[help] Spectra Ping / Traceroute results to Singapore

I've been following this thread for the same issue. My complaint went up to the L3 team but no dice. And now the HTTPS blocks despite using DNS over HTTPS. Perhaps another thread can be opened to figure out how they're doing it?
 
They appear to make use of the SNI (Server Name Indication) information, which is included by browsers/clients in all HTTPS requests these days. This is sent in plaintext in the first step of the TLS handshake process.

To test my hypothesis, I did the following.

Code:
Viveks-MacBook-Air:tmp varkey$ dig +short soundcloud.com
68.232.44.127

I resolved the DNS name and attempted to access the site with just the IP address. This might not load the site itself, because the remote server would definitely depend on the hostname used to determine what content to serve, so it returned a 404, which is kind of expected. However, the interesting part is that it established the TLS connection and was able to make an HTTP request without issues.

Code:
Viveks-MacBook-Air:tmp varkey$ wget https://68.232.44.127
--2019-04-13 08:24:41--  https://68.232.44.127/
Connecting to 68.232.44.127:443... connected.
    ERROR: certificate common name '*.soundcloud.com' doesn't match requested host name '68.232.44.127'.
To connect to 68.232.44.127 insecurely, use `--no-check-certificate'.
Viveks-MacBook-Air:tmp varkey$ wget https://68.232.44.127 --no-check-certificate
--2019-04-13 08:24:46--  https://68.232.44.127/
Connecting to 68.232.44.127:443... connected.
    WARNING: certificate common name '*.soundcloud.com' doesn't match requested host name '68.232.44.127'.
HTTP request sent, awaiting response... 404 Not Found
2019-04-13 08:24:46 ERROR 404: Not Found.

Now for the second test I used the URL with the DNS name, and it failed right after the TLS client hello which includes the SNI information that contains the hostname.

Code:
Viveks-MacBook-Air:tmp varkey$ curl -vvv https://soundcloud.com
* Rebuilt URL to: https://soundcloud.com/
*   Trying 68.232.44.127...
* TCP_NODELAY set
* Connected to soundcloud.com (68.232.44.127) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to soundcloud.com:443
* stopped the pause stream!
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to soundcloud.com:443

What is Server Name Indication (SNI)?
 
I thought the same that SNI is being read. But Firefox has the option to encrypt SNI and I double-checked using Cloudflare's checker. The usual sites are still getting blocked.
 
This is similar to what Jio and BSNL have been doing. They block HTTPS sites too, and DoH doesn't work on them either (not sure about BSNL; it might work on BSNL, as my friend stated that sites open for him when opened through Google).
 
I thought the same that SNI is being read. But Firefox has the option to encrypt SNI and I double-checked using Cloudflare's checker. The usual sites are still getting blocked.

Interesting, I wasn't aware of encrypted SNI -- Encrypt it or lose it: how encrypted SNI works

However, for that to work, the remote website should support TLS 1.3 and have the necessary configuration for ESNI implemented on the server side. Since it's still new, I don't think many websites have ESNI stuff enabled yet.

So even though ESNI is available to use in Firefox, unless the blocked sites implement it on their side, it won't help us.
 
Every domain on Cloudflare has it enabled by default, from my understanding.
Also, browsers have to support it too. Firefox has support, but it needs to be enabled. Chrome has no support at the moment and it would take a while before it arrives.

First, you need to make sure you have DNS over HTTPS enabled. Once you’ve done that, you also need to set the “network.security.ESNI.enabled” preference in about:config to “true”. This should automatically enable ESNI for any site that supports it.

Encrypted SNI Comes to Firefox Nightly | Mozilla Security Blog

 


Using a VPN server located in Bangalore gives me much better ping to Singapore (110-120 ms) than without a VPN, since the VPN server routing is proper. But I think if I had a VPN to Chennai I'd get even better latency, since traffic to Bangalore is routed to and from Chennai.
 
@The_PC_Guy I just tried a similar thing, going via a VM in AWS Mumbai gives relatively good pings. I used ZeroTier for the connectivity, so there is a slight overhead of that too.

Code:
➜  ~ ping -c 4 speedtest-sgp1.digitalocean.com
PING speedtest-sgp1.digitalocean.com (159.89.192.182): 56 data bytes
64 bytes from 159.89.192.182: icmp_seq=0 ttl=48 time=79.627 ms
64 bytes from 159.89.192.182: icmp_seq=1 ttl=48 time=78.984 ms
64 bytes from 159.89.192.182: icmp_seq=2 ttl=48 time=81.837 ms
64 bytes from 159.89.192.182: icmp_seq=3 ttl=48 time=79.670 ms

--- speedtest-sgp1.digitalocean.com ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 78.984/80.029/81.837/1.078 ms
➜  ~ ping -c 4 speedtest.singapore.linode.com
PING speedtest.singapore.linode.com (139.162.23.4): 56 data bytes
64 bytes from 139.162.23.4: icmp_seq=0 ttl=47 time=77.039 ms
64 bytes from 139.162.23.4: icmp_seq=1 ttl=47 time=76.219 ms
64 bytes from 139.162.23.4: icmp_seq=2 ttl=47 time=79.858 ms
64 bytes from 139.162.23.4: icmp_seq=3 ttl=47 time=76.492 ms

--- speedtest.singapore.linode.com ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 76.219/77.402/79.858/1.448 ms
➜  ~   ping -c 4 speedtest-blr1.digitalocean.com
PING speedtest-blr1.digitalocean.com (139.59.80.215): 56 data bytes
64 bytes from 139.59.80.215: icmp_seq=0 ttl=46 time=53.026 ms
64 bytes from 139.59.80.215: icmp_seq=1 ttl=46 time=53.033 ms
64 bytes from 139.59.80.215: icmp_seq=2 ttl=46 time=52.406 ms
64 bytes from 139.59.80.215: icmp_seq=3 ttl=46 time=52.830 ms

--- speedtest-blr1.digitalocean.com ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 52.406/52.824/53.033/0.255 ms

Pings to AWS Mumbai are great too, getting 15-17 ms.
 
The reverse route for 180.151.124.x has been fixed; the ping is around 40-50 ms.

Traceroute
Code:
                                            My traceroute  [v0.86]
NAS (0.0.0.0)                                                                        Sat Apr 20 14:33:46 2019
Resolver: Received error response 2. (server failure)er of fields   quit
                                                                     Packets               Pings
Host                                                              Loss%   Snt   Last   Avg  Best  Wrst StDev
1. dlinkrouter.Dlink                                               0.0%     6    1.2   1.1   0.7   1.6   0.0
2. 10.201.116.1                                                    0.0%     6    1.5   1.9   1.4   2.8   0.0
3. 203.92.63.177.reverse.spectranet.in                             0.0%     6    3.3   2.4   1.5   3.3   0.0
4. 203.92.63.158.reverse.spectranet.in                             0.0%     6   22.2  22.1  21.6  22.8   0.0
5. 180.151.59.30.reverse.spectranet.in                             0.0%     6   21.8  22.5  21.8  23.4   0.0
6. 219.65.111.13.STATIC-Chennai.vsnl.net.in                        0.0%     6   24.6  25.0  23.3  30.6   2.7
7. 172.31.167.45                                                   0.0%     6   11.2  12.9  11.2  16.8   2.3
8. ix-ae-2-1334.tcore2.svw-singapore.as6453.net                    0.0%     6   55.4  60.7  55.2  81.9  10.4
9. if-ae-2-2.tcore1.svw-singapore.as6453.net                       0.0%     5   42.6  43.3  42.6  44.2   0.0
10. 180.87.67.42                                                    0.0%     5   43.6  45.1  43.6  48.0   1.8
11. 139.162.0.6                                                     0.0%     5   55.0  55.8  55.0  56.4   0.0
12. speedtest.singapore.linode.com                                  0.0%     5   42.8  51.1  42.7  83.4  18.1


Reverse Trace
Code:
                                        My traceroute  [v0.86]
localhost (0.0.0.0)                                                          Sat Apr 20 14:34:46 2019
Resolver: Received error response 2. (server failure)er of fields   quit
                                                             Packets               Pings
Host                                                      Loss%   Snt   Last   Avg  Best  Wrst StDev
1. 103.3.60.3                                              2.2%    91    2.1   8.3   0.6  29.3   5.2
    103.3.60.2
2. 139.162.0.1                                             0.0%    91    4.6   8.2   0.4  26.6   5.4
3. be25-711.br04.sin02.pccwbtn.net                         0.0%    91    6.7   8.5   1.7  21.3   4.5
4. TenGE0-0-0-0.br02.sin01.pccwbtn.net                     0.0%    91    7.3   8.6   2.2  25.0   4.6
5. TenGE0-0-0-0.br02.sin01.pccwbtn.net                     0.0%    91   15.4   8.7   2.0  23.0   4.4
6. 63-218-163-170.static.pccwglobal.net                    0.0%    91    8.2   7.6   1.5  19.8   4.2
7. ???
8. 182.19.115.226                                          0.0%    91   39.0  41.8  36.1  52.2   4.1
9. 182.19.108.204                                          0.0%    91   39.2  41.7  35.6  73.1   6.0
10. 182.19.62.201                                           0.0%    91   40.1  41.6  34.9  60.5   5.5
11. 203.92.63.133.reverse.spectranet.in                     0.0%    90   72.2  73.9  66.9 104.8   5.7
12. ???
13. ???
14. 180.151.124.x.reverse.spectranet.in                   0.0%    90   99.1  78.1  68.9 112.6   7.3
 
Interesting, even my pings are sub 50ms. Nice! I'm on 180.151.124.0/24 subnet

Code:
[root@varkey-minipc ~]# ping -c 4 speedtest-sgp1.digitalocean.com
PING speedtest-sgp1.digitalocean.com (159.89.192.182) 56(84) bytes of data.
64 bytes from 159.89.192.182 (159.89.192.182): icmp_seq=1 ttl=51 time=42.9 ms
64 bytes from 159.89.192.182 (159.89.192.182): icmp_seq=2 ttl=51 time=41.9 ms
64 bytes from 159.89.192.182 (159.89.192.182): icmp_seq=3 ttl=51 time=42.3 ms
64 bytes from 159.89.192.182 (159.89.192.182): icmp_seq=4 ttl=51 time=41.9 ms

--- speedtest-sgp1.digitalocean.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 41.961/42.304/42.925/0.415 ms
[root@varkey-minipc ~]# ping -c 4 speedtest.singapore.linode.com
PING speedtest.singapore.linode.com (139.162.23.4) 56(84) bytes of data.
64 bytes from speedtest.singapore.linode.com (139.162.23.4): icmp_seq=1 ttl=51 time=45.0 ms
64 bytes from speedtest.singapore.linode.com (139.162.23.4): icmp_seq=2 ttl=51 time=47.8 ms
64 bytes from speedtest.singapore.linode.com (139.162.23.4): icmp_seq=3 ttl=51 time=43.4 ms
64 bytes from speedtest.singapore.linode.com (139.162.23.4): icmp_seq=4 ttl=51 time=43.6 ms

--- speedtest.singapore.linode.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 43.450/45.011/47.855/1.766 ms
[root@varkey-minipc ~]#
 
@404 are you in Bangalore and area? Also, if possible, raise a complaint with Spectra. If many people report it, they might just give in and fix it.
 
@The_PC_Guy @varkey I'm in BLR and in 180.151.117.x subnet. I have complained about their routing with a few streaming services not running properly as examples. I don't have the means or the know-how to give exact network data to their engineers. They did some tests remotely and just gave up.
 
