Who is injecting data into network packets.


Problem description

I use a packet sniffer that I wrote myself and it's a bit like Wireshark but is lightweight and seems to be doing a good job, but I have noticed packets arriving from the internet after making a TCP request out on port 80 for web pages. This I can check by checking the packet sniffer IP address that also shows up in Syslogs. Not sure about the length of the time lag.

The strange data I am getting always looks the same with the same ID, and this is happening on more than one machine with the same ID in the data, and the data part of the packet looks a bit like this.

"(Ref.Id: ?sufKKsWW98F4Cs2CEW6MM?)"

It's as if I am getting some type of late reply that makes its way past the NAT in the router's firewall due to timing or something, and the other thing I have noticed is that the network window size seems to always be zero, which might have something to do with a buffer overrun.

The router I use is a Sonicwall (not much good without a licence, most nice-to-haves don't work unless you pay them money), so if that's not injecting these packets then it seems like my ISP must be behind this and are using a back-door hack to push data to my network, since the router does not map any inbound packets.

I know for a fact that my ISP hijacks DNS lookups and somehow manages to serve up HTTPS pages from its servers using the hijacked lookups, so it's not something I would put past them.

Solution

Quote:

The router I use is a Sonicwall (not much good without a licence, most nice-to-haves don't work unless you pay them money), so if that's not injecting these packets then it seems like my ISP must be behind this and are using a back-door hack to push data to my network, since the router does not map any inbound packets.


Use the pfSense freeware router instead.
https://www.pfsense.org/


Well these strange bits of packet data I caught

"(Ref.Id: ?sufKKsWW98F4Cs2CEW6MM?)"

are connected to SSL certificate requests, and it seems to be Visual Studio that's sending them out as programs are running in debug mode and using VHost.

Now I know VS2010 likes to have an internet connection because it often crashes without one; that's been well documented over the years, but your guess is as good as mine as to why it needs a secure connection to call home.


I tried to get pfSense working on an old laptop but it could only see one of the network cards, so I gave in.

For the money these DrayTek routers are good, but I've stuck with the Sonicwall only because it can do outbound NAT mapping, so it can send any requests that were going to Microsoft or Google back to the LAN to be processed by a DNS server or proxy server.

Google pulls every trick in the book to hack details from your machine; you cannot block it all, but I now use man-in-the-middle on my proxy server to fix the scripts on the fly.

I also wanted to block Microsoft, like all 20 million IPs, and started to type lots of IP ranges into my firewall to block them, but it started to look a big mess, so I now block Microsoft using a few ASNs in the DNS server using a local whois lookup from an XML file that might not be up to date but gets it right most of the time.

Another trick is to pull the SSL certificate to see who really owns what site and then block based on that.

Still don't have a clue where these messages are coming from; it's the Sonicwall or my ISP pushing something to my network, no one seems to know.
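The check the question is really asking for is whether an inbound segment matches a connection this side opened (a late reply, as the asker suspects) or arrives with no matching outbound flow at all. The following is an added Python example of that flow-table check, not code from the thread or from the asker's sniffer; it assumes a LAN prefix of 192.168.1., parses raw IPv4/TCP packets without an Ethernet header, and runs on constructed sample packets (TEST-NET addresses, checksums left zero) that carry the Ref.Id payload quoted above.

```python
import struct
from ipaddress import ip_address

def parse_ipv4_tcp(frame: bytes) -> dict:
    """Pull the fields the check needs out of a raw IPv4/TCP packet (no Ethernet header)."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = frame[ihl:]
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return {"src": str(ip_address(frame[12:16])), "dst": str(ip_address(frame[16:20])),
            "sport": sport, "dport": dport, "flags": off_flags & 0x1FF,
            "window": window, "payload": tcp[(off_flags >> 12) * 4:]}

class FlowTracker:
    """Remembers outbound 4-tuples so each inbound segment can be classified."""
    def __init__(self, local_prefix: str):
        self.local_prefix = local_prefix   # assumption: LAN hosts behind the NAT share this prefix
        self.flows = set()
        self.findings = []                 # (verdict, remote ip, window, payload) for odd segments

    def observe(self, pkt: dict) -> str:
        if pkt["src"].startswith(self.local_prefix):
            self.flows.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return "outbound"
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        verdict = "reply" if key in self.flows else "unsolicited"
        # A zero window or the Ref.Id marker from the question is what makes a segment worth logging.
        if pkt["window"] == 0 or b"Ref.Id:" in pkt["payload"]:
            self.findings.append((verdict, pkt["src"], pkt["window"], pkt["payload"]))
        return verdict

def build_packet(src, dst, sport, dport, window, payload=b"", flags=0x18) -> bytes:
    """Constructed IPv4+TCP packet (checksums left zero) for offline testing only."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, window, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return ip + tcp

def run_demo():
    tracker = FlowTracker("192.168.1.")
    marker = b"(Ref.Id: ?sufKKsWW98F4Cs2CEW6MM?)"   # payload quoted in the question
    packets = [
        build_packet("192.168.1.10", "203.0.113.5", 51000, 80, 65535),        # our GET goes out
        build_packet("203.0.113.5", "192.168.1.10", 80, 51000, 0, marker),    # late reply, zero window
        build_packet("198.51.100.7", "192.168.1.10", 443, 52000, 0, marker),  # no outbound flow matches
    ]
    verdicts = [tracker.observe(parse_ipv4_tcp(p)) for p in packets]
    return verdicts, tracker.findings
```

Fed real captures from the sniffer, the "unsolicited" findings are the ones that reach the LAN without a NAT state entry and deserve a closer look, while "reply" findings are ordinary answers to connections this side opened.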

