Comments (8)
The IP addresses making up the total pool are not random—most of them belong to US-based organizations like Facebook, Dropbox, and Twitter
Ah, this is interesting. This could explain more and more reports that access to websites encounters certificate errors instead of timeouts. Certificate errors appear to be legitimately caused by misconfiguration instead of censorship, as certificate misconfiguration is very common in China, so the grievance is no longer directed at the GFW.
There is more than one DNS injector
I think these could be independently developed projects with different design goals. Maybe some of these are outsourced to contractors. Being independent allows them not to fail simultaneously.
This could explain more and more reports that access to websites encounters certificate errors instead of timeouts.
Thank you for sharing such an interesting hypothesis; however, it seems these certificate errors may not be mainly because the clients were directed to some Facebook/Dropbox/Twitter servers. This is because clients in China could not even complete a TCP handshake to port 443 of these injected IPs in the first place.
As mentioned in Section 3.2, we test the reachability of the 216 injected IPs from our VPS in China and the United States by initiating TCP handshakes on port 80 and port 443. Specifically, we perform this experiment daily for 7 days (from April 17, 2020 to April 23, 2020), and each day's results looked similar.
The result, summarized in Figure 3, shows only 0.4% of these IP-port pairs were ever observed to be reachable from China.
You may find the following code and data helpful:
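The reachability measurement described in the reply above, written out as an added example (not the authors' code or data): TCP handshakes on ports 80 and 443 to each candidate IP, repeated daily, with a pair counted as reachable if any day's probe succeeded. The target addresses, the day-by-day schedule and the `connect` hook are constructed so the summary can be checked offline; the real injected-IP list is not part of this example.

```python
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

IpPort = Tuple[str, int]


def tcp_reachable(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True only if a full TCP handshake to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, reset, unreachable, or timed out
        return False


def probe_day(targets: Iterable[IpPort],
              connect: Callable[[str, int], bool] = tcp_reachable) -> Dict[IpPort, bool]:
    """Probe every (ip, port) pair once. `connect` is injectable for offline tests."""
    return {(ip, port): connect(ip, port) for ip, port in targets}


def ever_reachable(daily_results: List[Dict[IpPort, bool]]) -> Dict[IpPort, bool]:
    """A pair counts as reachable if any day's probe succeeded."""
    out: Dict[IpPort, bool] = {}
    for day in daily_results:
        for pair, ok in day.items():
            out[pair] = out.get(pair, False) or ok
    return out


def reachable_fraction(daily_results: List[Dict[IpPort, bool]]) -> float:
    """Share of IP-port pairs ever observed reachable across all days."""
    ever = ever_reachable(daily_results)
    return sum(ever.values()) / len(ever) if ever else 0.0


# Constructed targets (documentation-range addresses), each probed on 80 and 443.
SAMPLE_TARGETS: List[IpPort] = [(ip, port)
                                for ip in ("198.51.100.10", "203.0.113.7")
                                for port in (80, 443)]


def simulate_vantage(schedule: List[Set[IpPort]]) -> float:
    """schedule[d] is the constructed set of pairs that answer on day d."""
    days = [probe_day(SAMPLE_TARGETS, connect=lambda ip, port, s=s: (ip, port) in s)
            for s in schedule]
    return reachable_fraction(days)


if __name__ == "__main__":
    # One pair answers on the second day only -> 1 of 4 pairs ever reachable.
    print(simulate_vantage([set(), {("203.0.113.7", 443)}]))
```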
OK, these reports may come from users with partial circumvention where they can reach the injected IPs but nonetheless are affected by DNS pollution for some reason. As is quantified in your data, this should be an uncommon case.
There is more than one DNS injector
I think these could be independently developed projects with different design goals. Maybe some of these are outsourced to contractors.
This is a very reasonable hypothesis.
Being independent allows them not to fail simultaneously.
It makes sense that the censor tries to avoid a single point of failure. One piece of evidence that supports your hypothesis is that we indeed observed that some injectors halted for a short period of time, but we never observed all three injectors halted at the same time.
Specifically, as introduced in the "Halting interval of injectors" paragraph, we discover that while Injector 2 has been working continuously, Injector 1 and Injector 3 occasionally stopped working for a few hours. All of these occasional halts lasted less than 6 hours, and most of them happened during work hours in China.
OK, these reports may come from users with partial circumvention where they can reach the injected IPs but nonetheless are affected by DNS pollution for some reason.
Oh, it definitely makes sense then! These cases are not uncommon in many circumvention scenarios.
we discover that while Injector 2 has been working continuously, Injector 1 and Injector 3 occasionally stopped working for a few hours. All of these occasional halts lasted less than 6 hours, and most of them happened during work hours in China.
This is a more vivid picture. I imagine the three injectors are maintained by three different contractors independently, and this allows them to rotate shifts and improve reliability at the project management level.
Sorry, to add one more. Certificate errors are very common in this sense: a common setup uses domain-based traffic routing to improve performance, so domestic traffic is direct and not routed through circumvention. Facebook, Twitter, et al. are always in the circumvention routing lists. And whenever a domain (especially a CDN domain) is blocked but not yet added to the routing list, it will be resolved directly and incorrectly to Facebook's IPs and then produce certificate errors via circumvention, which are confusing because users will perceive this as an error on the CDN side.
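The routing-list gap described in the comment above, as an added example that is not part of the original thread: a suffix-matching domain router of the kind the comment describes, plus an audit that flags domains which are routed direct yet resolved (by the direct resolver) to an address from the known injected pool. Those are the domains missing from the list that would otherwise surface as confusing certificate errors. The routing list, the injected pool and the DNS answers are constructed, not the paper's data.

```python
from typing import Dict, Iterable, List, Set


def is_proxied(domain: str, routing_list: Iterable[str]) -> bool:
    """Domain-based routing: proxy the domain when it equals, or is a subdomain of,
    a routing-list entry. Matching is on whole labels, so 'notfacebook.com' does
    not match the entry 'facebook.com'."""
    d = domain.lower().rstrip(".")
    for entry in routing_list:
        e = entry.lower().rstrip(".")
        if d == e or d.endswith("." + e):
            return True
    return False


def audit_direct_answers(answers: Dict[str, str],
                         routing_list: Iterable[str],
                         injected_pool: Set[str]) -> List[str]:
    """Return domains that bypass circumvention (routed direct) but whose direct
    DNS answer is an injected address: candidates to add to the routing list."""
    return sorted(domain for domain, ip in answers.items()
                  if not is_proxied(domain, routing_list) and ip in injected_pool)


# Constructed data: a small routing list, a constructed injected-IP pool
# (documentation-range addresses), and answers from the direct resolver.
ROUTING_LIST = ["facebook.com", "twitter.com", "dropbox.com"]
INJECTED_POOL = {"198.51.100.10", "203.0.113.7"}
DIRECT_ANSWERS = {
    "www.facebook.com": "198.51.100.10",       # injected, but proxied anyway: fine
    "static.example-cdn.net": "203.0.113.7",   # blocked CDN host not on the list
    "notfacebook.com": "203.0.113.7",          # must not be saved by a loose suffix match
    "www.example.cn": "192.0.2.5",             # direct and genuine: fine
}


def audit_sample() -> List[str]:
    return audit_direct_answers(DIRECT_ANSWERS, ROUTING_LIST, INJECTED_POOL)


if __name__ == "__main__":
    for domain in audit_sample():
        print("add to routing list:", domain)
```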
And whenever a domain (especially CDN domains) is blocked but not updated to the routing list,
Yes, we agree this could happen quite often, especially nowadays when one of the most popular routing lists is less actively maintained.