[HN Gopher] I may be the only evil (bit) user on the internet (2... ___________________________________________________________________ I may be the only evil (bit) user on the internet (2015) Author : luu Score : 208 points Date : 2023-06-14 18:14 UTC (4 hours ago) (HTM) web link (blog.benjojo.co.uk) (TXT) w3m dump (blog.benjojo.co.uk) | xwdv wrote: | Are there any domains that only accept evil packets? | lucb1e wrote: | Or sites that add an easter egg, give you a discount, that sort | of thing. Don't need to alienate everyone-but-this-guy to have | a unique thing, in case anyone is feeling like hacking | something together tonight :D | datenyan wrote: | brb setting up my personal site to redirect people with the | evil bit set to a "jail" page, kinda like how all cheaters in | Fall Guys are put into the same server by themselves [1] | | [1] | https://twitter.com/FallGuysGame/status/1305486780851007489 | loeg wrote: | Shout out to Matthew Dodd's commitment to the April Fools joke | bit: | https://svnweb.freebsd.org/base?view=revision&revision=11292... | | My man added a sockopt, ping(8) option, documented all these | changes in the manual pages, and added some fun sysctls related | to the functionality. | dang wrote: | Discussed at the time: | | _I may be the only evil bit user on the internet_ - | https://news.ycombinator.com/item?id=10632856 - Nov 2015 (36 | comments) | | (Reposts are fine after a year or so and links to past threads | are just to satisfy extra curious readers!) | BlackLotus89 wrote: | Edit: Yay | | 1) add the check IP on the site to NFQUEUE | iptables -A OUTPUT -p tcp -d 185.230.223.37 -j NFQUEUE --queue- | num 1 | | 2) write a little python script using [0] netfilterqueue and [1] | scapy from scapy.all import IP, TCP from | netfilterqueue import NetfilterQueue # Callback | function for handling packets in the NFQUEUE def | packet_callback(packet): pkt = | IP(packet.get_payload()) # Modify only outgoing TCP | packets to the target IP if pkt.haslayer(TCP) and | pkt[TCP].dport == 3560 and pkt[TCP].dport == 3561: | # Set the reserved bit to 1 # 6 ist DN und evil | # 2 ist DN # 4 is evil pkt.flags |= | 4 del pkt[IP].chksum del | pkt[TCP].chksum pkt.show2() | pkt.show() # Print a message | indicating packet modification print("Modified | packet:", pkt.summary()) # Update the | packet payload packet.set_payload(bytes(pkt)) | # Accept the modified packet packet.accept() | # Set up the NFQUEUE handler nfqueue = NetfilterQueue() | nfqueue.bind(1, packet_callback) try: # | Run the main loop nfqueue.run() except | KeyboardInterrupt: # Cleanup on keyboard interrupt | nfqueue.unbind() | | 3) analyze your packages with wireshark and find that your script | works! | | 4) be sad because the response never arrives and your packages | are treated as if they hadn't set the evil flag :( | | EDIT: YES! I didn't see that he does 2 checks and the second uses | a different port. NOW I'M EVIL! | | [0] https://github.com/oremanj/python-netfilterqueue | | [1] https://scapy.readthedocs.io/ | mindcrime wrote: | Am I evil? Yes I am | | Am I evil? I am man, yes I am... | | https://www.youtube.com/watch?v=HMW0FtvU5iQ | lucb1e wrote: | This is the sort of thing that comes back to bite you. Websites | that you think are down and ignore for now, annoyed but ok | happens, only to later notice it was your own doing. | | I played this on myself by setting X-Forwarded-For: '" which | would trigger an sql error if someone assumes an IP address is | safe to insert without escaping or parameterization. Very few | sites broke, but the first one that did I remember sold TLS | certificates. | greyface- wrote: | I put a <script> tag that phoned home in my User-Agent header | for shits and giggles when I was a reckless teenager, and went | about my normal browsing. It broke a web forum's admin panel, | and the owner of the site threatened to report me to the FBI. | Nothing came of it, but I wonder if they would have had a case. | NavyG wrote: | Haha reminds me of the one we made this year proposing adding | barter system as a payment method to our processor: | https://github.com/juspay/hyperswitch/issues/825, fun times :P | jefftk wrote: | Did anyone ever figure out why some domains were dropping evil | packets? Were they dropping all packets with reserved bits set, | or just evil ones? Did they have some infra in common? | korethr wrote: | My guess is that since the packet is officially reserved and | should not be set, a common firewall or other security | appliance considers said packets to be malformed and drops them | as a default behavior. | gwern wrote: | > So now we know that sites target this bit to block, but the | real question is why? Is it that someone didn't see the date | of the RFC, maybe sarcasm doesn't translate very well, | possibly someone in the real world actually sent the evil bit | when doing evil things, and cause some products to target it? | | The evil bit could be something of a self-fulfilling | prophecy. Because no one uses it, that makes it a source of | bugs/vulnerabilities; therefore, anyone setting it | deliberately but not maliciously (such as for a joke) will | want to turn it off; only those who want to exploit it | maliciously will keep it turned on; hence, anything with an | evil bit can be safely assumed to be, in fact, _evil_ , and | it _should_ be filtered out automatically. | wwalexander wrote: | This is in line with the evil bit spec as per TFA: | | > Devices such as firewalls MUST drop all inbound packets | that have the evil bit set. | TZubiri wrote: | He did specify that the listed servers only blocked on evil | bits, implying they didn't block when other private bits were | used | jackbondpreston wrote: | I don't see anything saying that in the blog post | [deleted] | Terr_ wrote: | Perhaps they were running TempleOS? :P That seems like one | stack where the odds of evil-bit packets being deliberately | blocked seems very high to me. | eindiran wrote: | TempleOS has no networking support at all, so I suppose | one interpretation is that it drops all packets with the | evil bit set. | robinduckett wrote: | The Cardiff University Network Team are funny guys | BLKNSLVR wrote: | Really? | | Because I heard they were just a bunch of | LordDragonfang wrote: | There's a sort of beautiful irony in the fact that | freedesktop.org is one of the few domains that properly | implements the spec. | blunaxela wrote: | Here's a Linux loadable kernel module to make all outgoing | packets "evil". (That I hope still works... haven't tested it in | a while.) | | https://github.com/alwilson/evil | js2 wrote: | Maybe 20 years ago now, I wrote a simple email-to-sms script that | I ran from procmail. To send the email out as SMS, it connected | to a Verizon web site. | | I wrote and tested the script under OS X and it worked fine. I | then moved it to my Linux server on the same network and it | couldn't connect to Verizon's web site. | | After using tcpdump to figure out what the difference was, I | noticed that Linux was setting the ECN bit. Verizon had a | firewall in front of their site that was apparently dropping | packets with the ECN bit set. ECN was only a couple years old at | that point. I think I figured out that it was due to an out-of- | date Cisco PIX firewall on the Verizon end, but I'm not sure how | I would have figured that out. | | The solution was to disable ECN on the Linux box. | | https://en.wikipedia.org/wiki/Explicit_Congestion_Notificati... | bearbin wrote: | Somewhat of a meta question for @luu - how did you come across | this post today before you resubmitted to HN? | | I ask as I ended up searching for this article earlier today and | thought about resubmitting (but ended up not doing so). It just | seems a strange coincidence, unless there's something we both saw | that made us think 'evil bit'! | doctor_radium wrote: | I was vaguely aware of this practice, but not the "evil bit" gag. | The funniest thing I'll encounter today! ___________________________________________________________________ (page generated 2023-06-14 23:00 UTC)