西西河

Topic: [Original] A purely technical analysis: who blocked ccthere.com? -- 江阔云低

Total: 14 replies, 44 flowers
  • [Original] A purely technical analysis: who blocked ccthere.com?

    I saw people on the river discussing this topic. Work was slow today, so I ran a test at the office.

    Test tool: the snoop command

    Test steps:

    Step 1: run the following commands:

    bash-3.00# nslookup
    > ccthere.com
    Server: xxxxxxx
    Address: xxxxxxx

    Non-authoritative answer:
    Name: ccthere.com
    Address: 68.233.230.142
    >

    DNS resolution is fine.

    bash-3.00# snoop -d hme -o snoop.out

    Step 2: open ccthere.com in Firefox; the result is shown in the screenshot (image not reproduced here).

    Step 3: ^C to stop the capture and obtain the snoop output.

    Decoding the snoop capture:

    bash-3.00# snoop -i snoop.out -ta -V tcp port 80 | more

    ________________________________
    1 14:49:11.27006 myhost -> ccthere.com ETHER Type=0800 (IP), size = 66 bytes
    1 14:49:11.27006 myhost -> ccthere.com IP D=68.233.230.142 S=xxx.xxx.xxx.xxx LEN=52, ID=31942, TOS=0x0, TTL=64
    1 14:49:11.27006 myhost -> ccthere.com TCP D=80 S=32971 Syn Seq=537354463 Len=0 Win=49640 Options=<mss 1460,nop,wscale 0,nop,nop,sackOK>
    1 14:49:11.27006 myhost -> ccthere.com HTTP C port=32971
    ________________________________
    2 14:49:11.69009 ccthere.com -> myhost ETHER Type=0800 (IP), size = 60 bytes
    2 14:49:11.69009 ccthere.com -> myhost IP D=xxx.xxx.xxx.xxx S=68.233.230.142 LEN=44, ID=0, TOS=0x0, TTL=43
    2 14:49:11.69009 ccthere.com -> myhost TCP D=32971 S=80 Syn Ack=537354464 Seq=2971482276 Len=0 Win=5840 Options=<mss 1380>
    2 14:49:11.69009 ccthere.com -> myhost HTTP R port=32971
    ________________________________
    3 14:49:11.69014 myhost -> ccthere.com ETHER Type=0800 (IP), size = 54 bytes
    3 14:49:11.69014 myhost -> ccthere.com IP D=68.233.230.142 S=xxx.xxx.xxx.xxx LEN=40, ID=31943, TOS=0x0, TTL=64
    3 14:49:11.69014 myhost -> ccthere.com TCP D=80 S=32971 Ack=2971482277 Seq=537354464 Len=0 Win=49680
    3 14:49:11.69014 myhost -> ccthere.com HTTP C port=32971
    ________________________________

    From the first three packets you can see that the TCP three-way handshake between the client (my machine) and the server (ccthere.com) completes and the connection is established.

    -------------------------
    4 14:49:11.69027 myhost -> ccthere.com ETHER Type=0800 (IP), size = 452 bytes
    4 14:49:11.69027 myhost -> ccthere.com IP D=68.233.230.142 S=xxx.xxx.xxx.xxx LEN=438, ID=31944, TOS=0x0, TTL=64
    4 14:49:11.69027 myhost -> ccthere.com TCP D=80 S=32971 Push Ack=2971482277 Seq=537354464 Len=398 Win=49680
    4 14:49:11.69027 myhost -> ccthere.com HTTP GET / HTTP/1.1
    ________________________________

    Starting with packet 4, the client asks the HTTP server for content.

    ---------------------------------
    5 14:49:11.82236 ccthere.com -> myhost ETHER Type=0800 (IP), size = 60 bytes
    5 14:49:11.82236 ccthere.com -> myhost IP D=xxx.xxx.xxx.xxx S=68.233.230.142 LEN=40, ID=27586, TOS=0x0, TTL=238
    5 14:49:11.82236 ccthere.com -> myhost TCP D=32971 S=80 Rst Ack=537354464 Seq=2971482277 Len=0 Win=3016
    5 14:49:11.82236 ccthere.com -> myhost HTTP R port=32971
    ________________________________
    6 14:49:11.82236 ccthere.com -> myhost ETHER Type=0800 (IP), size = 60 bytes
    6 14:49:11.82236 ccthere.com -> myhost IP D=xxx.xxx.xxx.xxx S=68.233.230.142 LEN=40, ID=27614, TOS=0x0, TTL=238
    6 14:49:11.82236 ccthere.com -> myhost TCP D=32971 S=80 Rst Ack=537354464 Seq=2971483737 Len=0 Win=3017
    6 14:49:11.82236 ccthere.com -> myhost HTTP R port=32971
    ________________________________
    7 14:49:11.82248 ccthere.com -> myhost ETHER Type=0800 (IP), size = 60 bytes
    7 14:49:11.82248 ccthere.com -> myhost IP D=xxx.xxx.xxx.xxx S=68.233.230.142 LEN=40, ID=27656, TOS=0x0, TTL=238
    7 14:49:11.82248 ccthere.com -> myhost TCP D=32971 S=80 Rst Ack=537354464 Seq=2971486657 Len=0 Win=3018
    7 14:49:11.82248 ccthere.com -> myhost HTTP R port=32971
    ________________________________

    Looking at packets 5, 6 and 7 in response to the request in packet 4, it appears that the HTTP server sent three RST/ACK packets back to the client, tearing down the connection. That is the screen the browser ended up showing.

    Of course, this reset (connection reset) was certainly not sent by 铁手's web server. In theory, any network device (ISP) on the path between the web server and my machine could have tampered with it.

    So who did it?

    I did a search with the keywords Rst Ack GFW.

    The links below contain some discussion of the GFW's blocking signatures.

    After reading them, who the prime suspect is hardly needs saying. Heh.

    [external link]

    [external link]

    Keywords (Tags): #network testing (嘉英) #GFW #blocking #snoop
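Added example (my code, not part of the original post): a small Python script that parses the snoop summary lines quoted above, rebuilds the connection state, and scores each RST that claims to come from 68.233.230.142. It checks the three things a practitioner would look at in exactly this capture: the RSTs carry TTL=238 while the server's own SYN/ACK arrived with TTL=43 (two different senders with different path lengths), they arrive after the GET while the server has sent no data at all, and their sequence numbers sit at offsets 0, 1460 and 4380 from the server's next expected sequence number, i.e. multiples of the client's advertised MSS of 1460. The sample text is constructed from the capture in the post (ETHER and HTTP summary lines dropped, wrapped lines joined, client address masked as in the post); the function names and the assumption that senders start at an initial TTL of 64, 128 or 255 are mine.

```python
"""Score the RSTs in a snoop text capture for signs of injection.

Added example, not from the original post. Three checks per RST:
TTL differs from the server's own SYN/ACK on that connection; it
arrives after the client's request while the server has sent no data;
its sequence number is ahead of the server's next expected sequence.
"""
import re

# Constructed sample: the IP and TCP summary lines of the capture in the
# post, ETHER/HTTP lines dropped, wrapped lines joined, client IP masked.
SAMPLE = """\
1 14:49:11.27006 myhost -> ccthere.com IP D=68.233.230.142 S=xxx.xxx.xxx.xxx LEN=52, ID=31942, TOS=0x0, TTL=64
1 14:49:11.27006 myhost -> ccthere.com TCP D=80 S=32971 Syn Seq=537354463 Len=0 Win=49640 Options=<mss 1460,nop,wscale 0,nop,nop,sackOK>
2 14:49:11.69009 ccthere.com -> myhost IP D=xxx.xxx.xxx.xxx S=68.233.230.142 LEN=44, ID=0, TOS=0x0, TTL=43
2 14:49:11.69009 ccthere.com -> myhost TCP D=32971 S=80 Syn Ack=537354464 Seq=2971482276 Len=0 Win=5840 Options=<mss 1380>
3 14:49:11.69014 myhost -> ccthere.com IP D=68.233.230.142 S=xxx.xxx.xxx.xxx LEN=40, ID=31943, TOS=0x0, TTL=64
3 14:49:11.69014 myhost -> ccthere.com TCP D=80 S=32971 Ack=2971482277 Seq=537354464 Len=0 Win=49680
4 14:49:11.69027 myhost -> ccthere.com IP D=68.233.230.142 S=xxx.xxx.xxx.xxx LEN=438, ID=31944, TOS=0x0, TTL=64
4 14:49:11.69027 myhost -> ccthere.com TCP D=80 S=32971 Push Ack=2971482277 Seq=537354464 Len=398 Win=49680
5 14:49:11.82236 ccthere.com -> myhost IP D=xxx.xxx.xxx.xxx S=68.233.230.142 LEN=40, ID=27586, TOS=0x0, TTL=238
5 14:49:11.82236 ccthere.com -> myhost TCP D=32971 S=80 Rst Ack=537354464 Seq=2971482277 Len=0 Win=3016
6 14:49:11.82236 ccthere.com -> myhost IP D=xxx.xxx.xxx.xxx S=68.233.230.142 LEN=40, ID=27614, TOS=0x0, TTL=238
6 14:49:11.82236 ccthere.com -> myhost TCP D=32971 S=80 Rst Ack=537354464 Seq=2971483737 Len=0 Win=3017
7 14:49:11.82248 ccthere.com -> myhost IP D=xxx.xxx.xxx.xxx S=68.233.230.142 LEN=40, ID=27656, TOS=0x0, TTL=238
7 14:49:11.82248 ccthere.com -> myhost TCP D=32971 S=80 Rst Ack=537354464 Seq=2971486657 Len=0 Win=3018
"""

IP_RE = re.compile(r"^(\d+) \S+ \S+ -> \S+ IP D=(\S+) S=(\S+) LEN=\d+, ID=\d+, TOS=\S+, TTL=(\d+)$")
TCP_RE = re.compile(r"^(\d+) (\S+) \S+ -> \S+ TCP D=(\d+) S=(\d+) (.*)$")
FLAGS = ("Syn", "Rst", "Push", "Fin")


def parse_snoop(text):
    """Merge each frame's IP and TCP summary lines into one dict."""
    frames = {}
    for line in text.splitlines():
        m = IP_RE.match(line)
        if m:
            no, dip, sip, ttl = m.groups()
            frames.setdefault(int(no), {}).update(no=int(no), sip=sip, dip=dip, ttl=int(ttl))
            continue
        m = TCP_RE.match(line)
        if m:
            no, ts, dport, sport, rest = m.groups()
            kv = dict(re.findall(r"\b(Seq|Ack|Len|Win)=(\d+)", rest))
            frames.setdefault(int(no), {}).update(
                no=int(no), ts=ts, sport=int(sport), dport=int(dport),
                flags={f for f in FLAGS if re.search(rf"\b{f}\b", rest)},
                seq=int(kv.get("Seq", 0)), ack=int(kv.get("Ack", 0)),
                length=int(kv.get("Len", 0)), win=int(kv.get("Win", 0)))
    return [frames[k] for k in sorted(frames)]


def estimate_hops(ttl):
    """Assume an initial TTL of 64, 128 or 255 (the smallest one >= ttl)."""
    return next(i for i in (64, 128, 255) if i >= ttl) - ttl


def find_injected_rsts(frames, server_ip):
    """Baseline each connection on the server's SYN/ACK, then score every
    RST that claims to come from server_ip. Returns one finding per RST."""
    conns, findings = {}, []
    def fresh(): return dict(ttl=None, next_seq=None, server_data=0, client_data=0)
    for f in frames:
        if f["sip"] == server_ip:                       # server -> client
            st = conns.setdefault(f["dport"], fresh())
            if "Syn" in f["flags"]:                     # the handshake reply
                st["ttl"], st["next_seq"] = f["ttl"], f["seq"] + 1
            elif "Rst" in f["flags"]:
                findings.append({
                    "no": f["no"], "ttl": f["ttl"], "baseline_ttl": st["ttl"],
                    "hops": estimate_hops(f["ttl"]),
                    "baseline_hops": estimate_hops(st["ttl"]) if st["ttl"] else None,
                    "ttl_mismatch": st["ttl"] is not None and f["ttl"] != st["ttl"],
                    "seq_offset": f["seq"] - st["next_seq"] if st["next_seq"] else None,
                    "after_request_no_data": st["client_data"] > 0 and st["server_data"] == 0,
                    "win": f["win"]})
            elif f["length"]:                           # real payload from the server
                st["server_data"] += f["length"]
                st["next_seq"] = f["seq"] + f["length"]
        elif f["dip"] == server_ip:                     # client -> server
            conns.setdefault(f["sport"], fresh())["client_data"] += f["length"]
    return findings


def suspect_injection(findings):
    """True when any RST fails the TTL baseline or lands ahead of sequence."""
    return any(r["ttl_mismatch"] or (r["seq_offset"] or 0) > 0 for r in findings)


if __name__ == "__main__":
    result = find_injected_rsts(parse_snoop(SAMPLE), "68.233.230.142")
    for r in result:
        print(r)
    print("injected reset suspected:", suspect_injection(result))
```

Run as-is it prints one finding per RST. On this capture the SYN/ACK's TTL of 43 is consistent with an initial TTL of 64 and 21 hops, while the RSTs' TTL of 238 fits an initial TTL of 255 and 17 hops: a different stack, closer to the client than the real server. The capture shows two further differences (ID=0 on the SYN/ACK against non-zero IDs on the RSTs, and the window values 3016/3017/3018) that the script reports but does not score, because they depend on the sender's stack and are weaker evidence than the TTL and sequence checks.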
    • Looks like this is a specialist technical question; I don't really understand it.
    • Seeing that some people below can't follow it, let me try to translate

      Step 1: run the following commands:

      bash-3.00# nslookup
      > ccthere.com
      Server: xxxxxxx
      Address: xxxxxxx

      Non-authoritative answer:
      Name: ccthere.com
      Address: 68.233.230.142
      >

      So one day the OP wandered onto the Internet, and what a crowd it was. The OP grabbed the DNS girl keeping the register next to him and asked, "Fairy sister, which one is 老铁?" Without looking up she pointed, "The one sitting on hilltop 68.223.230.142 who keeps tinkering with something, that's him."

      1 14:49:11.27006 myhost -> ccthere.com ETHER Type=0800 (IP), size = 66 bytes
      1 14:49:11.27006 myhost -> ccthere.com IP D=68.233.230.142 S=xxx.xxx.xxx.xxx LEN=52, ID=31942, TOS=0x0, TTL=64
      1 14:49:11.27006 myhost -> ccthere.com TCP D=80 S=32971 Syn Seq=537354463 Len=0 Win=49640 Options=<mss 1460,nop,wscale 0,nop,nop,sackOK>
      1 14:49:11.27006 myhost -> ccthere.com HTTP C port=32971
      ________________________________
      2 14:49:11.69009 ccthere.com -> myhost ETHER Type=0800 (IP), size = 60 bytes
      2 14:49:11.69009 ccthere.com -> myhost IP D=xxx.xxx.xxx.xxx S=68.233.230.142 LEN=44, ID=0, TOS=0x0, TTL=43
      2 14:49:11.69009 ccthere.com -> myhost TCP D=32971 S=80 Syn Ack=537354464 Seq=2971482276 Len=0 Win=5840 Options=<mss 1380>
      2 14:49:11.69009 ccthere.com -> myhost HTTP R port=32971
      ________________________________
      3 14:49:11.69014 myhost -> ccthere.com ETHER Type=0800 (IP), size = 54 bytes
      3 14:49:11.69014 myhost -> ccthere.com IP D=68.233.230.142 S=xxx.xxx.xxx.xxx LEN=40, ID=31943, TOS=0x0, TTL=64
      3 14:49:11.69014 myhost -> ccthere.com TCP D=80 S=32971 Ack=2971482277 Seq=537354464 Len=0 Win=49680
      3 14:49:11.69014 myhost -> ccthere.com HTTP C port=32971

      The OP turned toward 老铁 and hollered, "老铁, where are you, are you, you~~~~"

      老铁 looked up and hollered back, "Over here, here, ere~~~"

      The OP yelled, "Got it, it~~~"

      -------------------------
      4 14:49:11.69027 myhost -> ccthere.com ETHER Type=0800 (IP), size = 452 bytes
      4 14:49:11.69027 myhost -> ccthere.com IP D=68.233.230.142 S=xxx.xxx.xxx.xxx LEN=438, ID=31944, TOS=0x0, TTL=64
      4 14:49:11.69027 myhost -> ccthere.com TCP D=80 S=32971 Push Ack=2971482277 Seq=537354464 Len=398 Win=49680
      4 14:49:11.69027 myhost -> ccthere.com HTTP GET / HTTP/1.1
      ________________________________

      The OP wrote a note, "Brother 老铁, your humble brother is famished; please pack me a serving of 西西河's roast chicken (烘焙鸡, i.e. the home page), with thanks in advance," and had the courier carry it over.

      ---------------------------------
      5 14:49:11.82236 ccthere.com -> myhost ETHER Type=0800 (IP), size = 60 bytes
      5 14:49:11.82236 ccthere.com -> myhost IP D=xxx.xxx.xxx.xxx S=68.233.230.142 LEN=40, ID=27586, TOS=0x0, TTL=238
      5 14:49:11.82236 ccthere.com -> myhost TCP D=32971 S=80 Rst Ack=537354464 Seq=2971482277 Len=0 Win=3016
      5 14:49:11.82236 ccthere.com -> myhost HTTP R port=32971
      ________________________________
      6 14:49:11.82236 ccthere.com -> myhost ETHER Type=0800 (IP), size = 60 bytes
      6 14:49:11.82236 ccthere.com -> myhost IP D=xxx.xxx.xxx.xxx S=68.233.230.142 LEN=40, ID=27614, TOS=0x0, TTL=238
      6 14:49:11.82236 ccthere.com -> myhost TCP D=32971 S=80 Rst Ack=537354464 Seq=2971483737 Len=0 Win=3017
      6 14:49:11.82236 ccthere.com -> myhost HTTP R port=32971
      ________________________________
      7 14:49:11.82248 ccthere.com -> myhost ETHER Type=0800 (IP), size = 60 bytes
      7 14:49:11.82248 ccthere.com -> myhost IP D=xxx.xxx.xxx.xxx S=68.233.230.142 LEN=40, ID=27656, TOS=0x0, TTL=238
      7 14:49:11.82248 ccthere.com -> myhost TCP D=32971 S=80 Rst Ack=537354464 Seq=2971486657 Len=0 Win=3018
      7 14:49:11.82248 ccthere.com -> myhost HTTP R port=32971
      ________________________________

      After a while the courier came back with a note that read, "I don't like the look of you; no service." The OP was crestfallen...

      The OP and 老铁 have always been on good terms, so he knew the note was certainly not written by 老铁. Rumor in the jianghu has it that the courier has been carrying on with Widow Wang, and Widow Wang has lately fallen out with 老铁; the handwriting on the note looks rather like Widow Wang's, so the OP suspects Widow Wang is behind this...

    • Flowers for not understanding, heh


    • Isn't there the 西厢计划 (West Chamber Project) now

      which is designed specifically to counter this kind of blocking.

    • This analysis is solid!

      Actually, whenever you see a connection reset you can pretty much conclude it was the GFW.

      • Why though?

        Um, um, could some expert translate the OP's masterpiece?

        Preferably easy to understand, vivid, and fun to read...

      • Yep, that's right; I just had time on my hands and used snoop to grab some packets and take a look.
    • Fake Fatty takes the sofa.

      Bro, just say it straight. Not everyone on 西西河 is an IT expert; there are plenty of newbies like me here. Your hemming and hawing has me on pins and needles, and I can't make sense of the two links you gave either.

      Keep writing: what exactly is going on? Is there any way for 西西河 to technically unblock itself?

      My level is low, so I won't treasure-boost, just flowers. If anyone below has treasures to spare, give them to the OP.


Copyright © cchere 西西河