TCP traceroute stops at the 2nd hop
Some users of my web server experience a TCP/443-only traffic block. The block is inconsistent across the users' home ISPs, even within a single ISP/city. It seems to be activated by traffic volume. The block is lifted on the old IP when I direct traffic to a different IP; the new IP is blocked.
All these traceroute methods work: ICMP, UDP, TCP/non-443-port.
Only TCP/443 traceroute fails, right on the 2nd hop (the next router after the home router does not respond).
The question:
- does this indicate some blacklist being pushed up to the home ISP? If so, what protocol/technology might be used to block traffic so specifically (TCP/443 only) and so early (home ISP in a different country)?
- or is this related to how TCP traceroute works?
mtr <host> // Full trace
mtr --tcp --port 80 <host> // Full trace
mtr --tcp --port 666 <host> // Full trace (except the host), even to a closed port
mtr --tcp --port 443 <host> // Only home route responds (1 hop), no further hops
(I have contacted all the ASes along the route, nobody acknowledges any traffic blocking so far. So the question is specifically about traceroute and possible mechanisms of such traffic blocking.)
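The comparison the four mtr runs above make by eye, as an added example (not code from the question or from mtr): it parses constructed output in the style of `mtr --report` for two of the probes, finds the last hop that answered for each, and reports the hop at which one probe goes silent while the others continue. The report format is approximated from mtr's report mode and all addresses are made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed output in the style of `mtr --report` for two of the probes in
# the question (addresses made up). "???" is how mtr marks a hop that never
# answered; the Loss% column for such a hop reads 100.0.
MTR_REPORTS = {
    "icmp": """\
HOST: laptop                 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1           0.0%    10    0.6   0.7   0.5   1.1   0.2
  2.|-- 10.20.0.1             0.0%    10    8.1   8.4   7.9   9.3   0.4
  3.|-- 203.0.113.9           0.0%    10   12.0  12.2  11.8  13.0   0.3
  4.|-- 198.51.100.80         0.0%    10   30.1  30.4  29.9  31.2   0.4""",
    "tcp/443": """\
HOST: laptop                 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1           0.0%    10    0.6   0.7   0.5   1.1   0.2
  2.|-- ???                  100.0    10    0.0   0.0   0.0   0.0   0.0
  3.|-- ???                  100.0    10    0.0   0.0   0.0   0.0   0.0
  4.|-- ???                  100.0    10    0.0   0.0   0.0   0.0   0.0""",
}

# hop number, responding host (or ???), loss percentage
HOP_RE = re.compile(r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%?")

def parse_report(text: str) -> List[Tuple[int, str, float]]:
    """Extract (hop, host, loss%) from each hop line of an mtr report."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), float(m.group(3))))
    return hops

def last_responding_hop(hops: List[Tuple[int, str, float]]) -> int:
    """Highest hop number that answered at least once; 0 if none did."""
    return max((n for n, host, loss in hops if host != "???" and loss < 100.0), default=0)

def port_specific_drop(reports: Dict[str, str], probe: str) -> Optional[int]:
    """Hop at which `probe` goes silent while every other probe still gets
    answers from hops beyond it; None when the probes reach equally far.
    Such a difference points at per-port filtering on the path, since a
    closed destination port would only silence the final hop."""
    reach = {name: last_responding_hop(parse_report(t)) for name, t in reports.items()}
    others = [r for name, r in reach.items() if name != probe]
    if others and reach[probe] < min(others):
        return reach[probe] + 1
    return None

if __name__ == "__main__":
    print("TCP/443 goes silent at hop:", port_specific_drop(MTR_REPORTS, "tcp/443"))
```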
Comments (1)
This might be caused by traffic to your site going through some sort of middlebox that blocks port 443. There's a wide variety of equipment capable of doing this sort of thing for lawful interception/censorship/quality-of-service/security/etc.
It's perfectly plausible for traffic to a specific range of IPs and ports to get "special treatment" from an ISP for either technical or legal reasons.
It's not related to how TCP traceroute works, although there could be more benign explanations for what you're seeing (e.g. routers not returning ICMP TTL Expired packets for port 443 due to some sort of bug).
Consider asking on network engineering.