[tor-bugs] #20348 [Metrics/Censorship analysis]: Kazakhstan blocking of vanilla Tor and obfs4, 2016-06

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Dec 19 06:00:42 UTC 2016


#20348: Kazakhstan blocking of vanilla Tor and obfs4, 2016-06
-----------------------------------------+--------------------------
 Reporter:  dcf                          |          Owner:
     Type:  project                      |         Status:  reopened
 Priority:  Medium                       |      Milestone:
Component:  Metrics/Censorship analysis  |        Version:
 Severity:  Normal                       |     Resolution:
 Keywords:  censorship block kz          |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+--------------------------

Comment (by dcf):

 Replying to [comment:149 dcf]:
 > Replying to [comment:145 dcf]:
 > > Blocked sites are redirected to !http://92.63.88.128/?NTDzLZ, which in
 turn redirects to a nonexistent !http://90.263.11.193/.
 >
 > It's a combination of a "meta-refresh" redirect and a JavaScript
 redirect.

 Using the [[attachment:grepsonar.go|grepsonar]] program, I found exactly
 one server in the 20160830-http data set that had the same peculiar
 combination of redirects: 178.208.91.128:80.

 {{{
 HTTP/1.1 200 OK\r\n
 Server: nginx\r\n
 Date: Tue, 30 Aug 2016 08:27:06 GMT\r\n
 Content-Type: text/html; charset=utf-8\r\n
 Content-Length: 378\r\n
 Connection: close\r\n
 Expires: Thu, 21 Jul 1977 07:30:00 GMT\r\n
 Last-Modified: Tue, 30 Aug 2016 08:27:06 GMT\r\n
 Cache-Control: max-age=0\r\n
 Pragma: no-cache\r\n
 \r\n
 <html>\n
         <head>\n
             <meta http-equiv=\"REFRESH\" content=\"1;
 URL='http://hookup48.com/rjbsbnntp/photo'\">\n
             <script type=\"text/javascript\">window.location =
 \"http://hookup48.com/rjbsbnntp/photo\";</script>\n
         </head>\n
         <body>\n
             The Document has moved <a
 href=\"http://hookup48.com/rjbsbnntp/photo\">here</a>\n
         </body>\n
         </html>
 }}}

 I would guess this server is redirecting to some malware or spam. In
 common with the response from comment:149, it has `Expires: Thu, 21 Jul
 1977 07:30:00 GMT`. (To be fair, there are lots of other servers with that
 particular value of the header, that don't have the same peculiar
 redirects.)

 Today, the server is still serving redirects, but they look different
 (note for example the time of `0` rather than `1` in the meta-refresh
 redirect and `\r\n` rather than `\n` in the body).

 {{{
 HTTP/1.1 200 OK\r\n
 Server: nginx\r\n
 Date: Mon, 19 Dec 2016 05:52:10 GMT\r\n
 Content-Type: text/html\r\n
 Transfer-Encoding: chunked\r\n
 Connection: keep-alive\r\n
 \r\n
 <html >\r\n
 <head>\r\n
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8">\r\n
 <meta http-equiv="refresh" content="0;URL=http://aroma-
 academy.biz/disk/">\r\n
 </head> \r\n
 <body>\r\n
 <script language="javascript"
 src="http://aromaacademy.e-autopay.com/hit.js"></script> \r\n
 </body>\r\n
 </html>\r\n
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20348#comment:169>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
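As an added example that is not part of the ticket and is not dcf's grepsonar program: a small Go checker for the redirect combination the comment describes. It parses a raw HTTP response with `net/http`, pulls the target URL out of a `<meta http-equiv="refresh">` tag and out of a `window.location = "..."` assignment, and reports a match only when both are present and point at the same URL; it also notes the `Expires: Thu, 21 Jul 1977 07:30:00 GMT` header. The two sample responses are constructed inline after the ones quoted in the comment (the second one uses a Content-Length body instead of chunked encoding for simplicity); the type and function names are my own. A scan over a full Sonar data set would decode each record's response and run `ParseResponse` on it.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"regexp"
	"strings"
)

// RedirectFingerprint holds the traits the ticket comment matched on.
type RedirectFingerprint struct {
	MetaRefreshURL string // target of <meta http-equiv="refresh" ...>, "" if absent
	JSRedirectURL  string // target of window.location = "...", "" if absent
	Expires1977    bool   // Expires header is exactly the 1977 value from the ticket
}

// Matches reports the "peculiar combination": a meta-refresh and a
// JavaScript redirect in the same body, both pointing at the same URL.
func (f RedirectFingerprint) Matches() bool {
	return f.MetaRefreshURL != "" && f.MetaRefreshURL == f.JSRedirectURL
}

var (
	// Tolerates upper/lower case, optional quotes, and a quoted or bare URL.
	metaRefreshRe = regexp.MustCompile(`(?is)<meta[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']\s*\d+\s*;\s*url\s*=\s*['"]?([^'"\s>]+)`)
	jsRedirectRe  = regexp.MustCompile(`(?is)window\.location\s*=\s*["']([^"']+)["']`)
)

// ParseResponse reads one raw HTTP/1.x response and extracts the fingerprint.
func ParseResponse(raw string) (RedirectFingerprint, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return RedirectFingerprint{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return RedirectFingerprint{}, err
	}
	var f RedirectFingerprint
	if m := metaRefreshRe.FindSubmatch(body); m != nil {
		f.MetaRefreshURL = string(m[1])
	}
	if m := jsRedirectRe.FindSubmatch(body); m != nil {
		f.JSRedirectURL = string(m[1])
	}
	f.Expires1977 = resp.Header.Get("Expires") == "Thu, 21 Jul 1977 07:30:00 GMT"
	return f, nil
}

// buildResponse assembles a constructed HTTP/1.1 response with a correct Content-Length.
func buildResponse(headers []string, body string) string {
	var b strings.Builder
	b.WriteString("HTTP/1.1 200 OK\r\n")
	for _, h := range headers {
		b.WriteString(h + "\r\n")
	}
	fmt.Fprintf(&b, "Content-Length: %d\r\n\r\n%s", len(body), body)
	return b.String()
}

// sample1 is constructed after the 2016-08-30 response quoted in the ticket:
// meta-refresh plus window.location to the same URL, and the 1977 Expires header.
var sample1 = buildResponse([]string{
	"Server: nginx",
	"Content-Type: text/html; charset=utf-8",
	"Connection: close",
	"Expires: Thu, 21 Jul 1977 07:30:00 GMT",
}, `<html>
	<head>
		<meta http-equiv="REFRESH" content="1; URL='http://hookup48.com/rjbsbnntp/photo'">
		<script type="text/javascript">window.location = "http://hookup48.com/rjbsbnntp/photo";</script>
	</head>
	<body>
		The Document has moved <a href="http://hookup48.com/rjbsbnntp/photo">here</a>
	</body>
</html>`)

// sample2 is constructed after the 2016-12-19 response: meta-refresh only,
// a <script src=...> instead of window.location, and no Expires header.
var sample2 = buildResponse([]string{
	"Server: nginx",
	"Content-Type: text/html",
	"Connection: close",
}, `<html >
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="refresh" content="0;URL=http://aroma-academy.biz/disk/">
</head>
<body>
<script language="javascript" src="http://aromaacademy.e-autopay.com/hit.js"></script>
</body>
</html>`)

func main() {
	for i, raw := range []string{sample1, sample2} {
		f, err := ParseResponse(raw)
		if err != nil {
			fmt.Printf("sample%d: parse error: %v\n", i+1, err)
			continue
		}
		fmt.Printf("sample%d: %+v matches=%v\n", i+1, f, f.Matches())
	}
}
```

The first sample matches (both redirects, same URL, 1977 Expires); the second does not, because its body carries only the meta-refresh and an external script rather than a `window.location` assignment, which is exactly the difference the comment points out between the August and December responses.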