[tor-bugs] #20348 [Metrics/Censorship analysis]: cyberoam assists bloody dictatorships.

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Dec 18 02:29:36 UTC 2016


#20348: cyberoam assists bloody dictatorships.
-----------------------------------------+-------------------------
 Reporter:  dcf                          |          Owner:
     Type:  project                      |         Status:  closed
 Priority:  Medium                       |      Milestone:
Component:  Metrics/Censorship analysis  |        Version:
 Severity:  Normal                       |     Resolution:  invalid
 Keywords:  censorship block kz          |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+-------------------------

Comment (by dcf):

 Replying to [comment:159 dcf]:
 > Replying to [comment:156 cypherpunks]:
 > > Redirect generated by KZ box for blocked site:
 > > https://paste.debian.net/plainh/39d8508f
 > > (can't paste here for spam filter block)
 >
 > {{{
 > HTTP/1.1 302 Found\r\n
 > Content-Length: 210\r\n
 > Location: http://92.63.88.128/?NTDzLZ\r\n
 > Content-Type: text/html; charset=UTF-8\r\n
 > \r\n
 > <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">\n
 > <TITLE>302 Found</TITLE></HEAD><BODY>\n
 > <H1>302 Found</H1>\n
 > The document has moved\n
 > <A HREF="http://92.63.88.128/?NTDzLZ">here</A>\n
 > </BODY></HTML>\r\n
 > \r\n
 > }}}

 tl;dr: Nmap identifies a host with this signature as a Netgear wireless
 access point, by sending an HTTP request without a Host header. What do
 you see when you send `GET / HTTP/1.0\r\n\r\n` to the server that sent you
 this response?

 I ran [[attachment:grepsonar.go|a program]] to search
 [https://scans.io/study/sonar.http Project Sonar] scans of port 80 (I used
 20160830-http.gz) for the HTTP signatures in comment:149 and comment:159.
 The signature in comment:159 has many many matches, redirecting to various
 URLs, mostly under subdomains of telcom.co.id, but also afrihost.com,
 2090000.ru. Many of them are offline or have changed signature now, but by
 trying a few at random I found one that worked.

 {{{
 $ nmap -Pn -sV -p 80 37.192.17.117
 Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-17 17:48 PST
 Nmap scan report for l37-192-17-117.novotelecom.ru (37.192.17.117)
 Host is up (0.26s latency).
 PORT   STATE SERVICE VERSION
 80/tcp open  http    uhttpd 1.0.0 (Netgear WNDRMACv2 WAP http config)
 Service Info: Device: WAP; CPE: cpe:/h:netgear:wndrmacv2
 }}}

 Nmap found this result using its `GetRequest` probe, which is just `GET /
 HTTP/1.0\r\n\r\n` and doesn't include a Host header. Indeed, if I probe it
 manually with a Host header, I get a similar 302 as in comment:159, but
 without a Host header I get a 401 with `Server: uhttpd/1.0.0` (note:
 doesn't seem to be the [https://wiki.openwrt.org/doc/howto/http.uhttpd
 uHTTPd] from OpenWRT).

 {{{
 $ echo $'GET / HTTP/1.0\r\nHost: 37.192.17.117\r\n\r\n' | ncat 37.192.17.117 80
 HTTP/1.1 302 Found
 Content-Length: 202
 Location: http://0.2090000.ru
 Content-Type: text/html; charset=UTF-8

 <HTML><HEAD><meta http-equiv="content-type"
 content="text/html;charset=utf-8">
 <TITLE>302 Found</TITLE></HEAD><BODY>
 <H1>302 Found</H1>
 The document has moved
 <A HREF="http://0.2090000.ru">here</A>
 </BODY></HTML>

 $ echo $'GET / HTTP/1.0\r\n\r\n' | ncat 37.192.17.117 80
 HTTP/1.0 401 Unauthorized
 Server: uhttpd/1.0.0
 Date: Sun, 18 Dec 2016 01:41:43 GMT
 WWW-Authenticate: Basic realm="NETGEAR WNDRMACv2"
 Content-Type: text/html; charset="UTF-8"
 Connection: close

 <HTML><HEAD><META http-equiv='Pragma' content='no-cache'><META http-equiv='Cache-Control' content='no-cache'><TITLE> 401 Authorization</TITLE>
 <script language=javascript type=text/javascript>
 function cancelevent()
 {
         location.href='/unauth.cgi';
 }
 </script>
 </HEAD><BODY onload=cancelevent()></BODY></HTML>
 }}}

 I tried a bunch of the other IP addresses (about 200), but this is the
 only one I found that was still live and matched the `302 Found`
 signature.

 Perhaps this is an instance of client-side censorship, where the ISP has
 loaded a blocklist onto the customer's router, and the router is enforcing
 the redirect?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20348#comment:161>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
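The comparison dcf makes above, probing with and without a Host header and matching the two response signatures (the block-page 302 and the Netgear uhttpd 401), as an added Python example. This is not dcf's grepsonar.go and not part of the ticket: the sample responses are constructed from the captures quoted in the comment so it runs offline, and the record layout taken by grep_records() (an iterable of (ip, raw_response_bytes) pairs) is an assumption, not Project Sonar's actual file format.

```python
"""Match raw HTTP responses against the two signatures compared in the ticket:
the censorship 302 redirect and the Netgear uhttpd 401.

Added example, not dcf's grepsonar.go and not part of the ticket. The sample
responses below are constructed from the captures quoted in the comment, so the
script runs offline; the record layout for grep_records() (an iterable of
(ip, raw_response_bytes) pairs) is an assumption, not Project Sonar's format.
"""
import re


def probe_requests(host):
    """The two probes the comment compares: GET / with and without a Host header.
    The Host-less form is what Nmap's GetRequest probe sends."""
    with_host = b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    without_host = b"GET / HTTP/1.0\r\n\r\n"
    return with_host, without_host


def parse_response(raw):
    """Split a raw response into (status_code, {lowercased header: value}, body).
    Returns status None if the first line is not an HTTP status line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = re.match(rb"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        return None, {}, body
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return int(m.group(1)), headers, body


# Body of the block-page redirect quoted in comment:159 (lines joined with \n).
REDIRECT_BODY = re.compile(
    rb'<TITLE>302 Found</TITLE></HEAD><BODY>\s*<H1>302 Found</H1>\s*'
    rb'The document has moved\s*<A HREF="([^"]+)">here</A>'
)


def classify_response(raw):
    """Name the signature a raw response matches: the block-page redirect,
    the Netgear uhttpd 401, or 'other'."""
    status, headers, body = parse_response(raw)
    if (status == 302 and "location" in headers
            and headers.get("content-type", "").startswith("text/html")
            and REDIRECT_BODY.search(body)):
        return {"signature": "block-redirect", "location": headers["location"]}
    if (status == 401 and headers.get("server", "").startswith("uhttpd/")
            and "www-authenticate" in headers):
        realm = re.search(r'realm="([^"]*)"', headers["www-authenticate"])
        return {"signature": "netgear-uhttpd-401",
                "realm": realm.group(1) if realm else None}
    return {"signature": "other"}


def compare_probes(resp_with_host, resp_without_host):
    """Summarise how one host answered the two probes. A host that redirects
    only when a Host header is present is the pattern the comment describes."""
    a = classify_response(resp_with_host)["signature"]
    b = classify_response(resp_without_host)["signature"]
    return {"with_host": a, "without_host": b, "host_dependent": a != b}


def grep_records(records):
    """Scan (ip, raw_response) pairs for the redirect signature, the way the
    comment describes searching a port-80 scan, and return (ip, location)."""
    hits = []
    for ip, raw in records:
        r = classify_response(raw)
        if r["signature"] == "block-redirect":
            hits.append((ip, r["location"]))
    return hits


# Constructed samples, copied from the responses quoted in the ticket.
SAMPLE_302 = (
    b"HTTP/1.1 302 Found\r\nContent-Length: 210\r\n"
    b"Location: http://92.63.88.128/?NTDzLZ\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n\r\n"
    b'<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">\n'
    b"<TITLE>302 Found</TITLE></HEAD><BODY>\n<H1>302 Found</H1>\n"
    b'The document has moved\n<A HREF="http://92.63.88.128/?NTDzLZ">here</A>\n'
    b"</BODY></HTML>\r\n\r\n"
)
SAMPLE_401 = (
    b"HTTP/1.0 401 Unauthorized\r\nServer: uhttpd/1.0.0\r\n"
    b"Date: Sun, 18 Dec 2016 01:41:43 GMT\r\n"
    b'WWW-Authenticate: Basic realm="NETGEAR WNDRMACv2"\r\n'
    b'Content-Type: text/html; charset="UTF-8"\r\nConnection: close\r\n\r\n'
    b"<HTML><HEAD><TITLE> 401 Authorization</TITLE></HEAD><BODY></BODY></HTML>"
)
SAMPLE_OTHER = b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    print(compare_probes(SAMPLE_302, SAMPLE_401))
    print(grep_records([("192.0.2.1", SAMPLE_302), ("192.0.2.2", SAMPLE_OTHER)]))
```

Running the script prints the host-dependent summary for the two captures and the single redirect hit from the constructed records; to reproduce dcf's check against a live host you would send the two byte strings from probe_requests() and feed the replies to compare_probes().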