We have a several Windows 10 workstation - 6 out of 20 - constantly hitting the url "captive.apple.com/generate_204" over wired internet. Its not causing any issues but we don't understand why its happening and we want to turn it off.
Our FW logs give us this info which may be pertinent:
udp:6514
pan:threat
action allowed
app web-browsing
app:default_ports tcp/80
app:has_known_vulnerability yes
app:risk 4
app:subcategory internet-utility
app:technology browser-based
app:tunnels_other_application yes
app:used_by_malware yes
application web-browsing
category computer-and-internet-info
content_type text/html
dest 17.253.63.202
dest_hostname captive.apple.com
dest_interface ethernet1/4
dest_ip 17.253.63.202
dest_port 80
dest_zone dsl
direction client-to-server
filename generate_204
flags 0x42b000
misc captive.apple.com/generate_204
protocol tcp
rule User Internet Access - App
signature URL Filtering log(9999)
signature_id 9999
src_interface ethernet1/5.6
src_port 56363
src_translated_ip 192.168.50.1
src_translated_port 8089
threat_id 9999
threat_name -9999
type THREAT
url captive.apple.com/generate_204
user_agent Mozilla / 4.0
Solved.. The GlobalProtect client for VPN access was hitting this "URL" to test for connectivity. I found out by eliminating what services were active on startup and it was the second one I tried.
Now we can eliminate this call-out as it is a trusted app that's doing it with no payload anyhow.
So it wasn't a browser but an embedded agent within the client
Related
I have requested a public ACM certificate and I have selected the DNS validation method. After requesting the certificate it went to Pending validation state. I have created a hosted zone in Route 53 with the same domain name which I have used for my certificate. After creating the certificate I got the option "Create record in Route 53". I have created the record in Route 53 with the CNAME and it displayed as " Success
The DNS record was written to your Route 53 hosted zone. It can take 30 minutes or longer for the changes to propagate and for AWS to validate the domain and issue the certificate.". But the status of the certificate is not getting changed and it is still in pending validation only. After some time the "Create record in Route 43" option is getting enabled again. I have tried the same process multiple times almost one day but the status is not getting changed. Can someone please help to fix the issue.
In the AWS Console (Web UI), on the Certificate Manager page,
Expand the certificate that is pending
Expand the table that has domain and validation status
Click the blue button that says "Create record in Route 53" (you can also do this manually)
Give it about 10 minutes
Or follow these instructions from AWS - Why is my AWS Certificate Manager (ACM) certificate DNS validation status still pending validation?
Having the same issue here and I found out that my problem is in the NS record in my domain. My mistake was I didn't update the Name Servers in my domain, what I did was the opposite. I updated the values of the NS record in R53 based on the NS on my domain then I realized that the right thing to do was to update your NS (Name Servers) of your domain to the values of the NS record in R53. Haha (english is not my native language btw).
Just make sure you have the correct Name Servers and correct CNAME suggested by ACM. I waited a day before and still Pending Validation, but when I fixed it it took only a few minutes for my certificate to be issued.
What I would do is:
Verify that the DNS returns what is expected.
For that you can use dig (Linux) or nslookup (Windows), or even better > https://www.digwebinterface.com
If you don't get what is expected, you need to reconfigure the DNS.
Once it is verified, wait a little bit (10 min to 2h I'd say).
Something to read while you wait:
https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html
https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html
https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-pending-validation/
https://docs.aws.amazon.com/acm/latest/userguide/domain-ownership-validation.html
I have 4 servers for an http service defined on my DNS servers:
app.speednetwork.in. IN A 63.142.255.107
app.speednetwork.in. IN A 37.247.116.68
app.speednetwork.in. IN A 104.251.215.162
app.speednetwork.in. IN A 192.121.166.40
for all of them the DNS server specify a TTL (time to live) of more than 10 hours:
$ttl 38400
speednetwork.in. IN SOA plugandplay.click. info.plugandplay.click. (
1454402805
3600
3600
1209600
38400 )
Firefox ignore TTL and make a new DNS query after each 60 secs, as seen on
about:config -> network.dnsCacheExpiration 60 and on about:networking -> DNS.
Chrome shows here chrome://net-internals/#dns a correct cached dns entry, with more that 10 hours until Expired:
apis.google.com IPV4 216.58.210.174 2016-04-12 11:07:07.618 [Expired]
app.speednetwork.in IPV4 192.121.166.40 2016-04-12 21:45:36.592
but ignore this entry and every minute requery the dns as discussed https://groups.google.com/a/chromium.org/forum/#!topic/chromium-discuss/655ZTdxTftA and seen on chrome://net-internals/#events
The conclusion and the problem: every minute both browsers query dns again, receive a new IP from the 4 configured on DNS, go for a new IP/server and LOST THE TOMCAT SESSION.
As config every user browser is not an option, my question is:
1) There is some other DNS config I can use for high availability?
2) There is some http header I can use to instruct the browsers to continue using the same IP/server for the day?
The DNS TTL value is the maximum time the information may be cached. There is no minimum time, nor any requirement to cache at all. The browser behavior you describe is entirely within the DNS specs, and the browsers are doing nothing wrong. If your server solution depends on the clients remembering a DNS lookup for a certain time, then you need to redesign it. As you have already discovered, it does not work.
Building a load-balancing cluster of Tomcat servers is hardly rocket science these days, and you can easily google a solution yourself.
Keep-Alive header can make the trick. Using a large value as 65 secs, browsers reuse http connection along all session and don't try a new dns query. This is true in my app, where there is a piggyback XMLHttpRequest connection to server every minute, maybe you'll need a bigger value. Apache default is 5 secs.
On using tomcat directly:
response.setHeader("Keep-Alive", " timeout=65");
On using apache (and mod_ajp) in front of tomcat:
nano /etc/apache2/apache2.conf:
MaxKeepAliveRequests 0
KeepAliveTimeout 65
But this was not a total solution. After disconnects http connection is closed, or under several concurrent server petitions, each one is open over several servers, so results are not under the same server session.
Finally I solve this implementing CORS (cross domain), fixing a server to work with (app1, app2, etc.) and go for it until this server fails.
CORS headers on both server and client let me exchange data no matter that initial files download was from app. (IE another domain).
I'm curious if it's possible for me to write programs that can control an Apple TV, specifically an Apple TV 4th gen running tvOS 9.1.1, like Apple's Remote app for iOS can. I'd like to send it commands for navigating in the four cardinal directions, selecting an item on the screen, going up the navigation stack -- essentially what Apple's Remote app can do.
Has anyone done any work reverse engineering the protocol it uses? Cursory Googling only has so far yielded out of date results about earlier generation Apple TVs and the DAAP protocol which looks like something different than what I want.
I captured the traffic on my iPhone using tcpdump and analyzed it with WireShark. The Remote app asks the Apple TV with normal HTTP requests on port 3689.
The workflow of the app consists in four HTTP requests:
/server-info for getting infos about the Apple TV. It responds with a Apple proprietary DAAP response (Digital Audio Access Protocol) providing some tags about the device, like the display name.
/login is performed during connection, when the app displays the "Connecting to Apple TV..." message. It responds with a DAAP about the login status.
Here's the bottleneck. /home-share-verify validates the connection between the app and the Apple TV. This call needs a Client-DAAP-Validation header with a long unknown string value. According to Wikipedia, this seems to be like an hash generated by a certificate exchange between verified sources that was introduced in iTunes 7.0+ and never reverse engineered.
/ctrl-int/1/�{controlpromptupdate|controlpromptentry|playstatusupdate} seems to be the calls made for the input buttons.
Some other minor calls are fired in between (like a Bonjour service update or a /databases call).
Here and here you can find more infos. Hope this helps for getting an overview of how this simple (but protected) app works.
i wanted to tell alexa to trigger appletv and that would wake my appletv up and via HDMI & CEC turn my tv on,
in order to do that:
from your mac\linux\windows simply run:
curl -XPOST -d 'cmcc\x00\x00\x00\x01\x30cmbe\x00\x00\x00\x04menu' 'http://10.1.1.56:3689/ctrl-int/1/controlpromptentry?prompt-id=144&session-id=1'
the abstract command is:
curl -XPOST -d 'cmcc\x00\x00\x00\x01\x30cmbe\x00\x00\x00\x04menu' 'http://{APPLETV_IP}:3689/ctrl-int/1/controlpromptentry?prompt-id={CONTROL_PAIR_ID}&session-id={CONTROL_SESSION_ID}'
i extracted the CONTROL_PAIR_ID and CONTROL_SESSION_ID by setting my iphone wifi http proxy settings to my mac with fiddler on it and activated the old appletv remote app and that displayed the requests the app is executing
if you don't know how to set iphone to work with fiddler you can find it here:
http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureForiOS
I did manage to control my Apple TV (currently running tvOS 9.2) from a python script. It turns out that you don't need to use Home Sharing to have a remote app control the Apple TV. I don't know if the following method will work if Home Sharing is enabled, but with it disabled on the Apple TV, the iOS Remote app has the option to manually add a device. (This may require removing all of the devices it is already paired with, since that was unfortunately necessary for me to get it to display the 'Add a device' button.) Once I had paired my iPhone to the Apple TV, I recorded some of its requests, copied the pairing GUID, and then constructed some of my own requests.
The only three requests necessary to make are:
/login?pairing-guid=< your pairing guid here >&hasFP=1
Logs into the Apple TV. The last four bytes of the response's is a session id, encoded as a big-endian four byte integer.
/logout?session-id=< your session id here >
Logs out. Not strictly necessary, as I found that logging in simply gets you a new session id, but probably not a bad idea to do things the way it expects.
/ctrl-int/1/controlpromptentry?prompt-id=114&session-id=< your session id here >
Send user input to the Apple TV. The data is one of several buffers that input a command, or possible a moving touch. For movement in the cardinal directions, sending several of these requests to simulate a moving touch is necessary.
I have a python script demonstrating how to do this here:
http://pastebin.com/mDHc353A
Utilizes the requests library: http://docs.python-requests.org/en/master/
Also special thanks to Adam Miskiewicz / github user skevy, since I made use of this file in his atlas-backend repo that conveniently had the right buffers to send for movement: https://github.com/skevy/atlas-backend/blob/master/atlas/services/appletv.coffee
For any people still checking out this question, I recommend checking out pyatv if they want to control their Apple TV through a python or command line interface.
i've noticed that on LoLReplays webpage you can now stream live games via their program LoLRecorder. I found this code on their page
href="lrf://spectator spectator.eu.lol.riotgames.com 2nHvYdkaSjjqC7f+mtHQeIhFcUSQLFu5 488978485 EUN1 3.01.0.1"
And i've tried a little to stream from my own (already recorded) game. But all i get is unable to find match. My question is: Does anyone here know how this works?
Thanks!
TL;DR; You can't stream anything, but you can open LoLReplay in spectator mode for a specific match.
Try reinstalling LoLReplay, seemed to fix the issues that I was having.
The title of your post is somewhat misleading as no streaming actually happens - all that the link does is open LoLReplay on your local machine and pass in the details of the match you want to spectate.
This will only work for matches that are happening now, as it connects in a similar way as the LoL client does when you spectate a match.
Calling LoLReplay from the browser
The links seem to be formatted as follows:
lrf://spectator [Observer IP Address][:Observer Port] [Observer Encryption Key] [Game Id] [Platform Id] [Client Version?]
lrf://spectator tells LoLReplay to open up in spectator mode.
Observer IP Address is required and can either be a hostname or an IP address. The hostname is usually in the format spectator.[eu/na/br/etc.].lol.riotgames.com.
Observer Port is optional, I believe it defaults to 8088 which appears to be the default spectator mode port.
Observer Encryption Key... is a required per-match encryption key.
Game Id is a required, per-match integer id.
Platform Id is a more specific version of the region, I guess relating to how Riot have grouped their servers. For example EUW1.
Client Version, the last field appears to be a version number - I can only assume this is either the version of the client that LoLReplay is using OR the version of the client the players in the match are using.
How to find IP address, encryption key etc.
Edit: you can now grab all the info you need using the official Riot API, you just need the SummonerId of the user you're querying for. See current-game API docs for usage.
We are sending hell lot of e-mails to our BREW devices ( in sprint network ) and after a while our mail server queues the messages and gets stuck. When we try to flush them, we get following from the server. Is there a solution to this problem? Is this error 452 from our mail server or sprint's mail server? How to tune up sendmail for faster e-mail processing?
Running /var/spool/mqueue/n7QNOrsZ072192 (sequence 1 of 3)
<6198466914#messaging.sprintpcs.com>... Connecting to mx.messaging.sprintpcs.com. via esmtp...
220 lxnipc6003.nmcc.sprintspectrum.com ESMTP
>>> EHLO smtp.xyz.com
250-lxnipc6003.nmcc.sprintspectrum.com
250-8BITMIME
250 SIZE 20480
>>> MAIL From:<LocateNow#xyz.com> SIZE=1148
250 sender <LocateNow#xyz.com> ok
>>> RCPT To:<6198466914#messaging.sprintpcs.com>
452 Too many recipients received this hour
<6198466914#messaging.sprintpcs.com>... Deferred: 452 Too many recipients received this hour
>>> DATA
503 #5.5.1 RCPT first
>>> RSET
250 reset
This is called grey-listing. When you send too many e-mails (or more often - a certain number of e-mails where a recipient does not exist) a destination mail server does not black list you, but instead they temporarily block access from your mail server (essentially the IP address of your mail server). Usually this block is set for 1 hour but obviously can vary depending on the configuration.
You can do several things:
Contact the admins of the domain in question (e.g. postmaster#messaging.sprintpcs.com) and request your IP address to be whitelisted. (They may refuse)
Check/increase time e-mails can stay in your local queues (to have more chances of them to retry and finally get delivered
Add more public IP addresses to your server
That's from their server. It looks like email flood prevention.
One alternative is to use app-directed SMS's to get data to your BREW application.
It looks like the mx.messaging.sprintpcs.com is throttling you. Perhaps try sending your mail with different IP addresses to beat this. It is probably an attempt at spam control.