\x03\x19_=\xd1\x13W\x14\x8dG\x0e;Y.\'\xd2\x90\xa3\xab X\xb1w\x97\xe4e\xd8A=\xc7\xd0\xe4S\xc46\xcb\x86\xea9\x9bIz\xe0\xa8\xe7\xb7\x1b\x8c\xa8H\x1aK\xfdl\t\xdf\xa0\xb4\xd3\xcd\xe8r~\xd5\\u\xfa\xdb\xab\xad\xf5s\'U\x9a\x0e\x0c4\x993|3\xfc\xf8\x1e\x85\xd8\xbd9\xab\n!\x9d\x87vx\xfbp\xd2&\x9c\xc7\x18\xc2\x1c\xb1O\xa6eg\xd8`\x99UX\xb6\xd90s\x12[|\xb2\xf7\x83(\xee~\x17\xc0$\xb2\x87;\xf3"lB\xc7\xd0\xa8\x1f\xaf\xc1s\x07wL\xb6j\xdd\x11e\x8f\x87\xe76u\xe5\xcb5\t};C\xef\\\xae1\xa2\xfdX\xc0\xac\x19\xb33\x90\xfe\xe8y[\xf8]\xe9\xfeE\x9es\xa9i\'\xb1easT<\xa1\x84]\x9e\xdc\x9c\xcatO\xfc\x04\xcdd\xfb(\xdbY\x91\xd9\x1d/L\xc5\x98\xf1\xf5|Rh\xd0\r\t\xd3i\'/\x84p\xa3\xd3l&\xa0\xcf"G*\xf9\xd7\x03\x16\x07\xcdZ\x1e' | |
| 2011-12-05 18:26:59.704311 : 112.94.175.239:35960 | |
| 2011-12-05 18:26:59.704387 | '\xcb\x11E.\xf7I\x91Y\x92{\x00\x0f\xd0&\xc3\x1c\xe1Tq\xe3C\xf9\xd9\xfd\xeb}\x8c\xd2\xfc\xa5\xf9K\x9f\x8c*\x86\xdb\x1f\xe3\x19v\xd951\xb6Ep\xa4\xde\x1cJ\xd1S\x95\',\xa9\xdc\xba\x03y\xc0\xfc\xe7\x9b\x12\x1f\xee\x18k\xa5\xdb75H\xe8\x84\x97+2\xbb\xd1*\xaa\xef\xb1\xb3\t7\xaf4{\xa2\xbf\x05\xac>#\x9aU\x8e\xbe0D\xf3\xf7\xab\xf6\x0e\xd5\xa7H\xa6Pq\x95\x01$\x1d\xb6\xd3P1\xf4\x8e5 \xcbX: ew\xcf\xa8jFS\xdf\xd2\xa7\x86\x1bM\xd5\x0baU/}\x0c\x81L\xbb\xf4\xdap\x14\xa5G\xccE\xabD\x14\xd2-\xd8\xa4\r\xaaK\x12\xc4\x17gOw;}s\xc5\xfd\xbe\x81\xf1\x18p\x84=\xb6Q\x81\xe0\x14\x142@\xeb\xd5\xcb\x95\x9f]\xd95\xc3(+}$\x9dC\xa0\xdaC\x11r\xb2\x94\xae\xe7d/Gw\xc1x7\xac\xcc\x02\xc0k^\x99\x1f\xa0@I\x1ece`\x03?"\x130S\'\xdd:\x8a\x8b\x80\x81Lw\xb7wC88-\x96\xd0K6\x11\x93\xd2\xf2w\xb1\xf55\xd2\x87e%\xadB\xdd8M\xdc8\x98S\xee\x10\x95&G\xc1;\x96\x8bq&\x9d\xc2\x19\x14t\x8dIF\x14\xad\xea\xc1nGx\xba$\xaf\xd2v\x1d\xe1\x8bB\xa7L}\xbcWm\xe2\xf3\xaez\x87"\x86\xcf\xe7\x99\xfbQ\xd9\xe8\x97\xd0\xa3\xba\x7fu\xb0\x9b\xd5;]\xfb\x06Y\xb7\\E\x19\xcf\xf2\x12V\x94\x97\xa4{\xb0\x9f\xcb\t\x87b\xd9\xa9\x9c\xd7\x9dL' | |
| 2011-12-05 18:27:00.785398 : 113.58.246.59:19316 | |
| 2011-12-05 18:27:00.785443 | '\xcb\x11E.\xf7I\x91Y\x92{\x00\x0f\xd0&\xc3\x1c\xe1Tq\xe3C\xf9\xd9\xfd\xeb}\x8c\xd2\xfc\xa5\xf9K\x9f\x8c*\x86\xdb\x1f\xe3\x19v\xd951\xb6Ep\xa4\xde\x1cJ\xd1S\x95\',\xa9\xdc\xba\x03y\xc0\xfc\xe7\x9b\x12\x1f\xee\x18k\xa5\xdb75H\xe8\x84\x97+2\xbb\xd1*\xaa\xef\xb1\xb3\t7\xaf4{\xa2\xbf\x05\xac>#\x9aU\x8e\xbe0D\xf3\xf7\xab\xf6\x0e\xd5\xa7H\xa6Pq\x95\x01$\x1d\xb6\xd3P1\xf4\x8e5 \xcbX: ew\xcf\xa8jFS\xdf\xd2\xa7\x86\x1bM\xd5\x0baU/}\x0c\x81L\xbb\xf4\xdap\x14\xa5G\xccE\xabD\x14\xd2-\xd8\xa4\r\xaaK\x12\xc4\x17gOw;}s\xc5\xfd\xbe\x81\xf1\x18p\x84=\xb6Q\x81\xe0\x14\x142@\xeb\xd5\xcb\x95\x9f]\xd95\xc3(+}$\x9dC\xa0\xdaC\x11r\xb2\x94\xae\xe7d/Gw\xc1x7\xac\xcc\x02\xc0k^\x99\x1f\xa0@I\x1ece`\x03?"\x130S\'\xdd:\x8a\x8b\x80\x81Lw\xb7wC88-\x96\xd0K6\x11\x93\xd2\xf2w\xb1\xf55\xd2\x87e%\xadB\xdd8M\xdc8\x98S\xee\x10\x95&G\xc1;\x96\x8bq&\x9d\xc2\x19\x14t\x8dIF\x14\xad\xea\xc1nGx\xba$\xaf\xd2v\x1d\xe1\x8bB\xa7L}\xbcWm\xe2\xf3\xaez\x87"\x86\xcf\xe7\x99\xfbQ\xd9\xe8\x97\xd0\xa3\xba\x7fu\xb0\x9b\xd5;]\xfb\x06Y\xb7\\E\x19\xcf\xf2\x12V\x94\x97\xa4{\xb0\x9f\xcb\t\x87b\xd9\xa9\x9c\xd7\x9dL' | |
| 2011-12-05 18:30:43.346920 | '\x80w\x01\x03\x01\x00N\x00\x00\x00 \x00\x009\x00\x008\x00\x005\x00\x00\x16\x00\x00\x13\x00\x00\n\x07\x00\xc0\x00\x003\x00\x002\x00\x00/\x03\x00\x80\x00\x00\x05\x00\x00\x04\x01\x00\x80\x00\x00\x15\x00\x00\x12\x00\x00\t\x06\x00@\x00\x00\x14\x00\x00\x11\x00\x00\x08\x00\x00\x06\x04\x00\x80\x00\x00\x03\x02\x00\x80\x00\x00\xff\xcd]\x06\xb5S\xdb\x87\x8e\x06\x1a\x14\xfd\xf0\xd5;\x81\xf6(\xeaB\xb0)(&\x9d\xaf\xcc\xc0g2\x1a\xf4' | |
| 2011-12-05 18:30:46.450253 < 'foo\n' | |
| 2011-12-05 18:30:46.450253 > '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' | |
| 2011-12-05 18:30:56.230631 < 'bar\n' | |
| 2011-12-05 18:30:56.230631 > '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' | |
| 2011-12-05 18:30:57.130697 < 'baz\n' | |
| 2011-12-05 18:30:57.130697 > '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Tentative Conclusions 08 DEC 2011 | |
| --------------------------------- | |
| Based on the data so far, it appears that all TCP/443 connections out of | |
| China to previously-uncategorized hosts are subject to DPI, and, if an SSL | |
| handshake of any type is detected, subject to active probing. TCP/443 | |
| connections that do not speak obvious SSL (ie obfs2 protocol) do not appear | |
| to be probed. TCP/443 connections to "old" hosts (definition of "old" is | |
| very much unknown at this time) do not appear to cause probing. | |
| SSL connections to other TCP ports, including "SSL-expected" ports like | |
| TCP/993 and TCP/995, do not appear to initiate probing, no matter how | |
| provacative the certificates in use. This is a change from previous | |
| behavior; during investigation of #4185 in October 2011, Tor and other SSL | |
| connections on non-TCP/443 ports were definitely probed (and blocked). It | |
| appears that the GFW's SSL probing has been significantly changed since that | |
| time. Further investigation is still ongoing. | |
| Update 1640 UTC: A non-obfs2 Tor connection to a random high port | |
| (TCP/18457) on a virgin non-published bridge IP resulted in an SSL-connected | |
| scan that appeared to act as a Tor client (not yet confirmed from debug | |
| logs) several minutes after the initial connection was established (and | |
| reconnected several times). More than 10 minutes after the probing, the | |
| bridge IP:PORT had not yet been blocked. | |
| Update 2100 UTC: The full SSL-speaking (and tor-speaking) probes appear to | |
| happen consistently at roughly 15 minute-past-the-hour intervals (:00, :15, | |
| :30, :45). This is consistent to a range of +3 minutes through all of the | |
| samples we've collected so far (with only one outlier in the +3 minute | |
| range, all others within 1 minute of the 15 minute mark). | |
| Thus far we have been unable to provoke this type of probing using anything | |
| other than a full Tor connection. SSL connections to non-Tor servers, even | |
| those using Tor-like SSL certificates, have not been able to trigger it. | |
| The Tor connection does not need to be persistent to trigger the probing; a | |
| short connection just long enough to build a circuit, made only 2-3 minutes | |
| before a "scheduled" scan time, was enough to provoke a scan at the next | |
| interval. A similar duration circuit right after a previous "scheduled" | |
| scan time also provoked a scan at the next interval. | |
| An openssl s_client connection to an actual Tor server did NOT provoke a | |
| scan of this nature. | |
| TCP traceroute to an SSL/Tor-speaking prober during and after a probe does | |
| not yield any change. See traceroute.txt for a sample. Still pending: | |
| using the same sourceport with a handy iptables trick thanks to mikeperry. | |
| 09 DEC 2011 | |
| ----------- | |
| A connection to Tor 0.2.3.8 from a Tor 0.2.3.8 client with the ServerName | |
| SSL extension removed still provoked probing. | |
| A connection to Tor 0.2.3.8 from a Tor 0.2.3.8 client with a reduced SSL | |
| cipher list did NOT provoke probing. Further testing is in progress. | |
| The iptables trick did not work for traceroute with an identical | |
| sourceip:sourceport:destip:destport tuple; my suspicion is that conntrack | |
| gets in the way of the rewriting. Additional data added to traceroute.txt | |
| (see data for 60.13.132.232). | |
| Subsequent tweaking of the iptables trick returned the traceroute data for | |
| 113.58.244.209, which showed no difference between "during probe" and "after | |
| probe" in the short term. | |
| Observations | |
| ------------ | |
| * Probing will re-occur with new connection attempt to a previously probed | |
| (but not blocked) system if repeated after more than 10 minutes. New | |
| connections less than 10 minutes after a previous probe do not generate | |
| new probes, even if the SSL certs exchanged are changed. | |
| * The 10 minute timer appears to start from the time of the final probe in | |
| a sequence, not the first probe. | |
| * Probing occurs within moments of an SSL exchange that contains a | |
| "probable" cert / cert chain within the constraints of the time limit | |
| notes above. | |
| * Several probes are initiated in each instance of probing, from multiple | |
| hosts. | |
| Plans | |
| ----- | |
| * Use cronned */5 TCP ping to each port from inside CN to verify | |
| reachability |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 2) obfs2 transport (https://gitweb.torproject.org/obfsproxy.git) | |
| ---------------------------------------------------------------- | |
| Initial instance of obfs2 on TCP/443 generated one set of probes that | |
| did not conform to other probe methodologies. No repeats occurred with | |
| over two hours of operation and disconnects/reconnects. | |
| Subsequent use of obfs2 on a new TCP port did not provoke any probing | |
| with over an hour of operation and disconnects/reconnects as well as | |
| (failed, but intended to fail) openssl s_client and wget connection | |
| attempts. | |
| A longer duration obfs2 test back on TCP/443 on a fresh clean IP did not | |
| reveal any probing in over 24 hours of execution. | |
| 3) Tor-like-SSL (control) | |
| ------------------------- | |
| TCP/443: | |
| * hotpot.py: triggers probing, does not cause blockage. | |
| * server.pl: triggers probing, does not cause blockage. | |
| * unpublished tor 0.2.3.8 bridge: openssl s_client triggers probing, no block | |
| * unpublished tor 0.2.3.8 bridge: tor 0.2.3.4-alpha client triggers | |
| probing, no block | |
| * unpublished tor 0.2.3.5 bridge: tor 0.2.3.4-alpha client triggers | |
| probing, no block | |
| * unpublished tor 0.2.3.4 bridge: tor 0.2.3.4-alpha client triggers | |
| probing, no block | |
| * apache-wget: triggers probing, does not cause blockage. | |
| TCP/14392: | |
| * server.pl: no probing | |
| TCP/18457: | |
| * unpublished tor 0.2.3.8 bridge: openssl s_client does not trigger probing | |
| * unpublished tor 0.2.3.8 bridge: tor 0.2.3.4-alpha client triggers real SSL | |
| probing, with several minute delay (probing occurred at ~30 minutes past | |
| the hour) | |
| * The above two tests were performed in close proximity and can't be nailed | |
| down; further testing pending. Bridge IP for this test was 50.17.159.162. | |
| TCP/16415 | |
| * unpublished tor 0.2.3.8 bridge: tor 0.2.3.4-alpha client triggers real SSL | |
| probing 10 minutes after Tor connection established (probing occurred at | |
| ~45 minutes past the hour) | |
| * results replicated again, this time with scanning at :00 past the hour. | |
| 4) Self-signed cert | |
| ------------------- | |
| Certificate: | |
| Data: | |
| Version: 1 (0x0) | |
| Serial Number: | |
| 9f:46:4c:ab:e1:db:41:bb | |
| Signature Algorithm: sha1WithRSAEncryption | |
| Issuer: C=US, ST=Minnesota, L=Duluth, O=Joe Bloggs, LTD, CN=iscream.4dq.com/emailAddress=root@null.com | |
| Validity | |
| Not Before: Dec 7 16:22:02 2011 GMT | |
| Not After : Dec 6 16:22:02 2012 GMT | |
| Subject: C=US, ST=Minnesota, L=Duluth, O=Joe Bloggs, LTD, CN=iscream.4dq.com/emailAddress=root@null.com | |
| Subject Public Key Info: | |
| Public Key Algorithm: rsaEncryption | |
| Public-Key: (4096 bit) | |
| * apache-wget TCP/443: triggers probing | |
| 5) Real CA-issued cert | |
| ---------------------- | |
| Certificate: | |
| Data: | |
| Version: 3 (0x2) | |
| Serial Number: | |
| 0f:5b:4e:f2:f3:68:af:a5:83:a3:37:e1:15:7c:c8:b2 | |
| Signature Algorithm: sha1WithRSAEncryption | |
| Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=PositiveSSL CA | |
| Validity | |
| Not Before: Dec 7 00:00:00 2011 GMT | |
| Not After : Dec 6 23:59:59 2012 GMT | |
| Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=www.joebloggsltd.net | |
| Subject Public Key Info: | |
| Public Key Algorithm: rsaEncryption | |
| Public-Key: (4096 bit) | |
| * apache-wget TCP/443: triggers probing | |
| * apache-firefox TCP/443: triggers probing | |
| * apache-firefox to www.team-cymru.org: does not appear to trigger probing | |
| * apache-wget TCP/14952: no probing | |
| * apache-firefox TCP/14952: no probing | |
| 7) Firewall everybody but the intended user of the bridge. | |
| ---------------------------------------------------------- | |
| Clients in China provided access to a bridge that permitted access only to a | |
| set of explicitly whitelisted IPs were able to access the bridge for >48 | |
| hours without blockage. | |
| 8) Other protocols for reference (ssh, ftp, smtp, smtps) | |
| -------------------------------------------------------- | |
| * POP3S CA-signed cert: no probing | |
| * POP3S self-signed cert: no probing | |
| * POP3S tor-like cert: no probing | |
| 9) TCP connection/scan with no SSL handshake | |
| -------------------------------------------- | |
| hping -S -p 443 <test IP> and telnet <test IP> 443 both failed to generate | |
| scanning to a server which did generate scanning when connected via openssl | |
| s_client. | |
| 13) Relay with debug verbosity after SSL-based probing duplicated | |
| ----------------------------------------------------------------- | |
| Upon analysis of debug logs from a 0.2.3.8-alpha bridge, SSL-based probes | |
| from CN appear to be speaking the Tor protocol, similar to the behavior | |
| of a client with multiple bridges configured that is not actively using | |
| our bridge. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1) Handshakes using OpenSSL and libnss | |
| 2) obfs2 transport (https://gitweb.torproject.org/obfsproxy.git) | |
| 3) Tor-like-SSL (control) | |
| 4) Self-signed cert | |
| 5) Real CA-issued cert | |
| 6) Vary responses of bridge to probing as well as initial handshake (independently if possible) | |
| 7) Firewall everybody but the intended user of the bridge. | |
| 8) Other protocols for reference (ssh, ftp, smtp, smtps) | |
| 9) TCP connection/scan with no SSL handshake | |
| 10) Connection into China-hosted bridge from outside of China, which side (if any) gets probed? | |
| 11) Handshakes using real Apache on the server side | |
| 12) Tor 0.2.1.x stable | |
| 13) Relay with debug verbosity after SSL-based probing duplicated | |
| 14) Determine how many negative probes it takes for the GFW to say "this is | |
| not worth probing anymore" (may prove difficult) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Sample traceroute to a prober during a probe: | |
| traceroute -T -O ack --sport=993 -n -p 6885 113.58.244.51 | |
| traceroute to 113.58.244.51 (113.58.244.51), 30 hops max, 40 byte packets | |
| 1 10.208.200.3 0.360 ms 0.314 ms 0.237 ms | |
| 2 10.1.18.13 0.447 ms 0.382 ms 0.389 ms | |
| 3 10.1.19.14 0.460 ms 0.369 ms 0.344 ms | |
| 4 216.182.232.50 0.686 ms 0.674 ms 0.439 ms | |
| 5 72.21.222.148 0.830 ms 0.931 ms 0.742 ms | |
| 6 72.21.220.52 1.152 ms 1.121 ms 1.191 ms | |
| 7 168.143.232.49 1.050 ms 0.921 ms 0.996 ms | |
| 8 129.250.3.118 2.783 ms 2.280 ms 2.733 ms | |
| 9 192.205.37.53 3.535 ms 3.189 ms 3.045 ms | |
| 10 12.122.134.134 76.622 ms 75.564 ms 76.007 ms | |
| 11 12.122.18.21 73.662 ms 71.409 ms 71.971 ms | |
| 12 12.122.31.85 71.701 ms 72.252 ms 71.765 ms | |
| 13 12.122.30.25 77.486 ms 75.511 ms 75.763 ms | |
| 14 12.122.30.30 70.226 ms 72.362 ms 71.562 ms | |
| 15 12.123.30.249 70.481 ms 70.040 ms 70.323 ms | |
| 16 12.122.129.145 73.380 ms 73.415 ms 73.626 ms | |
| 17 12.116.103.6 289.428 ms 289.163 ms 289.259 ms | |
| 18 219.158.4.177 280.133 ms 280.081 ms 279.180 ms | |
| 19 219.158.15.10 285.558 ms 277.110 ms 277.112 ms | |
| 20 219.158.23.242 295.061 ms 295.484 ms 295.082 ms | |
| 21 221.11.155.250 295.448 ms 295.591 ms 295.428 ms | |
| 22 221.11.160.14 298.747 ms 301.180 ms 301.139 ms | |
| 23 * * * | |
| 24 * * * | |
| 25 * * * | |
| 26 * * * | |
| 27 * * * | |
| 28 * * * | |
| 29 *^C | |
| After the probe: | |
| traceroute -T -O ack --sport=993 -n -p 6885 113.58.244.51 | |
| traceroute to 113.58.244.51 (113.58.244.51), 30 hops max, 40 byte packets | |
| 1 10.208.200.3 0.321 ms 0.230 ms 0.268 ms | |
| 2 10.1.18.13 17.777 ms 1.088 ms 0.384 ms | |
| 3 10.1.19.14 0.644 ms 0.541 ms 0.613 ms | |
| 4 216.182.232.50 0.743 ms 0.685 ms 0.745 ms | |
| 5 72.21.222.148 0.953 ms 0.975 ms 0.694 ms | |
| 6 72.21.220.52 1.193 ms 0.999 ms 1.186 ms | |
| 7 168.143.232.49 0.844 ms 1.032 ms 0.947 ms | |
| 8 129.250.3.118 2.337 ms 2.236 ms 2.241 ms | |
| 9 192.205.37.53 3.386 ms 3.232 ms 3.287 ms | |
| 10 12.122.134.134 75.566 ms 75.584 ms 75.913 ms | |
| 11 12.122.18.21 72.999 ms 71.614 ms 72.121 ms | |
| 12 12.122.31.85 72.872 ms 72.201 ms 72.168 ms | |
| 13 12.122.30.25 74.797 ms 76.056 ms 75.605 ms | |
| 14 12.122.30.30 73.746 ms 72.219 ms 71.538 ms | |
| 15 12.123.30.249 70.312 ms 70.102 ms 70.144 ms | |
| 16 12.122.129.145 71.867 ms 72.608 ms 72.667 ms | |
| 17 12.116.103.6 289.208 ms 289.009 ms 289.292 ms | |
| 18 219.158.4.177 280.327 ms 280.069 ms 280.181 ms | |
| 19 219.158.15.10 277.672 ms 277.070 ms 277.369 ms | |
| 20 219.158.23.242 295.198 ms 295.630 ms 295.114 ms | |
| 21 221.11.155.250 296.065 ms 295.571 ms 295.917 ms | |
| 22 221.11.160.14 301.651 ms 301.019 ms 301.074 ms | |
| 23 * 221.11.160.14 299.997 ms 301.065 ms | |
| 24 * * * | |
| 25 * * *^C | |
| Sample using mikeperry's iptables hack to use the same exact TCP tuple as | |
| the live connection, while it was live it failed; pcaps showed that the | |
| packets weren't going out at all, and appeared to be eaten at the iptables | |
| layer. | |
| traceroute -T -O ack --sport=1234 -n -p 15713 60.13.132.232 | |
| traceroute to 60.13.132.232 (60.13.132.232), 30 hops max, 40 byte packets | |
| 1 * * * | |
| 2 * * * | |
| 3 * * * | |
| 4 *^C | |
| But the same ports to a different IP were okay: | |
| traceroute -T -O ack --sport=1234 -n -p 15713 1.2.3.4 | |
| traceroute to 1.2.3.4 (1.2.3.4), 30 hops max, 40 byte packets | |
| 1 10.208.200.3 0.432 ms 0.355 ms 1.001 ms | |
| 2 10.1.16.13 0.593 ms 0.576 ms 0.339 ms | |
| 3 10.1.17.14 0.349 ms 0.425 ms 0.436 ms | |
| 4 216.182.224.82 0.645 ms 0.479 ms 0.436 ms | |
| 5 72.21.222.148 0.691 ms 0.680 ms 0.733 ms | |
| 6 72.21.220.36 40.609 ms 1.297 ms 1.244 ms | |
| 7 168.143.232.73 1.207 ms !N 1.361 ms !N 1.499 ms !N | |
| And after the prober closed its connection: | |
| traceroute -T -O ack --sport=1234 -n -p 15713 60.13.132.232 | |
| traceroute to 60.13.132.232 (60.13.132.232), 30 hops max, 40 byte packets | |
| 1 10.208.200.3 0.328 ms 0.268 ms 0.284 ms | |
| 2 10.1.14.13 0.412 ms 0.520 ms 0.283 ms | |
| 3 10.1.15.14 0.393 ms 0.424 ms 0.441 ms | |
| 4 216.182.224.78 0.497 ms 0.429 ms 0.501 ms | |
| 5 72.21.222.148 0.806 ms 0.728 ms 0.688 ms | |
| 6 72.21.220.68 0.870 ms 0.972 ms 0.931 ms | |
| 7 168.143.191.17 1.439 ms 1.325 ms 1.378 ms | |
| 8 192.205.37.53 3.388 ms 3.271 ms 3.050 ms | |
| 9 12.122.134.134 73.478 ms 71.643 ms 71.718 ms | |
| 10 12.122.18.21 76.272 ms 75.908 ms 78.250 ms | |
| 11 12.122.31.85 74.103 ms 71.976 ms 82.942 ms | |
| 12 12.122.30.25 75.551 ms 74.995 ms 76.269 ms | |
| 13 12.122.30.30 73.357 ms 75.962 ms 75.576 ms | |
| 14 12.123.30.249 73.233 ms 73.750 ms 73.583 ms | |
| 15 12.122.129.49 74.569 ms 74.515 ms 73.608 ms | |
| 16 12.118.130.86 238.895 ms 282.266 ms 252.014 ms | |
| 17 219.158.96.221 240.930 ms 240.885 ms 240.886 ms | |
| 18 219.158.96.225 242.314 ms 242.288 ms 242.288 ms | |
| 19 219.158.23.94 311.817 ms 311.760 ms 311.904 ms | |
| 20 221.7.2.250 314.890 ms 314.793 ms 314.791 ms | |
| 21 221.7.3.26 313.309 ms 313.450 ms 313.255 ms | |
| 22 * * * | |
| 23 * * *^C | |
| Another prober, this time actually during the probing thanks to more | |
| iptables and routing hackery: | |
| traceroute -T -O ack --sport=1234 -n -p 18339 113.58.244.209 | |
| traceroute to 113.58.244.209 (113.58.244.209), 30 hops max, 40 byte packets | |
| 1 10.208.200.3 22.941 ms 4.654 ms 0.896 ms | |
| 2 10.1.14.13 0.308 ms 0.294 ms 0.335 ms | |
| 3 10.1.15.14 0.400 ms 0.446 ms 0.353 ms | |
| 4 216.182.232.50 0.614 ms 0.492 ms 0.457 ms | |
| 5 72.21.222.148 0.657 ms 0.689 ms 0.749 ms | |
| 6 72.21.220.52 1.107 ms 1.243 ms 1.206 ms | |
| 7 168.143.232.49 1.208 ms 1.221 ms 1.207 ms | |
| 8 129.250.3.118 2.107 ms 2.286 ms 2.263 ms | |
| 9 192.205.37.53 11.880 ms 3.407 ms 3.336 ms | |
| 10 12.122.134.134 72.544 ms 71.551 ms 71.749 ms | |
| 11 12.122.18.21 72.905 ms 75.897 ms 75.792 ms | |
| 12 12.122.31.85 77.837 ms 75.563 ms 76.777 ms | |
| 13 12.122.30.25 76.276 ms 75.540 ms 76.331 ms | |
| 14 12.122.30.30 73.454 ms 74.699 ms 71.855 ms | |
| 15 12.123.30.249 74.593 ms 74.357 ms 74.842 ms | |
| 16 12.122.129.145 73.903 ms 69.713 ms 72.209 ms | |
| 17 12.116.103.10 279.680 ms 279.639 ms 279.349 ms | |
| 18 219.158.3.161 266.821 ms 269.409 ms 267.077 ms | |
| 19 219.158.96.54 256.382 ms 254.179 ms 254.349 ms | |
| 20 219.158.14.106 306.252 ms 306.526 ms 306.267 ms | |
| 21 221.11.155.250 305.514 ms 305.254 ms 305.474 ms | |
| 22 221.11.160.14 308.502 ms 310.979 ms 311.144 ms | |
| 23 * * * | |
| 24 * * * | |
| 25 * * * | |
| 26 *^C | |
| And the same prober, > 5 minutes after the probe: | |
| & traceroute -T -O ack --sport=1234 -n -p 18339 113.58.244.209 | |
| traceroute to 113.58.244.209 (113.58.244.209), 30 hops max, 40 byte packets | |
| 1 10.208.200.3 0.439 ms 0.278 ms 0.236 ms | |
| 2 10.1.14.13 5.294 ms 1.225 ms 0.739 ms | |
| 3 10.1.15.14 0.385 ms 0.430 ms 0.442 ms | |
| 4 216.182.232.50 7.351 ms 0.657 ms 0.501 ms | |
| 5 72.21.222.148 0.798 ms 0.719 ms 0.757 ms | |
| 6 72.21.220.52 1.056 ms 1.101 ms 1.108 ms | |
| 7 168.143.232.49 1.062 ms 1.192 ms 1.017 ms | |
| 8 129.250.3.118 2.472 ms 2.231 ms 2.240 ms | |
| 9 192.205.37.53 3.337 ms 3.206 ms 3.288 ms | |
| 10 12.122.134.134 73.007 ms 72.235 ms 71.503 ms | |
| 11 12.122.18.21 75.957 ms 76.638 ms 75.013 ms | |
| 12 12.122.31.85 74.581 ms 76.336 ms 76.061 ms | |
| 13 12.122.30.25 74.598 ms 76.213 ms 75.506 ms | |
| 14 12.122.30.30 72.519 ms 72.265 ms 71.669 ms | |
| 15 12.123.30.249 74.450 ms 74.448 ms 74.605 ms | |
| 16 12.122.129.145 69.584 ms 69.976 ms 69.622 ms | |
| 17 12.116.103.10 279.630 ms 279.473 ms 279.406 ms | |
| 18 219.158.3.161 266.466 ms 266.928 ms 267.200 ms | |
| 19 219.158.96.54 254.338 ms 254.340 ms 254.042 ms | |
| 20 219.158.14.106 306.293 ms 306.199 ms 306.074 ms | |
| 21 221.11.155.250 305.337 ms 305.372 ms 305.138 ms | |
| 22 221.11.160.14 305.191 ms 311.037 ms 312.963 ms | |
| 23 * * * | |
| 24 * * * | |
| 25 * * * | |
| 26 * * * | |
| 27 * * * | |
| 28 * * * | |
| 29 * * * | |
| 30 * * * |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment