[tor-bugs] #20348 [Metrics/Censorship analysis]: cyberoam assists bloody dictatorships.

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Dec 16 18:02:11 UTC 2016


#20348: cyberoam assists bloody dictatorships.
-----------------------------------------+-------------------------
 Reporter:  dcf                          |          Owner:
     Type:  project                      |         Status:  closed
 Priority:  Medium                       |      Milestone:
Component:  Metrics/Censorship analysis  |        Version:
 Severity:  Normal                       |     Resolution:  invalid
 Keywords:  censorship block kz          |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+-------------------------

Comment (by dcf):

 Replying to [comment:145 dcf]:
 > Blocked sites are redirected to !http://92.63.88.128/?NTDzLZ, which in
 > turn redirects to a nonexistent !http://90.263.11.193/.

 {{{
 $ torsocks wget -S --save-header --content-on-error http://92.63.88.128/?NTDzLZ

 HTTP/1.1 200 OK\r\n
 Server: nginx\r\n
 Date: Fri, 16 Dec 2016 17:01:22 GMT\r\n
 Content-Type: text/html; charset=utf-8\r\n
 Transfer-Encoding: chunked\r\n
 Connection: keep-alive\r\n
 Expires: Thu, 21 Jul 1977 07:30:00 GMT\r\n
 Last-Modified: Fri, 16 Dec 2016 17:01:22 GMT\r\n
 Cache-Control: max-age=0\r\n
 Pragma: no-cache\r\n
 Set-Cookie: cfb9f=%7B%22streams%22%3A%5B1481907682%5D%2C%22campaigns%22%3A%7B%221%22%3A1481907682%7D%2C%22time%22%3A1481907682%7D; expires=Mon, 16-Jan-2017 17:01:22 GMT; Max-Age=2678400; path=/\r\n
 \r\n
 <html>\n
             <head>\n
                 <meta http-equiv="REFRESH" content="1; URL='http://90.263.11.193'">\n
                 <script type="text/javascript">window.location = "http://90.263.11.193";</script>\n
             </head>\n
             </html>
 }}}

 It's a combination of a "meta-refresh" redirect and a JavaScript redirect.
 The header has a few noteworthy characteristics:
  * `Server: nginx`.
  * `Date` and `Last-Modified` are equal (and reflect the correct time).
  * `expires=Mon, 16-Jan-2017 17:01:22 GMT` in the cookie. The date and
 time are the same as in `Date` and `Last-Modified`, but the day of the
 week is wrong: `Mon` should be `Fri`.
  * `Expires: Thu, 21 Jul 1977 07:30:00 GMT`; stayed the same even when the
 request was repeated.
  * Sets a cookie. After removing URL quoting, the cookie is
 `cfb9f={"streams":[1481907682],"campaigns":{"1":1481907682},"time":1481907682};
 expires=Mon, 16-Jan-2017 17:01:22 GMT; Max-Age=2678400; path=/`. The
 number `1481907682` changes if you make repeated requests.

 A few minutes later I tried downloading it again, and now the result is a
 404.

 {{{
 $ torsocks wget -S --save-header --content-on-error http://92.63.88.128/?NTDzLZ

 HTTP/1.1 404 Not Found\r\n
 Server: nginx\r\n
 Date: Fri, 16 Dec 2016 17:32:36 GMT\r\n
 Content-Type: text/html; charset=utf-8\r\n
 Transfer-Encoding: chunked\r\n
 Connection: keep-alive\r\n
 Expires: Thu, 21 Jul 1977 07:30:00 GMT\r\n
 Last-Modified: Fri, 16 Dec 2016 17:32:36 GMT\r\n
 Cache-Control: max-age=0\r\n
 Pragma: no-cache\r\n
 \r\n
 }}}

 I also once saw it return `502 Bad Gateway`.

 {{{
 $ torsocks wget -S --save-header --content-on-error http://92.63.88.128/?NTDzLZ

 HTTP/1.1 502 Bad Gateway\r\n
 Server: nginx\r\n
 Date: Fri, 16 Dec 2016 17:34:02 GMT\r\n
 Content-Type: text/html\r\n
 Content-Length: 166\r\n
 Connection: keep-alive\r\n
 \r\n
 <html>\r\n
 <head><title>502 Bad Gateway</title></head>\r\n
 <body bgcolor="white">\r\n
 <center><h1>502 Bad Gateway</h1></center>\r\n
 <hr><center>nginx</center>\r\n
 </body>\r\n
 </html>\r\n
 }}}

 > The `NTDzLZ` part is important; without it, the first server redirects
 > somewhere else. It could be an encoding of the destination address.

 `NTDzLZ` could be base64. Decoding it results in `35 30 f3 2d`, or decimal
 (53, 48, 243, 45), which doesn't look related to the "IP address"
 90.263.11.193.

 Without the `?NTDzLZ` part, I get a rather different HTTP response. It's a
 302 redirect rather than a meta-refresh or JavaScript redirect, and the IP
 address is different. Note also the capitalization on `LOCATION`.

 {{{
 $ torsocks wget -S --save-header --content-on-error --max-redirect=0 http://92.63.88.128/

 HTTP/1.1 302 Moved Temporarily\r\n
 Server: nginx\r\n
 Date: Fri, 16 Dec 2016 17:29:42 GMT\r\n
 Content-Type: text/html; charset=utf-8\r\n
 Transfer-Encoding: chunked\r\n
 Connection: keep-alive\r\n
 LOCATION: http://92.62.192.41\r\n
 \r\n
 }}}

 Using Wget again, I also got a slightly different response (`302 Found`
 instead of `302 Moved Temporarily`, different order of headers, `Location`
 instead of `LOCATION`). I only got this kind of response once, despite
 repeated requests.

 {{{
 $ torsocks wget -S --save-header --content-on-error --max-redirect=0 http://92.63.88.128/

 HTTP/1.1 302 Found\r\n
 Server: nginx\r\n
 Date: Fri, 16 Dec 2016 17:18:33 GMT\r\n
 Content-Type: text/html; charset=utf-8\r\n
 Location: http://92.62.192.41\r\n
 Transfer-Encoding: chunked\r\n
 Connection: keep-alive\r\n
 \r\n
 }}}

 I had gotten the `Moved Temporarily` response in Tor Browser earlier (the
 inspector reorders the headers and normalizes capitalization):

 {{{
 HTTP/1.1 302 Moved Temporarily\r\n
 Connection: keep-alive\r\n
 Content-Type: text/html; charset=utf-8\r\n
 Date: Fri, 16 Dec 2016 15:45:24 GMT\r\n
 Location: http://92.62.192.41\r\n
 Server: nginx\r\n
 Transfer-Encoding: chunked\r\n
 \r\n
 }}}

 Following the redirect to !http://92.62.192.41 leads to a `503 Service
 Unavailable`, looking like a Squid proxy.

 {{{
 HTTP/1.1 503 Service Unavailable\r\n
 Connection: keep-alive\r\n
 Content-Length: 0\r\n
 Content-Type: text/html\r\n
 Date: Fri, 16 Dec 2016 15:46:50 GMT\r\n
 Mime-Version: 1.0\r\n
 Server: squid\r\n
 X-Squid-Error: ERR_CONNECT_FAIL 110\r\n
 \r\n
 }}}

 ----

 The whois of 92.63.88.128 says it belongs to an Internet company in
 Latvia, http://mwtv.lv/:

 {{{
 inetnum:        92.63.88.0 - 92.63.88.255
 netname:        MWTV
 descr:          SIA
 country:        LV
 }}}

 There is no whois of 90.263.11.193 because the octet "263" is out of
 range.

 The whois of 92.62.192.41 looks like an Internet company in Denmark,
 https://nianet.dk/:

 {{{
 inetnum:        92.62.192.0 - 92.62.192.255
 netname:        Fuzion
 remarks:        INFRA-AW
 descr:          INFRA DSL
 country:        DK
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20348#comment:149>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
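An added example, not part of the ticket or of any Tor Project code: a small fingerprinting script that checks a captured block-page response for the traits noted in the comment above (equal `Date` and `Last-Modified`, an `Expires` in the past, a JSON cookie whose `time` matches the `Date`, a meta-refresh plus JavaScript redirect, and a redirect target with an out-of-range octet) and base64-decodes the query token. The embedded response is a constructed re-typing of the captured one with CRLF line endings; the function names are my own.

```python
import base64
import email.utils
import json
import re
from urllib.parse import unquote

# Constructed sample: the 200 block-page response quoted in the ticket, re-typed with CRLF; unneeded headers omitted.
SAMPLE = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Fri, 16 Dec 2016 17:01:22 GMT\r\n"
    "Expires: Thu, 21 Jul 1977 07:30:00 GMT\r\n"
    "Last-Modified: Fri, 16 Dec 2016 17:01:22 GMT\r\n"
    "Set-Cookie: cfb9f=%7B%22streams%22%3A%5B1481907682%5D%2C%22campaigns%22"
    "%3A%7B%221%22%3A1481907682%7D%2C%22time%22%3A1481907682%7D; "
    "expires=Mon, 16-Jan-2017 17:01:22 GMT; Max-Age=2678400; path=/\r\n\r\n"
    "<html><head><meta http-equiv=\"REFRESH\" content=\"1; URL='http://90.263.11.193'\">"
    "<script>window.location = \"http://90.263.11.193\";</script></head></html>"
)

def parse_response(raw):
    # Split a raw HTTP response into (status line, lower-cased header dict, body).
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines)}
    return status, headers, body

def valid_ipv4(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def redirect_targets(body):
    # Collect both the meta-refresh URL and the window.location assignment.
    meta = re.findall(r"URL='([^']+)'", body, re.I)
    js = re.findall(r'window\.location\s*=\s*"([^"]+)"', body)
    return sorted(set(meta + js))

def fingerprint(raw):
    # Evaluate the header and redirect traits noted in the ticket for one response.
    _, h, body = parse_response(raw)
    date = email.utils.parsedate_to_datetime(h["date"])
    cookie = json.loads(unquote(h["set-cookie"].split(";", 1)[0].split("=", 1)[1]))
    targets = redirect_targets(body)
    return {
        "date_equals_last_modified": h["date"] == h["last-modified"],
        "expires_in_past": email.utils.parsedate_to_datetime(h["expires"]) < date,
        "cookie_time_matches_date": cookie["time"] == int(date.timestamp()),
        "targets": targets,
        "target_ip_valid": all(valid_ipv4(t.split("//", 1)[1].split("/", 1)[0]) for t in targets),
    }

def decode_token(token):
    # Pad and base64-decode a query token such as NTDzLZ; returns the bytes as hex.
    return base64.b64decode(token + "=" * (-len(token) % 4)).hex()
```

Feeding the other captured responses through `fingerprint` (after adding the headers they carry) gives a quick way to tell this redirector apart from an ordinary nginx 404 or 502.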
