Track down where packets are being blocked/dropped - networking

When I was in China my company's website was blocked for about 24 hours.
I assume it was the "Great Chinese Firewall", but I was wondering if there is any way that I can find out exactly where a packet or TCP/IP connection gets blocked.
I was able to verify that it wasn't being blocked at our end (I used the local hosts file to point to the backup server inside China) or at our server's end (other people could still connect to both ISPs).
I tried tracert, but only port 80 was being redirected; I could SSH into the server without any problems.
The other problem is that most of the routers in China just drop the packets and don't respond to ping, etc., so you can't find out their IP addresses.
In the future, are there any tools that can track down where packets are being blocked?

tcptraceroute
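What tcptraceroute buys you over plain traceroute is a TCP SYN probe to the port that is actually being filtered, so a trace to port 80 and a trace to port 22 can be compared hop by hop. The script below is an added example, not part of the answer above: it takes two traces in the shape of `tcptraceroute -n HOST PORT` output and reports the last hop that replied before each went dark. Both captures are constructed sample text with RFC 5737 placeholder addresses, not real traces.

```shell
#!/bin/sh
# Added example: compare a TCP traceroute to port 80 with one to port 22 and
# report where each stopped getting replies. The two captures are CONSTRUCTED
# text in the shape of "tcptraceroute -n HOST PORT" output (RFC 5737 addresses).
set -eu

# Constructed: the port-80 trace never reaches the destination.
TRACE_80='Selected device eth0, address 192.0.2.10, port 43210 for outgoing packets
Tracing the path to 203.0.113.5 on TCP port 80 (http), 30 hops max
 1  192.0.2.1  0.412 ms  0.398 ms  0.377 ms
 2  198.51.100.1  2.110 ms  2.050 ms  2.003 ms
 3  198.51.100.9  5.221 ms  5.187 ms  5.301 ms
 4  198.51.100.17  18.402 ms  18.377 ms  18.455 ms
 5  * * *
 6  * * *
 7  * * *
 8  * * *'

# Constructed: the port-22 trace crosses the same silent routers (hops 5-6)
# and still reaches the destination, which answers the SYN.
TRACE_22='Selected device eth0, address 192.0.2.10, port 43211 for outgoing packets
Tracing the path to 203.0.113.5 on TCP port 22 (ssh), 30 hops max
 1  192.0.2.1  0.401 ms  0.388 ms  0.390 ms
 2  198.51.100.1  2.090 ms  2.071 ms  2.015 ms
 3  198.51.100.9  5.198 ms  5.202 ms  5.177 ms
 4  198.51.100.17  18.390 ms  18.401 ms  18.366 ms
 5  * * *
 6  * * *
 7  203.0.113.5 [open]  210.334 ms  209.998 ms  210.112 ms'

# last_responding_hop < trace : prints "HOP IP" for the last hop that replied.
last_responding_hop() {
  awk '$2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { last = $1 " " $2 }
       END { print last }'
}

# destination_reached < trace : succeeds if the target itself answered the
# probe (tcptraceroute marks that hop [open] or [closed]).
destination_reached() {
  grep -q -e '\[open\]' -e '\[closed\]'
}

# verdict LABEL < trace : one-line summary for a trace.
verdict() {
  trace=$(cat)
  if printf '%s\n' "$trace" | destination_reached; then
    printf '%s: destination reached\n' "$1"
  else
    printf '%s: no reply past hop %s\n' "$1" \
      "$(printf '%s\n' "$trace" | last_responding_hop)"
  fi
}

printf '%s\n' "$TRACE_80" | verdict "port 80"
printf '%s\n' "$TRACE_22" | verdict "port 22"
```

The point of running both traces is the caveat from the question: a run of `* * *` on its own proves nothing, because the same routers are silent on the port-22 trace too. What does localise the filter is that port 22 gets a `[open]` from the destination past those silent hops while port 80 never does, so the drop is somewhere after hop 4 and before the server.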

I have lots of problems with that firewall. Having my server in the US doesn't help. If you need tools to test a site hosted outside China as if you were in China, you can try this page:
http://www.websitepulse.com/help/tools.php
Good luck.

Related

Active directory physical setup

There have been many articles on various forums on how to set up Microsoft Active Directory Domain Services. I am a bit new to the field, so please bear with my ignorance. I have a very basic query whose answer I am not able to find. I have an office of 20 people where I would like to deploy AD Domain Services to have better control. I want to know how I should set up my network PHYSICALLY. I have a router supplied by my internet provider. Where exactly should I put my server? Can I plug my server anywhere in the network and connect the users through the domain, or should the main internet wire plug into the server first and the users in turn be connected to the server? I hope I am clear. Should internet 'flow' from the server which has AD to the users, or can I put the server anywhere in the topology?
In a small network like yours, one server should be enough. It should be somewhere behind the router. Plugging it into the switch is fine, as it will have an internal address.
You will need DNS on your server, which will be installed when you promote it to a DC. All of your computers need to look at your server for DNS. Your server's DNS should have a forwarder to your ISP's DNS or to a public DNS. It doesn't matter whether your server or your router does DHCP, so long as it gives out the server's internal IP for DNS.
What I would do:
I would plug your ISP into the router, your router into your switch, and all computers + the server into the switch.
You can place your server anywhere in the topology. It is not necessary for all user traffic to the internet to be routed through the server.
With small-scale deployments (fewer than 25 users) I typically just put the server on the same switch and subnet as the users.

Network problems connecting multiple clients from the same public IP to my Google Compute Engine instance

We are using a CentOS 7 Google Cloud instance as a web server, and I'm experiencing connectivity problems when multiple clients from my company try to connect to the web server at the same time.
We are surfing the site OK, then suddenly can't connect for a while (perhaps some 10 or 20 seconds), and then we can connect again.
At the same moment, I can browse it perfectly from other public IPs in the same subnet and company, from cellphones on 4G, etc.
It seems that some DDoS filter, WAF protection or IPS signature is doing something.
The server only has Apache and nothing else.
Is my diagnosis on the right track? How can I fix this behaviour?
It would be worth checking any firewall and load balancer in front of your application server. As you say that you are able to access the website from the same subnet when it is inaccessible, can you perform a port scan to review the HTTP service and latency with nmap, nmap -p 80 [public IP address], from an external network?
It is worth performing VM instance health checks (CPU load, network I/O performance, etc.) during the time the website becomes inaccessible. There is a chance that some resources become unavailable during high load.
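One server-side check that complements the health checks above: since every client in the office shares one public address, the server (or anything rate-limiting per source IP in front of it) sees all of them as a single very busy client. The script below is an added example, not part of the answer: it counts requests per client IP in fixed time windows from an Apache combined-format access log, so the office NAT address's request rate can be lined up against the times the site went dark. The log lines are constructed samples with RFC 5737 placeholder addresses.

```shell
#!/bin/sh
# Added example: requests per client IP per time window from an Apache
# combined-format access log. The lines below are CONSTRUCTED samples;
# 198.51.100.7 stands for the office NAT address, 203.0.113.44 for a
# single external user.
set -eu

ACCESS_LOG='198.51.100.7 - - [10/Oct/2017:13:55:30 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2017:13:55:31 +0000] "GET /css/site.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2017:13:55:31 +0000] "GET /js/app.js HTTP/1.1" 200 20144 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2017:13:55:33 +0000] "GET /img/logo.png HTTP/1.1" 200 3390 "-" "Mozilla/5.0"
203.0.113.44 - - [10/Oct/2017:13:55:34 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2017:13:55:41 +0000] "GET /about HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.44 - - [10/Oct/2017:13:55:45 +0000] "GET /about HTTP/1.1" 200 4410 "-" "Mozilla/5.0"'

# requests_per_window WINDOW_SECONDS < log
# Prints "ip window_start(HH:MM:SS) count", busiest window first.
# Field 4 of a combined-format line is "[dd/Mon/yyyy:HH:MM:SS"; the window is
# computed from the time of day, so it assumes a single-day log.
requests_per_window() {
  awk -v w="$1" '
    {
      split($4, t, ":")
      secs = t[2]*3600 + t[3]*60 + t[4]
      bucket = int(secs / w) * w
      count[$1 " " bucket]++
    }
    END {
      for (k in count) {
        split(k, p, " ")
        printf "%s %02d:%02d:%02d %d\n", p[1], p[2]/3600, (p[2]%3600)/60, p[2]%60, count[k]
      }
    }' | sort -k3,3nr
}

# peak_rate IP WINDOW_SECONDS < log : highest request count IP reached in
# any single window (0-length output if the IP never appears).
peak_rate() {
  requests_per_window "$2" | awk -v ip="$1" '$1 == ip { print $3; exit }'
}

printf '%s\n' "$ACCESS_LOG" | requests_per_window 10
```

If the NAT address's peak is far above every other client's and the outages start right after those peaks, a per-source-IP limiter (in a firewall, a WAF, or an Apache module) is the first thing to look for; if the rate is unremarkable, the resource-exhaustion theory in the answer is the better lead. On the real server the input is `/var/log/httpd/access_log` rather than the embedded sample.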

How do I make a Windows VM send network traffic to a REMnux VM in VMware Player?

I am doing malware analysis of a PDF file in a Windows VM. This malicious PDF file is going to connect to the internet, and I don't want it to. But I want to see the network activity it is going to do.
I watched in a video that I can connect the Windows VM to some other VM like REMnux and inspect the packets being sent with Wireshark.
If somebody wants to watch the video I am talking about, here is the link: https://www.youtube.com/watch?v=kNlRDNt7Zp0
She talks about the REMnux part between 15:00 and 16:00 min. I don't understand how she did that.
Can somebody please explain to me how those steps are done? I have been searching the net all day, but I can't find anything. I am really a beginner in all that networking stuff, so any topics I did find were just jargon to me.
Thank you for your help.
I am using VMware Player version 7.
Edit: I did do a lot of research on this topic, but whatever is available on Google is far too much for me to understand. Please don't think that I didn't try anything myself.
Malware is likely to generate a DNS request to resolve the IP of the C&C server. Therefore you can set the DNS in the victim (Windows) machine to the IP address of the REMnux machine, and you will get the DNS request generated by the malware. You can then configure REMnux to direct the malware to the same REMnux machine to monitor the traffic generated by the malware when it tries to connect to the C&C server after DNS resolution.
You may have to write a custom server for responding to the malware's requests. Modern malware uses an RSA challenge, which will almost render initiating communication impossible.
See the SANS tutorial for further details.
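Once the Windows VM's DNS points at REMnux and REMnux answers every name with its own address, the thing to verify is that the sample really did stay inside the lab. The script below is an added example, not part of the answer: it reads a capture in the shape of `tcpdump -n` text taken on the REMnux side and reports which names the sample resolved and whether any TCP connection went somewhere other than the REMnux sinkhole. That second check matters because DNS redirection only catches connections that start with a lookup; a sample with a hard-coded IP skips DNS entirely, and only the host-only (internet-less) virtual network stops it from reaching out. The capture text is constructed; the lab addresses (victim 192.168.56.20, REMnux 192.168.56.10) are assumed.

```shell
#!/bin/sh
# Added example: check a REMnux-side packet capture from the isolated lab.
# CAPTURE is CONSTRUCTED text in the shape of "tcpdump -n" output; the
# host-only addresses are assumed, and 203.0.113.9 is an RFC 5737 placeholder
# standing in for a hard-coded external C&C address.
set -eu

SINKHOLE=192.168.56.10   # assumed REMnux address that fake DNS answers with

CAPTURE='12:00:01.000100 IP 192.168.56.20.52000 > 192.168.56.10.53: 4321+ A? update-check.example. (38)
12:00:01.000900 IP 192.168.56.10.53 > 192.168.56.20.52000: 4321 1/0/0 A 192.168.56.10 (54)
12:00:01.002000 IP 192.168.56.20.52001 > 192.168.56.10.80: Flags [S], seq 1000, win 64240, length 0
12:00:01.002300 IP 192.168.56.10.80 > 192.168.56.20.52001: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:03.500000 IP 192.168.56.20.52002 > 192.168.56.10.53: 4322+ A? cdn.example.net. (33)
12:00:03.500800 IP 192.168.56.10.53 > 192.168.56.20.52002: 4322 1/0/0 A 192.168.56.10 (49)
12:00:05.000000 IP 192.168.56.20.52003 > 203.0.113.9.443: Flags [S], seq 3000, win 64240, length 0'

# queried_names < capture : unique names the victim asked to resolve
# (the name is the field before the trailing "(len)" on "A?" query lines).
queried_names() {
  awk '/ A\? / { n = $(NF-1); sub(/\.$/, "", n); print n }' | sort -u
}

# escaped_connections SINKHOLE_IP < capture : SYNs whose destination is not
# the sinkhole, i.e. connections that bypassed the DNS redirection. Only pure
# SYNs ("Flags [S],") count; the sinkhole's SYN-ACKs ("[S.]") are ignored.
escaped_connections() {
  awk -v sink="$1" '
    /Flags \[S\],/ {
      dst = $5; sub(/:$/, "", dst)        # "203.0.113.9.443:" -> ip.port
      n = split(dst, p, ".")
      ip = p[1] "." p[2] "." p[3] "." p[4]
      if (ip != sink) print ip ":" p[n]
    }' | sort -u
}

echo "Names resolved by the sample:"
printf '%s\n' "$CAPTURE" | queried_names | sed 's/^/  /'
echo "Connections that did not go to the sinkhole:"
printf '%s\n' "$CAPTURE" | escaped_connections "$SINKHOLE" | sed 's/^/  /'
```

On REMnux the text would come from `tcpdump -n -i <lab interface>` (or `tcpdump -n -r lab.pcap` on a saved capture); Wireshark shows the same packets if you prefer a GUI. An empty "did not go to the sinkhole" list is the result you want; the constructed capture deliberately contains one stray SYN to 203.0.113.9:443 to show what a leak looks like.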

DNS resolution with 2 upstream servers

My company is international and has a subsidiary in China, and is using Google Apps for email, calendar, contacts, etc.
But unfortunately, as we know, the Chinese Great Firewall blocks Google (and many others like Facebook, Twitter, etc.).
We have a VPN link to the Singapore office, so I configured the local DHCP to hand out a DNS server in Singapore, so that we get the correct IPs of Google's servers. The traffic to Google then goes through Singapore and reaches Google successfully. (We use the Singapore DNS because sometimes the China GFW does DNS poisoning, so we can't trust the local China DNS provider.)
But we don't want to route all traffic to Singapore, so I also set up split routing rules:
All traffic destined for Chinese IP ranges goes directly through the local Internet connection.
All traffic destined for non-Chinese IPs goes through the VPN tunnel to Singapore.
This solution worked fine until recently, when I found out that the Singapore server resolves some Chinese websites (e.g. baidu.com, taobao.com, jd.com, etc.) to IPs located outside China (e.g. an IP in Hong Kong, an IP in the US, etc.). I guess it resolves to some mirror host, CDN host, etc. Therefore all the web browsing traffic goes through Singapore.
This outside IP still works, but the speed is quite slow compared to accessing these websites through the local DNS/Internet link (this makes sense, since the route is much longer compared to a local destination IP).
So my question is: is there a good practice for solving this issue?
My idea is to do selective DNS resolution on my local DNS server:
Set up the local DNS server to resolve all DNS requests through the local DNS provider, except:
Add a DNS entry list (e.g. *.google.com, *.facebook.com) on the local server, and set up a secondary DNS provider in Singapore.
Whenever a client tries to resolve *.google.com, the local DNS server will notice and pass the request to the Singapore DNS provider, thereby bypassing the China GFW DNS poisoning and getting the correct destination IP.
Could anyone recommend how to do it? Or recommend a better solution?
Thanks in advance!
I think what you want to do is "conditional forwarding", which I've seen in Simple DNS... http://www.simpledns.com/help/v50/index.html?df_forward.htm
Apparently, this is also available in the Windows DNS service... https://technet.microsoft.com/en-us/library/cc794735(v=ws.10).aspx
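The same conditional forwarding is available on Linux with dnsmasq, whose `server=/domain/IP` directive sends a domain and all of its subdomains to a specific upstream while everything else goes to the default upstream. The script below is an added example, not part of the answer and not tied to Simple DNS or Windows DNS: it renders a dnsmasq configuration from a domain list and includes a small resolver-choice check so the routing of a name can be confirmed before the config is deployed. The resolver addresses and the domain list are assumed placeholders; in the questioner's setup the default upstream is the local Chinese provider and the conditional forwarder is the resolver reached over the Singapore VPN.

```shell
#!/bin/sh
# Added example: conditional forwarding with dnsmasq. LOCAL_UPSTREAM and
# SG_UPSTREAM are ASSUMED placeholder resolver addresses; the domain list is
# illustrative (googleapis.com and gstatic.com are included because Google
# Apps pages load from them, not only from google.com).
set -eu

LOCAL_UPSTREAM=198.51.100.53   # assumed: the local ISP's resolver
SG_UPSTREAM=10.20.0.53         # assumed: resolver reached over the VPN

# render_dnsmasq_conf LOCAL_IP SG_IP DOMAIN... : print a dnsmasq.conf on stdout.
# "server=/example.com/IP" already covers every subdomain of example.com, so
# a leading "*." in a list entry is dropped.
render_dnsmasq_conf() {
  local_ip="$1"; sg_ip="$2"; shift 2
  echo "# ignore /etc/resolv.conf; everything not matched below goes to the local provider"
  echo "no-resolv"
  echo "server=$local_ip"
  echo "# names the local provider may poison are forwarded over the VPN"
  for d in "$@"; do
    d=${d#\*.}
    echo "server=/$d/$sg_ip"
  done
}

# forwarder_for NAME < dnsmasq.conf : prints the upstream dnsmasq would use
# for NAME, applying the same longest-suffix-wins rule dnsmasq applies.
forwarder_for() {
  awk -v name="$1" '
    /^server=[^\/]/ { def = substr($0, 8) }
    /^server=\// {
      split($0, f, "/")                      # f[2] = domain, f[3] = upstream
      sfx = "." f[2]
      if (name == f[2] ||
          substr(name, length(name) - length(sfx) + 1) == sfx) {
        if (length(f[2]) > length(best)) { best = f[2]; ip = f[3] }
      }
    }
    END { print (ip != "" ? ip : def) }'
}

render_dnsmasq_conf "$LOCAL_UPSTREAM" "$SG_UPSTREAM" \
  '*.google.com' '*.googleapis.com' '*.gstatic.com' '*.facebook.com' '*.twitter.com'

for n in www.google.com mail.google.com www.baidu.com; do
  printf '%-18s -> %s\n' "$n" "$(render_dnsmasq_conf "$LOCAL_UPSTREAM" "$SG_UPSTREAM" \
    '*.google.com' '*.googleapis.com' '*.gstatic.com' '*.facebook.com' '*.twitter.com' \
    | forwarder_for "$n")"
done
```

With the rendered file as `/etc/dnsmasq.conf` and DHCP handing out the dnsmasq host as the resolver, baidu.com is answered by the local provider (and therefore with a local address that the split route keeps on the local link), while anything under google.com is answered over the VPN. The caveat a practitioner should keep in mind is that only listed names are protected: a poisoned answer for a blocked domain that is missing from the list will be accepted from the local provider, so the list has to be maintained as new services are used. `dig @127.0.0.1 www.google.com +short` on the dnsmasq host is the quick way to confirm the live behaviour.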

How does TeamViewer find my computer even if my computer is behind a firewall and the firewall isn't configured?

Do you use TeamViewer? (Comic question, I know... who doesn't use it?)
Do you have any idea how TeamViewer makes a connection even if I am behind a router, a firewall, a switch and my local firewall?
I'm trying to imagine the connection between a remote machine and my computer. The remote machine is sending packets (with their headers (for instance, the destination IP) and message body) to me, but it only knows my ID number (which is given by my local TeamViewer application).
And these packets are reaching my computer even though there is a Juniper firewall (and also my Windows firewall).
What kind of message body is received by the computer? (Of course it is not like XML, text, HTML, Excel :)
Do you have any idea?
PS. Please share your knowledge as if you are explaining to a beginner-level user.
The software is communicating with a central server, and has made an outbound connection. When you start TeamViewer, it will try to make a direct connection, but if that fails in both directions (i.e. a firewall or NAT at both ends), then it will fall back to communicating through a server.
This is basically the same approach most online games use. Changes at one end are sent to a central server, and are then relayed back to the other connected computers.
