It looks like I've found a stateless mode for QUIC on the DPI for the IP addresses of GGC and Google's peering points in Russia. For example, 173.194.177.21 is a Google peering point in Moscow (domain https://rr3---sn-n8v7kn7k.googlevideo.com).
curl -v --http3-only https://rr3---sn-n8v7kn7k.googlevideo.com
- Host rr3---sn-n8v7kn7k.googlevideo.com:443 was resolved.
- IPv6: (none)
- IPv4: 173.194.177.21
- Trying 173.194.177.21:443…
- CAfile: C:\curl-8.9.1_3-win64a-mingw\bin\curl-ca-bundle.crt
- CApath: none
- ngtcp2_conn_handle_expiry returned error: ERR_HANDSHAKE_TIMEOUT
- Failed to connect to rr3---sn-n8v7kn7k.googlevideo.com port 443 after 10040 ms: Failed sending data to the peer
- closing connection #0
curl: (55) ngtcp2_conn_handle_expiry returned error: ERR_HANDSHAKE_TIMEOUT
curl -v --http3-only https://rr3---sn-n8v7kn7k.googlevideo.com --connect-to ::8.8.8.8
- Connecting to hostname: 8.8.8.8
- Trying 8.8.8.8:443…
- CAfile: C:\curl-8.9.1_3-win64a-mingw\bin\curl-ca-bundle.crt
- CApath: none
- ngtcp2_conn_handle_expiry returned error: ERR_HANDSHAKE_TIMEOUT
- Failed to connect to 8.8.8.8 port 443 after 10022 ms: Failed sending data to the peer
- closing connection #0
curl: (55) ngtcp2_conn_handle_expiry returned error: ERR_HANDSHAKE_TIMEOUT
C:\curl-8.9.1_3-win64a-mingw\bin>curl -v --http3-only https://google.com --connect-to ::173.194.177.21
- Connecting to hostname: 173.194.177.21
- Trying 173.194.177.21:443…
- CAfile: C:\curl-8.9.1_3-win64a-mingw\bin\curl-ca-bundle.crt
- CApath: none
- Server certificate:
- subject: CN=*.googlevideo.com
- start date: Aug 20 14:31:13 2024 GMT
- expire date: Oct 29 14:31:12 2024 GMT
- subjectAltName does not match hostname google.com
- SSL: no alternative certificate subject name matches target hostname ‘google.com’
- QUIC connect to 173.194.177.21 port 443 failed: SSL peer certificate or SSH remote key was not OK
- Failed to connect to 173.194.177.21 port 443 after 35 ms: SSL peer certificate or SSH remote key was not OK
- closing connection #0
curl: (60) SSL: no alternative certificate subject name matches target hostname ‘google.com’
More details here: curl - SSL CA Certificates
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
Attempts to bypass the QUIC blocking on address 173.194.177.21 with various fakes did not help (different fakes, different numbers of them, etc.). Same story with the provider's local GGC. I haven't noticed this on IPv6. For other IPs, this domain starts working when fakes are sent. But on its native IP there is still a timeout.
With fakes:
curl -v --http3-only https://rr3---sn-n8v7kn7k.googlevideo.com --connect-to ::8.8.8.8
- Connecting to hostname: 8.8.8.8
- Trying 8.8.8.8:443…
- CAfile: C:\curl-8.9.1_3-win64a-mingw\bin\curl-ca-bundle.crt
- CApath: none
- Server certificate:
- subject: CN=dns.google
- start date: Aug 5 07:20:11 2024 GMT
- expire date: Oct 28 07:20:10 2024 GMT
- subjectAltName does not match hostname rr3---sn-n8v7kn7k.googlevideo.com
- SSL: no alternative certificate subject name matches target hostname ‘rr3---sn-n8v7kn7k.googlevideo.com’
- QUIC connect to 8.8.8.8 port 443 failed: SSL peer certificate or SSH remote key was not OK
- Failed to connect to 8.8.8.8 port 443 after 104 ms: SSL peer certificate or SSH remote key was not OK
- closing connection #0
curl: (60) SSL: no alternative certificate subject name matches target hostname ‘rr3---sn-n8v7kn7k.googlevideo.com’
More details here: curl - SSL CA Certificates
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
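
An added example, not part of the original post: a small Python script that turns the four curl runs quoted above into a verdict table, treating exit code 55 with ERR_HANDSHAKE_TIMEOUT as "no QUIC handshake completed" and exit code 60 with a server certificate as "the server answered, only hostname validation failed". The transcripts are excerpts trimmed from the post; the function names and the `dropped`/`reachable` labels are assumptions made for this example.

```python
import re

GV = "rr3---sn-n8v7kn7k.googlevideo.com"
# (SNI, IP, fakes sent, curl -v lines): excerpts trimmed from the output quoted in the post
RUNS = [
    (GV, "173.194.177.21", False,
     "curl: (55) ngtcp2_conn_handle_expiry returned error: ERR_HANDSHAKE_TIMEOUT"),
    (GV, "8.8.8.8", False,
     "curl: (55) ngtcp2_conn_handle_expiry returned error: ERR_HANDSHAKE_TIMEOUT"),
    ("google.com", "173.194.177.21", False,
     "- Server certificate:\n- subject: CN=*.googlevideo.com\n"
     "curl: (60) SSL: no alternative certificate subject name matches target hostname"),
    (GV, "8.8.8.8", True,
     "- Server certificate:\n- subject: CN=dns.google\n"
     "curl: (60) SSL: no alternative certificate subject name matches target hostname"),
]

def classify(output):
    """Map one curl -v transcript to a path verdict (labels are this example's own)."""
    m = re.search(r"^curl: \((\d+)\)", output, re.M)
    code = int(m.group(1)) if m else None
    if code == 55 and "ERR_HANDSHAKE_TIMEOUT" in output:
        return "dropped"    # the handshake never completed
    if code == 60 and "Server certificate:" in output:
        return "reachable"  # a certificate arrived, so QUIC packets got through
    return "unknown"

def build_table(runs):
    """Key each verdict by (SNI, IP, fakes sent)."""
    return {(sni, ip, fakes): classify(out) for sni, ip, fakes, out in runs}

def sni_dependent_ips(table):
    """IPs that, without fakes, are reachable with one SNI and dropped with another."""
    seen = {}
    for (sni, ip, fakes), verdict in table.items():
        if not fakes:
            seen.setdefault(ip, set()).add(verdict)
    return sorted(ip for ip, v in seen.items() if {"dropped", "reachable"} <= v)

def fixed_by_fakes(table):
    """(SNI, IP) pairs that were dropped without fakes and reachable with them."""
    return sorted((s, i) for (s, i, f), v in table.items()
                  if f and v == "reachable" and table.get((s, i, False)) == "dropped")

if __name__ == "__main__":
    table = build_table(RUNS)
    for key, verdict in table.items():
        print(key, verdict)
    print("SNI-dependent IPs:", sni_dependent_ips(table))
    print("Fixed by fakes:", fixed_by_fakes(table))
```

The run on 173.194.177.21 with fakes is described in the post but its output is not quoted, so it is not in `RUNS`.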