Open darkk opened 7 years ago
Yes, very good suggestion! On a related note (perhaps of the note-to-self type) the traceroute engine in measurement-kit is very basic, and I'd like to be able to do something `mtr --report`-ish from measurement-kit (I doubt this could work on mobile, at least to the full extent that `mtr` works on desktops).

BTW, `mtr` may be misleading too. I've observed `mtr` showing stars for the final hop when the final hop was just replying slooowly (say 7-20 seconds) while studying the data on the TCP PEP (performance-enhancing proxy) of a 3G ISP. Always-on tcpdump revealed that `mtr` behavior and saved me from producing a false claim :)
Some notes while observing DNS spoofing at AS41843:

- (`dig +trace`) are intercepted and a spoofed response is returned for bad domains
- `ip.id` is likely hard to capture for non-root MK, but `ip.ttl` may be read with `IP_RECVTTL`; it's also possible to have the control server send packets with TTL=192 (or anything uncommon), so `IP_RECVTTL` will show injected packets in a more contrasting way

So (2) and (3) are already gathered; gathering data for (1), (4), (5), (7), (8) and (9) may be useful in some cases.
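The `IP_RECVTTL` idea from the note above, as an added example that is neither measurement-kit code nor the commenter's own: a UDP receiver asks the kernel for the IP TTL of every datagram via ancillary data, and a loopback self-test stands in for a control server that deliberately sends with TTL=192 so injected packets (which arrive with some other, "normal" TTL) stand out. The example goes one step beyond the note by also estimating hop distance from the observed TTL, assuming the common initial values 64, 128 and 255; the cmsg layout (`IPPROTO_IP`/`IP_TTL` carrying an `int`) is the Linux one and is an assumption of this example.

```c
/* Added example (not measurement-kit code): read the IP TTL of received
 * datagrams with IP_RECVTTL and estimate sender distance from it.
 * Assumes Linux cmsg semantics: level IPPROTO_IP, type IP_TTL, int payload. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Walk the ancillary data returned by recvmsg() and pull out the TTL.
 * Returns -1 if IP_RECVTTL was not enabled or the kernel sent no cmsg. */
static int ttl_from_cmsg(struct msghdr *msg)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_TTL) {
            int ttl;
            memcpy(&ttl, CMSG_DATA(c), sizeof ttl);
            return ttl;
        }
    }
    return -1;
}

/* Most stacks start at 64, 128 or 255, so the hop count is the gap to the
 * smallest initial value that is >= the observed TTL. -1 on nonsense input. */
int hops_from_ttl(int ttl)
{
    static const int initial[] = {64, 128, 255};
    if (ttl < 1 || ttl > 255) return -1;
    for (size_t i = 0; i < sizeof initial / sizeof initial[0]; i++)
        if (ttl <= initial[i]) return initial[i] - ttl;
    return -1;
}

/* Receive one datagram on fd (IP_RECVTTL must already be set on it) into
 * buf and return the TTL the packet arrived with, or -1 on error. */
int recv_with_ttl(int fd, char *buf, size_t len)
{
    char ctrl[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctrl;
    msg.msg_controllen = sizeof ctrl;
    if (recvmsg(fd, &msg, 0) < 0) return -1;
    return ttl_from_cmsg(&msg);
}

/* Loopback self-test: the "control server" socket sends with an unusual
 * TTL, the "probe" socket reads it back. Returns the TTL seen, -1 on failure. */
int loopback_ttl_roundtrip(int send_ttl)
{
    int rx = -1, tx = -1, one = 1, result = -1;
    struct sockaddr_in addr;
    socklen_t alen = sizeof addr;
    const char payload[] = "probe";  /* constructed sample payload */
    char buf[64];

    rx = socket(AF_INET, SOCK_DGRAM, 0);
    tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (rx < 0 || tx < 0) goto out;
    if (setsockopt(rx, IPPROTO_IP, IP_RECVTTL, &one, sizeof one) < 0) goto out;
    if (setsockopt(tx, IPPROTO_IP, IP_TTL, &send_ttl, sizeof send_ttl) < 0) goto out;

    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = 0;                              /* ephemeral port */
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(rx, (struct sockaddr *)&addr, sizeof addr) < 0) goto out;
    if (getsockname(rx, (struct sockaddr *)&addr, &alen) < 0) goto out;

    if (sendto(tx, payload, sizeof payload, 0,
               (struct sockaddr *)&addr, sizeof addr) < 0) goto out;
    result = recv_with_ttl(rx, buf, sizeof buf);
out:
    if (rx >= 0) close(rx);
    if (tx >= 0) close(tx);
    return result;
}

int main(void)
{
    int ttl = loopback_ttl_roundtrip(192);
    printf("received TTL %d, estimated %d hops away\n", ttl, hops_from_ttl(ttl));
    return ttl == 192 ? 0 : 1;
}
```

In a real probe the receiver would record the TTL of every reply alongside its payload; a reply whose TTL (and therefore hop estimate) disagrees with the value the control server is known to send is the one to flag as injected, which is exactly the contrast the note is after.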
Some notes while observing RST injection at AS8997:

- `curl https://rutracker.org/forum/index.php` fails due to RST injection
- `curl https://RuTracker.org/forum/index.php` works due to case-sensitive SNI field comparison
- `openssl s_client -connect rutracker.org:443` works as openssl does not send SNI by default
- `rutracker.org` is closer to me (in terms of TTL) than the injector service while doing tcptraceroute with a payload packet
- `GET` in the middle of the domain name does not trigger RST
- `ClientHello` anywhere within the ClientHello packet passes through the filter
- `Host: rutracker.org\r\n` header right before `\r\n` still triggers redirect injection, although it's technically incorrect as `Host: rutracker.org` may become `Host: rutracker.org.example.org\r\n` in further packets

The RIPE Atlas DNS hackathon has brought another awesome masterpiece: Recursive DNS Server Fingerprint. I wonder if there is anything in IDN handling that may be used for fingerprinting as well.
PTRs of infrastructural IPs are also useful as services may migrate and it may be good to have that information stored (that can also be done in the pipeline).
Some notes while observing DNS zone hijacking at some of the recursors in AS22047:

- `net` TLD returns SOA record for the TLD

measurement-kit/measurement-kit#1311 brings the idea of fingerprinting the HTTPS blockpage server by checking supported TLS versions and ciphersuites. See also DinoTools/sslscan.
Simple `mtr --report-wide --show-ips --tcp --port 443 blocked.ws` and `mtr --report-wide --show-ips --udp --port 53 8.8.8.8`, in addition to plain `mtr --report-wide --show-ips --icmp example.net`, may add valuable information to the web_connectivity report when some network block happens.

Sending a DNS query directly to the SOA NS may be useful too, as 8.8.8.8 is well-known and may be hijacked on a per-IP basis. `ooniprobe` may gather similar data as soon as it detects a major difference between measurement & control.