昨日(2021年2月27日)起便不断有网友反映访问 gtihub.com 出错,错误提示 Connection reset by peer 。
根据开源网络监测项目OONI的监测结果,GFW监测项目Blocky的监测结果,自2021年2月27日 github.com 在中国大陆的访问出现故障。
程序员论坛v2ex上亦有相关的讨论贴:Github 无法访问了吗? - V2EX ,
OONI监测结果
Blocky监测结果
经测试,我们发现 github.com 部分IP在中国大陆的HTTP/HTTPS访问受到了阻断。
DNS解析
$ dig -4 github.com +trace ; <<>> DiG 9.16.12 <<>> -4 github.com +trace ;; global options: +cmd . 381180 IN NS g.root-servers.net. . 381180 IN NS f.root-servers.net. . 381180 IN NS j.root-servers.net. . 381180 IN NS c.root-servers.net. . 381180 IN NS b.root-servers.net. . 381180 IN NS e.root-servers.net. . 381180 IN NS a.root-servers.net. . 381180 IN NS l.root-servers.net. . 381180 IN NS d.root-servers.net. . 381180 IN NS i.root-servers.net. . 381180 IN NS h.root-servers.net. . 381180 IN NS k.root-servers.net. . 381180 IN NS m.root-servers.net. . 381182 IN RRSIG NS 8 0 518400 20210311050000 20210226040000 42351 . TVN+sfXywhhzHXs+SRxjfOkngi3zxV5oaGOMyDGeeCCCZBlVXx8fgY+B lIkVxu6M912KZsQ6k3wxOjpxRQc41g8LQfu+5c0nwakn4PZgUmIAWz35 +/c7h9Gs3P5sb15QoRX1PxvcwWkEncf26irY0cljqeKl1x0SDool3L3V mF7ldqtwzRk3CAsfz4aNC27GuWL3naibX2Y+2530zGm4PSvjHqpnDh5l AnryFJLQ/SrLIb7ZCy9A2vdQ6XVbTifjcgcMOpz7xr7CfsHVqsDXi0n3 oSswnUSNDdxys6pyL7GVgScRiNxKTA5RunWDC/2Lmcieig10lKMjCxpT 8eWirQ== ;; Received 1137 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms com. 172800 IN NS l.gtld-servers.net. com. 172800 IN NS b.gtld-servers.net. com. 172800 IN NS c.gtld-servers.net. com. 172800 IN NS d.gtld-servers.net. com. 172800 IN NS e.gtld-servers.net. com. 172800 IN NS f.gtld-servers.net. com. 172800 IN NS g.gtld-servers.net. com. 172800 IN NS a.gtld-servers.net. com. 172800 IN NS h.gtld-servers.net. com. 172800 IN NS i.gtld-servers.net. com. 172800 IN NS j.gtld-servers.net. com. 172800 IN NS k.gtld-servers.net. com. 172800 IN NS m.gtld-servers.net. com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766 com. 86400 IN RRSIG DS 8 1 86400 20210312170000 20210227160000 42351 . nwUtecvYHYzJuLB7dY7S6V2MKqwCzo065LdzeDPLVumie+URZnPKyVRQ qro3Mz8IuIrE3RP94ph0Zo57YbKq1OyrbfBFQxKi6DSfXYhtT9nGPYaQ PF95cO7F+i0V/JHlsErD4xdqLGvfzQNSa70CBW5ymJlZsKzco6E33sjO z/blGsAW5v2VSRQE83vGE0vt1Ey2YOgkvpRDsWXkiLJjmcgh9Pm0Ityi hL7DvgUlW3KLGuLsG29ubqqqByy4QM6yOStyIuhVaUE1oPmeJRxDByhu N+4nD0rhBBPgT8JtECM743copOSwzndR6uSoTtto4hCPUSrn93lP29tq 3oNwzg== ;; Received 1170 bytes from 192.203.230.10#53(e.root-servers.net) in 233 ms github.com. 172800 IN NS ns-520.awsdns-01.net. github.com. 172800 IN NS ns-421.awsdns-52.com. github.com. 172800 IN NS ns-1707.awsdns-21.co.uk. github.com. 172800 IN NS ns-1283.awsdns-32.org. github.com. 172800 IN NS dns1.p08.nsone.net. github.com. 172800 IN NS dns2.p08.nsone.net. github.com. 172800 IN NS dns3.p08.nsone.net. github.com. 172800 IN NS dns4.p08.nsone.net. CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20210305054100 20210226043100 58540 com. KDtmd8qOjWqXn1QRmKcuLApb+1V14GNPoYJym3Myp6+fB7ZerqZi7NGP WBGZW2QJ7N6QVPih9xDOxjfzOefv6Uc0r8ipVR7sDy3ycFMwXBfCjW49 WZgHelXGUxhISPmV7/fQ8ZLZUi2a2voipDEme1GgJqnuxD33BlM9WmfJ 8WjtSPM7SKBsv7yeBwDrE3v6+YVo717AlogKGPHVvZFRJg== 4KB4DFS71LEP8G8P8VT4CCUSQNL4CNCS.com. 86400 IN NSEC3 1 1 0 - 4KB4PTQQ5CTA7POCTGM7RUFC8B1RKTEU NS DS RRSIG 4KB4DFS71LEP8G8P8VT4CCUSQNL4CNCS.com. 86400 IN RRSIG NSEC3 8 2 86400 20210306082256 20210227071256 58540 com. XvjLfvCGUAEYtZRAs/eaKoLGoQXz2UZ4E3aVarveyknKpCqy9OPJdVhs VK99XYSK0C2Cc8IotRv729CDagjVxaqPlCRSmRMjeCKljp6315C6bR5L FovXC8j+X7LDukwkoazIZpqBZi/7kgPYMIsO2iCrmG/1yBXR4tN5G++b H9nuunGQ0L/l59j50E5ZNU0rZRbD0Tn0Gpnd5CWcfpI4iQ== ;; Received 827 bytes from 192.54.112.30#53(h.gtld-servers.net) in 189 ms github.com. 60 IN A 13.229.188.59 ;; Received 55 bytes from 198.51.45.8#53(dns2.p08.nsone.net) in 79 ms
$ dig @example.com github.com ; <<>> DiG 9.16.12 <<>> @example.com github.com ; (2 servers found) ;; global options: +cmd ;; connection timed out; no servers could be reached
IPIP全局PING工具对 gtihub.com 的测试结果 (点击查看大图)
通过以上测试,同时参考 多个地点ping-站长工具 、PING查询-IPIP 等工具的测试结果,我们发现 github.com 并未遭到DNS注入攻击。
因此可以使用以下shell脚本,从权威DNS获取所有可用IP。
#!/bin/bash NSS=$(dig github.com ns +short) for (( i=1; i<=10; i=i+1 )) do for NS in $NSS do dig @$NS github.com +norecurse +short >> github.com-ips-raw.txt done sleep 1 done sort -u github.com-ips-raw.txt > github.com-ips.txt
最终获得以下三个IP:
在 https://tools.ipip.net/ping.php 页面运行如下js脚本,可获得一致的结果。
TCP连接
使用如下命令检测相应主机22、80、443端口开放情况。
结果如下:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-28 14:21 CST Nmap scan report for ec2-13-229-188-59.ap-southeast-1.compute.amazonaws.com (13.229.188.59) Host is up (0.16s latency). PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https Nmap scan report for ec2-13-250-177-223.ap-southeast-1.compute.amazonaws.com (13.250.177.223) Host is up (0.12s latency). PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https Nmap scan report for ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com (52.74.223.119) Host is up (0.10s latency). PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https Nmap done: 3 IP addresses (3 hosts up) scanned in 3.96 seconds
经测试,三个IP均可在22、80、443端口正常建立TCP连接。
应用层情况
SSH协议
使用如下脚本测试SSH协议情况。
结果如下:
ssh -T [email protected] Hi yingziwu! You've successfully authenticated, but GitHub does not provide shell access. ssh -T [email protected] Hi yingziwu! You've successfully authenticated, but GitHub does not provide shell access. ssh -T [email protected] Hi yingziwu! You've successfully authenticated, but GitHub does not provide shell access.
经测试,三个IP均可正常建立SSH连接。
HTTP/HTTPS协议
使用如下脚本测试HTTP/HTTPS协议情况。
#!/bin/bash IPS=$(cat github.com-ips.txt) for IP in $IPS do echo "curl -vIk --max-time 5 --connect-to ::$IP: http://github.com/" curl -vIk --max-time 5 --connect-to ::$IP: http://github.com/ echo echo "curl -vIk --max-time 5 --connect-to ::$IP: https://github.com/" curl -vIk --max-time 5 --connect-to ::$IP: https://github.com/ echo done
结果如下:
curl -vIk --max-time 5 --connect-to ::13.229.188.59: http://github.com/ * Connecting to hostname: 13.229.188.59 * Trying 13.229.188.59:80... * Connected to 13.229.188.59 (13.229.188.59) port 80 (#0) > HEAD / HTTP/1.1 > Host: github.com > User-Agent: curl/7.75.0 > Accept: */* > * Mark bundle as not supporting multiuse < HTTP/1.1 301 Moved Permanently HTTP/1.1 301 Moved Permanently < Content-Length: 0 Content-Length: 0 < Location: https://github.com/ Location: https://github.com/ < * Connection #0 to host 13.229.188.59 left intact curl -vIk --max-time 5 --connect-to ::13.229.188.59: https://github.com/ * Connecting to hostname: 13.229.188.59 * Trying 13.229.188.59:443... * Connected to 13.229.188.59 (13.229.188.59) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: none * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): * TLSv1.3 (IN), TLS handshake, Certificate (11): * TLSv1.3 (IN), TLS handshake, CERT verify (15): * TLSv1.3 (IN), TLS handshake, Finished (20): * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.3 (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 * ALPN, server accepted to use h2 * Server certificate: * subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com * start date: May 5 00:00:00 2020 GMT * expire date: May 10 12:00:00 2022 GMT * issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA * SSL certificate verify ok. * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * Using Stream ID: 1 (easy handle 0x55b542a86930) > HEAD / HTTP/2 > Host: github.com > user-agent: curl/7.75.0 > accept: */* > * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * old SSL session ID is stale, removing * Connection state changed (MAX_CONCURRENT_STREAMS == 100)! < HTTP/2 200 HTTP/2 200 < server: GitHub.com server: GitHub.com < date: Sun, 28 Feb 2021 06:52:40 GMT date: Sun, 28 Feb 2021 06:52:40 GMT < content-type: text/html; charset=utf-8 content-type: text/html; charset=utf-8 < vary: X-PJAX, Accept-Language, Accept-Encoding, Accept, X-Requested-With vary: X-PJAX, Accept-Language, Accept-Encoding, Accept, X-Requested-With < x-rails-requested-accept-language: en x-rails-requested-accept-language: en < content-language: en-US content-language: en-US < etag: W/"45c62d9ff55bf2907a32b32672bde8f4" etag: W/"45c62d9ff55bf2907a32b32672bde8f4" < cache-control: max-age=0, private, must-revalidate cache-control: max-age=0, private, must-revalidate < strict-transport-security: max-age=31536000; includeSubdomains; preload strict-transport-security: max-age=31536000; includeSubdomains; preload < x-frame-options: deny x-frame-options: deny < x-content-type-options: nosniff x-content-type-options: nosniff < x-xss-protection: 1; mode=block x-xss-protection: 1; mode=block < referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin < expect-ct: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors" expect-ct: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors" < content-security-policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com github.githubassets.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com user-images.githubusercontent.com/ *.githubusercontent.com customer-stories-feed.github.com spotlights-feed.github.com; manifest-src 'self'; media-src github.githubassets.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker-5029ae85.js gist.github.com/socket-worker-5029ae85.js content-security-policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com github.githubassets.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com user-images.githubusercontent.com/ *.githubusercontent.com customer-stories-feed.github.com spotlights-feed.github.com; manifest-src 'self'; media-src github.githubassets.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker-5029ae85.js gist.github.com/socket-worker-5029ae85.js < set-cookie: _gh_sess=xhc0GQv5yqaUMIyHg5gQdo0yk29IUMkhKTPD88K%2FWnqx%2Bcgzlri9mX5VevPDSbnPmmWrjc%2BmQ5c4N%2BlhvKmNS9DIKVuLL5b2nRSWOzPweWk9EEgjW6mX7HoZa3rbu4RcBqgNH5nBhHwNp15qGavmotzbE9sLvC3WDCgu3V%2FV0t9vgQYdjcvbnMH1zsiMHSfaupSHFR9DjTbYNirRSp6YGbeBXr1JdVnY1%2BFTRnGPZ79eQbnrJPexjIoSNdkbNLirwe85OuhGT99QRWePHbdd%2BQ%3D%3D--9YedbOmb6FEzQ0h6--j3Yd9TBxJbmjJGYk3l3FIA%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax set-cookie: _gh_sess=xhc0GQv5yqaUMIyHg5gQdo0yk29IUMkhKTPD88K%2FWnqx%2Bcgzlri9mX5VevPDSbnPmmWrjc%2BmQ5c4N%2BlhvKmNS9DIKVuLL5b2nRSWOzPweWk9EEgjW6mX7HoZa3rbu4RcBqgNH5nBhHwNp15qGavmotzbE9sLvC3WDCgu3V%2FV0t9vgQYdjcvbnMH1zsiMHSfaupSHFR9DjTbYNirRSp6YGbeBXr1JdVnY1%2BFTRnGPZ79eQbnrJPexjIoSNdkbNLirwe85OuhGT99QRWePHbdd%2BQ%3D%3D--9YedbOmb6FEzQ0h6--j3Yd9TBxJbmjJGYk3l3FIA%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax < set-cookie: _octo=GH1.1.1822258003.1614495166; Path=/; Domain=github.com; Expires=Mon, 28 Feb 2022 06:52:46 GMT; Secure; SameSite=Lax set-cookie: _octo=GH1.1.1822258003.1614495166; Path=/; Domain=github.com; Expires=Mon, 28 Feb 2022 06:52:46 GMT; Secure; SameSite=Lax < set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Mon, 28 Feb 2022 06:52:46 GMT; HttpOnly; Secure; SameSite=Lax set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Mon, 28 Feb 2022 06:52:46 GMT; HttpOnly; Secure; SameSite=Lax < accept-ranges: bytes accept-ranges: bytes < x-github-request-id: 361B:3CB4:1E3F:2045:603B3DBD x-github-request-id: 361B:3CB4:1E3F:2045:603B3DBD < * Connection #0 to host 13.229.188.59 left intact curl -vIk --max-time 5 --connect-to ::13.250.177.223: http://github.com/ * Connecting to hostname: 13.250.177.223 * Trying 13.250.177.223:80... * Connected to 13.250.177.223 (13.250.177.223) port 80 (#0) > HEAD / HTTP/1.1 > Host: github.com > User-Agent: curl/7.75.0 > Accept: */* > * Recv failure: Connection reset by peer * Closing connection 0 curl: (56) Recv failure: Connection reset by peer curl -vIk --max-time 5 --connect-to ::13.250.177.223: https://github.com/ * Connecting to hostname: 13.250.177.223 * Trying 13.250.177.223:443... * Connection timed out after 5000 milliseconds * Closing connection 0 curl: (28) Connection timed out after 5000 milliseconds curl -vIk --max-time 5 --connect-to ::52.74.223.119: http://github.com/ * Connecting to hostname: 52.74.223.119 * Trying 52.74.223.119:80... * Connected to 52.74.223.119 (52.74.223.119) port 80 (#0) > HEAD / HTTP/1.1 > Host: github.com > User-Agent: curl/7.75.0 > Accept: */* > * Recv failure: Connection reset by peer * Closing connection 0 curl: (56) Recv failure: Connection reset by peer curl -vIk --max-time 5 --connect-to ::52.74.223.119: https://github.com/ * Connecting to hostname: 52.74.223.119 * Trying 52.74.223.119:443... * Connected to 52.74.223.119 (52.74.223.119) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: none * TLSv1.3 (OUT), TLS handshake, Client hello (1): * OpenSSL SSL_connect: Connection reset by peer in connection to github.com:443 * Closing connection 0 curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to github.com:443
经测试,我们发现 github.com 三个IP中, 对于HTTP/HTTPS协议,只有 13.229.188.59 可用,而另两个IP 13.250.177.223、52.74.223.119 无法建立HTTP/HTTPS连接。
网站测速-站长工具 对 github.com 的测试结果也证实了这一点。 所有正常建立连接的测试点,github.com 解析IP均为 13.229.188.59 。
网站测速-站长工具对 gtihub.com 的测试结果 (点击查看大图)
抓包结果:
13.250.177.223:80
13.250.177.223:443
52.74.223.119:80
52.74.223.119:443
总结
经测试,我们发现 github.com 部分IP在中国大陆的HTTP/HTTPS访问受到了阻断。
github.com DNS解析:正常
IP |
TCP连接 |
SSH连接 |
HTTP连接 |
HTTPS连接 |
|---|---|---|---|---|
13.229.188.59 |
22、80、443端口均可建立TCP连接 |
正常 |
正常 |
正常 |
13.250.177.223 |
22、80、443端口均可建立TCP连接 |
正常 |
Connection reset by peer |
Connection reset by peer |
52.74.223.119 |
22、80、443端口均可建立TCP连接 |
正常 |
Connection reset by peer |
Connection reset by peer |
GitHub Status
参考 GitHub Status ,Github 当前并无服务故障,且中国大陆以外区域并无上述问题。 高度怀疑GFW屏蔽了 github.com 部分IP。