[HN Gopher] A New Future for Icanhazip
___________________________________________________________________
A New Future for Icanhazip
Author : nkcmr
Score : 375 points
Date : 2021-06-06 19:21 UTC (3 hours ago)
(HTM) web link (major.io)
(TXT) w3m dump (major.io)
| andrewmcwatters wrote:
| Reminds me of `echo $(dig @ns1.google.com o-o.myaddr.l.google.com
| TXT +short | tr -d \")`. I have no idea where this DNS query came
| from, because searching all of Google turns up nothing but
| https://github.com/GoogleCloudPlatform/cloud-self-test-kit/b...,
| which is never referenced by anyone. I had to track it down
| myself for a bootstrap.sh, but I don't like using undocumented
| sources for critical infrastructure.
|
| My use case was needing to set the result of `hostname -f` in
| /etc/hosts in an automated fashion if a VPS provider didn't
| already add a line for the public Internet address in that file.
| You need to do this so that sendmail doesn't fail on `apt
| install` when it attempts to read your FQDN. So I couldn't use
| the NGINX example posted elsewhere here.
|
| It seems like https://checkip.amazonaws.com/ is much more
| "reliable" in that it is publicly documented at
| https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/s....
|
| To anyone who needs to read this: please don't use "services"
| like icanhazip for your provisioning. Even my examples above are
| bad.
|
| It does strike me as weird that there is seemingly no POSIX-
| compliant way to get your public Internet address, from my
| readings.
| Ayesh wrote:
| I was using icanhazip to check if my Tor circuit was complete,
| and probably made 50-100 requests per week. The site was getting
| slow, and I thought it was just a random site that the author
| didn't really care too much about.
|
| I dropped my jaw when I read it was getting 30B req/day.
|
| Thank you for running this site for so long, and thank you for
| keeping it up for free, and deciding to not monetize it.
| tyingq wrote:
| I got a lot of mileage out of neverssl.com before somebody
| fixed the process to log into various "guest wifi"
| setups...ones that would intercept/redirect any http request.
|
| I'm somewhat curious what fixed things, as I've not had to use
| neverssl.com for some time.
| lolinder wrote:
| From what I can tell, most operating systems will now ping
| their own version of neverssl as you connect to a network to
| find out whether they need to show you a login prompt. It
| looks like they basically just check to see if they get the
| content they expect from a domain they own, and if not they
| serve you that page so you can see whatever it is your
| network injected. (You can usually see the OS domain in the
| address bar.)
| tyingq wrote:
| Ah, that's interesting. I remember it being very broken for
| a long time...especially for "normal" users that wouldn't
| understand why navigating to an https site wouldn't work in
| that captive wifi situation.
| toxik wrote:
| captive.apple.com is what Apple uses
| lolinder wrote:
| Thanks. I was reaching for an example but don't have a
| guest WiFi nearby to test.
| bombcar wrote:
| Apple has at least ten or more of these I've seen - on
| badly configured networks you sometimes see it in the
| address bar - because cached responses could destroy the
| utility.
| walrus01 wrote:
| Yes, google, apple and Microsoft all maintain their own
| httpd with tiny stub content on it which specifically is
| not tls.
| nerdponx wrote:
| I set up my own version of both neverssl and icanhazip, with
| nothing but Nginx on a cheap VPS. I already had the server up
| for other purposes, and I feel better knowing that I'm not
| mooching off of other people's effort (and money).
| OskarS wrote:
| I've seen packages that do "internet-detection" by calling out to
| icanhazip.com, and I just thought that was so irresponsible. What
| if your package got popular, how much money are you costing the
| hoster? For services like this, people just don't consider the
| fact that there's someone on the other side.
| Seirdy wrote:
| If you want, you can set up a similar service yourself by
| adding the following lines to an NGINX config:
| location = /ip { default_type text/plain;
| return 200 '$remote_addr'; }
|
| Requesting "yoursite.tld/ip" will then return your IP address.
| I set up something like this on all my servers and recommend
| that others do the same. It's easy to do the same for Apache
| and Caddy configs. That should help spread the load.
|
| I'm curious as to what other overused utilities can be
| trivially done with pure server configs.
| jacobmischka wrote:
| Is it easy to do the same for Apache? The best solution I
| found was some hacky way with an ErrorDocument directive
| which seems pretty gross.
| lsiebert wrote:
| Doing this for HN asks you to log in as an administrator.
| ljm wrote:
| I feel the same about dependency steps in CI, without a cache
| or any similar structure. Package repos like Rubygems, NPM and
| PyPi get utterly rinsed by the continual downloading and
| redownloading of stuff the client should have already stored.
| trulyme wrote:
| This. And both with GitHub and GitLab it takes quite a bit of
| extra effort to set up caching. It hurts to see 'npm ci'
| download half the internet every time a developer pushes to
| dev server.
| yellow_lead wrote:
| Would be interesting to speculate about the greenhouse
| effect of all these repeated downloads
| kortilla wrote:
| The article was about abusive floods accounting for 90% of the
| traffic. The author was happy with legitimate use cases like
| packages doing detection, contrary to your comment.
| kissgyorgy wrote:
| I use this service in my Dynamic DNS script for Cloudflare too:
| https://github.com/kissgyorgy/cloudflare-dyndns
|
| It's time to put this service to the first place.
| CliffStoll wrote:
| Just checked your python script - looks great! I wrote my own
| script a few years ago -- yours is way more robust!
| forrestthewoods wrote:
| > The site went from 1B requests per day to 30-35B requests per
| day over a weekend.
|
| This is absolutely mind blowing.
| jayonsoftware wrote:
| I always type "what is my ip" in google and get a reply. I am
| amazed that this service gets 30B to 35B hits a day
| aembleton wrote:
| It will be bots using it. I have a python script that calls
| it every 5 minutes to get my current IP so that I can update
| my DNS records on Cloudflare. This is because my server is
| self hosted on a Pi and I don't have a static IP.
| swlkr wrote:
| That's $8.03 per year right?
| yakubin wrote:
| There was a thread[1] a couple months ago where I discovered a
| method to get one's IP address relying only on DNS:
| nslookup myip.opendns.com resolver1.opendns.com
|
| I love it.
|
| [1]: <https://news.ycombinator.com/item?id=26634476>
| moreati wrote:
| That will return an IPv6 address, if you have IPv6
| connectivity. That'd normally be fine, but for the occasions it
| isn't, there is:
|
| dig +short -4 myip.opendns.com a @resolver1.opendns.com
| zatkin wrote:
| This command just returns the IP:
|
| dig +short @resolver2.opendns.com myip.opendns.com
| pytlicek wrote:
| WOW! Nice story. I'm running a very similar project for free and
| for fun. This also happens to me almost every day. Among other
| things I also provide website checks, so almost every second
| registration is used to wake up bots like repl.co or Minecraft
| bots hosted on such sites. Life isn't easy, right? :D Anyway, it
| is still fun to run such a service and I understand why the
| author wanted to keep it alive for such a long time :) If you
| want to try something similar with a few more features, give
| hostbeat.info a try.
| [deleted]
| Klasiaster wrote:
| For those behind a home router an alternative is to use UPNP,
| e.g., through the miniupnpc package on Debian which ships the
| `/usr/bin/external-ip` script that postprocesses the `upnpc -s`
| output.
| ColdHeat wrote:
| I used to use this site until I found
| https://checkip.amazonaws.com/. Switched because I wasn't sure
| who was behind icanhazip.com and it's tough to beat AWS. Glad to
| hear that it will likely be maintained for awhile longer!
| epse wrote:
| Does that one only do IPv4?
| madars wrote:
| Something to be aware of: checkip.amazonaws.com will happily
| return an X-Forwarded-For address
| https://stackoverflow.com/questions/52618096/under-what-circ...
| kortilla wrote:
| Use https
| lucb1e wrote:
| That has nothing to do with an HTTP header. See for
| yourself:
|
| $ curl -HX-Forwarded-For:127.0.0.1 https://checkip.amazonaws.com
| 127.0.0.1
| gruez wrote:
| I think the point is to prevent middleboxes (eg. caching
| proxy servers) from interfering with the request.
| Otherwise I don't really see the issue with the ip
| address being affected by X-Forwarded-For. You can
| just... not specify the header.
| thewakalix wrote:
| HTTPS encrypts headers, thereby preventing other people
| from adding headers to your request. Typically people are
| not adding X-Forwarded-For to their _own_ requests.
| lucb1e wrote:
| I'm not arguing either point, I just pointed out that
| headers are independent of whether you use encryption.
| But now that I'm thinking about it for a sec, you might
| want to know what the proxy's exit IP is, and if the
| proxy adds an XFF Header then you just learn your own IP
| which wasn't what you wanted. If that is what GGGP meant.
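The question this subthread circles is who is allowed to set X-Forwarded-For. Below is an added example (not code from checkip.amazonaws.com, the article, or any commenter) of how an IP-echo endpoint can honour the header only for hops that belong to proxies the operator runs, so a client that adds the header itself, as in the curl command above, still gets its real socket address back. The trusted proxy ranges, the `client_ip` helper and the `wsgi_app` name are assumptions made for the illustration.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed assumption: the only reverse proxies allowed to speak for a
# client are the ones we operate ourselves. Everything else is a client.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),     # internal load balancers
    ipaddress.ip_network("192.0.2.10/32"),  # one edge proxy (documentation range)
]


def _is_trusted(addr, nets: Iterable) -> bool:
    # IPv6 addresses are never "in" an IPv4 network and vice versa.
    return any(addr in net for net in nets)


def client_ip(remote_addr: str, xff_header: Optional[str],
              trusted_proxies=TRUSTED_PROXIES) -> str:
    """Return the address an IP-echo endpoint should report.

    remote_addr is the TCP peer (nginx's $remote_addr); xff_header is the raw
    X-Forwarded-For value or None. The header is honoured only while every hop
    being skipped is one of our own proxies, so a header supplied by the client
    itself (the curl -H X-Forwarded-For:127.0.0.1 case) is simply ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if xff_header is None or not _is_trusted(peer, trusted_proxies):
        # Direct connection, or a header from an untrusted peer: the socket
        # address is the only thing we actually know.
        return str(peer)

    candidate = peer
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk from the nearest hop (rightmost) towards the client (leftmost),
    # stepping over our own proxies and stopping at the first foreign address.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage in the header: stop and keep the last good hop
        candidate = addr
        if not _is_trusted(addr, trusted_proxies):
            break
    return str(candidate)


def wsgi_app(environ, start_response):
    """Minimal IP-echo endpoint: the equivalent of nginx's
    return 200 '$remote_addr', with trusted-proxy handling on top."""
    ip = client_ip(environ["REMOTE_ADDR"], environ.get("HTTP_X_FORWARDED_FOR"))
    body = (ip + "\n").encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Local demo only; a real deployment sits behind the proxies listed above.
    make_server("127.0.0.1", 8080, wsgi_app).serve_forever()
```

With this logic the header only changes the answer when the connection itself arrives from a listed proxy, which is the property gruez and thewakalix are reaching for: whether the client used TLS is irrelevant, what matters is whether the server trusts the hop that inserted the header.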
| delduca wrote:
| I use this https://cloudflare.com/cdn-cgi/trace
| Kaze404 wrote:
| Reading the title I expected the article to be about a zipping
| tool called Icanha Zip. Pleasantly surprised by the great
| article.
| slowmovintarget wrote:
| I appreciate the x-otter header, and I think I should now have my
| team add x-rtfm headers to all of our services and apps.
| [deleted]
| grouphugs wrote:
| my boats for me. i'm not abraham fucking over all of earth lmao
| chrischen wrote:
| I feel like in theory google should be returning this site,
| instead of the ad-filled sites when one searches "my ip address."
| But it always seems like Google heavily over-values the domain
| name and search term matches.
| slig wrote:
| The "first result" in a Google query for "my ip" and other
| combinations is a box with your public IP. There's no reason to
| click in any of the ad-filled sites anymore.
| jetrink wrote:
| This had been true for me for several years, but recently, I
| have found that Google no longer provides that info box and
| it's necessary to click into one of the search results. (I am
| using Firefox, but I am logged into a Google account if it
| makes any difference.)
| arkitaip wrote:
| Maybe you are getting a/b trapped?
| nodesocket wrote:
| Icanhazip could easily just be pure NGINX[1], additionally why
| not add rate limiting by ip address to limit malicious Chinese
| users? Though this does not address the servers falling over just
| from the raw incoming connections alone.
|
| [1] https://news.ycombinator.com/item?id=27416090
| [deleted]
| jaeerffa wrote:
| Lol, this story is very similar to rawgit which was a wonderful site
| but also fell prey to malware aholes.
| madars wrote:
| Thanks for all your hard work! icanhazip.com / icanhazptr.com
| have been incredibly useful.
|
| Small feature request: back in the day
| {ipv4,ipv6}.{icanhazptr,icanhazip}.com only had A / AAAA records,
| but now it seems they have both and thus a simple "curl
| ipv4.icanhazptr.com" can also give me a v6 address (of course,
| "curl -4" works). Would Cloudflare be OK with separating them
| again?
| sneak wrote:
| This story is kind of sad. I wonder why the operator didn't
| blacklist certain netblocks/ASNs who were abusing the service.
| blibble wrote:
| or even better: respond with incorrect data
|
| they'll soon learn
| thegeekbin wrote:
| Why punish a group for one bad actor?
| jjeaff wrote:
| So shutting down the entire service would be preferable to
| blocking one group?
| zootboy wrote:
| > There were many times where I saw a big traffic jump and I
| realized the traffic was coming from the same ASN, and likely
| from the same company. I tried reaching out to these
| companies when I saw it but they rarely ever replied. Some
| even became extremely hostile to my emails.
|
| A hostile reply from a netblock operator seems like a
| perfectly valid reason to block their traffic.
| jeroenhd wrote:
| The problem is that you don't know what the source of the
| traffic is. It could be an incompetent network
| operator/sysadmin, but it could just as well be something
| like an IP camera that people bought in good faith. If you
| block the CGNAT system of an operator that has a hundred
| million subscribers because it all seems to come from a
| single IP range you know nothing about, you could be
| hurting innocent users with the block.
|
| That being said, a service like this doesn't come with any
| guarantees and if it'd disappear from the net tomorrow, I
| wouldn't blame the author. Blocking is a perfectly valid
| solution to this problem, but assuming malice isn't always
| the right answer.
|
| Were I in this situation, I'd rate limit networks per /24
| (maybe even /16?) as much as I could, and work together
| with antivirus companies to help identify infections of
| malware known to use the service to discourage criminals
| from abusing the system. I wouldn't even bother hosting the
| site on IPv6 since those addresses are supposed to be
| public anyway. The author clearly has more patience than I
| do.
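The per-/24 rate limit jeroenhd proposes, written out as an added example (not the author's setup, nor Cloudflare's): a token bucket keyed by the source prefix rather than the individual address, plus a replay over constructed access-log style (timestamp, source) pairs that makes a flooding block visible without penalising a well-behaved client in another prefix. The rate and burst values, the /48 grouping for IPv6, the `PrefixRateLimiter` name and the sample data are all assumptions.

```python
import ipaddress
import math
import time
from typing import Callable, Dict, Iterable, List, Tuple


class PrefixRateLimiter:
    """Token bucket keyed by the source prefix rather than the single address.

    IPv4 sources are grouped per /24 and IPv6 per /48 (constructed defaults).
    A bucket holds at most `burst` tokens, refills at `rate` tokens per second,
    and each request spends one token.
    """

    def __init__(self, rate: float, burst: int, v4_prefix: int = 24,
                 v6_prefix: int = 48, clock: Callable[[], float] = time.monotonic):
        self.rate, self.burst = rate, burst
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.clock = clock  # injectable so behaviour can be replayed deterministically
        self.buckets: Dict[str, Tuple[float, float]] = {}  # prefix -> (tokens, last_seen)

    def key(self, source: str) -> str:
        ip = ipaddress.ip_address(source)
        plen = self.v4_prefix if ip.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def allow(self, source: str) -> bool:
        now = self.clock()
        k = self.key(source)
        tokens, last = self.buckets.get(k, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[k] = (tokens - 1.0, now)
            return True
        self.buckets[k] = (tokens, now)
        return False

    def retry_after(self, source: str) -> int:
        """Whole seconds until the prefix earns its next token; suitable for a
        Retry-After header so that a denied client backs off instead of retrying
        in a tight loop."""
        tokens, _ = self.buckets.get(self.key(source), (float(self.burst), 0.0))
        if tokens >= 1.0:
            return 0
        return max(1, math.ceil((1.0 - tokens) / self.rate))


def replay(requests: Iterable[Tuple[float, str]], rate: float, burst: int) -> Dict[str, List[int]]:
    """Replay (timestamp, source) pairs, e.g. parsed from an access log, through a
    fresh limiter. Returns {prefix: [allowed, denied]} so a flooding block stands out."""
    clock = {"now": 0.0}
    limiter = PrefixRateLimiter(rate, burst, clock=lambda: clock["now"])
    stats: Dict[str, List[int]] = {}
    for ts, src in sorted(requests):
        clock["now"] = ts
        counts = stats.setdefault(limiter.key(src), [0, 0])
        counts[0 if limiter.allow(src) else 1] += 1
    return stats


# Constructed sample: one /24 hitting the endpoint twice a second from many
# hosts, and one well-behaved client polling once a minute from elsewhere.
SAMPLE_REQUESTS = (
    [(i * 0.5, f"203.0.113.{i % 250 + 1}") for i in range(40)]
    + [(float(i * 60), "198.51.100.7") for i in range(5)]
)

if __name__ == "__main__":
    for prefix, (ok, denied) in replay(SAMPLE_REQUESTS, rate=1.0, burst=5).items():
        print(f"{prefix:22} allowed={ok:3} denied={denied:3}")
```

Keying on the prefix means a thousand camera firmwares behind one consumer ISP's address block share a single budget, which is the intent; the cost, as jeroenhd notes, is that legitimate users in the same block share the penalty, so the bucket parameters should be set from observed traffic rather than guessed. Answering a denied request with 429 and the `retry_after()` value is cheaper than a timeout and avoids feeding the retry storms terom warns about further down.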
| kortilla wrote:
| This isn't "one person bought a bad camera", it was
| certain ASNs accounting for a huge portion of the
| traffic. If the operators are unresponsive to the abuse
| request (making them incompetent network operators), then
| you absolutely block them. At that point the fallout is
| the fault of the network operators for operating an abuse
| friendly network.
|
| This is how cloudflare handles it for normal web
| services. If you're coming from trash IPs there is no
| chance a curl request is going to make it through to a
| backend without an onerous captcha.
| jeroenhd wrote:
| I wouldn't expect one person with one camera to cause
| such a load, but popular, cheap internet cameras pull
| this crap all the time. I remember reading a story here
| about one company that hardcoded a particular IP address
| for their NTP bootstrapping in their firmware, with
| thousands of devices all across the world and no way to
| easily update them. Such a thing can easily happen with
| consumer routers and other networking equipment,
| generating a publicly accessible link for their user's
| convenience.
|
| If I saw the Time Warner ASN send too many requests, my
| first thought wouldn't be to just block a huge ISP. Who
| knows what might be causing these issues and what you
| could be breaking by interrupting service.
|
| The Time Warner NOC wouldn't be able to completely fix
| the problem if the source of the issue is the firmware of
| a certain shitty IoT device. If someone emailed their NOC
| about some weird IP cams installed by their customers
| causing load on their servers, they could feel like
| that's a problem between icanhazip and the camera
| manufacturer, not something they can fix.
|
| The author is quite tolerant of the obviously malicious
| behaviour others are attacking his servers with. I'd have
| taken more aggressive measures instead of scaling up
| capacities myself. Because the problem is volume and not
| necessarily anything complex, I'd wager that even a
| simple block could be quite expensive because that
| traffic and the associated retries will be going
| somewhere. Directing the traffic towards the last router
| in their ASN through DNS would be something I'd consider,
| making it the problem of the network operators.
| terom wrote:
| Looking at the icanhazip.com site, I wonder how much any
| kind of rate-limiting per address/block would even help.
|
| At the HTTP level it's probably cheaper to just return
| the HTTP 200 response. I suppose if you're doing TLS
| handshakes then a packet-level rate-limit would help
| significantly, but at the same time I'd be wary of
| triggering any kind of retry-behavior.
|
| Worst-case scenario for a service like this would be
| having an error response/timeout trigger some kind of
| unlimited retry flood.
| jeroenhd wrote:
| The block route I'd go with is blackholing the entire
| range into nothing through BGP or similar so the servers
| wouldn't have to deal with the traffic, similar to how
| anti DDOS tools often work. Might even redirect the DNS
| for that subnet to the IP of the people running the
| network, let them deal with the abuse. That'd be a very
| offensive approach, though.
|
| I probably wouldn't bother with TLS either, just a plain
| HTTP 0.1 response with minimum information should be
| enough.
| eximius wrote:
| In some sense, it might not matter. If an ASN/company
| admin responds to emails in a hostile fashion, does it
| matter if they bought their devices in good faith?
| They're still assholes.
| jeroenhd wrote:
| Hostility can often come from a place of ignorance or
| misunderstanding. I can't say much for the former, but
| the latter can easily go wrong with the cultural and
| linguistic barrier between operators.
|
| The guy operating the NOC may be a dick, but is taking
| down the IoT networks for all of their customers
| unknowingly relying on your services really the right
| way?
|
| Personally, I'd say yes, it'd help. However, there's an
| argument to be made that the hostile ASN operator doesn't
| represent the people behind the network in the slightest.
| I can understand that someone may give such an asshat the
| benefit of doubt and drop it despite their abuse.
| thegeekbin wrote:
| As a network operator, you would be surprised how many AS
| operators are hostile or simply don't respond. It's
| unfortunately very common, even Tier-1's are hostile.
|
| Out of the last month, I sent out 191 abuse reports, of
| which 10 got replied to, 2 were resolved 6 were "no f**
| off" style, and 2 were told "can't fix / won't fix / don't
| know how to fix".
|
| I'm not just referring to Chinese ASNs either, some US
| Telcos, German, Australian even.
| nixgeek wrote:
| We're entering an era where the content providers and the
| major clouds are >50% of demand on new subsea capacity.
| Feels like this blurs 'Tier 1' and the role of backbones
| because major eyeball networks now interconnect directly
| with e.g. Facebook or Google.
|
| Anyway, on abuse@ response rates, my probably unpopular
| but realistic take based on looking at tens of thousands
| of such complaints over the years and having worked for
| ASNs which have received millions, I'd hazard everyone
| has an SNR and ROI problem with handling these. There's
| just too many of them and most aren't actionable.
|
| Some examples, "I saw a failed SSH login attempt from
| 1.2.3.4 and OMG that's a huge issue, you have been
| compromised, and you must solve this immediately!". OK,
| well, the subscriber might have: a) Typoed your IP
| address, b) Been running nmap/zmap over a wide range of
| IPs for research purposes; c) You're on an IP with a
| provider who recycled it to you, subscriber has outdated
| DNS records.
|
| What do you expect a 'Tier 1' to do with your report?
|
| Many ASNs are now just looking at the pattern of reports
| per IP address or subscriber, are automating scanning for
| e.g. open mail relays when whatever processes abuse@
| determines the person is complaining about spam, or
| automating looking for anomalies in flows for DDoS
| complaints, a human may not even see the ticket unless
| the automation was able to confirm a problem may exist,
| and the human will probably only engage the subscriber
| and won't respond to the 1-1000 things received to abuse@
| related to the issue.
|
| In Major's case with icanhazip.com it looks like pretty
| bad behavior from the Chinese ASNs mentioned, but could
| just be IOT configured to fetch its IP every minute
| instead of every 60 minutes of 24 hours because someone
| misunderstood cron. Unfortunate that nobody responded but
| 30B a day is ~350kRPS (which isn't a lot, in the grand
| scheme of the internet). I'm sure 30B requests per day is
| nothing at Cloudflare's scale and they have options to
| cure these ASNs behavior should they choose, including
| stuff like IP-based or ASN-based ratelimiting, or even
| IP/ASN restrictions.
|
| I'm sure Cloudflare will learn some interesting things
| about both the accidental contributors (e.g. cron) and
| intentional contributors (e.g. botnets) from analyzing
| the sources generating the requests, and I'm ultimately
| glad it is them picking this up, their other initiatives
| like 1.1.1.1 have been positive for the internet
| (IMHO).
| superasn wrote:
| Wow so this person has been running this site for so many years,
| paying bills, answering god knows how many idiots and even
| getting close to trouble with 3 letter agencies and senators for
| absolutely nothing.. hats off to you sir, any other person would
| have thrown in the towel a long time ago.
|
| Also i feel little bad you didn't get any money out of it whether
| the site was designed to make money or not. It would have been a
| wonderful end to the story if you got something back for all the
| years of hardwork you put into running it. You do have my
| appreciation if that means anything though.
|
| P.S. this story is very similar to rawgit which was a wonderful
| site but also fell prey to malware aholes.
| jedberg wrote:
| > Also i feel little bad you didn't get any money out of it
|
| Most likely it got them a much higher paying job than they
| would have otherwise gotten. Walking in and saying you single
| handedly run a site with billions of requests per day and
| petabytes of traffic will get you noticed.
| rantwasp wrote:
| Icanhazjob approach!
| rajishx wrote:
| Major didn't need icanhazip.com to get a good paying and
| quality job, this man is legend (at RAX when working with
| him)
| jedberg wrote:
| Being good is neither necessary nor sufficient for getting a
| high paying job.
|
| Being able to get in front of a hiring manager who is
| offering a high paying job and convincing them to hire you
| is the only thing. And having a very popular website with a
| ton of traffic is more likely to get you in front of a
| hiring manager with a good job than actually being good.
| movedx wrote:
| Ditto (London office.)
| barosl wrote:
| Thanks for your service. Now it will get even more traffic as I
| realized the existence of the site!
| eruci wrote:
| I used it for a while, then after a couple of failures decided to
| whip up my own at https://geocode.xyz/myip
|
| Took me 5 minutes of work and exactly one line of code.
| andrewstuart2 wrote:
| There's a lot more helpful info you can return, too. Try
| https://ifconfig.me. Works great in bash scripts too, as it
| only returns the IP when called with a curl user agent.
| eruci wrote:
| This is cool!
| coderholic wrote:
| I'm glad icanhazip will live on! We also see a lot of malware and
| bot traffic to https://ipinfo.io, but nowhere near these levels!
| CliffStoll wrote:
| I've been using ipinfo.io for several years -- checking a
| dynamic ip address every 10 minutes. My thanks for supplying
| this service! Is there a reason to change over to icanhazip ?
| TazeTSchnitzel wrote:
| I admire the fact the author didn't snap at some point and start
| returning 0.0.0.0 or 127.0.0.1 to some or all queries.
| Aeolun wrote:
| Or a rate limit of some kind
| KirillPanov wrote:
| Suggest retitle: "Cloudflare acquires Icanhazip".
|
| Glad it will live on!
| trulyme wrote:
| "Acquires" is a strong word when we are talking about $8 price.
| Maybe "Cloudflare becomes custodian of Icanhazip"?
| leesalminen wrote:
| I run a very simple, completely free API service as well.
| Currently using Google Cloud Run, handling a constant 10 rps for
| ~$8/mo. Pretty happy with it. I could probably cost optimize
| more. I sure hope I never have to deal with 30 billion requests
| per day, though. I'm sure my patience would run thin as well.
| Thank you to the author for running this site for so many years!
| toxik wrote:
| Chinese originated spam and abuse is so outrageously widespread,
| I don't understand why there isn't a conversation going on about
| cutting them off from the wider internet. They blocked most of it
| anyway.
| egypturnash wrote:
| China currently makes some absurdly large percentage of the
| world's consumer goods, and the discussions about producing
| them are probably being had over the internet. Cut them off of
| the internet and we have to rebuild manufacturing capacity
| everywhere else.
|
| Which might not be a bad thing overall, but it's sure not gonna
| make any transnational corporation's bottom line happy over the
| next few quarters, so they'll be waving a lot of money at
| politicians to make this not happen.
| ALittleLight wrote:
| China is an oppressive authoritarian state currently engaged
| in ethnic cleansing. How is enabling them indefinitely an
| option?
| julianlam wrote:
| Because doing so would essentially push China towards a
| China-only internet, which they're already halfway towards.
|
| The benefits of globalization and the spread of democracy
| (or even just alternative governance models) via exposure
| to other cultures cannot be understated
| theli0nheart wrote:
| Not a strong reason. I would be shocked if the average
| Internet user has heard of any of the top ten most
| visited websites in China. Their entire infrastructure,
| from the technological layer to the bureaucratic layer,
| has ensured that the average Chinese Internet user knows
| very little about the outside world that hasn't been pre-
| vetted or filtered out completely by the GFW.
| baud147258 wrote:
| Is it really working, though? Has there been a push in
| China (or other country connected to the global internet)
| for more democracy?
| Arubis wrote:
| I liked this hypothesis overall--that exposure to
| democracy through trade is sufficient to breed democracy
| in China. It's a confident and peaceful approach, and I'm
| glad that we tested it. However, in this case, I believe
| we've disproven the hypothesis; continuing to run the
| same experiment unmodified and expecting improving
| results is signing up for disappointment.
| mwcampbell wrote:
| It stands to reason that an especially large volume of abuse
| will originate from the most populous country in the world. I
| don't think that's a reason to cut them off from the global
| Internet. If it's true that their government is already
| oppressing their own people (I don't know what's truth and
| what's propaganda), then the rest of us shouldn't make it worse
| for those people by cutting off whatever outside connections
| they manage to have.
|
| Also, I'm generally bothered by comments like this one that
| stir up the general human tendency toward xenophobia. We should
| be fighting that tendency within ourselves, not fighting the
| out group. Whichever group of people we want to demonize, we
| should remember that they're people just like us. We shouldn't
| punish the majority of them for what a minority are doing to
| us.
| toxik wrote:
| They are not the most connected country, not by a long shot. Why
| isn't India no. 2 by your logic? Stop apologizing for
| unacceptable behavior from a country that openly purports to
| become "the superpower of the world".
| mwcampbell wrote:
| I'm not apologizing for anyone's bad behavior; I just don't
| want us to escalate an already tense situation. "The only
| winning move is not to play", right?
| Aeolun wrote:
| I mean, if their government doesn't stop, and often even
| encourages the behavior, what are we supposed to do? Just
| roll over and show them the other cheek?
|
| I agree you don't _want_ to cut them off, but on the other
| hand, I don't want 90% of all global malicious traffic to
| originate from a specific country.
| mwcampbell wrote:
| > I don't want 90% of all global malicious traffic to
| originate from a specific country.
|
| Is that actually true? I guess I'm inclined to believe that
| claims like that are more likely to be propaganda from
| western governments and/or western-owned companies.
|
| If it _is_ true, I wonder why their government isn't
| stopping it. They must realize that it's giving them a bad
| reputation in the wider world.
| jedberg wrote:
| It's not even a new trend either. Back in 2003 when I worked at
| eBay and PayPal doing security, the bulk of the attempts came
| from China and Romania (Romania at the time had one ISP for the
| whole country that was fast but didn't care about abuse at
| all).
| jmartrican wrote:
| The other trending article on HN today is about Chinese fishing
| boats abusing the world's oceans. It's ok, we'll learn to get
| used to it.
| swinglock wrote:
| Wouldn't want to be rude.
| corndoge wrote:
| Any criticism of China can be construed as being pro-US and
| we can't have that. Criticism of Chinese traditional
| medicine, which is a forcing function for the endangering and
| extinction of species across the globe, is also unacceptable
| since criticism of any aspect of a culture is just racism
| (unless it's the one culture that's okay to criticize).
|
| As long as the truth doesn't match what the preferred
| narrative is we'll continue to suffer the consequences, which
| is true of so many things beyond just attitudes towards
| China.
| wyager wrote:
| I would rather have a global network with marginally more spam
| than a regional network with marginally less.
| kortilla wrote:
| This false dichotomy is impressive. A single country
| accounting for 50+% sets up the choice to be, "a global
| network with a lot less spam and a regional island with a lot
| of spam" vs "a global network with a ton of spam barely
| connected to a regional network that much of the spam
| originates from".
| npteljes wrote:
| That "single country" is of 1.4B people.
| systemvoltage wrote:
| I believe in reciprocity. China has blocked a lot of the
| western traffic. So, the west should block China. If they
| open up, we should welcome them with open arms. Similar
| spirit as some open source licenses - reciprocity creates
| fairness and increases collaboration, prevents hawks in a
| population of doves and improves stability.
|
| We are already doing this with trade. The amount of leeway
| and free lunch China has gotten from the west is insane. I
| don't blame China, I blame the west and the rest of the world
| for not preventing it. Asymmetrical policies are often
| exploited by capitalism and governments have been caught off
| guard.
|
| I'm not an Anti-China lunatic. It's just common sense.
| dvfjsdhgfv wrote:
| The lives of people in China trying to use Internet
| services outside are already miserable; let's not make it
| worse and alienate others. We should treat them just like
| the rest: if extensive malicious traffic arrives, we drop
| it, but we don't ban the entire country.
| toxik wrote:
| The internet is built on institutional trust. You can't
| have a properly functioning network when a sizable part
| is just not giving a shit about its users abusing your
| users.
|
| It very much echoes the problems of intellectual property
| theft in China.
| crumbshot wrote:
| This supposed 'intellectual property theft' is mostly
| just reverse engineering of technology.
|
| It's not really a problem anyway. If some capitalists in
| the US and Europe don't get to skim off a slice of profit
| from another country's manufacturing output, then so
| what?
| yarcob wrote:
| I really don't think blocks and embargoes are going to help
| anyone. They just suck for all the affected people, but I
| don't think they are very effective at convincing foreign
| governments to open up.
| systemvoltage wrote:
| We're talking about blocking IPs originating from China.
| How would that hurt the affected people outside of China?
|
| In regards to trade war, HN has discussed this ad
| nauseam, I think we should restrict the discussion to
| internet traffic even though I brought it up as an
| analogy about asymmetric response from the west in
| general: https://hn.algolia.com/?q=trade+war
| yarcob wrote:
| > We're talking about blocking IPs originating from
| China. How would that hurt the affected people outside of
| China?
|
| Most of the affected people would obviously be _inside_
| China.
| snowwrestler wrote:
| The Chinese government operates their Internet blocks (the
| "Great Firewall"). But overwhelmingly, it is the Chinese
| people who are trying to access information on the public
| Internet.
|
| Blocking the entire country will do little to hurt the
| government (who can employ state resources to get whatever
| information they want) and do quite a bit more to harm the
| Chinese people by reducing whatever level of information
| independence they still have.
|
| If there is going to be significant change in China, it
| will have to come from the Chinese people. Cutting them off
| from the Internet vindictively does not advance that goal.
|
| There are specific people in China doing specific bad
| things with specific computing resources. It would be far
| better for the U.S. government to dedicate more resources
| to finding and partnering with orgs and projects (like
| icanhazip or Cloudflare) to find the info they need to
| apply targeted mitigations.
|
| "China does it, so we should do it too" only makes sense as
| a strategy if our goal is to become exactly like China is
| today. I don't think that should be our goal.
| systemvoltage wrote:
| > "China does it, so we should do it too" only makes
| sense as a strategy if our goal is to become exactly like
| China is today. I don't think that should be our goal.
|
| I very strongly disagree. An eye for an eye is _exactly_
| what needs to be done and should have been done from the
| beginning. Unfortunately, it is too late. 1989 massacre
| should have been condemned more solidly and trade
| restrictions should have been placed in the 90's. The
| bet that western alliances made is that China would open
| up in the 2000s leading into 2010s. That has gone
| horribly wrong.
|
| The west is finally waking up:
| https://en.wikipedia.org/wiki/Inter-Parliamentary_Alliance_o...
| jjeaff wrote:
| I don't think every country in the world minus one or two
| would be "regional".
| [deleted]
| croes wrote:
| Maybe that is the plan, that we cut them off, so they don't
| have to
| c7DJTLrn wrote:
| I often use whatismyip.akamai.com as a reliable "what's my IP"
| service but unfortunately it isn't configured correctly for
| HTTPS.
| lucb1e wrote:
| Out of curiosity, what makes you use it, if it isn't even
| configured correctly and there's a million alternatives out
| there?
| mjsir911 wrote:
| This kind of service is exactly what STUN servers are made for.
| Designed to be used with webrtc, but it works perfectly alright
| by itself.
|
| There are a plethora of unauthenticated STUN servers around, and
| while there's still room for abuse, the protocol is a bit more
| lightweight than full-blown http requests, and faster, too!
|
| I've dabbled with doing this on my own, but I've found `myip` to
| do the job nicely and without hassle:
|
| https://github.com/Snawoot/myip
| politelemon wrote:
| Can this be done using the stun command directly?
|
| http://manpages.ubuntu.com/manpages/bionic/man1/stun.1.html
| Snawoot wrote:
| It is, but the utility above queries multiple public STUN
| servers concurrently. As soon as a quorum of servers has replied
| with matching addresses, the result is returned. This way it's
| more reliable and offers decent latency guarantees.
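The STUN binding exchange the last few comments describe, as an added example that is not the myip project's code nor the stun(1) tool: a Binding Request is built, the server's Binding Success is parsed (XOR-MAPPED-ADDRESS first, MAPPED-ADDRESS as fallback), datagrams whose transaction ID does not match ours are rejected, and a quorum check accepts an address only when enough servers agree, as Snawoot describes. The constructed server reply exists only so the parser can be exercised offline; `query_stun` does the live UDP round trip, and the server host and port passed to it are whatever public STUN server the reader chooses.

```python
import os
import socket
import struct
from collections import Counter
from typing import List, Optional, Tuple

# RFC 5389 constants
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01


def build_binding_request(txn_id: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """20-byte Binding Request with no attributes; returns (message, transaction id)."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id, txn_id


def parse_binding_response(data: bytes, txn_id: bytes) -> Tuple[str, int]:
    """Extract the reflexive (public) IPv4 address and port from a Binding Success."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != txn_id:
        raise ValueError("not a reply to our transaction")  # stale or spoofed datagram
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"unexpected message type 0x{msg_type:04x}")
    body = data[20:20 + length]
    pos, mapped = 0, None
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
        if len(value) < 8 or value[1] != FAMILY_IPV4:
            continue
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            addr = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return addr, xport ^ (MAGIC_COOKIE >> 16)  # XOR form wins when present
        if atype == ATTR_MAPPED_ADDRESS and mapped is None:
            mapped = (socket.inet_ntoa(value[4:8]), struct.unpack("!H", value[2:4])[0])
    if mapped is None:
        raise ValueError("no mapped address in response")
    return mapped


def build_binding_response(txn_id: bytes, addr: str, port: int) -> bytes:
    """Constructed server reply (what a STUN server would send); lets the
    parser be exercised without network access."""
    xaddr = struct.unpack("!I", socket.inet_aton(addr))[0] ^ MAGIC_COOKIE
    xport = port ^ (MAGIC_COOKIE >> 16)
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, FAMILY_IPV4, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txn_id + attr


def quorum_address(answers: List[Tuple[str, int]], quorum: int) -> Optional[str]:
    """Address reported by at least `quorum` servers, or None when they disagree
    (one misbehaving or NAT-confused server then cannot decide the result)."""
    counts = Counter(addr for addr, _ in answers)
    if not counts:
        return None
    addr, n = counts.most_common(1)[0]
    return addr if n >= quorum else None


def query_stun(host: str, port: int = 3478, timeout: float = 2.0) -> Tuple[str, int]:
    """One live UDP round trip to a STUN server of your choosing (needs network)."""
    request, txn_id = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        data, _ = sock.recvfrom(1500)
    return parse_binding_response(data, txn_id)
```

The transaction-ID check is what makes the UDP exchange safe to use unauthenticated: a reply that does not echo the 96-bit random ID we sent is dropped rather than trusted. Querying several servers and requiring a quorum, as the myip utility does, covers the remaining case of a single server answering wrongly.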
___________________________________________________________________
(page generated 2021-06-06 23:00 UTC)