今日已更新 339 条资讯 | 累计 19899 条内容
关于我们

标签:#networking

找到 47 篇相关文章

AI 资讯

Debugging LACP Instability in a Transparent OPNsense Bridge

I run a transparent OPNsense bridge between a UniFi Dream Machine Pro and the rest of my LAN. It is deliberately boring at Layer 3: the UDM keeps routing, DHCP, DNS, firewall policy, WAN handling, and VLAN definitions. OPNsense sits inline as a Layer 2 bump in the wire. The interesting part is that both sides of that bump use LACP . I already wrote the build/configuration guide for this setup here: Building a Transparent LAGG (LACP) Bridge with OPNsense, UDM, and UniFi - A Practical Guide . That article explains how the bridge was built, how the LAGG devices were configured, and why I wanted the firewall to remain transparent. This article is the other half of the story: what happens when that kind of setup fails in a non-obvious way. Not a clean outage. Not a single "the network is down" moment. Just enough instability to make everything feel wrong. 1. Topology and Failure Surface The topology looked like this: +----------------------+ | UniFi Dream Machine | | kantharos-udm-pro | +----------+-----------+ | LACP aggregate, 2 x 1G | OPNsense lagg0 "ingresslagg" igc1 + igc2, LACP | +----------v-----------+ | OPNsense bridge0 | | "laggbridge" | +----------+-----------+ | OPNsense lagg1 "egresslagg" igc4 + igc5, LACP | LACP aggregate, 2 x 1G | +----------v-----------+ | UniFi USW-Lite-16 | | downstream LAN | +----------------------+ On OPNsense, the relevant interfaces were: igc1 + igc2 -> lagg0 -> ingresslagg -> toward UDM igc4 + igc5 -> lagg1 -> egresslagg -> toward USW lagg0 + lagg1 -> bridge0 -> laggbridge The bridge is a FreeBSD bridge. The aggregates are FreeBSD lagg(4) interfaces using LACP. OPNsense exposes those through its Interfaces > Devices UI. The expected healthy OPNsense state is: laggproto lacp status: active laggport: igcX flags=<ACTIVE,COLLECTING,DISTRIBUTING> laggport: igcY flags=<ACTIVE,COLLECTING,DISTRIBUTING> Those three member states matter: ACTIVE : the member is participating in the LACP bundle. COLLECTING : the member may receive traffic. DIS

2026-06-06 原文 →
AI 资讯

NAT, SNAT, DNAT, PAT & Port Forwarding Explained Without the Networking Headache

Most people use these technologies every day. Almost nobody knows they exist. Every time you open YouTube, browse Instagram, join a Zoom meeting, or play an online game, your router is quietly performing a series of networking tricks behind the scenes. Those tricks have names: NAT SNAT DNAT PAT Port Forwarding They sound intimidating. They're actually much simpler than they appear. Let's break them down using something familiar: your home Wi-Fi. The Problem the Internet Had to Solve Imagine a family of five living in one house. Everyone owns a device: Laptop Phone Smart TV Gaming Console Tablet Each device needs internet access. The problem? Your Internet Service Provider usually gives you only one public IP address . Something has to manage all those devices sharing a single internet connection. That's where NAT comes in. NAT: The Receptionist of Your Network NAT stands for Network Address Translation . Think of NAT as a receptionist in an office building. People inside the building have room numbers: Laptop = Room 101 Phone = Room 102 TV = Room 103 But when communicating with the outside world, everyone uses the building's main address. The receptionist keeps track of who sent what. Your router does exactly the same thing. What Happens When You Visit Google? Inside your home: Laptop 192.168.1.10 Your router: Public IP 49.x.x.x When you open Google: 192.168.1.10 ↓ Router ↓ 49.x.x.x ↓ Google Google never sees your private IP. It only sees your router's public IP. That's NAT in action. SNAT: Changing the Sender's Address SNAT stands for Source Network Address Translation . The keyword is: Source It changes the sender's address. Before leaving your network: Source: 192.168.1.10 After SNAT: Source: 49.x.x.x The router replaces your private IP with its public IP. Without SNAT, websites wouldn't know how to send responses back to you. Real-Life Example Imagine mailing a letter. Instead of writing your bedroom number as the return address, you write the house address. Tha

2026-06-02 原文 →
AI 资讯

为什么使用代理总弹出“安全验证”?深度解析 Cloudflare 拦截机制与避坑指南

为什么使用代理总弹出“安全验证”?深度解析 Cloudflare 拦截机制与避坑指南 在互联网开发、跨国办公或日常浏览中,使用代理(如 VPN、机场、Socks5、OpenVPN/WireGuard 协议等)已经是不可或缺的技能。 然而,许多人在开启代理后,访问国外网站(如 Dev.to、GitHub、Medium 等)时,频繁遭遇如下提示: Performing security verification This website uses a security service to protect against malicious bots. This page is displayed while the website verifies you are not a bot. 甚至更让人崩溃的是,有时候点击了验证码,它依然不断刷新,陷入 无限验证死循环 。这并不是你的系统或浏览器损坏了,而是代理网络的特性触发了现代 Web 安全防御机制。本文将从技术原理深入拆解这一现象,并提供切实可行的优化方案。 一、 核心原理:网站安全服务是如何盯上你的? 现代网站大多会部署 Cloudflare(如 Turnstile 验证) 、Akamai、Imperva 等网络安全与防 DDoS 攻击服务。这些服务通过以下几个维度来评估访问者是“真实人类”还是“恶意机器人(Bot)”: 1. IP 信誉度(IP Reputation)与“连坐”机制 这是最核心的技术原因。代理服务商(特别是商业 VPN 或公共机场)所使用的 IP 地址,绝大多数属于 数据中心(Data Center)机房 IP ,而非普通家庭的 住宅(Residential)IP 。 高密度共用: 同一个代理 IP 节点上,可能同时有成百上千个用户在发起请求。 黑名单牵连: 如果该 IP 下的其他匿名用户正在使用自动化脚本抓取数据、进行端口扫描,或者发起恶意网络攻击,安全系统的风控引擎(如 Cloudflare IP Threat Score)就会瞬间拉高该 IP 的风险等级。当你恰好切换到这个“脏 IP”时,就会被系统无差别“连坐”,要求强制验证。 2. 被动指纹识别(Passive Fingerprinting)与几何特征 安全防御系统不仅看你的 IP 归属地,还会通过深层网络和浏览器几何特征来判断你的真实身份: TLS/SSL 握手特征(JA3 指纹): 当你通过一些特定协议或混淆模式(如带有特定加密的 TCP 隧道)连接网站时,浏览器发出的 TLS 握手特征可能会发生形变。 TCP/IP 栈特征: 经过代理服务器的转发,数据包的 TTL(生存时间)、Window Size(TCP 窗口大小)等底层参数可能会与你浏览器宣称的操作系统(如 Windows 11 或 Ubuntu 24.04)的标准特征不匹配。 浏览器画布与几何指纹(Canvas/Geometry): 浏览器的窗口大小、屏幕分辨率以及它们的比例,也是风控系统评估的重要指标。 自动化爬虫脚本(如 Selenium、Puppeteer)在启动时,常常使用死板的默认分辨率(如完美的 1024x768 或 800x600 )。如果你的代理 IP 本身信誉度低,窗口又处于这些“机器人专属分辨率”下,或者网页窗口大小与物理显示器分辨率比例极其诡异(例如伪造环境时穿帮),就会直接触发拦截。 3. 环境与地缘标签冲突(以 Yandex 浏览器为例) 风控系统对你使用的浏览器品牌同样有一套风险权重评估。 如果你使用的是 Yandex 浏览器 或某些小众、经过重度隐私魔改的浏览器,在配合代理时会变得 极其难通过验证 。Yandex 浏览器虽然基于 Chromium 内核,但其内部由俄罗斯团队集成了大量独特的隐私保护技术与 Canvas 渲染机制,计算出的浏览器指纹非常非主流。 更致命的是 地缘标签冲突 :欧美的主流网络安全公司(如 Cloudflare)对特定区域标签的客户端流量天然设置了更低的信任阈值。当你 用着 Yandex 浏览器 ,IP 却 挂着美国或日本的代理 时,这种“指纹与地理位置的剧烈冲突”在风控模型眼里极度反常,系统会判定该请求大概率来自自动化黑客工具,从而直接卡死验证。 4. 地理位置与行为“瞬移” 如果你的代理客户端开启了“负载均衡”或“定时自动切换节点”,可能会导致前一分钟请求来自日本,后一分钟请求来自美国。这种超越物理极限的“空间瞬移”属于高风险异常行为。此外,如果通过代码 瞬间改变 窗口尺寸,而非人类拖拽时产生的连续 resize 事件,也会被风控脚本捕捉到异常。 二、 实战优化:如何彻底摆脱“无限验证”死循环? 要彻底解决或缓解这个问题,可以根据实际的使用场景,从 节点筛选 、 路由分流 以及 浏

2026-05-30 原文 →
AI 资讯

Understanding known_hosts and Host Key Verification: What It Protects Against and How TOFU Works

That "authenticity of host can't be established" message isn't just noise. Here's what's actually happening — and why blindly typing "yes" is a security mistake. Every developer has seen this: The authenticity of host 'example.com (203.0.113.1)' can't be established. ED25519 key fingerprint is SHA256:abc123xyz... Are you sure you want to continue connecting (yes/no/[fingerprint])? Almost everyone types yes without reading it. Then they move on. This message is SSH trying to protect you from one of the most dangerous attacks in network security: the man-in-the-middle attack. Understanding what's happening here — and what the ~/.ssh/known_hosts file actually does — will change how you think about every SSH connection you make. The Problem SSH Is Solving When you connect to ssh user@example.com , how do you know you're actually talking to example.com ? You can't rely on the IP address — IP addresses can be spoofed or rerouted. You can't rely on DNS — DNS can be poisoned. You can't rely on the network path — traffic can be intercepted at any point between you and the server. Without verification, an attacker positioned between you and the server could intercept the connection, pose as the server, decrypt everything you send, re-encrypt it, and forward it along. You'd type your password or authenticate with your key and never know the attacker saw every keystroke. This is a man-in-the-middle (MITM) attack . It's not theoretical. It happens on compromised networks, corporate proxies, malicious Wi-Fi hotspots, and misconfigured infrastructure. SSH's defense is host key verification . Every SSH server has a unique cryptographic identity — its host key. Before you exchange any sensitive data, the server proves it holds the private key corresponding to a public key you've previously verified. If the keys don't match, SSH warns you — loudly. What a Host Key Actually Is When OpenSSH is installed on a server, it automatically generates a set of host key pairs. These live in /etc

2026-05-28 原文 →
AI 资讯

Sniffing Modbus Traffic with 5 Lines of Python (And Why It Should Scare Your OT Team)

⚠️ For defensive/educational purposes only. Sniff only networks you own or are explicitly authorized to test. Unauthorized network monitoring is illegal in most jurisdictions. The uncomfortable truth about your factory floor If your plant uses Modbus TCP — and statistically, it probably does — every register read, every coil write, every sensor value is flying across your network in plaintext . No encryption. No authentication. No signature. Nothing. Modbus was designed in 1979 by Modicon for serial communication between a PLC and a few field devices on a dedicated cable. The threat model was "someone might physically tap the wire." The solution was "don't let strangers into the control room." Forty-five years later, that same protocol is running over your corporate VLAN, talking to cloud historians, and occasionally — if your IT/OT segmentation has gaps — reachable from the internet. Let me show you what that looks like from the wire. The 5-line sniffer This is a defensive monitoring tool. Same code your blue team would use to baseline normal traffic and detect anomalies. Requires scapy : pip install scapy from scapy.all import sniff , TCP , Raw def show_modbus ( pkt ): if TCP in pkt and pkt [ TCP ]. dport == 502 and Raw in pkt : payload = pkt [ Raw ]. load print ( f " { pkt [ ' IP ' ]. src } → { pkt [ ' IP ' ]. dst } : { payload . hex () } " ) sniff ( filter = " tcp port 502 " , prn = show_modbus , store = False ) Run it on a span port, a TAP, or a mirror VLAN, and within seconds you'll see something like this: 192.168.1.50 → 192.168.1.10: 0001000000060103006400 02 192.168.1.10 → 192.168.1.50: 00010000000701030441f00000 192.168.1.50 → 192.168.1.10: 00020000000601100065000102 Every byte tells a story. Let's decode the first packet. Decoding what you just captured The Modbus TCP frame format is documented in the spec (it's public — that's part of the problem): Bytes 0-1: Transaction ID Bytes 2-3: Protocol ID (always 0x0000 for Modbus) Bytes 4-5: Length Byte 6: Unit

2026-05-28 原文 →