[HN Gopher] I may be the only evil (bit) user on the internet (2...
___________________________________________________________________
I may be the only evil (bit) user on the internet (2015)
Author : luu
Score : 208 points
Date : 2023-06-14 18:14 UTC (4 hours ago)
(HTM) web link (blog.benjojo.co.uk)
(TXT) w3m dump (blog.benjojo.co.uk)
| xwdv wrote:
| Are there any domains that only accept evil packets?
| lucb1e wrote:
| Or sites that add an easter egg, give you a discount, that sort
| of thing. Don't need to alienate everyone-but-this-guy to have
| a unique thing, in case anyone is feeling like hacking
| something together tonight :D
| datenyan wrote:
| brb setting up my personal site to redirect people with the
| evil bit set to a "jail" page, kinda like how all cheaters in
| Fall Guys are put into the same server by themselves [1]
|
| [1]
| https://twitter.com/FallGuysGame/status/1305486780851007489
| loeg wrote:
| Shout out to Matthew Dodd's commitment to the April Fools joke
| bit:
| https://svnweb.freebsd.org/base?view=revision&revision=11292...
|
| My man added a sockopt, ping(8) option, documented all these
| changes in the manual pages, and added some fun sysctls related
| to the functionality.
| dang wrote:
| Discussed at the time:
|
| _I may be the only evil bit user on the internet_ -
| https://news.ycombinator.com/item?id=10632856 - Nov 2015 (36
| comments)
|
| (Reposts are fine after a year or so and links to past threads
| are just to satisfy extra curious readers!)
| BlackLotus89 wrote:
| Edit: Yay
|
| 1) add the check IP on the site to NFQUEUE
|
|     iptables -A OUTPUT -p tcp -d 185.230.223.37 -j NFQUEUE --queue-num 1
|
| 2) write a little python script using [0] netfilterqueue and [1]
| scapy (needs root, since it binds the queue and rewrites packets)
|
|     from scapy.all import IP, TCP
|     from netfilterqueue import NetfilterQueue
|
|     # Callback function for handling packets in the NFQUEUE
|     def packet_callback(packet):
|         pkt = IP(packet.get_payload())
|         # Modify only outgoing TCP packets to the target ports
|         # (the site does 2 checks and the second uses a different port)
|         if pkt.haslayer(TCP) and pkt[TCP].dport in (3560, 3561):
|             # Set the reserved bit to 1
|             # 6 is DF and evil
|             # 2 is DF
|             # 4 is evil
|             pkt.flags |= 4
|             # Drop the stale checksums so scapy recomputes them on build
|             del pkt[IP].chksum
|             del pkt[TCP].chksum
|             pkt.show2()
|             pkt.show()
|             # Print a message indicating packet modification
|             print("Modified packet:", pkt.summary())
|             # Update the packet payload
|             packet.set_payload(bytes(pkt))
|         # Accept the (possibly modified) packet; unmatched packets
|         # must be accepted too or they stay stuck in the queue
|         packet.accept()
|
|     # Set up the NFQUEUE handler
|     nfqueue = NetfilterQueue()
|     nfqueue.bind(1, packet_callback)
|     try:
|         # Run the main loop
|         nfqueue.run()
|     except KeyboardInterrupt:
|         # Cleanup on keyboard interrupt
|         nfqueue.unbind()
|
| 3) analyze your packages with wireshark and find that your script
| works!
|
| 4) be sad because the response never arrives and your packages
| are treated as if they hadn't set the evil flag :(
|
| EDIT: YES! I didn't see that he does 2 checks and the second uses
| a different port. NOW I'M EVIL!
|
| [0] https://github.com/oremanj/python-netfilterqueue
|
| [1] https://scapy.readthedocs.io/
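As an added example (not from the thread or from the linked blog post), the header-level view of what the script above toggles: the evil bit is bit 15 of the IPv4 flags/fragment-offset word, so scapy's flags value 4 is 0x8000 on the wire, and any rewrite invalidates the header checksum, which is why the script deletes chksum. The parser also exposes the ECN codepoint, since the thread mentions firewalls dropping ECN-marked packets; the sample header is constructed, not a real capture.

```python
import struct

# IPv4 flags/fragment-offset word (header bytes 6-7, big-endian):
# bit 15 = reserved ("evil", RFC 3514), bit 14 = DF, bit 13 = MF.
EVIL_BIT, DF_BIT, MF_BIT = 0x8000, 0x4000, 0x2000


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header, checksum field zeroed."""
    hdr = header[:10] + b"\x00\x00" + header[12:]
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_flags(header: bytes) -> dict:
    """Decode evil/DF/MF, the 3-bit flags value as scapy shows it, ECN and checksum validity."""
    ihl = (header[0] & 0x0F) * 4
    frag_word = struct.unpack("!H", header[6:8])[0]
    stored = struct.unpack("!H", header[10:12])[0]
    return {
        "evil": bool(frag_word & EVIL_BIT),
        "df": bool(frag_word & DF_BIT),
        "mf": bool(frag_word & MF_BIT),
        "flags3": frag_word >> 13,        # scapy encoding: MF=1, DF=2, evil=4 (DF+evil=6)
        "ecn": header[1] & 0x03,          # ECN codepoint, low 2 bits of the TOS byte
        "checksum_ok": stored == ipv4_checksum(header[:ihl]),
    }


def set_evil(header: bytes, evil: bool = True) -> bytes:
    """Copy of the header with the reserved bit set/cleared and the checksum recomputed."""
    frag_word = struct.unpack("!H", header[6:8])[0]
    frag_word = frag_word | EVIL_BIT if evil else frag_word & ~EVIL_BIT
    hdr = bytearray(header)
    hdr[6:8] = struct.pack("!H", frag_word)
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


# Constructed sample (not a capture): minimal 20-byte header, TCP, DF set,
# 10.0.0.1 -> 10.0.0.2; set_evil(..., False) just fills in a valid checksum.
SAMPLE = set_evil(bytes([
    0x45, 0x00, 0x00, 0x28,    # version 4 / IHL 5, TOS 0, total length 40
    0x1C, 0x46, 0x40, 0x00,    # identification, flags = DF, fragment offset 0
    0x40, 0x06, 0x00, 0x00,    # TTL 64, protocol 6 (TCP), checksum placeholder
    10, 0, 0, 1, 10, 0, 0, 2,  # source, destination
]), evil=False)
```

A filter that treats the reserved bit as "malformed", as korethr suggests below, only needs the `evil` key; `checksum_ok` shows why flipping the bit without recomputing the checksum gets the packet dropped long before any evil-bit policy applies.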
| mindcrime wrote:
| Am I evil? Yes I am
|
| Am I evil? I am man, yes I am...
|
| https://www.youtube.com/watch?v=HMW0FtvU5iQ
| lucb1e wrote:
| This is the sort of thing that comes back to bite you. Websites
| that you think are down and ignore for now, annoyed but ok
| happens, only to later notice it was your own doing.
|
| I played this on myself by setting X-Forwarded-For: '" which
| would trigger an sql error if someone assumes an IP address is
| safe to insert without escaping or parameterization. Very few
| sites broke, but the first one that did I remember sold TLS
| certificates.
| greyface- wrote:
| I put a <script> tag that phoned home in my User-Agent header
| for shits and giggles when I was a reckless teenager, and went
| about my normal browsing. It broke a web forum's admin panel,
| and the owner of the site threatened to report me to the FBI.
| Nothing came of it, but I wonder if they would have had a case.
| NavyG wrote:
| Haha, reminds me of the one we made this year proposing adding a
| barter system as a payment method to our processor:
| https://github.com/juspay/hyperswitch/issues/825, fun times :P
| jefftk wrote:
| Did anyone ever figure out why some domains were dropping evil
| packets? Were they dropping all packets with reserved bits set,
| or just evil ones? Did they have some infra in common?
| korethr wrote:
| My guess is that since the packet is officially reserved and
| should not be set, a common firewall or other security
| appliance considers said packets to be malformed and drops them
| as a default behavior.
| gwern wrote:
| > So now we know that sites target this bit to block, but the
| real question is why? Is it that someone didn't see the date
| of the RFC, maybe sarcasm doesn't translate very well,
| possibly someone in the real world actually sent the evil bit
| when doing evil things, and cause some products to target it?
|
| The evil bit could be something of a self-fulfilling
| prophecy. Because no one uses it, that makes it a source of
| bugs/vulnerabilities; therefore, anyone setting it
| deliberately but not maliciously (such as for a joke) will
| want to turn it off; only those who want to exploit it
| maliciously will keep it turned on; hence, anything with an
| evil bit can be safely assumed to be, in fact, _evil_ , and
| it _should_ be filtered out automatically.
| wwalexander wrote:
| This is in line with the evil bit spec as per TFA:
|
| > Devices such as firewalls MUST drop all inbound packets
| that have the evil bit set.
| TZubiri wrote:
| He did specify that the listed servers only blocked on evil
| bits, implying they didn't block when other private bits were
| used
| jackbondpreston wrote:
| I don't see anything saying that in the blog post
| [deleted]
| Terr_ wrote:
| Perhaps they were running TempleOS? :P That seems like one
| stack where the odds of evil-bit packets being deliberately
| blocked seems very high to me.
| eindiran wrote:
| TempleOS has no networking support at all, so I suppose
| one interpretation is that it drops all packets with the
| evil bit set.
| robinduckett wrote:
| The Cardiff University Network Team are funny guys
| BLKNSLVR wrote:
| Really?
|
| Because I heard they were just a bunch of
| LordDragonfang wrote:
| There's a sort of beautiful irony in the fact that
| freedesktop.org is one of the few domains that properly
| implements the spec.
| blunaxela wrote:
| Here's a Linux loadable kernel module to make all outgoing
| packets "evil". (That I hope still works... haven't tested it in
| a while.)
|
| https://github.com/alwilson/evil
| js2 wrote:
| Maybe 20 years ago now, I wrote a simple email-to-sms script that
| I ran from procmail. To send the email out as SMS, it connected
| to a Verizon web site.
|
| I wrote and tested the script under OS X and it worked fine. I
| then moved it to my Linux server on the same network and it
| couldn't connect to Verizon's web site.
|
| After using tcpdump to figure out what the difference was, I
| noticed that Linux was setting the ECN bit. Verizon had a
| firewall in front of their site that was apparently dropping
| packets with the ECN bit set. ECN was only a couple years old at
| that point. I think I figured out that it was due to an out-of-
| date Cisco PIX firewall on the Verizon end, but I'm not sure how
| I would have figured that out.
|
| The solution was to disable ECN on the Linux box.
|
| https://en.wikipedia.org/wiki/Explicit_Congestion_Notificati...
| bearbin wrote:
| Somewhat of a meta question for @luu - how did you come across
| this post today before you resubmitted to HN?
|
| I ask as I ended up searching for this article earlier today and
| thought about resubmitting (but ended up not doing so). It just
| seems a strange coincidence, unless there's something we both saw
| that made us think 'evil bit'!
| doctor_radium wrote:
| I was vaguely aware of this practice, but not the "evil bit" gag.
| The funniest thing I'll encounter today!
___________________________________________________________________
(page generated 2023-06-14 23:00 UTC)