[This article is blocked for mainland China] 20221003 Case report on large-scale GFW interference with port 443 of overseas IPs


Timeline

At around 11:30 (UTC+8), the attack was detected.

At 11:45 (UTC+8), a control experiment showed that HTTPS was unreachable when accessed from mainland China, while HTTP worked normally.

At 11:50 (UTC+8), a further control experiment showed that the domain name is irrelevant (HTTPS by bare IP is affected as well).

At 11:55 (UTC+8), a further control experiment showed that TCP 443 was unreachable, while HTTPS and HTTP served on other ports worked normally.

Preliminary judgment: the attack uniformly targets IP:443, specifically TCP. ICMP and other ports are unaffected.

Attack Mode Features

  1. So far only port 443 is known to be blocked; whether UDP 443 is also blocked is unknown.
  2. Overseas CDNs (CloudFlare, G-Core) are not additionally affected; the IPs of overseas CDNs are not attacked.
  3. Domestic CDNs using HTTP back-to-origin are unaffected, while those using HTTPS on port 443 for back-to-origin are also affected (e.g. Baidu Cloud Acceleration, Dogecloud).
  4. Switching to another port (HTTPS/TLS) or to HTTP on port 80 is unaffected.
  5. Having an ICP-filed (registered) domain name makes no difference; the attack targets the IP and port, not the domain name.
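The control experiments in the timeline (HTTPS vs HTTP, domain vs bare IP, port 443 vs other ports) are the useful part of this report for anyone who wants to confirm the same pattern on their own node. The script below is an added example, not the author's tooling: it runs that comparison as a small reachability matrix and derives the same verdict the report reached, so a single failed connection is not mistaken for a whole-IP block. The target IP, domain and alternate port are placeholders; the loopback helpers at the end are constructed stand-ins so the logic can be exercised offline.

```python
# Added example (not part of the original report): reproduce the report's
# control experiments as a reachability matrix with a derived verdict.
import socket
import ssl
import socketserver
import threading
from typing import Dict, Optional


def probe_tcp(host: str, port: int, timeout: float = 5.0) -> str:
    """TCP connect to host:port and classify the outcome.

    'timeout' is the signature of a silent drop (no SYN/ACK, no RST);
    'refused' means the host answered with RST (reachable, nothing listening).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return f"error:{exc.__class__.__name__}"


def probe_tls(host: str, port: int = 443, timeout: float = 5.0,
              server_name: Optional[str] = None) -> str:
    """TCP connect, then a TLS handshake. Certificate trust is deliberately
    not checked: the question is only whether the handshake completes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_name=None sends no SNI, i.e. the report's bare-IP HTTPS test
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                return f"open:{tls.version()}"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except (ssl.SSLError, OSError) as exc:
        return f"error:{exc.__class__.__name__}"


def run_matrix(host: str, domain: Optional[str] = None, alt_port: int = 8443,
               control_host: Optional[str] = None) -> Dict[str, str]:
    """The timeline's control experiments as one probe set against one IP."""
    results = {
        "tcp443": probe_tcp(host, 443),
        "tcp80": probe_tcp(host, 80),
        f"tcp{alt_port}": probe_tcp(host, alt_port),
        "tls443_bare_ip": probe_tls(host, 443, server_name=None),
    }
    if domain:
        results["tls443_domain"] = probe_tls(host, 443, server_name=domain)
    if control_host:  # an IP you know is unaffected, e.g. an overseas CDN edge
        results["control_tcp443"] = probe_tcp(control_host, 443)
    return results


def diagnose(results: Dict[str, str]) -> str:
    """Verdict mirroring the report's reasoning: compare 443 against the
    other TCP ports on the same IP before calling it port-targeted."""
    on443 = results.get("tcp443", "")
    others = [v for k, v in results.items() if k.startswith("tcp") and k != "tcp443"]
    if on443 == "open":
        return "tcp/443 reachable: no port-level interference observed"
    if others and all(v == "open" for v in others):
        return ("tcp/443 unreachable while other ports on the same IP are open: "
                "consistent with IP:443-targeted interference")
    if others and all(v != "open" for v in others):
        return "no probed port reachable: whole-IP block or host down, not 443-specific"
    return "tcp/443 unreachable with mixed results on other ports: inconclusive"


def start_local_listener() -> int:
    """Constructed stand-in for a reachable port: a loopback listener."""
    class _Drop(socketserver.BaseRequestHandler):
        def handle(self):
            pass
    srv = socketserver.TCPServer(("127.0.0.1", 0), _Drop)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def closed_local_port() -> int:
    """Constructed stand-in for a port that answers RST: bind, read, release."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "198.51.100.10"  # placeholder
    matrix = run_matrix(target, domain=None, alt_port=8443)
    for name, outcome in matrix.items():
        print(f"{name:16} {outcome}")
    print(diagnose(matrix))
```

Run it from inside mainland China against the suspect node and, ideally, pass a `control_host` that you expect to be unaffected; a `timeout` on 443 beside `open` on 80 and the alternate port is the pattern the report describes, whereas `refused` everywhere points at the host itself rather than the path.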

Impact on this site's service nodes

Service nodes affected by this round of attacks

  • Tencent Cloud Singapore
  • BandwagonHost (US) – DC6-GIAE
  • Japan Xtom Softbank
  • UK London Oracle (1 node)
  • KR Chuncheon Oracle (3 nodes)
  • US Phoenix Oracle (1 node)

Service nodes not affected by this round of attacks

  • Hosthatch Hong Kong
  • Contabo, USA
  • AE Dubai Oracle (4 nodes)
  • AU Melbourne Oracle (2 nodes)
  • US Phoenix Oracle (1 node)

Note that among the Oracle nodes, the attacked nodes are exactly those mentioned in the late-August 2022 case report on GFW's continued interference with normal access to overseas IPs.

Note that among the other nodes, the attacked ones are the main service nodes (which are essentially never accessed directly but sit nested behind other CDNs).

Note that among the other nodes, the unattacked ones are all back-end nodes, relay nodes and cold-standby nodes.

Solutions

Confront GFW head-on

Consider using low-cost, easily replaced IP addresses; do not use high-cost IPs/servers.

(Direct replacement) AWS, Oracle, GCP, Azure

(May need a restart) Vultr, DigitalOcean, Linode, BuyVM

CDN and nesting (matryoshka)

Mainland China CDN

Consider Jiasule (加速乐), Baidu Cloud Acceleration, Tencent Cloud CDN, Huawei Cloud CDN, Dogecloud

Overseas CDN

Consider CloudFlare (completely free), CloudFront (take care not to get burned), Gcore (free and stable)

Besides using a CDN directly, you can add another layer of reverse proxy in front.

Play dead

Block access from mainland China IPs outright

Change port and IP

Changing the IP only treats the symptom, not the root cause: the new IP is very likely to be blocked immediately, and the same goes for changing the port.

Friendly reminder

The "Administrative Measures for the Recordation of Non-Commercial Internet Information Services" (Order No. 33 of the Ministry of Information Industry), deliberated and adopted at the 12th executive meeting of the Ministry of Information Industry of the People's Republic of China on January 28, 2005, are hereby promulgated and take effect on March 20, 2005.

They state that "to provide non-commercial Internet information services within the territory of the People's Republic of China, the filing procedures shall be performed in accordance with the law. Without filing, non-commercial Internet information services shall not be provided within the territory of the People's Republic of China. The provision of non-commercial Internet information services refers to the provision of non-commercial Internet information services by organizations or individuals within the territory of the People's Republic of China using websites accessed through Internet domain names or websites that can only be accessed through Internet IP addresses. Those who access the commercial Internet to engage in non-commercial Internet information services may entrust the Internet access service operators, Internet data center operators and telecommunications operators that provide access services to their websites by other means to perform the recordation, recordation change, recordation cancellation and other procedures on their behalf."

This article is reprinted from https://www.blueskyxn.com/202210/6660.html
This site only archives it; the copyright belongs to the original author.