net4people / bbs

Forum for discussing Internet censorship circumvention

China's spoofed, hijacked IPs #332

Open 7c opened 4 months ago

7c commented 4 months ago

We see a huge number of most likely hijacked China IPs doing probes on our infrastructure. Can they really hijack them with full capabilities, or do they have certain restrictions? I have the feeling they avoid certain actions, like doing HTTPS with them. Experiences are welcome. They are all from China and can do TCP/IP at the application level.

free-the-internet commented 4 months ago

I see many pings starting from last week, and also 10 - 15 probes every day from China and a few from Russia, especially on port 443.

The most interesting one was a forged Client Hello packet without SNI and many other fields. But it was from a DigitalOcean IP. Unfortunately I deleted it.

Could you share some details of your probe packets?
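The "Client Hello without SNI" observation above is easy to check for systematically once you have the captured bytes. The following is an added example, not code from the thread or from net4people: it builds a minimal, constructed ClientHello (with or without a server_name extension) and a small parser that walks the handshake and reports whether an SNI hostname is present. The record layout follows the TLS handshake format; the builder's all-zero random and single cipher suite are test-input assumptions, not anything a real probe was observed to send.

```python
import struct
from typing import Optional


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS ClientHello record (test input, not a captured probe).

    If sni is None the extensions block is present but empty, which is the
    "ClientHello without SNI" shape discussed in the thread.
    """
    random_bytes = bytes(32)                  # all-zero random: fine for a parser test
    session_id = b"\x00"                      # empty session id
    cipher_suites = b"\x00\x02" + b"\x13\x01"  # one suite, TLS_AES_128_GCM_SHA256
    compression = b"\x01\x00"                 # one method: null
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host       # host_name type
        server_name_list = struct.pack("!H", len(name_entry)) + name_entry
        extensions += b"\x00\x00" + struct.pack("!H", len(server_name_list)) + server_name_list
    body = (b"\x03\x03" + random_bytes + session_id + cipher_suites + compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # msg_type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # content_type 22


def client_hello_sni(data: bytes) -> Optional[str]:
    """Return the SNI host_name from a ClientHello record, or None if absent.

    Raises ValueError when the bytes are not a TLS handshake record carrying a
    ClientHello, so callers can distinguish 'no SNI' from 'not a ClientHello'.
    """
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) < body_len:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                  # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                            # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                             # cipher_suites
    cm_len = body[pos]
    pos += 1 + cm_len                             # compression_methods
    if pos >= len(body):
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0:                            # server_name extension
            q = 2                                 # skip ServerNameList length
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                name = edata[q:q + nlen]
                q += nlen
                if ntype == 0:                    # host_name
                    return name.decode("ascii", "replace")
    return None


def classify_client_hello(data: bytes) -> str:
    """Label a captured record: 'not-a-clienthello', 'no-sni', or 'sni:<host>'."""
    try:
        sni = client_hello_sni(data)
    except ValueError:
        return "not-a-clienthello"
    return "no-sni" if sni is None else f"sni:{sni}"


if __name__ == "__main__":
    print(classify_client_hello(build_client_hello("example.com")))  # sni:example.com
    print(classify_client_hello(build_client_hello(None)))           # no-sni
```

Feeding real captures into classify_client_hello() (for example the first TCP payload of each inbound 443 connection) turns the anecdote into a count of SNI-less hellos per source. Note that a missing SNI is not proof of a probe on its own: some legitimate clients still omit it, so it is one signal to combine with source, timing and the rest of the hello.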

wkrp commented 4 months ago

Can you say more about what indicates the IPs are hijacked?

Hijacked or "borrowed" IP addresses were a hypothesis put forth in some GFW active probing papers:

https://censorbib.nymity.ch/#Winter2012a

One explanation for the changing TTL, but definitely not the only one, is that the GFC could be spoofing IP addresses. The firewall could be abusing several IP address pools intended for Internet users to allocate short-lived IP addresses for the purpose of scanning.

https://blog.torproject.org/learning-more-about-gfws-active-probing-system/

Is the GFW using dedicated machines behind their thousands of probing IP addresses? Does the GFW even "own" all these IP addresses? Rumour had it that the GFW was hijacking IP addresses for a short period of time, but there was no conclusive proof. As a result, we teamed up and set out to answer these, and other questions.
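The Winter2012a passage quoted above treats a changing TTL from the same source as one possible sign of address spoofing. The following is an added example, not code from the thread or from the cited papers: it runs that heuristic over a few constructed log lines, infers each packet's likely initial TTL (64, 128 or 255, the common OS defaults) and flags sources whose packets fall into more than one family, which is hard to explain by a single host behind a stable path. The log format is an assumption made up for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample lines (documentation-range addresses), not real probe logs.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.7 dport=443 ttl=52
2024-05-01T10:00:09Z src=203.0.113.7 dport=443 ttl=116
2024-05-01T10:00:14Z src=203.0.113.7 dport=443 ttl=243
2024-05-01T10:01:02Z src=198.51.100.21 dport=443 ttl=50
2024-05-01T10:01:30Z src=198.51.100.21 dport=443 ttl=51
2024-05-01T10:02:00Z src=192.0.2.9 dport=22 ttl=64
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dport=(?P<dport>\d+)\s+ttl=(?P<ttl>\d+)")

INITIAL_TTLS = (64, 128, 255)  # assumed common defaults; 32 is rare enough to ignore here


def infer_initial_ttl(ttl: int) -> int:
    """Map an observed TTL to the smallest common initial TTL that could have produced it."""
    for start in INITIAL_TTLS:
        if ttl <= start:
            return start
    raise ValueError(f"TTL {ttl} out of range")


def ttl_families(lines: Iterable[str]) -> Dict[str, Set[int]]:
    """Group packets by source and collect the set of inferred initial TTLs per source."""
    fams: Dict[str, Set[int]] = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # tolerate unrelated lines
        fams[m["src"]].add(infer_initial_ttl(int(m["ttl"])))
    return dict(fams)


def hop_spread(lines: Iterable[str]) -> Dict[str, int]:
    """Per source, the spread (max - min) of inferred hop counts within the family.

    A single host on a stable path usually shows a spread of 0 or 1; large
    spreads within one family are another weak sign of multiple real senders.
    """
    hops: Dict[str, List[int]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ttl = int(m["ttl"])
        hops[m["src"]].append(infer_initial_ttl(ttl) - ttl)
    return {src: max(h) - min(h) for src, h in hops.items()}


def suspicious_sources(lines: Iterable[str]) -> List[str]:
    """Sources whose packets imply more than one initial TTL (the spoofing hint)."""
    lines = list(lines)
    return sorted(src for src, fam in ttl_families(lines).items() if len(fam) > 1)


def report(lines: Iterable[str]) -> List[Tuple[str, List[int], int]]:
    """(source, sorted initial-TTL families, hop spread) for every source seen."""
    lines = list(lines)
    fams = ttl_families(lines)
    spread = hop_spread(lines)
    return [(src, sorted(fams[src]), spread[src]) for src in sorted(fams)]


if __name__ == "__main__":
    for src, fam, spread in report(SAMPLE_LOG.splitlines()):
        print(f"{src:16} initial_ttls={fam} hop_spread={spread}")
    print("suspicious:", suspicious_sources(SAMPLE_LOG.splitlines()))
```

As the quoted paper itself cautions, a changing TTL is not the only explanation: a path change, a middlebox that rewrites TTL, or a NAT fronting several hosts will all produce the same pattern, so treat a flagged source as a candidate for closer inspection rather than as proof of a hijacked address.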