Internet Connectivity Test:using Google's public DNS server (8.8.8.8:53/TCP)

acrolink · January 1, 2020, 8:00pm

As described here:

gist.github.com

https://gist.github.com/7h3rAm/a4c3de8e502f755a7253

internet.py

import socket

def internet(host="8.8.8.8", port=53, timeout=3):
  """
  Host: 8.8.8.8 (google-public-dns-a.google.com)
  OpenPort: 53/tcp
  Service: domain (DNS/TCP)
  """
  try:
    socket.setdefaulttimeout(timeout)

This file has been truncated. show original

My question, won’t checking internet connection by accessing port 53 on 8.8.8.8 every 5 seconds lead possibly to getting client’s IP blocked by Google (get marked as abuse)?

Any better ideas?

kip · January 1, 2020, 8:18pm

All this does is show that at that time google’s DNS server was reachable. It says nothing about whether there is connectivity before, or after. It say nothing about whether any other destinations are reachable. ie A strategy that makes assumptions about the state of connectivity based upon a test cannot be deterministic or reliable

One of the great things about the BEAM is that it provides strategies for dealing with failure and recovery in a structured fashion and therefore using native BEAM tools would, to me, be a superior approach to the “check connectivity every so often” strategy.

nroi · January 1, 2020, 8:46pm

There’s no way to tell for certain, but I think its rather unlikely for two reasons:

a request once every five seconds is really negligible.
blocking an entire IP is unwise since IPv4s are shared among multiple users for many reasons (company proxies, NATing implemented by the ISP in order to handle IPv4 scarcity, etc). Blocking an IP, and thereby risking innocent clients to be blocked also, is something you would do out of self defense, if a client compromises the overall stability or security of your infrastructure. A request every 5 seconds is nowhere near that category.

No, there really is no clean way to test for IP connectivity in a platform- and environment-agnostic manner.

ityonemo · January 1, 2020, 10:56pm

Maybe it might be possible to do an icmp ping against 8.8.8.8, which is very unlikely to cause abuse flagging problems. The existing icmp open source ping library that exists uses a nif to get low level socket access, but since OTP 21 has a socket module, a nif should no longer be necessary. I’ve been working on getting an icmp ping module in elixir for a while (it was part of my motivation to get zigler out)… Would that be helpful to you?

acrolink · January 2, 2020, 1:06am

@ityonemo, thank you that was informative. I am actually developing for Android

kip · January 2, 2020, 1:10am

In that case wouldn’t it be more reasonable to use the Android SDK network callbacks?

hauleth · January 2, 2020, 11:26am

It is still needed as currently one cannot create ICMP socket as non-root. I have tried to write gen_icmp and I have spotted exactly this problem. In general you cannot open raw socket as non-root, so you need to use other socket type (which is possible at least on Linux).

ityonemo · January 2, 2020, 1:13pm

the old gen_icmp from msantos procket did a setuid trick which I’m not sure is the way I’d do it (since it requires I believe doing a setuid fork).

Does the socket module not work with setcap CAP_NET_RAW?

hauleth · January 2, 2020, 1:21pm

It probably does, but Linux allow to create ICMP sockets as DGRAM sockets, which allow them to be run via unprivileged user. The change I have posted will allow creation of such sockets without problems as soon as it will land in the release.

ityonemo · January 2, 2020, 1:28pm

looking forward to it! The node that will need ping has sudo privileges so it’s not a problem now, but moving forward I’d love to be able to take it off, security in depth and all that.