[help] Spectra Ping / Traceroute results to Singapore

404

New Member
Apr 13, 2019
2
1
I've been following this thread for the same issue. My complaint went up to the L3 team but no dice. And now the HTTPS blocks despite using DNS over HTTPS. Perhaps another thread can be opened to figure out how they're doing it?
 

varkey

Regulars
Jun 11, 2006
508
166
They appear to make use of the SNI (Server Name Indication) information, which is included by the browsers/clients in all HTTPS requests these days. This is sent in plaintext in the first step of the TLS handshake process.

To test my hypothesis, I did the following.

Code:
Viveks-MacBook-Air:tmp varkey$ dig +short soundcloud.com
68.232.44.127

Resolved the DNS name and attempted to access the site with just the IP address. This might not load the site itself because the remote server would definitely depend on the hostname used to determine what content to serve, so it returned a 404, which is kind of expected. However, the interesting part is that it established the TLS connection and was able to make an HTTP request without issues.

Code:
Viveks-MacBook-Air:tmp varkey$ wget https://68.232.44.127
--2019-04-13 08:24:41--  https://68.232.44.127/
Connecting to 68.232.44.127:443... connected.
    ERROR: certificate common name '*.soundcloud.com' doesn't match requested host name '68.232.44.127'.
To connect to 68.232.44.127 insecurely, use `--no-check-certificate'.
Viveks-MacBook-Air:tmp varkey$ wget https://68.232.44.127 --no-check-certificate
--2019-04-13 08:24:46--  https://68.232.44.127/
Connecting to 68.232.44.127:443... connected.
    WARNING: certificate common name '*.soundcloud.com' doesn't match requested host name '68.232.44.127'.
HTTP request sent, awaiting response... 404 Not Found
2019-04-13 08:24:46 ERROR 404: Not Found.

Now, for the second test, I used the URL with the DNS name, and it failed right after the TLS Client Hello, which includes the SNI information that contains the hostname.

Code:
Viveks-MacBook-Air:tmp varkey$ curl -vvv https://soundcloud.com
* Rebuilt URL to: https://soundcloud.com/
*   Trying 68.232.44.127...
* TCP_NODELAY set
* Connected to soundcloud.com (68.232.44.127) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to soundcloud.com:443
* stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to soundcloud.com:443

What is Server Name Indication (SNI)?
 
Reactions: 404 and alphago

404

New Member
Apr 13, 2019
2
1
I thought the same that SNI is being read. But Firefox has the option to encrypt SNI and I double-checked using Cloudflare's checker. The usual sites are still getting blocked.
 


Reactions: varkey

Anvith

Member
[OP]
Jan 19, 2019
42
14
This is similar to what Jio and BSNL have been doing; they block HTTPS sites too. DoH doesn't work on them either (not sure about BSNL; it might work on BSNL, as my friend stated that sites open for him when opened through Google).
 

varkey

Regulars
Jun 11, 2006
508
166
I thought the same that SNI is being read. But Firefox has the option to encrypt SNI and I double-checked using Cloudflare's checker. The usual sites are still getting blocked.
Interesting, I wasn't aware of encrypted SNI -- Encrypt it or lose it: how encrypted SNI works

However, for that to work, the remote website should support TLS 1.3 and have the necessary configuration for ESNI implemented on the server side. Since it's still new, I don't think many websites have ESNI stuff enabled yet.

So even though ESNI is available to use in Firefox, unless the blocked sites implement it on their side, it won't help us.
 
Reactions: 404

Sushubh

Administrator
Oct 29, 2004
416,875
12,927
Gurugram
every domain on cloudflare has it enabled by default from my understanding.
also... browsers have to support it too. firefox has support but needs to be enabled. chrome has no support at the moment and it would take a while before it arrives.

First, you need to make sure you have DNS over HTTPS enabled. Once you’ve done that, you also need to set the “network.security.esni.enabled” preference in about:config to “true”. This should automatically enable ESNI for any site that supports it.
Encrypted SNI Comes to Firefox Nightly | Mozilla Security Blog

 


Reactions: varkey

Anvith

Member
[OP]
Jan 19, 2019
42
14
Using a VPN server located at Bangalore gives me much better ping to Singapore (110-120 ms) than without VPN, since the VPN server routing is proper. But I think if I had a VPN to Chennai I'd get even better latency, since traffic to Bangalore is routed to and from Chennai.
 

varkey

Regulars
Jun 11, 2006
508
166
@Anvith I just tried a similar thing, going via a VM in AWS Mumbai gives relatively good pings. I used ZeroTier for the connectivity, so there is a slight overhead of that too.

Code:
➜  ~ ping -c 4 speedtest-sgp1.digitalocean.com
PING speedtest-sgp1.digitalocean.com (159.89.192.182): 56 data bytes
64 bytes from 159.89.192.182: icmp_seq=0 ttl=48 time=79.627 ms
64 bytes from 159.89.192.182: icmp_seq=1 ttl=48 time=78.984 ms
64 bytes from 159.89.192.182: icmp_seq=2 ttl=48 time=81.837 ms
64 bytes from 159.89.192.182: icmp_seq=3 ttl=48 time=79.670 ms

--- speedtest-sgp1.digitalocean.com ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 78.984/80.029/81.837/1.078 ms
➜  ~ ping -c 4 speedtest.singapore.linode.com
PING speedtest.singapore.linode.com (139.162.23.4): 56 data bytes
64 bytes from 139.162.23.4: icmp_seq=0 ttl=47 time=77.039 ms
64 bytes from 139.162.23.4: icmp_seq=1 ttl=47 time=76.219 ms
64 bytes from 139.162.23.4: icmp_seq=2 ttl=47 time=79.858 ms
64 bytes from 139.162.23.4: icmp_seq=3 ttl=47 time=76.492 ms

--- speedtest.singapore.linode.com ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 76.219/77.402/79.858/1.448 ms
➜  ~   ping -c 4 speedtest-blr1.digitalocean.com
PING speedtest-blr1.digitalocean.com (139.59.80.215): 56 data bytes
64 bytes from 139.59.80.215: icmp_seq=0 ttl=46 time=53.026 ms
64 bytes from 139.59.80.215: icmp_seq=1 ttl=46 time=53.033 ms
64 bytes from 139.59.80.215: icmp_seq=2 ttl=46 time=52.406 ms
64 bytes from 139.59.80.215: icmp_seq=3 ttl=46 time=52.830 ms

--- speedtest-blr1.digitalocean.com ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 52.406/52.824/53.033/0.255 ms

Pings to AWS Mumbai are great too, getting 15-17 ms.
 
Reactions: Anvith

Anvith

Member
[OP]
Jan 19, 2019
42
14
Reverse route for 180.151.124.x has been fixed; the ping is around 40-50 ms.

Traceroute
Code:
                                            My traceroute  [v0.86]
NAS (0.0.0.0)                                                                        Sat Apr 20 14:33:46 2019
Resolver: Received error response 2. (server failure)er of fields   quit
                                                                     Packets               Pings
Host                                                              Loss%   Snt   Last   Avg  Best  Wrst StDev
1. dlinkrouter.Dlink                                               0.0%     6    1.2   1.1   0.7   1.6   0.0
2. 10.201.116.1                                                    0.0%     6    1.5   1.9   1.4   2.8   0.0
3. 203.92.63.177.reverse.spectranet.in                             0.0%     6    3.3   2.4   1.5   3.3   0.0
4. 203.92.63.158.reverse.spectranet.in                             0.0%     6   22.2  22.1  21.6  22.8   0.0
5. 180.151.59.30.reverse.spectranet.in                             0.0%     6   21.8  22.5  21.8  23.4   0.0
6. 219.65.111.13.STATIC-Chennai.vsnl.net.in                        0.0%     6   24.6  25.0  23.3  30.6   2.7
7. 172.31.167.45                                                   0.0%     6   11.2  12.9  11.2  16.8   2.3
8. ix-ae-2-1334.tcore2.svw-singapore.as6453.net                    0.0%     6   55.4  60.7  55.2  81.9  10.4
9. if-ae-2-2.tcore1.svw-singapore.as6453.net                       0.0%     5   42.6  43.3  42.6  44.2   0.0
10. 180.87.67.42                                                    0.0%     5   43.6  45.1  43.6  48.0   1.8
11. 139.162.0.6                                                     0.0%     5   55.0  55.8  55.0  56.4   0.0
12. speedtest.singapore.linode.com                                  0.0%     5   42.8  51.1  42.7  83.4  18.1

Reverse Trace
Code:
                                        My traceroute  [v0.86]
localhost (0.0.0.0)                                                          Sat Apr 20 14:34:46 2019
Resolver: Received error response 2. (server failure)er of fields   quit
                                                             Packets               Pings
Host                                                      Loss%   Snt   Last   Avg  Best  Wrst StDev
1. 103.3.60.3                                              2.2%    91    2.1   8.3   0.6  29.3   5.2
    103.3.60.2
2. 139.162.0.1                                             0.0%    91    4.6   8.2   0.4  26.6   5.4
3. be25-711.br04.sin02.pccwbtn.net                         0.0%    91    6.7   8.5   1.7  21.3   4.5
4. TenGE0-0-0-0.br02.sin01.pccwbtn.net                     0.0%    91    7.3   8.6   2.2  25.0   4.6
5. TenGE0-0-0-0.br02.sin01.pccwbtn.net                     0.0%    91   15.4   8.7   2.0  23.0   4.4
6. 63-218-163-170.static.pccwglobal.net                    0.0%    91    8.2   7.6   1.5  19.8   4.2
7. ???
8. 182.19.115.226                                          0.0%    91   39.0  41.8  36.1  52.2   4.1
9. 182.19.108.204                                          0.0%    91   39.2  41.7  35.6  73.1   6.0
10. 182.19.62.201                                           0.0%    91   40.1  41.6  34.9  60.5   5.5
11. 203.92.63.133.reverse.spectranet.in                     0.0%    90   72.2  73.9  66.9 104.8   5.7
12. ???
13. ???
14. 180.151.124.x.reverse.spectranet.in                   0.0%    90   99.1  78.1  68.9 112.6   7.3