[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #20348 [Metrics/Censorship analysis]: cyberoam assists bloody dictatorships.



#20348: cyberoam assists bloody dictatorships.
-----------------------------------------+-------------------------
 Reporter:  dcf                          |          Owner:
     Type:  project                      |         Status:  closed
 Priority:  Medium                       |      Milestone:
Component:  Metrics/Censorship analysis  |        Version:
 Severity:  Normal                       |     Resolution:  invalid
 Keywords:  censorship block kz          |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+-------------------------

Comment (by dcf):

 Replying to [comment:145 dcf]:
 > Blocked sites are redirected to !http://92.63.88.128/?NTDzLZ, which in
 turn redirects to a nonexistent !http://90.263.11.193/.

 {{{
 $ torsocks wget -S --save-header --content-on-error
 http://92.63.88.128/?NTDzLZ

 HTTP/1.1 200 OK\r\n
 Server: nginx\r\n
 Date: Fri, 16 Dec 2016 17:01:22 GMT\r\n
 Content-Type: text/html; charset=utf-8\r\n
 Transfer-Encoding: chunked\r\n
 Connection: keep-alive\r\n
 Expires: Thu, 21 Jul 1977 07:30:00 GMT\r\n
 Last-Modified: Fri, 16 Dec 2016 17:01:22 GMT\r\n
 Cache-Control: max-age=0\r\n
 Pragma: no-cache\r\n
 Set-Cookie:
 cfb9f=%7B%22streams%22%3A%5B1481907682%5D%2C%22campaigns%22%3A%7B%221%22%3A1481907682%7D%2C%22time%22%3A1481907682%7D;
 expires=Mon, 16-Jan-2017 17:01:22 GMT; Max-Age=2678400; path=/\r\n
 \r\n
 <html>\n
             <head>\n
                 <meta http-equiv="REFRESH" content="1;
 URL='http://90.263.11.193'">\n
                 <script type="text/javascript">window.location =
 "http://90.263.11.193";;</script>\n
             </head>\n
             </html>
 }}}

 It's a combination of a "meta-refresh" redirect and a JavaScript redirect.
 The header has a few noteworthy characteristics:
  * `Server: nginx`.
  * `Date` and `Last-Modified` are equal (and reflect the correct time).
  * `expires=Mon, 16-Jan-2017 17:01:22 GMT` in the cookie. The date and
 time are the same as in `Date` and `Last-Modified`, but the day of the
 week is wrong: `Mon` should be `Fri`.
  * `Expires: Thu, 21 Jul 1977 07:30:00 GMT`; stayed the same even when the
 request was repeated.
  * Sets a cookie. After removing URL quoting, the cookie is
 `cfb9f={"streams":[1481907682],"campaigns":{"1":1481907682},"time":1481907682};
 expires=Mon, 16-Jan-2017 17:01:22 GMT; Max-Age=2678400; path=/'`. The
 number `1481907682` changes if you make repeated requests.

 A few minutes later I tried downloading it again, and now the result is a
 404.

 {{{
 $ torsocks wget -S --save-header --content-on-error
 http://92.63.88.128/?NTDzLZ

 HTTP/1.1 404 Not Found\r\n
 Server: nginx\r\n
 Date: Fri, 16 Dec 2016 17:32:36 GMT\r\n
 Content-Type: text/html; charset=utf-8\r\n
 Transfer-Encoding: chunked\r\n
 Connection: keep-alive\r\n
 Expires: Thu, 21 Jul 1977 07:30:00 GMT\r\n
 Last-Modified: Fri, 16 Dec 2016 17:32:36 GMT\r\n
 Cache-Control: max-age=0\r\n
 Pragma: no-cache\r\n
 \r\n
 }}}

 I also once saw it return `502 Bad Gateway`.

 {{{
 $ torsocks wget -S --save-header --content-on-error
 http://92.63.88.128/?NTDzLZ

 HTTP/1.1 502 Bad Gateway\r\n
 Server: nginx\r\n
 Date: Fri, 16 Dec 2016 17:34:02 GMT\r\n
 Content-Type: text/html\r\n
 Content-Length: 166\r\n
 Connection: keep-alive\r\n
 \r\n
 <html>\r\n
 <head><title>502 Bad Gateway</title></head>\r\n
 <body bgcolor="white">\r\n
 <center><h1>502 Bad Gateway</h1></center>\r\n
 <hr><center>nginx</center>\r\n
 </body>\r\n
 </html>\r\n
 }}}

 > The `NTDzLZ` part is important; without it, the first server redirects
 somewhere else. It could be an encoding of the destination address.

 `NTDzLZ` could be base64. Decoding it results in `35 30 f3 2d`, or decimal
 (53, 48, 243, 45), which doesn't look related to the "IP address"
 90.263.11.193.

 Without the `?NTDzLZ` part, I get a rather different HTTP reponse. It's a
 302 redirect rather than a meta-refresh or JavaScript redirect, and the IP
 address is different. Note also the capitalization on `LOCATION`.

 {{{
 $ torsocks wget -S --save-header --content-on-error --max-redirect=0
 http://92.63.88.128/

 HTTP/1.1 302 Moved Temporarily\r\n
 Server: nginx\r\n
 Date: Fri, 16 Dec 2016 17:29:42 GMT\r\n
 Content-Type: text/html; charset=utf-8\r\n
 Transfer-Encoding: chunked\r\n
 Connection: keep-alive\r\n
 LOCATION: http://92.62.192.41\r\n
 \r\n
 }}}

 Using Wget again, I also got a slightly different response (`302 Found`
 instead of `302 Moved Temporarily`, different order of headers, `Location`
 instead of `LOCATION`). I only got this kind of response once, despite
 repeated requests.

 {{{
 $ torsocks wget -S --save-header --content-on-error --max-redirect=0
 http://92.63.88.128/

 HTTP/1.1 302 Found\r\n
 Server: nginx\r\n
 Date: Fri, 16 Dec 2016 17:18:33 GMT\r\n
 Content-Type: text/html; charset=utf-8\r\n
 Location: http://92.62.192.41\r\n
 Transfer-Encoding: chunked\r\n
 Connection: keep-alive\r\n
 \r\n
 }}}

 I had gotten the `Moved Temporarily` response in Tor Browser earlier (the
 inspector reorders the headers and normalized capitalization:

 {{{
 HTTP/1.1 302 Moved Temporarily\r\n
 Connection: keep-alive\r\n
 Content-Type: text/html; charset=utf-8\r\n
 Date: Fri, 16 Dec 2016 15:45:24 GMT\r\n
 Location: http://92.62.192.41\r\n
 Server: nginx\r\n
 Transfer-Encoding: chunked\r\n
 \r\n
 }}}

 Following the redirect to !http://92.62.192.41 leads to a `503 Service
 Unavailable`, looking like a Squid proxy.

 {{{
 HTTP/1.1 503 Service Unavailable\r\n
 Connection: keep-alive\r\n
 Content-Length: 0\r\n
 Content-Type: text/html\r\n
 Date: Fri, 16 Dec 2016 15:46:50 GMT\r\n
 Mime-Version: 1.0\r\n
 Server: squid\r\n
 X-Squid-Error: ERR_CONNECT_FAIL 110\r\n
 \r\n
 }}}

 ----

 The whois of 92.63.88.128 says it belongs to an Internet company in
 Latvia, http://mwtv.lv/:

 {{{
 inetnum:        92.63.88.0 - 92.63.88.255
 netname:        MWTV
 descr:          SIA
 country:        LV
 }}}

 There is no whois of 90.263.11.193 because the octet "263" is out of
 range.

 The whois of 92.62.192.41 looks like an Internet company in Denmark,
 https://nianet.dk/:

 {{{
 inetnum:        92.62.192.0 - 92.62.192.255
 netname:        Fuzion
 remarks:        INFRA-AW
 descr:          INFRA DSL
 country:        DK
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20348#comment:149>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs