[tor-bugs] #20348 [Metrics/Censorship analysis]: Kazakhstan blocking of vanilla Tor and obfs4, 2016-06

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Dec 21 20:53:32 UTC 2016


#20348: Kazakhstan blocking of vanilla Tor and obfs4, 2016-06
-----------------------------------------+--------------------------
 Reporter:  dcf                          |          Owner:
     Type:  project                      |         Status:  reopened
 Priority:  Medium                       |      Milestone:
Component:  Metrics/Censorship analysis  |        Version:
 Severity:  Normal                       |     Resolution:
 Keywords:  censorship block kz          |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+--------------------------

Comment (by dcf):

 kzblocked showed me that the HTTP injection is bidirectional: you get the
 injection even if you send a request for a blocked Host from the outside
 to the inside:
 {{{
 $ echo -n $'GET / HTTP/1.0\r\nHost: bash.im\r\n\r\n' | nc government.kz 80
 HTTP/1.1 302 Found
 Content-Length: 210
 Location: http://92.63.88.128/?NTDzLZ
 Content-Type: text/html; charset=UTF-8

 <HTML><HEAD><meta http-equiv="content-type"
 content="text/html;charset=utf-8">
 <TITLE>302 Found</TITLE></HEAD><BODY>
 <H1>302 Found</H1>
 The document has moved
 <A HREF="http://92.63.88.128/?NTDzLZ">here</A>
 </BODY></HTML>
 }}}

 The KZ firewall is stateful: it doesn't respond to naked TCP payloads but
 requires a connection to be established first. I.e., in scapy, this
 doesn't work:
 {{{
 # No handshake: a bare PSH/ACK segment carrying the request gets no injected reply.
 sr(IP(dst="government.kz")/TCP(flags="PA", seq=123456, ack=1000)/"GET / HTTP/1.0\r\nHost: bash.im\r\n\r\n")
 }}}
 But it works if you do a TCP handshake first:
 {{{
 # Three-way handshake first: send SYN, keep the SYN/ACK (answered list -> first pair -> reply),
 # then send the request in a PSH/ACK that acknowledges the peer's ISN.
 r = sr(IP(dst="government.kz")/TCP(flags="S", seq=1000))[0][0][1]
 sr(IP(dst="government.kz")/TCP(flags="PA", seq=123456, ack=r.seq+1)/"GET / HTTP/1.0\r\nHost: bash.im\r\n\r\n")
 }}}

 In comment:161 I found an ISP in Russia (2090000.ru) that had an almost
 identical injection to that of the Kazakh firewall, with only the
 redirected-to URL differing. kzblocked found that the same ISP ''also''
 injects responses for censorship purposes: you get an iframe with a block
 page if you request a forbidden Host. An ordinary site (example.com) takes
 you to a payment page:
 {{{
 $ echo -n $'GET / HTTP/1.0\r\nHost: example.com\r\n\r\n' | nc 37.192.17.117 80
 HTTP/1.1 302 Found
 Content-Length: 202
 Location: http://0.2090000.ru
 Content-Type: text/html; charset=UTF-8

 <HTML><HEAD><meta http-equiv="content-type"
 content="text/html;charset=utf-8">
 <TITLE>302 Found</TITLE></HEAD><BODY>
 <H1>302 Found</H1>
 The document has moved
 <A HREF="http://0.2090000.ru">here</A>
 </BODY></HTML>
 }}}
 Blocked site (ej.ru) takes you to a block page:
 {{{
 $ echo -n $'GET / HTTP/1.0\r\nHost: ej.ru\r\n\r\n' | nc 37.192.17.117 80
 HTTP/1.1 200 OK
 Connection: close
 Content-Type: text/html; charset=iso-8859-1

 <HTML>
 <HEAD><TITLE>Access Denied</TITLE></HEAD>
 <BODY>
 <div align="left">
 <iframe src="http://zapret.2090000.ru" width=100%" height="1250"
 frameborder="0"> </iframe>
 <p><p>
 </div>
 </BODY>
 </HTML>
 }}}
 "zapret" =
 [https://en.wiktionary.org/wiki/%D0%B7%D0%B0%D0%BF%D1%80%D0%B5%D1%82#Russian
 запрет] = "prohibition, interdiction, ban". The block page has a cute
 matryoshka doll and a link to http://blocklist.rkn.gov.ru/. The 2090000.ru
 responses have the same TTL and TCP option anomalies as in comment:166.
 This ISP uses the same tech for both payment enforcement and censorship,
 and all indications are that it is the same tech as in Kazakhstan.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20348#comment:173>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
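The technique in the comment above (send a request whose Host header names a blocked site to some unrelated destination that sits on the far side of the firewall, and see whether an in-path device answers instead of the real server) can be turned into a small reusable probe. The following is an added example, not dcf's code or any Tor Project tool. It uses a plain kernel TCP socket, so the three-way handshake the stateful firewall requires happens automatically; `classify_response()` fingerprints the reply as an off-site redirect, an iframe block page, or a clean answer, and `looks_injected()` applies the cross-destination check: the same Host sent to several unrelated IPs producing the same off-site redirect host or block-page host is the signature of injection rather than a genuine server response. The sample responses are constructed from the ones quoted in the ticket (the second redirect token `AbC123` is made up to show that per-connection tokens are tolerated), and the destination hosts passed on the command line are whatever the user chooses.

```python
"""Probe for in-path HTTP injection keyed on the Host header (added example)."""
import re
import socket
import sys
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample responses modelled on the ones quoted in the ticket.
KZ_REDIRECT = (
    b"HTTP/1.1 302 Found\r\nContent-Length: 210\r\n"
    b"Location: http://92.63.88.128/?NTDzLZ\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n\r\n"
    b'<HTML><HEAD><TITLE>302 Found</TITLE></HEAD><BODY><H1>302 Found</H1>'
    b'The document has moved <A HREF="http://92.63.88.128/?NTDzLZ">here</A></BODY></HTML>'
)
# Same injector, hypothetical second connection with a different token (constructed).
KZ_REDIRECT_2 = KZ_REDIRECT.replace(b"NTDzLZ", b"AbC123")
RU_BLOCKPAGE = (
    b"HTTP/1.1 200 OK\r\nConnection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    b"<HTML>\n<HEAD><TITLE>Access Denied</TITLE></HEAD>\n<BODY>\n<div align=\"left\">\n"
    b'<iframe src="http://zapret.2090000.ru" width=100%" height="1250"\n'
    b'frameborder="0"> </iframe>\n<p><p>\n</div>\n</BODY>\n</HTML>'
)
ORDINARY = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"


@dataclass
class Verdict:
    kind: str               # "redirect-offsite", "redirect-same-site", "blockpage-iframe", "clean", "no-response"
    target: Optional[str]   # Location URL or iframe src, when applicable


def classify_response(raw: bytes, vhost: str) -> Verdict:
    """Fingerprint one HTTP response received for a request with Host: vhost."""
    if not raw:
        return Verdict("no-response", None)
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    code = int(m.group(1)) if m else 0
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    if code in (301, 302, 303, 307, 308) and "location" in headers:
        loc = headers["location"]
        loc_host = (urlsplit(loc).hostname or "").lower()
        vhost = vhost.lower()
        # A redirect that leaves the requested site entirely (here: to a bare IP
        # or to an unrelated domain) is the payment/redirect injection shape.
        if loc_host != vhost and not loc_host.endswith("." + vhost):
            return Verdict("redirect-offsite", loc)
        return Verdict("redirect-same-site", loc)
    iframe = re.search(rb'<iframe[^>]*\bsrc="([^"]+)"', body, re.I)
    if code == 200 and iframe and re.search(rb"<title>\s*access denied", body, re.I):
        return Verdict("blockpage-iframe", iframe.group(1).decode("latin-1"))
    return Verdict("clean", None)


def looks_injected(verdicts: List[Verdict]) -> bool:
    """True when every destination answered the same Host with the same off-site
    redirect host or block-page host: a real server would not do that, an
    in-path injector does."""
    if len(verdicts) < 2:
        return False
    signatures = set()
    for v in verdicts:
        if v.kind not in ("redirect-offsite", "blockpage-iframe"):
            return False
        signatures.add((v.kind, urlsplit(v.target).hostname))
    return len(signatures) == 1


def probe(dest: str, vhost: str, port: int = 80, timeout: float = 5.0) -> Verdict:
    """Open a real TCP connection to dest (kernel does the handshake the
    stateful firewall insists on), send a request for vhost, classify the reply."""
    req = f"GET / HTTP/1.0\r\nHost: {vhost}\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((dest, port), timeout=timeout) as s:
        s.sendall(req)
        try:
            while True:
                c = s.recv(4096)
                if not c:
                    break
                chunks.append(c)
        except socket.timeout:
            pass
    return classify_response(b"".join(chunks), vhost)


if __name__ == "__main__":
    # usage: probe.py <Host to test> <dest IP or name> [<dest IP or name> ...]
    vhost, *dests = sys.argv[1:]
    results = [probe(d, vhost) for d in dests]
    for d, v in zip(dests, results):
        print(f"{d}: {v.kind} {v.target or ''}")
    print("in-path injection suspected:", looks_injected(results))
```

Run it with the blocked Host and two or more destinations that are unrelated to each other and to that Host; if all of them come back as the same off-site redirect or block page, the reply is coming from the path, not the endpoints. Because the socket completes the handshake before any payload is sent, a stateful injector like the one described above will react, whereas a single unsolicited PSH/ACK would not.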

