
> YouTube Deep Packet Inspection, All HTTP connections being MITMed

skzisghost
post May 4 2013, 10:41 PM

Getting Started
**
Junior Member
262 posts

Joined: Dec 2006
Freshly reuploaded some blocked vids, please share now

http://www.youtube.com/watch?v=Ps0q5tIhJ0Y&feature=share

http://www.youtube.com/watch?v=XAQ1yiyBsnY&feature=share
nyemah_mulya
post May 4 2013, 10:46 PM

Getting Started
**
Junior Member
164 posts

Joined: Sep 2004
From: USJ


Second time this week that I can't access Malaysiakini, using both HTTP and HTTPS. The error:

We're sorry...

... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now.
See Google Help for more information.

fyezool
post May 4 2013, 11:09 PM

New Member
*
Junior Member
4 posts

Joined: Aug 2012
From: Mantin, Negeri Sembilan


QUOTE(rizvanrp @ May 1 2013, 04:00 AM)
Hi all,

I'm experiencing some anomalies while streaming videos off YouTube on Unifi. For certain 'political' videos -- I've observed that the HTTP connection for the videoplayback stream to YT's local CDNs are being disrupted as follows :

1. Client video player makes a connection to the YT CDN
2. HTTP GET request is sent

There's a few different behaviors after this .. :

3a. HTTP 200 OK is received however it arrives 90 seconds later (should be instant) :
user posted image

3b. HTTP 200 OK is received instantly, first 1-4KB of video stream traffic is sent (allowing the YT player to show the first frame of the video with a timestamp of 0:00).. then no traffic is received for 90 seconds once again :
user posted image

There's a duplicate TCP ACK when the stream returns, did my ACK at packet #271 ever reach the CDN in the first place??

Further testing :

1. Using an unencrypted SOCKS proxy on a remote server + non standard TCP port results in the same behavior with packet loss between the client and SOCKS proxy server

2. Using an encrypted SSH tunnel to the same remote server results in absolutely no issues with viewing the videos

Sample videos :
http://www.youtube.com/watch?v=hHTz22bTBRw
http://www.youtube.com/watch?v=uVWxB4AWOxc

UPDATE :

I performed a simultaneous packet capture on both my client + remote server while encapsulating the HTTP connection via plaintext SOCKS. All the video payload packets were dropped en route back to my SOCKS client :

user posted image

Dafuq?

UPDATE 2 :

Confirming all plaintext HTTP connections on Unifi (and maybe Celcom + Maxis) are being man-in-the-middle'd and dropped if they contain blacklisted data.

UPDATE 3 :

Other sources confirming this .. (thanks wkkay):

https://plus.google.com/1013966581485225280...sts/ak6opfbDxwa

UPDATE 4 :
What we know  :

i. The DPI isn't only being used to selectively block YouTube videos; unencrypted Facebook pages belonging to certain parties are also being blocked. You can get around this by using 'https://' in the Facebook URLs rather than 'http://'.

ii. The DPI is based on TCP segment analysis. Basically, every single TCP packet has its payload analyzed for certain request URI strings that have been blacklisted. Obfuscation attacks such as packet fragmentation (splitting a large TCP payload containing a single HTTP request into smaller TCP segments) as well as packet padding (appending a large amount of junk data to the HTTP request URI in order to force the 'HTTP/1.1\r\n' trailer into a separate TCP segment) will also work, but you need specialized HTTP proxy software or iptables rules (on Linux) to do this.

iii. Once a blacklisted payload is detected within a packet, the header information for the TCP stream (SRC/DST port + SRC/DST IP address) is added to some kind of blacklist for 90 seconds. This causes all traffic for that particular TCP stream to be dropped for 90 seconds (hence the 90 second gaps in my packet capture samples above). This is also why some of you have noticed that if you wait long enough (well, 90 seconds in my tests).. the videos/sites that are blocked will eventually continue to load. Due to the persistent nature of TCP, once the 90 second blacklist window passes.. your TCP stream will continue and the payload data for whatever you're requesting will reach your computer.
Mitigation techniques :

i. Use 'https://' wherever possible (especially on Facebook). Users in the thread have recommended HTTPS Everywhere which is a Firefox/Chrome addon to do this automatically for most major websites.

* While YouTube supports HTTPS for their main website, their player does not support it so even if you were to use HTTPS on YT.. the videos won't load.

ii. For accessing blocked YouTube videos, you can use some of the various YouTube proxy sites such as ProxFree.

iii. Get a VPN/SSH tunnel service if you're worried about having your HTTP requests intercepted.
UPDATE 5 :
Response from MCMC
Hey, here's a simple test you can do with less than 2 commands on a Linux box + Wireshark :

CODE
wget http://www.facebook.com/DAPMalaysia

user posted image

So an HTTP GET request for /DAPMalaysia results in the query taking 109 seconds to respond, along with 8 TCP retransmissions (I'm basically getting 0 TCP responses from the server for 109 seconds). Let's see what happens when we request the exact same URL but append 1500 bytes of junk URI padding to the end:

CODE
#!/bin/bash
# Build a 1500-byte run of 'A' and append it to the URI as a query string so
# the request line no longer fits inside a single TCP segment.
PADDING=""
for i in {1..1500}
do
    PADDING="${PADDING}A"
done
wget "http://www.facebook.com/DAPMalaysia?test=${PADDING}"

.. which results in ..
CODE
wget "http://www.facebook.com/DAPMalaysia?test=AAAAA... (1500 times)"

user posted image

Oh? What do you know, no issues at all. Apparently appending an extra 1500 bytes of junk data to every HTTP request on a 'congested' network results in less network congestion. Who would have guessed /s

---

My final comments on this issue ..

I'm pretty apolitical when it comes to the Internet and networking. The only reason I have to keep testing what some may call PR-friendly URLs is because it seems that the only time we have 'congestion' is when accessing such content.. and the 'congestion' goes away the moment you obfuscate the requests enough. With the resources that the MCMC has available to debug these kind of issues, I'm honestly surprised they haven't figured this out already.

The tests we've done here show that, at the very least, there is some kind of HTTP request inspection happening and traffic is being dropped once certain strings have been identified. As Internet users and/or caretakers, we should be against any form of Internet censorship. I leave you with these two articles hosted on the MCMC/SKMM website:

http://www.skmm.gov.my/Media/Press-Clippin...sur-fitnah.aspx
http://www.skmm.gov.my/Media/Press-Clippin...edia-In-Ge.aspx

user posted image
*
wow, using Wireshark eh..
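The quoted post describes the mechanism it observed: each TCP segment is matched on its own against a blacklisted request string, and a hit puts the flow's 4-tuple on a 90-second drop list. The following simulation is an added example, not code from the post or from any real DPI product, and it models that behaviour with assumptions of its own: the signature (a full request line for /DAPMalaysia inside one inspected buffer), a 1460-byte segment payload, and constructed RFC 5737 addresses for the flow. It shows why the post's 1500-byte padding trick and plain fragmentation slip past a per-segment matcher, why they do not beat a matcher that reassembles the stream, and how the 90-second window releases the flow.

```python
import re
from dataclasses import dataclass, field

MSS = 1460            # assumed TCP payload size per segment on an Ethernet path
BLOCK_SECONDS = 90    # length of the blacklist window measured in the thread

# Constructed signature (an assumption about the real box): the whole request
# line for a blacklisted path must be visible inside one inspected buffer.
BLACKLIST = [re.compile(rb"^GET /DAPMalaysia[^\r\n]* HTTP/1\.[01]\r\n", re.M)]

# Constructed 4-tuple (RFC 5737 documentation addresses).
FLOW = ("192.0.2.10", 51234, "198.51.100.5", 80)


@dataclass
class Segment:
    flow: tuple      # (src ip, src port, dst ip, dst port)
    payload: bytes


@dataclass
class PerSegmentDPI:
    """Matches each TCP segment in isolation (no stream reassembly) and, on a
    hit, drops every further segment of that flow for BLOCK_SECONDS."""
    blocked_until: dict = field(default_factory=dict)

    def inspect(self, seg: Segment, now: float) -> str:
        expiry = self.blocked_until.get(seg.flow)
        if expiry is not None and now < expiry:
            return "drop"                     # flow still inside its 90 s window
        if any(sig.search(seg.payload) for sig in BLACKLIST):
            self.blocked_until[seg.flow] = now + BLOCK_SECONDS
            return "drop"
        return "pass"


@dataclass
class ReassemblingDPI(PerSegmentDPI):
    """Same rules applied to the reassembled byte stream of the flow. The
    caveat: neither padding nor small segments get past this variant."""
    streams: dict = field(default_factory=dict)

    def inspect(self, seg: Segment, now: float) -> str:
        buf = self.streams.get(seg.flow, b"") + seg.payload
        self.streams[seg.flow] = buf
        return super().inspect(Segment(seg.flow, buf), now)


def build_request(path: bytes, padding: int = 0,
                  host: bytes = b"www.facebook.com") -> bytes:
    """Plain HTTP/1.1 GET; `padding` junk bytes go on the URI, as in the
    thread's wget loop, so the request line outgrows a single segment."""
    if padding:
        path += b"?test=" + b"A" * padding
    return b"GET " + path + b" HTTP/1.1\r\nHost: " + host + b"\r\n\r\n"


def segmentise(request: bytes, size: int) -> list:
    """Cut the request into TCP-segment-sized payloads."""
    return [request[i:i + size] for i in range(0, len(request), size)]


def send(dpi: PerSegmentDPI, request: bytes, seg_size: int = MSS,
         now: float = 0.0) -> list:
    """Push one request through `dpi` segment by segment; return the verdicts."""
    return [dpi.inspect(Segment(FLOW, chunk), now)
            for chunk in segmentise(request, seg_size)]


def timeout_demo() -> list:
    """One flow: blacklisted at t=0, still dropped at t=10, released at t=91."""
    dpi = PerSegmentDPI()
    probe = b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
    return [send(dpi, build_request(b"/DAPMalaysia"), now=0)[0],
            send(dpi, probe, now=10)[0],
            send(dpi, probe, now=91)[0]]


if __name__ == "__main__":
    plain = build_request(b"/DAPMalaysia")
    padded = build_request(b"/DAPMalaysia", padding=1500)
    for name, cls in (("per-segment", PerSegmentDPI), ("reassembling", ReassemblingDPI)):
        print(name, "plain:      ", send(cls(), plain))
        print(name, "padded:     ", send(cls(), padded))
        print(name, "8-byte segs:", send(cls(), plain, seg_size=8))
    print("90 s window:", timeout_demo())
```

The padded request is 1559 bytes, so the " HTTP/1.1\r\n" trailer lands in the second segment and neither segment satisfies the signature on its own; the reassembling variant catches it as soon as the second segment arrives, which is the practical limit of these tricks and the reason the post's final advice is to encrypt (HTTPS, SSH, VPN) rather than obfuscate.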
fifa76
post May 5 2013, 01:15 AM

New Member
*
Junior Member
34 posts

Joined: Jan 2010
Not sure what happened, I can't access Facebook from Maxis Fiber now..

karhoe
post May 5 2013, 01:17 AM

Look at all my stars!!
*******
Senior Member
6,236 posts

Joined: Sep 2005
From: Kuala Lumpur



QUOTE(fifa76 @ May 5 2013, 01:15 AM)
Not sure what happened, I can't access Facebook from Maxis Fiber now..
*
Same!
yen223
post May 5 2013, 02:42 AM

Enthusiast
*****
Senior Member
777 posts

Joined: Jul 2005
From: mars


QUOTE(karhoe @ May 5 2013, 01:17 AM)
Same!
*
I can access Facebook on Maxis Fibre, but no pictures are showing up!

Also, can't access StackOverflow or GitHub
babybaby1988
post May 5 2013, 02:57 AM

Getting Started
**
Junior Member
257 posts

Joined: Feb 2011
From: bolehLAND! <3


can I call 100 to complain?
wira4ce
post May 5 2013, 05:59 AM

Getting Started
**
Junior Member
187 posts

Joined: May 2005
From: 𝔒𝔲𝔱𝔢𝔯𝔰𝔭𝔞𝔠𝔢



QUOTE(skzisghost @ May 4 2013, 10:41 PM)
Video 1 cannot open, positive
Video 2 makes my eyes water..
steason
post May 5 2013, 06:23 AM

Getting Started
**
Junior Member
243 posts

Joined: Sep 2009



Blocked, totally can't load. Completely can't load. 100% can't load.

Lucky that someone reuploaded it here: https://www.facebook.com/photo.php?v=152704...2&t%C2%ADheater

Someone reuploaded it here, and at the moment I'm writing this the stream is working:



To check whether all of them are being blocked, test all of these: http://www.youtube.com/results?search_quer...BFull+Moment%5D

[Update 4:04am 5th May 2013] Most of the videos of <tragedi flashmob in ipoh> are completely blocked/can't stream. To find a working video, use Google search: http://goo.gl/ubjP3
Lots of people uploaded it with the title < PRU13: Tragedi Flashmob berdarah di Ipoh [Full Moment] >


Copied from my post: https://forum.lowyat.net/index.php?showtopi...post&p=60129565
xbotzz
post May 5 2013, 07:12 AM

Casual
***
Junior Member
306 posts

Joined: Sep 2007


OK guys.. do this.. Android and Apple OS: go download vpnintouch.. Read through the tutorial to set up the PPTP VPN tunnel.. They can't do much when you encrypt your payload and get in through a different gateway... I can watch all the clips above... Good luck guys...

I tested with my Android... too lazy to test with my iPad.. If it works please spread it... Going to queue for my vote now... Ini kalilah (this is the time)...

This post has been edited by xbotzz: May 5 2013, 07:18 AM
solarmystic
post May 5 2013, 07:25 AM

Getting Started
**
Junior Member
183 posts

Joined: Jun 2009
I could watch all the posted videos, but only through VPN. Bloody hell, they're really stepping up the censorship efforts, even blocking certain vids on YouTube lol.

The video taken in Ipoh is quite damning though.
khairilyazit
post May 5 2013, 10:28 AM

Casual
***
Junior Member
404 posts

Joined: Sep 2010
From: Papar, Sabah


Same here in Sabah... speed is totally crap... you know something is wrong when your download speed is lower than your upload speed...
DragonReine
post May 5 2013, 10:53 AM

just another dog on the Internet
*******
Senior Member
2,144 posts

Joined: Aug 2011
Look on other video upload websites; those aren't blocked (yet).
steason
post May 5 2013, 12:35 PM

Getting Started
**
Junior Member
243 posts

Joined: Sep 2009


QUOTE(DragonReine @ May 5 2013, 10:53 AM)
Look on other video upload websites; those aren't blocked (yet).
*
They just want to block the famous links.
SUSvuetnam
post May 5 2013, 01:41 PM

Regular
******
Senior Member
1,259 posts

Joined: May 2012
From: Kaoshiung, Taiwan and Kuala Lumpur


Can anyone here compile all the videos and PM me? I'll email the United Nations, International Criminal Court and International Criminal Justice and the US about this, and I'll be online till 4pm.

This post has been edited by vuetnam: May 5 2013, 01:45 PM
steason
post May 5 2013, 01:55 PM

Getting Started
**
Junior Member
243 posts

Joined: Sep 2009


QUOTE(vuetnam @ May 5 2013, 01:41 PM)
Can anyone here compile all the videos and PM me? I'll email the United Nations, International Criminal Court and International Criminal Justice and the US about this, and I'll be online till 4pm.
*
Most of the <PRU13: Tragedi Flashmob berdarah di Ipoh [Full Moment]> videos are now working for me. I guess they stopped blocking after the 1pm polling.
SUSvuetnam
post May 5 2013, 01:56 PM

Regular
******
Senior Member
1,259 posts

Joined: May 2012
From: Kaoshiung, Taiwan and Kuala Lumpur


QUOTE(steason @ May 5 2013, 01:55 PM)
Most of the <PRU13: Tragedi Flashmob berdarah di Ipoh [Full Moment]> videos are now working for me. I guess they stopped blocking after the 1pm polling.
*
Whatever la, I don't care... I just want those idiots executed
amadeo
post May 5 2013, 02:02 PM

Mafia
*******
Senior Member
3,503 posts

Joined: Jan 2003
From: ..Whenever i may roam...
Still blocked here.. I guess it depends on the user's IP then.. mine is 60.49.x.x .. tried using a crappy VPN and the video loads without a hitch..
paultantk
post May 6 2013, 09:02 PM

Casual
***
Junior Member
351 posts

Joined: Jan 2003


Guys, is the deep packet inspection still happening? Been on VPN for a few days already...
mrl
post May 6 2013, 10:50 PM

Enthusiast
*****
Senior Member
977 posts

Joined: Jan 2009
From: In the middle...


Seems to be the case... the vids still can't be viewed...
