E-commerce website traffic hijacking: case analysis and reflections (2)

My theory at the time was that this was a wide net rather than a one-off incident aimed at a single site, so I visited other e-commerce sites such as Yixun, Taobao and Tmall, and found that Yixun was hit by the same attack. The purpose of the hijacking appears to be to redirect e-commerce traffic through a rebate (cashback) alliance, so that whoever injects the redirect collects a rebate on the amount the current user spends.

This basically confirms that the problem lies with the operator, but it does not tell us whether the operator did this deliberately, whether its equipment was compromised, or whether an insider did it on the quiet.

Locating the attack source

Let's look at the route trace from that time:

The forged HTTP response arrived at my machine with a TTL of 252. If the injecting device sent it with an initial TTL of 255, the packet crossed 255 - 252 = 3 routers on the way, so the problem sits near the fourth hop, which here is 119.145.220.86 (belonging to Shenzhen Telecom).

Of course, although this is close to a confirmation (I captured packets for several days in a row, and the TTL of the forged HTTP response was always 252), it does not rule out the device deliberately sending with a non-standard initial TTL (say 254) to make tracing harder. To keep a rigorous attitude and avoid being misled by the attacker, the evidence has to be solid.

Pinpointing the device is fairly simple. Because the attacking device sniffs packets from a side channel (a tap, not an inline box), it can be inferred that it matches on individual packets rather than on connection state. So we construct the packet it is listening for, that is, the TCP segment carrying the HTTP request for the Jingdong homepage, sent directly without any three-way handshake, and send it repeatedly with the TTL incremented from 1. Each TTL delivers the packet exactly as far as one hop on the path. Hops with no problem produce no response; the first hop at which a forged response appears is the location of the problem.

For this you need a packet-crafting tool, either the Python-based Scapy or XCAP on Windows.

So I sent the probes one TTL at a time, and the forged response packet appeared when the TTL reached 4. This confirms that the problem lies at the fourth hop, and 119.145.55.14 answered with an ICMP Time-to-Live Exceeded packet.
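The sweep described above, as an added example that is not the original author's code: the probe (a single TCP data segment carrying an HTTP GET, with no handshake) is built by hand here rather than with Scapy so that the packet layout and the TTL arithmetic from the earlier paragraphs are visible and can be checked offline, and raw sockets (which need root) are only opened when the file is run as a script. The addresses, ports and Host header are assumed placeholders, not values from the article.

```python
"""TTL sweep to locate a stateless, side-channel packet injector.

Added example, not code from the original article. Addresses, ports
and the Host header are assumed placeholders.
"""
import select
import socket
import struct
import time

COMMON_INITIAL_TTLS = (64, 128, 255)


def infer_initial_ttl(observed_ttl):
    """Nearest common initial TTL at or above the observed value."""
    for ttl in COMMON_INITIAL_TTLS:
        if ttl >= observed_ttl:
            return ttl
    raise ValueError("TTL out of range: %d" % observed_ttl)


def hops_traversed(observed_ttl, initial_ttl=None):
    """Routers crossed = initial TTL - observed TTL (e.g. 255 - 252 = 3)."""
    if initial_ttl is None:
        initial_ttl = infer_initial_ttl(observed_ttl)
    return initial_ttl - observed_ttl


def ones_complement_sum(data):
    """RFC 1071 checksum; yields 0 over data that already carries its checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_probe(src_ip, dst_ip, src_port, dst_port, ttl, payload, flags=0x18):
    """IPv4 + TCP segment (default PSH|ACK, no handshake) with payload and TTL."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, 0x1000, 0x2000,
                      (5 << 12) | flags, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, 20 + len(payload))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0xBEEF, 0x4000,
                     ttl, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp + payload


def checksums_ok(pkt):
    """True if both the IP header checksum and the TCP checksum verify."""
    ihl = (pkt[0] & 0x0F) * 4
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, pkt[9], len(pkt) - ihl)
    return ones_complement_sum(pkt[:ihl]) == 0 and ones_complement_sum(pseudo + pkt[ihl:]) == 0


def classify_response(pkt, probe_port):
    """'forged_http' (injector answering our probe port), 'rst' (real server: no
    such connection, so the probe got through), 'icmp_ttl_exceeded' (router), or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    body = pkt[(pkt[0] & 0x0F) * 4:]
    if pkt[9] == socket.IPPROTO_ICMP:
        return "icmp_ttl_exceeded" if body[:1] == b"\x0b" else None  # ICMP type 11
    if pkt[9] == socket.IPPROTO_TCP and len(body) >= 20:
        if struct.unpack("!H", body[2:4])[0] != probe_port:
            return None
        data = body[(body[12] >> 4) * 4:]
        if data.startswith(b"HTTP/1."):
            return "forged_http"
        if body[13] & 0x04:
            return "rst"
    return None


def sweep(src_ip, dst_ip, src_port, payload, max_ttl=16, timeout=2.0):
    """Send the probe with TTL 1, 2, ... and stop at the first TTL that draws a
    forged HTTP reply. Returns (ttl, router that reported expiry) or None."""
    tx = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    rx = [socket.socket(socket.AF_INET, socket.SOCK_RAW, p)
          for p in (socket.IPPROTO_TCP, socket.IPPROTO_ICMP)]
    for ttl in range(1, max_ttl + 1):
        tx.sendto(build_probe(src_ip, dst_ip, src_port, 80, ttl, payload), (dst_ip, 0))
        hop, reached, deadline = None, False, time.monotonic() + timeout
        while time.monotonic() < deadline:
            ready, _, _ = select.select(rx, [], [], max(0.0, deadline - time.monotonic()))
            for s in ready:
                pkt, (addr, _) = s.recvfrom(65535)
                kind = classify_response(pkt, src_port)
                if kind == "icmp_ttl_exceeded":
                    hop = addr  # the router at which this TTL expired
                elif kind == "forged_http":
                    return ttl, hop  # injector sits within `ttl` hops
                elif kind == "rst":
                    reached = True  # probe reached the real server
        if reached:
            break  # nothing on the path injected; no point going further
    return None


if __name__ == "__main__":
    GET = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"  # assumed target
    print(sweep("192.0.2.10", "198.51.100.20", 40000, GET))  # assumed addresses
```

Because the probe carries data on a connection the server has never seen, a genuine server can only answer with a RST, so any packet to the probe port that starts with "HTTP/1." must have been fabricated by something within the probe's TTL reach; the ICMP Time Exceeded messages collected along the way name the router at each hop, which is how the article ties TTL 4 to 119.145.55.14.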

With sufficient evidence in hand, we compiled a document with pictures and text and reported the problem to Shenzhen Telecom through the Tencent Security Emergency Response Center.