[tor-bugs] #20348 [Metrics/Censorship analysis]: Kazakhstan blocking of vanilla Tor and obfs4, 2016-06

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Dec 19 04:36:53 UTC 2016


#20348: Kazakhstan blocking of vanilla Tor and obfs4, 2016-06
-----------------------------------------+--------------------------
 Reporter:  dcf                          |          Owner:
     Type:  project                      |         Status:  reopened
 Priority:  Medium                       |      Milestone:
Component:  Metrics/Censorship analysis  |        Version:
 Severity:  Normal                       |     Resolution:
 Keywords:  censorship block kz          |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+--------------------------

Comment (by dcf):

 Here is a pcap of trying to download a blocked site:
 attachment:youporn.com.pcap. The response is the same redirect to
 !http://92.63.88.128/?NTDzLZ first mentioned in comment:145.

 The response looks like an in-band injection to me, for two reasons. The
 first is that the TTLs differ in the SYN/ACK ('''`ttl 50`''') and the HTTP
 response ('''`ttl 58`'''). The second is that there are TCP options in the
 SYN/ACK ('''`[mss 1304,sackOK,TS val 845116384 ecr 17593903,nop,wscale
 7]`''') but none in the HTTP response. Particularly the `TS` option should
 oblige the server to include timestamps in all its subsequent segments.

 The server sets the FIN bit when it sends the HTTP response. For some
 reason, though, the client RSTs the connection at the end.

 {{{
 #!html
 <pre>
 <span style="background:cornsilk">10:40:31.768987 IP (tos 0x0, ttl 64, id
 8730, offset 0, flags [DF], proto TCP (6), length 60)
     10.11.0.150.52824 > 31.192.120.44.http: Flags [S], cksum 0x1df2
 (correct), seq 2069320757, win 29200, <strong>options [mss 1460,sackOK,TS
 val 17593903 ecr 0,nop,wscale 7]</strong>, length 0</span>
 <span style="background:lavender">10:40:32.162036 IP (tos 0x20,
 <strong>ttl 50</strong>, id 0, offset 0, flags [DF], proto TCP (6), length
 60)
     31.192.120.44.http > 10.11.0.150.52824: Flags [S.], cksum 0x4cf4
 (correct), seq 3620557931, ack 2069320758, win 28960, options [mss
 1304,sackOK,TS val 845116384 ecr 17593903,nop,wscale 7], length 0</span>
 <span style="background:cornsilk">10:40:32.162067 IP (tos 0x0, ttl 64, id
 8731, offset 0, flags [DF], proto TCP (6), length 52)
     10.11.0.150.52824 > 31.192.120.44.http: Flags [.], cksum 0xeafc
 (correct), ack 1, win 229, options [nop,nop,TS val 17594002 ecr
 845116384], length 0
 10:40:32.162223 IP (tos 0x0, ttl 64, id 8732, offset 0, flags [DF], proto
 TCP (6), length 161)
     10.11.0.150.52824 > 31.192.120.44.http: Flags [P.], cksum 0x9075
 (correct), seq 1:110, ack 1, win 229, options [nop,nop,TS val 17594002 ecr
 845116384], length 109: HTTP, length: 109
         GET / HTTP/1.1
         User-Agent: Wget/1.16 (linux-gnu)
         Accept: */*
         Host: youporn.com
         Connection: Keep-Alive
         </span>
 <span style="background:lavender">10:40:32.457302 IP (tos 0x20,
 <strong>ttl 58</strong>, id 0, offset 0, flags [DF], proto TCP (6), length
 386)
     31.192.120.44.http > 10.11.0.150.52824: Flags [FP.], cksum 0x55d6
 (correct), seq 1:347, ack 110, win 229, length 346: HTTP, length: 346
         HTTP/1.1 302 Found
         Content-Length: 210
         Location: http://92.63.88.128/?NTDzLZ
         Content-Type: text/html; charset=UTF-8

         <HTML><HEAD><meta http-equiv="content-type"
 content="text/html;charset=utf-8">
         <TITLE>302 Found</TITLE></HEAD><BODY>
         <H1>302 Found</H1>
         The document has moved
         <A HREF="http://92.63.88.128/?NTDzLZ">here</A>
         </BODY></HTML>
         </span>
 <span style="background:cornsilk">10:40:32.493859 IP (tos 0x0, ttl 64, id
 8733, offset 0, flags [DF], proto TCP (6), length 52)
     10.11.0.150.52824 > 31.192.120.44.http: Flags [.], cksum 0xe8d9
 (correct), ack 348, win 237, options [nop,nop,TS val 17594085 ecr
 845116384], length 0
 10:40:34.829753 IP (tos 0x0, ttl 64, id 8734, offset 0, flags [DF], proto
 TCP (6), length 52)
     10.11.0.150.52824 > 31.192.120.44.http: Flags [R.], cksum 0xe68e
 (correct), seq 110, ack 348, win 237, options [nop,nop,TS val 17594668 ecr
 845116384], length 0</span>
 </pre>
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20348#comment:166>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
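
The two checks described in the comment above (TTL differing from the SYN/ACK, and the TS option disappearing after it was negotiated), as an added example that is not part of the original message or of any Tor Project tool. The function names `parse` and `injection_signs` are hypothetical, and the sample is constructed by re-joining three of the wrapped tcpdump -v records from the capture; a TS option in the SYN/ACK is taken to mean timestamps were negotiated.

```python
import re

# Constructed sample: three segments from the capture in the comment above,
# re-joined into tcpdump -v's two-line records (values copied from the page).
SAMPLE = """\
10:40:31.768987 IP (tos 0x0, ttl 64, id 8730, offset 0, flags [DF], proto TCP (6), length 60)
    10.11.0.150.52824 > 31.192.120.44.http: Flags [S], cksum 0x1df2 (correct), seq 2069320757, win 29200, options [mss 1460,sackOK,TS val 17593903 ecr 0,nop,wscale 7], length 0
10:40:32.162036 IP (tos 0x20, ttl 50, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    31.192.120.44.http > 10.11.0.150.52824: Flags [S.], cksum 0x4cf4 (correct), seq 3620557931, ack 2069320758, win 28960, options [mss 1304,sackOK,TS val 845116384 ecr 17593903,nop,wscale 7], length 0
10:40:32.457302 IP (tos 0x20, ttl 58, id 0, offset 0, flags [DF], proto TCP (6), length 386)
    31.192.120.44.http > 10.11.0.150.52824: Flags [FP.], cksum 0x55d6 (correct), seq 1:347, ack 110, win 229, length 346: HTTP, length: 346
"""

HDR = re.compile(r"^\S+ IP \(.*?\bttl (\d+),")
SEG = re.compile(r"^\s+(\S+) > (\S+): Flags \[([^\]]*)\],(.*)$")

def parse(text):
    """Return one dict per packet: endpoints, flags, IP TTL, TS option present."""
    pkts, ttl = [], None
    for line in text.splitlines():
        if (m := HDR.match(line)):
            ttl = int(m.group(1))
        elif (m := SEG.match(line)) and ttl is not None:
            src, dst, flags, rest = m.groups()
            opts = re.search(r"options \[([^\]]*)\]", rest)
            pkts.append({"src": src, "dst": dst, "flags": flags, "ttl": ttl,
                         "ts": bool(opts and "TS val" in opts.group(1))})
            ttl = None
    return pkts

def injection_signs(pkts):
    """Compare every later segment with the SYN/ACK sent in the same direction."""
    synack, findings = {}, []
    for p in pkts:
        flow = (p["src"], p["dst"])
        if p["flags"] == "S.":
            synack[flow] = p
        elif (base := synack.get(flow)) is not None:
            if p["ttl"] != base["ttl"]:  # a hint only: route changes also shift TTL
                findings.append((p["flags"], f"ttl {base['ttl']} -> {p['ttl']}"))
            # Once timestamps are negotiated, only RST segments may omit them.
            if base["ts"] and not p["ts"] and "R" not in p["flags"]:
                findings.append((p["flags"], "TS option missing after negotiation"))
    return findings

if __name__ == "__main__":
    for flags, reason in injection_signs(parse(SAMPLE)):
        print(f"[{flags}] {reason}")
```

Neither signal is conclusive alone; the comment treats the two together as the evidence for injection.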

