Since yesterday (February 27, 2021), users have been reporting errors when accessing github.com, with the error message Connection reset by peer.

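According to the open-source network measurement project OONI and the GFW monitoring project Blocky, access to github.com from mainland China has been failing since February 27, 2021.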

There is also a related discussion thread on the programmer forum v2ex: Is GitHub inaccessible? - V2EX

[Figure: OONI monitoring results]

[Figure: Blocky monitoring results]

Our testing shows that HTTP/HTTPS access to some of github.com's IPs is being blocked in mainland China.

DNS resolution

$ dig -4 github.com +trace

; <<>> DiG 9.16.12 <<>> -4 github.com +trace
;; global options: +cmd
.                       381180  IN      NS      g.root-servers.net.
.                       381180  IN      NS      f.root-servers.net.
.                       381180  IN      NS      j.root-servers.net.
.                       381180  IN      NS      c.root-servers.net.
.                       381180  IN      NS      b.root-servers.net.
.                       381180  IN      NS      e.root-servers.net.
.                       381180  IN      NS      a.root-servers.net.
.                       381180  IN      NS      l.root-servers.net.
.                       381180  IN      NS      d.root-servers.net.
.                       381180  IN      NS      i.root-servers.net.
.                       381180  IN      NS      h.root-servers.net.
.                       381180  IN      NS      k.root-servers.net.
.                       381180  IN      NS      m.root-servers.net.
.                       381182  IN      RRSIG   NS 8 0 518400 20210311050000 20210226040000 42351 . TVN+sfXywhhzHXs+SRxjfOkngi3zxV5oaGOMyDGeeCCCZBlVXx8fgY+B lIkVxu6M912KZsQ6k3wxOjpxRQc41g8LQfu+5c0nwakn4PZgUmIAWz35 +/c7h9Gs3P5sb15QoRX1PxvcwWkEncf26irY0cljqeKl1x0SDool3L3V mF7ldqtwzRk3CAsfz4aNC27GuWL3naibX2Y+2530zGm4PSvjHqpnDh5l AnryFJLQ/SrLIb7ZCy9A2vdQ6XVbTifjcgcMOpz7xr7CfsHVqsDXi0n3 oSswnUSNDdxys6pyL7GVgScRiNxKTA5RunWDC/2Lmcieig10lKMjCxpT 8eWirQ==
;; Received 1137 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20210312170000 20210227160000 42351 . nwUtecvYHYzJuLB7dY7S6V2MKqwCzo065LdzeDPLVumie+URZnPKyVRQ qro3Mz8IuIrE3RP94ph0Zo57YbKq1OyrbfBFQxKi6DSfXYhtT9nGPYaQ PF95cO7F+i0V/JHlsErD4xdqLGvfzQNSa70CBW5ymJlZsKzco6E33sjO z/blGsAW5v2VSRQE83vGE0vt1Ey2YOgkvpRDsWXkiLJjmcgh9Pm0Ityi hL7DvgUlW3KLGuLsG29ubqqqByy4QM6yOStyIuhVaUE1oPmeJRxDByhu N+4nD0rhBBPgT8JtECM743copOSwzndR6uSoTtto4hCPUSrn93lP29tq 3oNwzg==
;; Received 1170 bytes from 192.203.230.10#53(e.root-servers.net) in 233 ms

github.com.             172800  IN      NS      ns-520.awsdns-01.net.
github.com.             172800  IN      NS      ns-421.awsdns-52.com.
github.com.             172800  IN      NS      ns-1707.awsdns-21.co.uk.
github.com.             172800  IN      NS      ns-1283.awsdns-32.org.
github.com.             172800  IN      NS      dns1.p08.nsone.net.
github.com.             172800  IN      NS      dns2.p08.nsone.net.
github.com.             172800  IN      NS      dns3.p08.nsone.net.
github.com.             172800  IN      NS      dns4.p08.nsone.net.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20210305054100 20210226043100 58540 com. KDtmd8qOjWqXn1QRmKcuLApb+1V14GNPoYJym3Myp6+fB7ZerqZi7NGP WBGZW2QJ7N6QVPih9xDOxjfzOefv6Uc0r8ipVR7sDy3ycFMwXBfCjW49 WZgHelXGUxhISPmV7/fQ8ZLZUi2a2voipDEme1GgJqnuxD33BlM9WmfJ 8WjtSPM7SKBsv7yeBwDrE3v6+YVo717AlogKGPHVvZFRJg==
4KB4DFS71LEP8G8P8VT4CCUSQNL4CNCS.com. 86400 IN NSEC3 1 1 0 - 4KB4PTQQ5CTA7POCTGM7RUFC8B1RKTEU NS DS RRSIG
4KB4DFS71LEP8G8P8VT4CCUSQNL4CNCS.com. 86400 IN RRSIG NSEC3 8 2 86400 20210306082256 20210227071256 58540 com. XvjLfvCGUAEYtZRAs/eaKoLGoQXz2UZ4E3aVarveyknKpCqy9OPJdVhs VK99XYSK0C2Cc8IotRv729CDagjVxaqPlCRSmRMjeCKljp6315C6bR5L FovXC8j+X7LDukwkoazIZpqBZi/7kgPYMIsO2iCrmG/1yBXR4tN5G++b H9nuunGQ0L/l59j50E5ZNU0rZRbD0Tn0Gpnd5CWcfpI4iQ==
;; Received 827 bytes from 192.54.112.30#53(h.gtld-servers.net) in 189 ms

github.com.             60      IN      A       13.229.188.59
;; Received 55 bytes from 198.51.45.8#53(dns2.p08.nsone.net) in 79 ms

$ dig @example.com github.com

; <<>> DiG 9.16.12 <<>> @example.com github.com
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached
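[Figure: IPIP global ping tool results for github.com]

From the tests above, together with results from tools such as the IPIP multi-location ping tool, we find that github.com was not subjected to DNS injection: the query sent to example.com, which does not answer DNS queries, timed out instead of receiving a forged answer.

The following shell script can therefore be used to collect all available IPs from the authoritative DNS servers.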

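#!/bin/bash
# Query every authoritative name server for github.com directly (no recursion)
# and collect the distinct A records they return.

NSS=$(dig github.com ns +short)

# Start from an empty file so results from earlier runs are not mixed in.
: > github.com-ips-raw.txt

# Repeat 10 times, since a single answer may carry only one of the addresses.
for (( i=1; i<=10; i=i+1 ))
do
        for NS in $NSS
        do
            dig @"$NS" github.com +norecurse +short >> github.com-ips-raw.txt
        done
        sleep 1
done
sort -u github.com-ips-raw.txt > github.com-ips.txt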

This yields the following three IPs:

13.229.188.59
13.250.177.223
52.74.223.119

Running the following JS script on the https://tools.ipip.net/ping.php page gives consistent results.

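// Collect the second column (the resolved IP) of every row in the results table.
let IPS = [];
let tds = document.querySelectorAll('table#pdata>tbody>tr>td:nth-child(2)');
tds.forEach(td => IPS.push(td.textContent));
// De-duplicate the answers seen across all probe locations.
console.log(new Set(IPS));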
Set(4) [ "13.229.188.59(新加坡  amazon.com)", "13.250.177.223(新加坡  amazon.com)", "52.74.223.119(新加坡  amazon.com)", "github.com()" ]

TCP connections

Use the following command to check whether ports 22, 80 and 443 are open on each host.

xargs -a github.com-ips.txt nmap -Pn --host-timeout 5s -p 22,80,443

The results are as follows:

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-28 14:21 CST
Nmap scan report for ec2-13-229-188-59.ap-southeast-1.compute.amazonaws.com (13.229.188.59)
Host is up (0.16s latency).

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap scan report for ec2-13-250-177-223.ap-southeast-1.compute.amazonaws.com (13.250.177.223)
Host is up (0.12s latency).

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap scan report for ec2-52-74-223-119.ap-southeast-1.compute.amazonaws.com (52.74.223.119)
Host is up (0.10s latency).

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 3 IP addresses (3 hosts up) scanned in 3.96 seconds

Testing shows that all three IPs accept TCP connections on ports 22, 80 and 443.

Application layer

SSH protocol

Use the following script to test SSH.

# Authenticate to GitHub's SSH endpoint on each collected IP directly.
IPS=$(cat github.com-ips.txt)
for IP in $IPS
do
        echo "ssh -T git@$IP"
        ssh -T "git@$IP"
done

The results are as follows:

ssh -T git@13.229.188.59
Hi yingziwu! You've successfully authenticated, but GitHub does not provide shell access.
ssh -T git@13.250.177.223
Hi yingziwu! You've successfully authenticated, but GitHub does not provide shell access.
ssh -T git@52.74.223.119
Hi yingziwu! You've successfully authenticated, but GitHub does not provide shell access.

Testing shows that SSH connections can be established normally to all three IPs.

HTTP/HTTPS protocol

Use the following script to test HTTP/HTTPS.

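#!/bin/bash
# For each IP, send a HEAD request for github.com over HTTP and over HTTPS.
# --connect-to ::$IP: keeps github.com as the Host header and SNI while
# forcing the TCP connection to the IP under test.

IPS=$(cat github.com-ips.txt)
for IP in $IPS
do
        echo "curl -vIk --max-time 5 --connect-to ::$IP: http://github.com/"
        curl -vIk --max-time 5 --connect-to "::$IP:" http://github.com/
        echo

        echo "curl -vIk --max-time 5 --connect-to ::$IP: https://github.com/"
        curl -vIk --max-time 5 --connect-to "::$IP:" https://github.com/
        echo
done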

The results are as follows:

curl -vIk --max-time 5 --connect-to ::13.229.188.59: http://github.com/
* Connecting to hostname: 13.229.188.59
*   Trying 13.229.188.59:80...
* Connected to 13.229.188.59 (13.229.188.59) port 80 (#0)
> HEAD / HTTP/1.1
> Host: github.com
> User-Agent: curl/7.75.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Content-Length: 0
Content-Length: 0
< Location: https://github.com/
Location: https://github.com/

<
* Connection #0 to host 13.229.188.59 left intact

curl -vIk --max-time 5 --connect-to ::13.229.188.59: https://github.com/
* Connecting to hostname: 13.229.188.59
*   Trying 13.229.188.59:443...
* Connected to 13.229.188.59 (13.229.188.59) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
*  start date: May  5 00:00:00 2020 GMT
*  expire date: May 10 12:00:00 2022 GMT
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55b542a86930)
> HEAD / HTTP/2
> Host: github.com
> user-agent: curl/7.75.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
HTTP/2 200
< server: GitHub.com
server: GitHub.com
< date: Sun, 28 Feb 2021 06:52:40 GMT
date: Sun, 28 Feb 2021 06:52:40 GMT
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< vary: X-PJAX, Accept-Language, Accept-Encoding, Accept, X-Requested-With
vary: X-PJAX, Accept-Language, Accept-Encoding, Accept, X-Requested-With
< x-rails-requested-accept-language: en
x-rails-requested-accept-language: en
< content-language: en-US
content-language: en-US
< etag: W/"45c62d9ff55bf2907a32b32672bde8f4"
etag: W/"45c62d9ff55bf2907a32b32672bde8f4"
< cache-control: max-age=0, private, must-revalidate
cache-control: max-age=0, private, must-revalidate
< strict-transport-security: max-age=31536000; includeSubdomains; preload
strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
x-frame-options: deny
< x-content-type-options: nosniff
x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
< referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
< expect-ct: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
expect-ct: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
< content-security-policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com github.githubassets.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com user-images.githubusercontent.com/ *.githubusercontent.com customer-stories-feed.github.com spotlights-feed.github.com; manifest-src 'self'; media-src github.githubassets.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker-5029ae85.js gist.github.com/socket-worker-5029ae85.js
content-security-policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com github.githubassets.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com user-images.githubusercontent.com/ *.githubusercontent.com customer-stories-feed.github.com spotlights-feed.github.com; manifest-src 'self'; media-src github.githubassets.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker-5029ae85.js gist.github.com/socket-worker-5029ae85.js
< set-cookie: _gh_sess=xhc0GQv5yqaUMIyHg5gQdo0yk29IUMkhKTPD88K%2FWnqx%2Bcgzlri9mX5VevPDSbnPmmWrjc%2BmQ5c4N%2BlhvKmNS9DIKVuLL5b2nRSWOzPweWk9EEgjW6mX7HoZa3rbu4RcBqgNH5nBhHwNp15qGavmotzbE9sLvC3WDCgu3V%2FV0t9vgQYdjcvbnMH1zsiMHSfaupSHFR9DjTbYNirRSp6YGbeBXr1JdVnY1%2BFTRnGPZ79eQbnrJPexjIoSNdkbNLirwe85OuhGT99QRWePHbdd%2BQ%3D%3D--9YedbOmb6FEzQ0h6--j3Yd9TBxJbmjJGYk3l3FIA%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _gh_sess=xhc0GQv5yqaUMIyHg5gQdo0yk29IUMkhKTPD88K%2FWnqx%2Bcgzlri9mX5VevPDSbnPmmWrjc%2BmQ5c4N%2BlhvKmNS9DIKVuLL5b2nRSWOzPweWk9EEgjW6mX7HoZa3rbu4RcBqgNH5nBhHwNp15qGavmotzbE9sLvC3WDCgu3V%2FV0t9vgQYdjcvbnMH1zsiMHSfaupSHFR9DjTbYNirRSp6YGbeBXr1JdVnY1%2BFTRnGPZ79eQbnrJPexjIoSNdkbNLirwe85OuhGT99QRWePHbdd%2BQ%3D%3D--9YedbOmb6FEzQ0h6--j3Yd9TBxJbmjJGYk3l3FIA%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
< set-cookie: _octo=GH1.1.1822258003.1614495166; Path=/; Domain=github.com; Expires=Mon, 28 Feb 2022 06:52:46 GMT; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.1822258003.1614495166; Path=/; Domain=github.com; Expires=Mon, 28 Feb 2022 06:52:46 GMT; Secure; SameSite=Lax
< set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Mon, 28 Feb 2022 06:52:46 GMT; HttpOnly; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Mon, 28 Feb 2022 06:52:46 GMT; HttpOnly; Secure; SameSite=Lax
< accept-ranges: bytes
accept-ranges: bytes
< x-github-request-id: 361B:3CB4:1E3F:2045:603B3DBD
x-github-request-id: 361B:3CB4:1E3F:2045:603B3DBD

<
* Connection #0 to host 13.229.188.59 left intact

curl -vIk --max-time 5 --connect-to ::13.250.177.223: http://github.com/
* Connecting to hostname: 13.250.177.223
*   Trying 13.250.177.223:80...
* Connected to 13.250.177.223 (13.250.177.223) port 80 (#0)
> HEAD / HTTP/1.1
> Host: github.com
> User-Agent: curl/7.75.0
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

curl -vIk --max-time 5 --connect-to ::13.250.177.223: https://github.com/
* Connecting to hostname: 13.250.177.223
*   Trying 13.250.177.223:443...
* Connection timed out after 5000 milliseconds
* Closing connection 0
curl: (28) Connection timed out after 5000 milliseconds

curl -vIk --max-time 5 --connect-to ::52.74.223.119: http://github.com/
* Connecting to hostname: 52.74.223.119
*   Trying 52.74.223.119:80...
* Connected to 52.74.223.119 (52.74.223.119) port 80 (#0)
> HEAD / HTTP/1.1
> Host: github.com
> User-Agent: curl/7.75.0
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

curl -vIk --max-time 5 --connect-to ::52.74.223.119: https://github.com/
* Connecting to hostname: 52.74.223.119
*   Trying 52.74.223.119:443...
* Connected to 52.74.223.119 (52.74.223.119) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to github.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to github.com:443

Testing shows that, of github.com's three IPs, only 13.229.188.59 is usable over HTTP/HTTPS; no HTTP/HTTPS connection can be established to the other two, 13.250.177.223 and 52.74.223.119.
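To separate transport failures from resets that arrive only after hostname-bearing bytes (the Host header or the TLS ClientHello) have been sent, the curl -v transcripts above can be classified by the stage at which they stop. This is an added example, not part of the original post; the function name, stage labels and abridged sample transcripts are constructed for illustration.

```shell
#!/bin/bash
# Added example: report the stage at which a `curl -v` attempt failed.
# The stage labels are names chosen for this example, not curl output.

classify_curl_log() {
    # Reads one `curl -v` transcript on stdin and prints one stage label.
    awk '
        /^\* Connected to /           { connected = 1 }
        /^> (HEAD|GET) /              { request_sent = 1 }
        /TLS handshake, Client hello/ { hello_sent = 1 }
        /^< HTTP\//                   { got_response = 1 }
        /Connection reset by peer/    { reset = 1 }
        /timed out/                   { timeout = 1 }
        END {
            if (got_response)               print "ok"
            else if (!connected && timeout) print "tcp-timeout"
            else if (reset && request_sent) print "reset-after-http-request"
            else if (reset && hello_sent)   print "reset-after-client-hello"
            else if (reset)                 print "reset-before-payload"
            else                            print "unknown"
        }'
}

# Constructed samples, abridged from the transcripts on this page.
sample_ok() { cat <<'EOF'
* Connected to 13.229.188.59 (13.229.188.59) port 80 (#0)
> HEAD / HTTP/1.1
< HTTP/1.1 301 Moved Permanently
EOF
}
sample_http_reset() { cat <<'EOF'
* Connected to 13.250.177.223 (13.250.177.223) port 80 (#0)
> HEAD / HTTP/1.1
> Host: github.com
* Recv failure: Connection reset by peer
EOF
}
sample_tls_reset() { cat <<'EOF'
* Connected to 52.74.223.119 (52.74.223.119) port 443 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to github.com:443
EOF
}
sample_tcp_timeout() { cat <<'EOF'
*   Trying 13.250.177.223:443...
* Connection timed out after 5000 milliseconds
EOF
}

for s in sample_ok sample_http_reset sample_tls_reset sample_tcp_timeout; do
    printf '%-20s %s\n' "$s" "$("$s" | classify_curl_log)"
done
```

To classify a live run, capture curl's verbose output with `2>&1` and pipe it into `classify_curl_log`.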

The website speed test from the Chinaz webmaster tools (站长工具) confirms this for github.com: at every test point that connected successfully, github.com resolved to 13.229.188.59.

[Figure: Chinaz webmaster tools website speed test results for github.com]

Packet captures:

[Figure: packet capture for 13.250.177.223:80]

[Figure: packet capture for 13.250.177.223:443]

[Figure: packet capture for 52.74.223.119:80]

[Figure: packet capture for 52.74.223.119:443]

Summary

Our testing shows that HTTP/HTTPS access to some of github.com's IPs is being blocked in mainland China.

  • github.com DNS resolution: normal

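| IP | TCP connection | SSH connection | HTTP connection | HTTPS connection |
|---|---|---|---|---|
| 13.229.188.59 | TCP connections succeed on ports 22, 80 and 443 | Normal | Normal | Normal |
| 13.250.177.223 | TCP connections succeed on ports 22, 80 and 443 | Normal | Connection reset by peer | Connection reset by peer |
| 52.74.223.119 | TCP connections succeed on ports 22, 80 and 443 | Normal | Connection reset by peer | Connection reset by peer |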

[Figure: GitHub Status]

According to GitHub Status, GitHub currently has no service outage, and regions outside mainland China do not see the problem described above. We strongly suspect that the GFW has blocked some of github.com's IPs.