WingNews logo WingNews GitHub [2]

Rasbora's comments

Rasbora | 2 months ago | on: Show HN: Aroma: Every TCP Proxy Is Detectable with RTT Fingerprinting

This is the core concept of how proxies are detected via services like https://layer3intel.com/tripwire or https://spur.us/monocle/

The difference in min TCP RTT and min RTT to respond to a websocket payload is a dead giveaway that there's a middlebox terminating TCP somewhere along the path. You can bypass this by sourcing your request within 30ms of wherever TCP is being terminated, anything under that threshold could be caused by regular noise and isn't a reliable fingerprint. Due to how many gateway's there are between you and a residential proxy exit node this makes fingerprinting them extremely easy.

I expect it won't be long until someone deploys the first proxy service that handles the initial CONNECT payload in the kernel before offloading packet forwarding to an eBPF script that will proxy packets between hosts at layer 3, making this fingerprinting technique obsolete. The cat and mouse game continues.

Rasbora | 1 year ago | on: How to get the whole planet to send abuse complaints to your best friends

Back in the day I would scan for DrDoS reflectors in a similar way, no hosting provider wants to get reports for port scanning so the source address of the scan would belong to an innocent cloud provider with a reputable IP that reflectors would happily send UDP replies to. The cloud provider would of course get a massive influx of complaints but you would just say that you aren't doing any scanning from your server (which they would verify) and they wouldn't shut your service off. The server sending out the spoofed scan packets is undetectable so you're able to scan the entire internet repeatedly without the typical abuse issues that come with it.

I'm not sure how often this happens in practice but tracing the source of a spoofed packet is possible if you can coordinate with transit providers to follow the hops back to the source. One time JPMorgan worked with Cogent to tell us to stop sending packets with their IP addresses (Cogent is one of the most spoofer friendly tier 1's on the internet btw).

This is the first time I've heard of this being used to target TOR specifically which seems counterintuitive, you would think people sending out spoofed packets would be advocates of TOR. Probably just a troll, luckily providers that host TOR won't care about this type of thing.

Rasbora | 3 years ago | on: Cloudflare servers don't own IPs anymore so how do they connect to the internet?

Whenever I see the name Marek Majkowski come up, I know the blog post is going to be good.

I had to solve this exact problem a year ago when attempting to build an anycast forward proxy, quickly came to the conclusion that it'd be impossible without a massive infrastructure presence. Ironically I was using CF connections to debug how they might go about this problem, when I realized they were just using local unicast routes for egress traffic I stopped digging any deeper.

Maintaining a routing table in unimog to forward lopsided egress connections to the correct DC is brilliant and shows what is possible when you have a global network to play with, however I wonder if this opens up an attack vector where previously distributed connections are now being forwarded & centralized at a single DC, especially if they are all destined for the same port slice...

Rasbora | 3 years ago | on: IPv4 Turf War

I had an almost identical idea to this website a while ago but never acted on it, props to the dev.

Here is how you win the IPv4 games, in order of most to least effective:

1) Have a large online following that is willing to visit your claim link or a page where you can embed an iframe / img / etc that points to your claim link.

2) Pay to use someone else's (consensual) botnet by paying a residential proxy service, this is the approach I just used and it cost me a few dollars for access to a massive amount of distributed IPv4 space.

3) Abuse cloud / serverless offerings as far as they will go, unlikely to win more than a few blocks this way.

4) Own IPv4 space.

Other less ethical approaches: possibly exploit the system by sending a XFF header the developer forgot to block (probably just checking socket address so unlikely to work here), spin up a Vultr VPS in the same DC and probe for a way to connect with a local address, hijack BGP space, run your own botnet, I'm reminded of an old exploit in WordPress XMLRPC...

From what I can see the current rankings are just me and mike fighting for the same proxy space (the vote goes to the most recent visit per IP), and everyone else falls into buckets 3 & 4.

Rasbora | 3 years ago | on: I ran the worlds largest DDoS-for-Hire empire and Cloudflare helped

I would agree with you, however please take a look at a statement from CloudFlare earlier today: https://news.ycombinator.com/item?id=32707821

"Our decision today was that the risk created by the content could not be dealt with in a timely enough matter by the traditional rule of law systems."

Booter services have been using CloudFlare for the better part of a decade, sure individual services come and go but the trend is persistent. So for booter services a decade is enough time for the rule of law to make the decision but another type of controversial platform follows it's own arbitrary timeline, and I would argue that is setting the most dangerous precedent of all, especially when the 'risk' created by a particular type of content doesn't outweigh any potential financial incentives.

page 1