[tor-bugs] #20348 [Metrics/Censorship analysis]: Allot Communications blocking of vanilla Tor, obfs4, and meek in Kazakhstan, starting 2016-06

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jun 16 00:59:22 UTC 2017


#20348: Allot Communications blocking of vanilla Tor, obfs4, and meek in
Kazakhstan, starting 2016-06
-----------------------------------------+--------------------------
 Reporter:  dcf                          |          Owner:
     Type:  project                      |         Status:  reopened
 Priority:  Medium                       |      Milestone:
Component:  Metrics/Censorship analysis  |        Version:
 Severity:  Normal                       |     Resolution:
 Keywords:  censorship block kz          |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+--------------------------

Comment (by dcf):

 Replying to [comment:174 dcf]:
 > Replying to [comment:159 dcf]:
 > > Replying to [comment:156 cypherpunks]:
 > > > Redirect generated by KZ box for blocked site:
 > > > https://paste.debian.net/plainh/39d8508f
 > > > (can't paste here for spam filter block)
 > >
 > > {{{
 > > HTTP/1.1 302 Found\r\n
 > > }}}
 >
 > kzblocked found a similar 302 redirect in a Stack Overflow question, apparently from a www.google.co.in frontend server:
 >
 > https://stackoverflow.com/questions/29861189/302-found-response-for-google-com
 > {{{
 > HTTP/1.1 302 Found
 > Cache-Control: private
 > Content-Type: text/html; charset=UTF-8
 > Location: http://www.google.co.in/?gfe_rd=cr&ei=Uhw7Vbe6H_PI8Ae_qICIBA
 > Content-Length: 261
 > Date: Sat, 25 Apr 2015 04:47:14 GMT
 > Server: GFE/2.0
 > Alternate-Protocol: 80:quic,p=1
 >
 > <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
 > <TITLE>302 Moved</TITLE></HEAD><BODY>
 > <H1>302 Moved</H1>
 > The document has moved
 > <A HREF="http://www.google.co.in/?gfe_rd=cr&ei=Uhw7Vbe6H_PI8Ae_qICIBA">here</A>.
 > </BODY></HTML>
 > }}}
 >
 > The header is rather different; also notice `302 Moved` rather than `302 Found` in the HTML body.

 I thought that this google.co.in response was a fluke; but it seems to be
 representative of Google's geolocation redirects. I just now captured one
 for www.google.nl by requesting www.google.com through Tor:
 {{{
 (echo -n $'GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n'; cat) |
 torsocks -i ncat --ssl -v www.google.com 443
 }}}
 The exact file: attachment:20170615-google.nl-302.http. Here it is with
 whitespace visualized (including both `\n` and `\r\n` line endings):
 {{{
 HTTP/1.1 302 Found\r\n
 Cache-Control: private\r\n
 Content-Type: text/html; charset=UTF-8\r\n
 Referrer-Policy: no-referrer\r\n
 Location: https://www.google.nl/?gfe_rd=cr&ei=eyhDWYnWEIzHsAHJ3biIBw\r\n
 Content-Length: 259\r\n
 Date: Fri, 16 Jun 2017 00:38:19 GMT\r\n
 Alt-Svc: quic=":443"; ma=2592000; v="38,37,36,35"\r\n
 \r\n
 <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">\n
 <TITLE>302 Moved</TITLE></HEAD><BODY>\n
 <H1>302 Moved</H1>\n
 The document has moved\n
 <A HREF="https://www.google.nl/?gfe_rd=cr&ei=eyhDWYnWEIzHsAHJ3biIBw">here</A>.\r\n
 </BODY></HTML>\r\n
 }}}

 Now, this response is quite similar to the injected KZ censorship response
 from comment:159, including whitespace and capitalization quirks, but
 there are some differences. Here is a diff of the two responses.
 {{{#!diff
 --- Google      2017-06-15 17:39:18.799403353 -0700
 +++ KZ  2017-06-15 17:39:47.215466524 -0700
 @@ -1,15 +1,12 @@
  HTTP/1.1 302 Found\r\n
 -Cache-Control: private\r\n
 +Content-Length: 210\r\n
 +Location: http://92.63.88.128/?NTDzLZ\r\n
  Content-Type: text/html; charset=UTF-8\r\n
 -Referrer-Policy: no-referrer\r\n
 -Location: https://www.google.nl/?gfe_rd=cr&ei=eyhDWYnWEIzHsAHJ3biIBw\r\n
 -Content-Length: 259\r\n
 -Date: Fri, 16 Jun 2017 00:38:19 GMT\r\n
 -Alt-Svc: quic=":443"; ma=2592000; v="38,37,36,35"\r\n
  \r\n
  <HTML><HEAD><meta http-equiv="content-type"
 content="text/html;charset=utf-8">\n
 -<TITLE>302 Moved</TITLE></HEAD><BODY>\n
 -<H1>302 Moved</H1>\n
 +<TITLE>302 Found</TITLE></HEAD><BODY>\n
 +<H1>302 Found</H1>\n
  The document has moved\n
 -<A
 HREF="https://www.google.nl/?gfe_rd=cr&ei=eyhDWYnWEIzHsAHJ3biIBw">here</A>.\r\n
 +<A HREF="http://92.63.88.128/?NTDzLZ">here</A>\n
  </BODY></HTML>\r\n
 +\r\n
 }}}
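
 Review bot: the two continuation lines in this hunk that begin `content="text/html;charset=utf-8">` and `HREF=` carry no diff marker of their own (no leading space, `+` or `-`), so a tool or a reader counting lines will misparse them. Read each as the tail of the line above it: the `@@ -1,15 +1,12 @@` counts of 15 and 12 lines only add up that way. Regenerating the diff from unwrapped inputs, or attaching it as a file like the capture itself, would keep it machine-readable.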

 The differences are:
  1. Google uses `302 Found` in the status-line but `302 Moved` in the
 body; KZ uses `302 Found` in both places.
  2. The set of headers and their order are different. Google has `Content-Type` before `Location` but KZ has it the other way around.
  3. Google's `Content-Length` is correct while KZ's [[comment:202|is
 wrong]].
  4. Google says `here</A>.\r\n` while KZ says `here</A>\n` (removes the
 dot and changes the line ending).
  5. KZ ends with an additional `\r\n`.

 It almost looks like the KZ firewall was trying to imitate the Google
 redirect, but didn't quite succeed.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20348#comment:203>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
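
Added example (not part of dcf's comment and not Tor Project code): a Python check for the five differences listed in the comment, run against the KZ response rebuilt from the diff and a constructed Google-style response. It assumes the mail-wrapped `content=` and `HREF=` lines were joined by a single space; `redirect_quirks`, `google_style` and the example.com URL are names chosen here, and the checks only tell these two templates apart, they are not a general injection detector.

```python
import re

META = b'<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">\n'

def redirect_quirks(raw: bytes) -> list:
    """List which of the comment's five differences a raw 302 response shows."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    reason = lines[0].split(b" ", 1)[1]            # e.g. b"302 Found"
    pairs = [line.split(b":", 1) for line in lines[1:]]
    names = [name.strip().lower() for name, _ in pairs]
    values = {name.strip().lower(): value.strip() for name, value in pairs}
    quirks = []
    title = re.search(rb"<TITLE>(.*?)</TITLE>", body)
    if title and title.group(1) == reason:
        quirks.append("1: body title repeats the status-line reason")
    if (b"location" in names and b"content-type" in names
            and names.index(b"location") < names.index(b"content-type")):
        quirks.append("2: Location precedes Content-Type")
    if b"content-length" in values and int(values[b"content-length"]) != len(body):
        quirks.append("3: Content-Length does not match the body")
    if b"here</A>\n" in body:
        quirks.append("4: no dot and a bare LF after the link")
    if body.endswith(b"</BODY></HTML>\r\n\r\n"):
        quirks.append("5: extra CRLF after the closing tags")
    return quirks

def google_style(url: bytes = b"https://www.example.com/?x=1") -> bytes:
    """Constructed Google-style redirect: placeholder URL, computed Content-Length."""
    body = (META + b"<TITLE>302 Moved</TITLE></HEAD><BODY>\n<H1>302 Moved</H1>\n"
            b'The document has moved\n<A HREF="' + url + b'">here</A>.\r\n'
            b"</BODY></HTML>\r\n")
    return (b"HTTP/1.1 302 Found\r\nCache-Control: private\r\n"
            b"Content-Type: text/html; charset=UTF-8\r\nLocation: " + url
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

# KZ response rebuilt from the "+" and context lines of the diff in the comment.
KZ = (b"HTTP/1.1 302 Found\r\nContent-Length: 210\r\n"
      b"Location: http://92.63.88.128/?NTDzLZ\r\n"
      b"Content-Type: text/html; charset=UTF-8\r\n\r\n" + META +
      b"<TITLE>302 Found</TITLE></HEAD><BODY>\n<H1>302 Found</H1>\n"
      b"The document has moved\n"
      b'<A HREF="http://92.63.88.128/?NTDzLZ">here</A>\n</BODY></HTML>\r\n\r\n')

if __name__ == "__main__":
    print("google-style:", redirect_quirks(google_style()))
    for quirk in redirect_quirks(KZ):
        print("kz:", quirk)
```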

