#20348: Kazakhstan blocking of vanilla Tor and obfs4, 2016-06
-----------------------------------------+--------------------------
     Reporter:  dcf                      |          Owner:
         Type:  project                  |         Status:  reopened
     Priority:  Medium                   |      Milestone:
    Component:  Metrics/Censorship       |        Version:
  analysis                               |
     Severity:  Normal                   |     Resolution:
     Keywords:  censorship block kz      |  Actual Points:
    Parent ID:                           |         Points:
     Reviewer:                           |        Sponsor:
-----------------------------------------+--------------------------
Comment (by dcf):

 kzblocked showed me that the HTTP injection is bidirectional: you get the
 injection even if you send a request for a blocked Host from the outside
 to the inside:

 {{{
 $ echo -n $'GET / HTTP/1.0\r\nHost: bash.im\r\n\r\n' | nc government.kz 80
 HTTP/1.1 302 Found
 Content-Length: 210
 Location: http://92.63.88.128/?NTDzLZ
 Content-Type: text/html; charset=UTF-8

 <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
 <TITLE>302 Found</TITLE></HEAD><BODY>
 <H1>302 Found</H1>
 The document has moved <A HREF="http://92.63.88.128/?NTDzLZ">here</A>
 </BODY></HTML>
 }}}

 The KZ firewall is stateful: it doesn't respond to naked TCP payloads but
 requires a connection to be established first. I.e., in scapy, this
 doesn't work:

 {{{
 sr(IP(dst="government.kz")/TCP(flags="PA", seq=123456, ack=1000)/"GET / HTTP/1.0\r\nHost: bash.im\r\n\r\n")
 }}}

 But it works if you do a TCP handshake first:

 {{{
 # r is the SYN/ACK that answers our SYN; its seq+1 is the ack the middlebox expects
 r = sr(IP(dst="government.kz")/TCP(flags="S", seq=1000))[0][0][1]
 sr(IP(dst="government.kz")/TCP(flags="PA", seq=123456, ack=r.seq+1)/"GET / HTTP/1.0\r\nHost: bash.im\r\n\r\n")
 }}}

 In comment:161 I found an ISP in Russia (2090000.ru) that had an almost
 identical injection as the Kazakh firewall, with only the redirected-to
 URL differing. kzblocked found that the same ISP ''also'' injects
 responses for censorship purposes: you get an iframe with a block page if
 you request a forbidden Host.
 Ordinary site (example.com) takes you to a payment page:

 {{{
 $ echo -n $'GET / HTTP/1.0\r\nHost: example.com\r\n\r\n' | nc 37.192.17.117 80
 HTTP/1.1 302 Found
 Content-Length: 202
 Location: http://0.2090000.ru
 Content-Type: text/html; charset=UTF-8

 <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
 <TITLE>302 Found</TITLE></HEAD><BODY>
 <H1>302 Found</H1>
 The document has moved <A HREF="http://0.2090000.ru">here</A>
 </BODY></HTML>
 }}}

 Blocked site (ej.ru) takes you to a block page:

 {{{
 $ echo -n $'GET / HTTP/1.0\r\nHost: ej.ru\r\n\r\n' | nc 37.192.17.117 80
 HTTP/1.1 200 OK
 Connection: close
 Content-Type: text/html; charset=iso-8859-1

 <HTML>
 <HEAD><TITLE>Access Denied</TITLE></HEAD>
 <BODY>
 <div align="left">
 <iframe src="http://zapret.2090000.ru" width=100%" height="1250" frameborder="0">
 </iframe>
 <p><p>
 </div>
 </BODY>
 </HTML>
 }}}

 "zapret" = [https://en.wiktionary.org/wiki/%D0%B7%D0%B0%D0%BF%D1%80%D0%B5%D1%82#Russian запрет] = "prohibition, interdiction, ban".
 The block page has a cute matryoshka doll and a link to
 http://blocklist.rkn.gov.ru/.

 The 2090000.ru responses have the same TTL and TCP option anomalies as in
 comment:166. This ISP uses the same tech for both payment enforcement and
 censorship, and all indications are that it is the same tech as in
 Kazakhstan.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20348#comment:173>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
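The two injected response shapes quoted in this comment (the `302 Found` payment redirect whose body link repeats the `Location` header, and the `200 OK` "Access Denied" page that embeds the block page in an iframe) are easy to fingerprint from a measurement vantage point. The following classifier is an added example written for this page; it is not code from the ticket, from dcf, or from the Tor Project. It parses a raw HTTP response and reports which signature it matches, so a censorship-measurement tool can tag injected replies instead of treating them as the origin server's answer. The sample responses are constructed from the `nc` transcripts above (the body line endings and the `Content-Length` values are assumed, since the transcript does not preserve them), plus an ordinary reply and an honest redirect that must not match.

```python
import re
from typing import NamedTuple, Optional


class Verdict(NamedTuple):
    kind: str              # "payment-redirect", "block-page" or "other"
    target: Optional[str]  # URL the client is sent to, when one was found


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.decode("latin-1").split("\r\n")
    version, _, rest = lines[0].partition(" ")
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    status = int(rest.split(" ", 1)[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


# Body fragments shared by the injected pages quoted in the ticket comment.
HREF_RE = re.compile(rb'<A HREF="([^"]+)">here</A>', re.IGNORECASE)
IFRAME_RE = re.compile(rb'<iframe src="([^"]+)"', re.IGNORECASE)


def classify_response(raw: bytes) -> Verdict:
    """Match one response against the two injection signatures seen in the comment."""
    status, headers, body = parse_http_response(raw)
    if status == 302 and "location" in headers and b"<TITLE>302 Found</TITLE>" in body:
        m = HREF_RE.search(body)
        # The injector's body link repeats the Location header; a mismatch is not
        # this signature, so an ordinary 302 from a real server falls through.
        if m and m.group(1).decode("latin-1") == headers["location"]:
            return Verdict("payment-redirect", headers["location"])
    if status == 200 and b"<TITLE>Access Denied</TITLE>" in body:
        m = IFRAME_RE.search(body)
        if m:
            return Verdict("block-page", m.group(1).decode("latin-1"))
    return Verdict("other", None)


def _redirect(location: str) -> bytes:
    # Constructed from the nc transcripts in the comment; "\n" body line endings
    # and a Content-Length computed from that body are assumptions.
    body = (
        '<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">\n'
        "<TITLE>302 Found</TITLE></HEAD><BODY>\n"
        "<H1>302 Found</H1>\n"
        'The document has moved <A HREF="%s">here</A>\n'
        "</BODY></HTML>\n"
    ) % location
    head = (
        "HTTP/1.1 302 Found\r\nContent-Length: %d\r\nLocation: %s\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n\r\n" % (len(body), location)
    )
    return head.encode("latin-1") + body.encode("latin-1")


# Constructed block page, reproducing the 2090000.ru transcript (including its
# stray quote in width=100%").
BLOCK_PAGE = (
    b"HTTP/1.1 200 OK\r\nConnection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    b'<HTML>\n<HEAD><TITLE>Access Denied</TITLE></HEAD>\n<BODY>\n<div align="left">\n'
    b'<iframe src="http://zapret.2090000.ru" width=100%" height="1250" frameborder="0">\n'
    b"</iframe>\n<p><p>\n</div>\n</BODY>\n</HTML>\n"
)

SAMPLES = {
    "kz 92.63.88.128 redirect": _redirect("http://92.63.88.128/?NTDzLZ"),
    "2090000.ru payment redirect": _redirect("http://0.2090000.ru"),
    "2090000.ru block page": BLOCK_PAGE,
    # Two constructed controls that a correct classifier must leave alone.
    "ordinary reply": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nhello\n",
    "plain 302, no injected body": b"HTTP/1.1 302 Found\r\nLocation: https://www.example.com/\r\n\r\n",
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        v = classify_response(raw)
        print("%-28s %-16s %s" % (name, v.kind, v.target or ""))
```

Requiring the `<A HREF>` in the body to equal the `Location` header is what separates the injector's template from a legitimate redirect; a real server's 302 rarely carries that exact body. The TTL and TCP-option anomalies the comment mentions are a second, transport-level signal that this HTTP-layer check does not cover.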