The traceroute hand is stealing your data (twitter.com/outoutxyz)
163 points by pjf 7 months ago | 32 comments



See also:

https://news.ycombinator.com/item?id=13122389

https://news.ycombinator.com/item?id=5192656

The second one doesn't seem to work anymore. There is probably a nontrivial cost to maintaining something like this.


Tetris:

    traceroute -I -q 1 -m 60 trh.milek7.pl
Append a wasd command to the subdomain, e.g. tracerouting wwddds.trh.milek7.pl rotates 2x, moves right 3x and drops the piece. After dropping, traceroute without commands to get another piece.


Wow, you made this? Amazing. How much does it cost to implement something like this? My guess is actually that it’s pretty easy with ipv6.


It's just a simple application running on a VPS with a /64 subnet assigned to it. It captures on an AF_PACKET socket, filters packets with a low HL and sends back ICMP responses. It also works as a DNS server for commands and reverse DNS lookups.


That is a very complicated magical spell that I'm not sure I could cast on my own, but it is amazing to see those pieces put together in that way. Thank you so much for sharing it.


IIRC you only need control of the one IP address, the rest is spoofed. The endpoint can report that TTL expired at any IP address it wants so it just invents extra hops between the real last hop and the endpoint.
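The two comments above describe the whole trick: one host owns the target prefix, watches for probes whose remaining hop limit is small, and answers ICMPv6 Time Exceeded from a source address chosen per hop, so every hop the prober tries "expires" at a different invented router, and the reverse DNS for those addresses carries the art. The block below is an added example of that reply logic, not the code of the bb0.nl hand or the milek7.pl Tetris. It assumes the 2a0e:fd45:2a0a:2::/64 prefix and the "::ca00 + remaining hop limit" address scheme (both inferred from the trace posted further down, where hop 13 answers from ::ca01 and hop 58 from ::ca2a), copies three art lines from that trace as a constructed PTR table, and leaves out the AF_PACKET capture loop and the DNS server itself; the probe it builds is constructed, and the command parsing for the Tetris subdomain is a guess at the "wasd" convention described above.

```python
"""Constructed example: the reply side of a "traceroute hand" (IPv6).

Not the code of the bb0.nl or milek7.pl services.  Assumed: the /64, the
0xca00 offset, and the art lines (taken from the trace posted in the thread).
The raw-socket capture/inject loop and the DNS server are omitted; only the
packet logic is shown.
"""
import ipaddress
import struct

PREFIX = ipaddress.IPv6Network("2a0e:fd45:2a0a:2::/64")  # assumed from the posted trace
HOP_BASE = 0xCA00   # assumed: a probe with N hops left is answered from ::ca00 + N
MAX_FAKE_HOPS = 0x7F  # answer only for small remaining hop limits (assumed cut-off)
ICMP6_TIME_EXCEEDED = 3
ICMP6_ECHO_REQUEST = 128
IPPROTO_ICMPV6 = 58

# Constructed reverse-DNS table, one art line per fake hop (first three from the trace).
ART = {
    1: "____________36936936936936936__________________",
    2: "____________36936936936936936__________________",
    3: "____________369369369369369369_________________",
}


def icmp6_checksum(src, dst, message):
    """RFC 4443 checksum: IPv6 pseudo-header (src, dst, length, next header) + message."""
    pseudo = src.packed + dst.packed + struct.pack("!IxxxB", len(message), IPPROTO_ICMPV6)
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv6(packet):
    """Return (src, dst, hop_limit, next_header, payload) from a raw IPv6 packet."""
    if len(packet) < 40:
        raise ValueError("short packet")
    ver_tc_fl, plen, nh, hl = struct.unpack("!IHBB", packet[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not IPv6")
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    return src, dst, hl, nh, packet[40:40 + plen]


def build_ipv6(src, dst, hl, nh, payload):
    """Minimal IPv6 header (no extension headers) in front of `payload`."""
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, hl) + src.packed + dst.packed + payload


def fake_hop_reply(packet):
    """Return a spoofed ICMPv6 Time Exceeded for `packet`, or None if it is not a probe.

    A real router only answers when the hop limit hits zero in transit.  The end
    host instead answers every probe that still has a small hop limit left and
    derives the source address from that value, so each TTL the prober sends
    appears to die at a different "router" inside the /64.
    """
    src, dst, hl, nh, payload = parse_ipv6(packet)
    if dst not in PREFIX or not 1 <= hl <= MAX_FAKE_HOPS:
        return None
    fake_src = ipaddress.IPv6Address(int(PREFIX.network_address) + HOP_BASE + hl)
    # Time Exceeded: type 3, code 0, checksum, 4 unused bytes, then as much of the
    # invoking packet as fits in the minimum IPv6 MTU (RFC 4443 section 3.3).
    quoted = packet[:1280 - 40 - 8]
    body = struct.pack("!BBHI", ICMP6_TIME_EXCEEDED, 0, 0, 0) + quoted
    csum = icmp6_checksum(fake_src, src, body)
    body = body[:2] + struct.pack("!H", csum) + body[4:]
    return build_ipv6(fake_src, src, 64, IPPROTO_ICMPV6, body)


def ptr_name(address):
    """Reverse-DNS answer for a fake hop address: the art line, or None."""
    address = ipaddress.IPv6Address(address)
    if address not in PREFIX:
        return None
    return ART.get(int(address) - int(PREFIX.network_address) - HOP_BASE)


def commands_from_qname(qname, zone="trh.milek7.pl"):
    """Assumed convention for the Tetris host: the label left of the zone is a wasd string."""
    qname = qname.rstrip(".")
    if not qname.endswith("." + zone):
        return []
    label = qname[: -len(zone) - 1].split(".")[-1]
    return [c for c in label if c in "wasd"]


def probe(hl):
    """Constructed traceroute probe: ICMPv6 echo request arriving with `hl` hops left."""
    echo = struct.pack("!BBHHH", ICMP6_ECHO_REQUEST, 0, 0, 0x1234, 1) + b"\x00" * 32
    src = ipaddress.IPv6Address("2001:db8::1")             # constructed prober address
    dst = ipaddress.IPv6Address("2a0e:fd45:2a0a:2::cafe")  # target from the posted trace
    return build_ipv6(src, dst, hl, IPPROTO_ICMPV6, echo)


if __name__ == "__main__":
    for hl in (1, 2, 3, 0x2A):
        reply_src = parse_ipv6(fake_hop_reply(probe(hl)))[0]
        print(hl, reply_src, ptr_name(reply_src))
```

Running the block prints one line per constructed probe, e.g. hop limit 1 answered from 2a0e:fd45:2a0a:2::ca01 with its art line, and hop limit 0x2a answered from ::ca2a with no name, which is exactly the pattern in the posted trace. In the real service the same functions would sit behind a capture loop that reads frames from an AF_PACKET socket and writes the reply back out; on Linux that also needs the /64 routed to the VPS so the probes arrive, and the spoofed source addresses must lie inside a prefix the upstream will accept, otherwise the replies are dropped by source-address filtering before they reach the prober.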


The first time I saw traceroute art was in ~1996 by Julian Assange (prof). He had set up his system so that when inbound traceroute is detected it would spoof additional hop responses to some official bureau (federal police or similar) in pure jest.


Why does this work with traceroute but not with tracepath?


https://birdsite.xanny.family/outoutxyz/status/1404411770534...

    $ traceroute -6 -m 50 hand.bb0.nl
    traceroute to hand.bb0.nl (2a0e:fd45:2a0a:2::cafe), 50 hops max, 80 byte packets
    ...
     7  MYLOC-MANAG.ear3.Amsterdam1.Level3.net (2001:1900:5:2:2:0:8:780a)  253.218 ms  251.177 ms  251.017 ms
     8  2a00:a7c0:e20a:20::1 (2a00:a7c0:e20a:20::1)  250.961 ms  250.912 ms  250.870 ms
     9  2a0e:fd40:1337:1::2 (2a0e:fd40:1337:1::2)  250.759 ms  250.615 ms  250.390 ms
    10  speed-ix.bakker-it.eu (2001:7f8:b7::a504:4103:1)  260.648 ms  260.656 ms  256.790 ms
    11  core.dro.bb.enpls.org (2a0e:fd40:1:114::1)  243.415 ms  243.390 ms  242.867 ms
    12  e19-vlan1-up6.vm2.dro.bb0.nl (2a0e:fd45:2a0a:b::a)  266.776 ms  291.814 ms  291.755 ms
    13  ____________36936936936936936__________________ (2a0e:fd45:2a0a:2::ca01)  291.833 ms  291.741 ms  291.643 ms
    14  ____________36936936936936936__________________ (2a0e:fd45:2a0a:2::ca02)  266.123 ms  256.651 ms  249.852 ms
    15  ____________369369369369369369_________________ (2a0e:fd45:2a0a:2::ca03)  261.516 ms  261.339 ms  258.174 ms
    16  ___________36936936936936933693________________ (2a0e:fd45:2a0a:2::ca04)  241.054 ms  243.898 ms  243.724 ms
    17  __________3693693693693693693693_______________ (2a0e:fd45:2a0a:2::ca05)  269.403 ms  254.471 ms  261.275 ms
    18  _________369369369369369369369369______________ (2a0e:fd45:2a0a:2::ca06)  244.441 ms  244.373 ms  244.325 ms
    19  _________3693693693693693693693699_____________ (2a0e:fd45:2a0a:2::ca07)  263.220 ms  251.262 ms  251.193 ms
    20  ________3693693693693693693693699369___________ (2a0e:fd45:2a0a:2::ca08)  283.519 ms  273.903 ms  262.867 ms
    21  _______36936939693693693693693693693693________ (2a0e:fd45:2a0a:2::ca09)  262.790 ms  258.498 ms  258.254 ms
    22  _____3693693693693693693693693693693636936_____ (2a0e:fd45:2a0a:2::ca0a)  260.935 ms  260.744 ms  261.780 ms
    23  ___36936936936936936936936936936___369369369___ (2a0e:fd45:2a0a:2::ca0b)  254.720 ms  257.055 ms  249.360 ms
    24  __36936___369336936369369369369________36936___ (2a0e:fd45:2a0a:2::ca0c)  249.210 ms  244.177 ms  244.089 ms
    25  _36936___36936_369369336936936_________________ (2a0e:fd45:2a0a:2::ca0d)  238.127 ms  238.067 ms  238.331 ms
    26  36933___36936__36936___3693636_________________ (2a0e:fd45:2a0a:2::ca0e)  259.337 ms  256.708 ms  256.546 ms
    27  693____36936__36936_____369363_________________ (2a0e:fd45:2a0a:2::ca0f)  245.896 ms  245.831 ms  247.166 ms
    28  ______36936__36936______369369_________________ (2a0e:fd45:2a0a:2::ca10)  252.041 ms  252.006 ms  250.902 ms
    29  _____36936___36936_______36936_________________ (2a0e:fd45:2a0a:2::ca11)  259.269 ms  259.277 ms  259.244 ms
    30  _____36936___36936________36936________________ (2a0e:fd45:2a0a:2::ca12)  255.846 ms  255.080 ms  254.934 ms
    31  _____36936___36936_________36936_______________ (2a0e:fd45:2a0a:2::ca13)  264.530 ms *  264.507 ms
    32  ______369____36936__________369________________ (2a0e:fd45:2a0a:2::ca14)  255.705 ms  283.080 ms  282.870 ms
    33  ______________369______________________________ (2a0e:fd45:2a0a:2::ca15)  257.068 ms  248.604 ms  255.563 ms
    34  _______________6_______________________________ (2a0e:fd45:2a0a:2::ca16)  255.445 ms  251.531 ms  250.614 ms
    35  _______________________________________________ (2a0e:fd45:2a0a:2::ca17)  249.952 ms  240.459 ms  240.802 ms
    36  ___00000000000000000000000000000000000000000___ (2a0e:fd45:2a0a:2::ca18)  243.548 ms  242.710 ms  242.676 ms
    37  ___0________the_traceroute_hand_is_________0___ (2a0e:fd45:2a0a:2::ca19)  260.059 ms  260.027 ms  253.016 ms
    38  ___0__________stealing_your_data___________0___ (2a0e:fd45:2a0a:2::ca1a)  252.847 ms  255.637 ms  258.055 ms
    39  ___0_______________________________________0___ (2a0e:fd45:2a0a:2::ca1b)  241.792 ms  241.658 ms  241.624 ms
    40  ___00000000000000000000000000000000000000000___ (2a0e:fd45:2a0a:2::ca1c)  237.356 ms  238.580 ms  238.545 ms
    41  _______________________________________________ (2a0e:fd45:2a0a:2::ca1d)  247.027 ms  247.011 ms  246.979 ms
    42  ______________________________________enpls.org (2a0e:fd45:2a0a:2::ca1e)  258.079 ms  254.880 ms  256.042 ms
    43  _______________________________________________ (2a0e:fd45:2a0a:2::ca1f)  256.001 ms  266.648 ms  257.876 ms
    44  _______________________________________________ (2a0e:fd45:2a0a:2::ca20)  239.803 ms  241.085 ms  241.019 ms
    45  _______________________________________________ (2a0e:fd45:2a0a:2::ca21)  278.180 ms  278.103 ms  278.055 ms
    46  * _______________________________________________ (2a0e:fd45:2a0a:2::ca22)  247.076 ms  247.464 ms
    47  ____________well_this_is_the_end.______________ (2a0e:fd45:2a0a:2::ca23)  247.424 ms *  244.341 ms
    48  _______you_can_stop_your_traceroute_here_______ (2a0e:fd45:2a0a:2::ca24)  248.702 ms  246.836 ms  248.054 ms
    49  * _______________________________________________ (2a0e:fd45:2a0a:2::ca25)  256.373 ms  255.375 ms
    50  _______________________________________________ (2a0e:fd45:2a0a:2::ca26)  245.333 ms  245.198 ms  245.186 ms
And, for those who aren't living in 01996, it works in mtr too.


There are a few more, about 30 more hops beyond that, but I'm not getting a clean enough scan to post it here.

It was still tracerouting at 255, bouncing around IPv6 addresses, but I didn't see any more past that. It was 13 hops for me to get to this stuff, so maybe someone closer can see if there's a grand finale.


I don't get any name resolutions after 81 through max TTL. Here is the printout to that point.

     1. _gateway
     2. 2604:5800:1:c::1
     3. 2604:5800:1:24::2
     4. 2001:438:fffe::31ed
     5. ae3.mpr1.kcy4.us.zip.zayo.com
     6. ae9.cs2.dfw2.us.zip.zayo.com
     7. ae24.er2.dfw2.us.zip.zayo.com
     8. 2001:438:ffff::407d:de6
     9. hundredgige0-3-0-0.ashtr2.ashburnva.opentransit.net
    10. 2001:688:0:2:1::127
    11. hundredgige0-1-0-19.partr1.paris.opentransit.net
    12. 2001:688:0:3:8::143
    13. vlan92.core02.par01.fr.virtua.systems
    14. vm.par.bb0.nl
    15. core.dro.bb.enpls.org
    16. e19-vlan1-up6.vm2.dro.bb0.nl
    17. ____________36936936936936936__________________
    18. ____________36936936936936936__________________
    19. ____________369369369369369369_________________
    20. ___________36936936936936933693________________
    21. __________3693693693693693693693_______________
    22. _________369369369369369369369369______________
    23. _________3693693693693693693693699_____________
    24. ________3693693693693693693693699369___________
    25. _______36936939693693693693693693693693________
    26. _____3693693693693693693693693693693636936_____
    27. ___36936936936936936936936936936___369369369___
    28. __36936___369336936369369369369________36936___
    29. _36936___36936_369369336936936_________________
    30. 36933___36936__36936___3693636_________________
    31. 693____36936__36936_____369363_________________
    32. ______36936__36936______369369_________________
    33. _____36936___36936_______36936_________________
    34. _____36936___36936________36936________________
    35. _____36936___36936_________36936_______________
    36. ______369____36936__________369________________
    37. ______________369______________________________
    38. _______________6_______________________________
    39. _______________________________________________
    40. ___00000000000000000000000000000000000000000___
    41. ___0________the_traceroute_hand_is_________0___
    42. ___0__________stealing_your_data___________0___
    43. ___0_______________________________________0___
    44. ___00000000000000000000000000000000000000000___
    45. _______________________________________________
    46. ______________________________________enpls.org
    47. _______________________________________________
    48. _______________________________________________
    49. _______________________________________________
    50. _______________________________________________
    51. ____________well_this_is_the_end.______________
    52. _______you_can_stop_your_traceroute_here_______
    53. _______________________________________________
    54. _______________________________________________
    55. _______________________________________________
    56. _______________________________________________
    57. _______________________________________________
    58. 2a0e:fd45:2a0a:2::ca2a
    59. 2a0e:fd45:2a0a:2::ca2b
    60. 2a0e:fd45:2a0a:2::ca2c
    61. 2a0e:fd45:2a0a:2::ca2d
    62. 2a0e:fd45:2a0a:2::ca2e
    63. 2a0e:fd45:2a0a:2::ca2f
    64. ____wtf_are_you_still_doing_here_______________
    65. _______________________________________________
    66. _______________________________________________
    67. _______________________________________________
    68. ____________________________mmmmmmmmh__________
    69. _______________________________________________
    70. _______________________________________________
    71. _______________________________________________
    72. _____i_will_stop_writing_this_reverse__________
    73. _______________________________________________
    74. 2a0e:fd45:2a0a:2::ca3a
    75. 2a0e:fd45:2a0a:2::ca3b
    76. 2a0e:fd45:2a0a:2::ca3c
    77. 2a0e:fd45:2a0a:2::ca3d
    78. 2a0e:fd45:2a0a:2::ca3e
    79. 2a0e:fd45:2a0a:2::ca3f
    80. _______________________________________________
    81. ________________________42_____________________


I’ve done too much JavaScript and started trying to work out what 1996 was in octal.


Syntax error, since octal digits are only [0-7].


Command to run it on macOS:

    traceroute6 -m 40 hand.bb0.nl


Can't steal my data if our ISP is still too incompetent to provide IPv6!

sigh


Don't you see? It's not incompetence, it's a security measure!


Ugh, I am still salty that we let NAT steal the federated internet from us. It just happened to double as the laziest possible way to throw up something that resembles a security perimeter and now that assumption is baked so deeply into multiple industries (social networks, consumer electronics, even the networking and security industries themselves) that it will take decades to back it out, if we ever do.


Airgapped ipv6!


This post has reminded me to re-enable it in my router. I can't even remember what it was now (I think ruby bundle, or something?), but something simply would not work with it enabled, with extremely opaque errors.

Hopefully that's either been fixed or I don't use whatever it was anymore.


My ISP (hinet) here made IPv6 work in an absolutely shitty way for some reason. It makes sites get 2x to 3x latency randomly, and it also uses some absolutely insane routing that makes sites barely usable (or even unusable). I sometimes enable IPv6 in my router to see whether the situation has improved, but it never has (as of the last time I checked, last year).


It can't steal your data anyway, unless I'm missing something.


what is this?


A shitpost showing an IPv6 route that produces ascii art when traced.


I would classify it under "art" rather than "shitpost", but yeah.


I said art! And fwiw, shitposting itself is considered an art, to some.


Of course it is! The equivalence between art and comedy is the importance of context to its meaning and value


What does it have to do with stealing of data?


That part appears to be a joke in the vein of the old cat memes[1] like "i'm in ur browser, stealin ur cookies"

[1] https://i.redd.it/v5cingisv6p01.jpg


Looks like someone set up a network where each hop deeper into the network has a name set up to display a line of ascii art.


It's going to get old quick is what it is.


Just increase the TTL.


What is missing is the long arm (of the law).

- End of dry sardonic quip (or equivalent of a dead-cat-bounce).



