> YouTube Deep Packet Inspection, All HTTP connections being MITMed

wKkaY
post May 1 2013, 10:14 PM

misutā supākoru
Admin
6,008 posts

Joined: Jan 2003

I tried accessing the DAP Facebook page and can confirm that something is blocking it.

I also found a way to defeat their DPI. They are matching within a single packet instead of a stream. So if you make your HTTP request in two segments, one containing the URL and another containing the Host header, your request will not be filtered.

This (Python code) will get stuck:
CODE
from socket import socket, IPPROTO_TCP, TCP_NODELAY
s = socket()
# Disable Nagle's algorithm so each send() is transmitted immediately
s.setsockopt(IPPROTO_TCP, TCP_NODELAY, 1)
s.connect(("www.facebook.com", 80))
# Request line and Host header are written in a single send()
s.send(b"GET /DAPMalaysia HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n")
print(s.recv(65536))


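While this one succeeds:
CODE
from socket import socket, IPPROTO_TCP, TCP_NODELAY
s = socket()
# Disable Nagle's algorithm so each send() is transmitted immediately
s.setsockopt(IPPROTO_TCP, TCP_NODELAY, 1)
s.connect(("www.facebook.com", 80))
# Request line and Host header are written in two separate send() calls
s.send(b"GET /DAPMalaysia HTTP/1.1\r\n")
s.send(b"Host: www.afacebook.com\r\n\r\n")
print(s.recv(65536))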

wKkaY
post May 1 2013, 10:15 PM

QUOTE(rizvanrp @ May 1 2013, 09:58 PM)
This works for me:

CODE
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 10

Fragmenting the blacklisted HTTP requests into smaller TCP segments bypasses the blocks. It seems they are analyzing traffic on a per TCP segment basis.
*
Damn, you posted this 15 minutes before I did!
wKkaY
post May 1 2013, 11:04 PM

Cross-posting: https://plus.google.com/1013966581485225280...sts/ak6opfbDxwa
wKkaY
post May 2 2013, 01:07 AM

Cross-posting from Webcamp KL:
QUOTE
Asohan Aryaduray: DNA will be discussing this on Tech Talks on BFM, 12 noon (May 2, which is later today); Premesh Chandran of Mkini is probably joining us.

wKkaY
post May 2 2013, 09:54 AM

QUOTE(Meek @ May 2 2013, 04:54 AM)
Completely unrelated, but since 5 minutes ago I'm getting "Lowyat forum is busy blablabla" every few clicks. Everything else works fine, downloading and uploading as usual.

What are the odds Lowyat server is that busy at almost 5am in Malaysia?
*
We perform backups at that hour. This should improve once we finalize our database migration to SSDs.
wKkaY
post May 2 2013, 10:32 AM

QUOTE(JinXXX @ May 2 2013, 10:28 AM)
What SSD are you guys using? PCIe? SATA?
*
https://forum.lowyat.net/topic/2795523?author=wKkaY
wKkaY
post May 3 2013, 06:20 AM

QUOTE(tadwinks @ May 3 2013, 06:00 AM)
Could it be just pure coincidence that TM's uplinks serving those particular 'hot' pages/videos are congested?
*
It is absolutely not a coincidence. The experiments that rizvanrp and I did approached it from two directions:

1) Route requests to the same originating servers, but circumvent packet inspection by splitting HTTP headers across two packets. Requests succeed.

2) Route requests via an intermediate server that has a known good connection with the originating servers. When a packet capture is performed at the intermediate server and at the end-user, we see that packets are sent but not received. Requests still fail.
wKkaY
post May 3 2013, 06:56 AM

QUOTE(tadwinks @ May 3 2013, 06:53 AM)
Would splitting requests = smaller request packets? Now just for discussion's sake, would a smaller packet somehow be able to 'squeeze' its way in easier?
*
There's one more test that I didn't mention above which controlled for this.

If you change one letter in the URL from http://www.facebook.com/DAPMalaysia to http://www.facebook.com/XAPMalaysia , the request succeeds even without splitting. If you add letters to it, it also succeeds.
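
Added example (not part of any poster's message, and not the filter's real code): a small model of the behaviour this thread reports, comparing a matcher that inspects each TCP payload alone with one that reassembles the in-order stream before matching. The blocklist entry comes from the thread; the exact-match rule, the function names and the sample payloads are assumptions constructed for illustration.

```python
import re

# Blocklist entry from the thread; exact (host, path) matching is an assumption.
BLOCKED = {("www.facebook.com", "/DAPMalaysia")}
REQ_LINE = re.compile(rb"^(?:GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")
HOST_HDR = re.compile(rb"\r\nHost:[ \t]*([^\r\n]*)\r\n", re.IGNORECASE)

def match_request(data):
    """True if data holds both a request line and a Host header on the blocklist."""
    req, host = REQ_LINE.search(data), HOST_HDR.search(data)
    if not (req and host):
        return False
    key = (host.group(1).decode("latin-1").strip().lower(),
           req.group(1).decode("latin-1"))
    return key in BLOCKED

def per_segment_verdict(segments):
    """Filter as described in the thread: every TCP payload is inspected alone."""
    return any(match_request(seg) for seg in segments)

def reassembled_verdict(segments, max_header=8192):
    """Stream inspection: buffer in-order payloads until the header block ends."""
    buf = b""
    for seg in segments:
        buf += seg
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            return match_request(buf[:end + 4])
        if len(buf) > max_header:
            break  # oversized header: stop buffering (no match in this model)
    return False

def chunk(data, size):  # constructed helper: payloads of at most `size` bytes
    return [data[i:i + size] for i in range(0, len(data), size)]

# Constructed sample flows (payload bytes only, already in sequence order).
REQUEST = b"GET /DAPMalaysia HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
FLOWS = {
    "single segment": [REQUEST],
    "split after request line": [REQUEST[:27], REQUEST[27:]],
    "10-byte segments": chunk(REQUEST, 10),
    "one letter changed": [REQUEST.replace(b"/DAP", b"/XAP")],
}

if __name__ == "__main__":
    for name, segs in FLOWS.items():
        print(f"{name:26} per-segment={per_segment_verdict(segs)!s:5} "
              f"reassembled={reassembled_verdict(segs)}")
```

Only the single-segment flow trips the per-segment matcher, while the reassembling matcher flags all three flows that carry the listed URL and neither flags the one-letter control.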

 
