On Mon, Mar 14, 2022 at 6:07 AM Lukas Tribus <lukas@ltri.eu> wrote:

> Most likely TCP session kill based on the server response (certificate).
>
> It could also be a combination of multiple indicators. IP addresses,
> SNI, TTL, but here it seems more likely to be the first one.
>
> This could be proven: put a self-signed cert of www.facebook.com on a
> server and try to repeat the IP address based check.

This is indeed what I could see last week.
For instance, providing an SNI of Instagram.com (1 week ago) would get through, providing an SNI of foo.com would fail verification (expected), providing an empty value for SNI would also fail with client hello read timeout. When no SNI is provided, the default cert is for *.Facebook.com.

Asking for Facebook.com against a Cloudflare IP was also showing the read timeout.
Request to CF IP with empty SNI would successfully return a cert.

This suggests that either SNI filtering is done on return client hello so it can catch the default cert when no SNI is provided, or that there is a combination of dropping outgoing client hello with specific name + dropping empty SNI to specific ranges, or a combination of both.

The CF example makes me believe it is the second option.

I will send example probes when I get to a device with a keyboard.

Manu

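A probe of the kind the thread describes, written here as an added example (not Manu's or Lukas's code): it opens a TLS connection to an IP with a chosen SNI, or no SNI at all, reports whether the handshake completes, times out at the ClientHello, or is reset, and compares the returned certificate's DNS names against the SNI with a simple wildcard matcher. The IP, SNI values and timeout are assumptions supplied by the caller; `classify` and `name_matches` are helper names invented for this example.

```python
import socket
import ssl
import sys

def name_matches(hostname, pattern):
    """Match a hostname against a certificate DNS name; a leading '*.' covers exactly
    one label, so *.facebook.com matches www.facebook.com but not facebook.com."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pat.startswith("*."):
        hl, pl = host.split("."), pat.split(".")
        return len(hl) == len(pl) and hl[0] != "" and hl[1:] == pl[1:]
    return host == pat

def classify(sni, dns_names):
    """Label a completed handshake: with no SNI we saw the server's default cert."""
    if sni is None:
        return "default_cert"
    return "cert_matches" if any(name_matches(sni, n) for n in dns_names) else "cert_mismatch"

def probe_sni(ip, sni, port=443, timeout=5.0):
    """Connect to ip:port, send a ClientHello carrying `sni` (None = no SNI extension)
    and report what came back. Chain validation stays on; hostname checking is off
    so that absent or mismatching SNI values can be probed and compared ourselves."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    outcome = {"ip": ip, "sni": sni, "result": None, "names": []}
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                cert = tls.getpeercert()
    except socket.timeout:
        outcome["result"] = "timeout"        # ClientHello sent, no ServerHello before timeout
    except ConnectionResetError:
        outcome["result"] = "reset"          # RST arrived mid-handshake
    except ssl.SSLCertVerificationError:
        outcome["result"] = "chain_invalid"  # e.g. the self-signed cert Lukas proposes
    except OSError as exc:
        outcome["result"] = "error:" + exc.__class__.__name__
    else:
        outcome["names"] = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
        outcome["result"] = classify(sni, outcome["names"])
    return outcome

if __name__ == "__main__":
    # usage: probe_sni.py <ip> [sni ...]   where "-" means "send no SNI extension"
    for arg in sys.argv[2:] or ["-"]:
        print(probe_sni(sys.argv[1], None if arg == "-" else arg))
```

Running the same IP with several SNI values side by side (a matching name, a bogus name, and none) separates "timeout at ClientHello" from "certificate returned but mismatching", which is the distinction the observations above rely on.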

--
ripe-atlas mailing list
ripe-atlas@ripe.net
https://lists.ripe.net/mailman/listinfo/ripe-atlas