Beating the net-censor
Although the following text refers to (and the methods described have been
tested in) the United Arab Emirates (UAE), most of it should also apply to other 'backward'
countries or corporations with censorship infrastructure in place (e.g. China, Singapore). If there's enough feedback, I'll attempt to make it as useful as possible to all.
The priority for users behind censoring firewalls is access, not privacy at the browsed site. The following text reflects this.
Net censorship in the UAE is quite sophisticated. There are two separate aspects which need to be considered by anyone wanting to communicate freely.
- web access is accomplished by a proxy array which filters according
to destination URL (web site ADDRESS + page). The list of censored URLs is updated frequently.
-
all TCP/IP packets (including web) are subject to filtering at the
packet filters according to destination PORT. Few packets appear to be filtered in the incoming direction. This 'firewall' is installed backwards; it is clearly meant to stop people getting out, not to stop the bad guys from getting in.
The immediately obvious effects are:
-
If you attempt web access, via the proxy array, to an 'unwanted' page you will receive an error message from a proxy telling you that your access is denied. Recently, for a day or so, 'unwanted' included any personal web pages with a '~'!
-
If you change your web browser settings to remove the proxy configuration
completely, your web browser requests are sent to a web site using the standard
port (80) and will be blocked by the UAE packet filters. A timeout occurs in this case.
-
Attempting to use an external web proxy will mostly fail simply because
the proxy port you need to connect to is blocked by the filters. 99.99% of
the proxies in the world are on ports 3128, 8080, 8000, 1080, 80 etc. Outgoing
packets to these ports are all blocked. Again a timeout occurs. Forget these.
-
Voice-over-IP communications to a telephone network gateway (e.g.
net2phone) are blocked by these same filters (so the monopoly ISP doesn't
lose money on their telco operations). The UAE police are certainly not responsible for this!
-
Usenet access is blocked (filtering on port 119). Email (25, 110) is not
blocked.
-
Some applications fail at random times because they may negotiate a
port with the other end which lies in the blocked set (though this seems less likely now that the number of blocked ports has been significantly reduced).
-
Internet access is generally flaky and slow because of all this
stupidity.
Solutions
I'll concentrate on web access, because most everything is available via that
protocol; later I'll mention simple quick approaches to obtaining access
to other protocols/services.
Web access
listed in order of decreasing usefulness...
-
If you can find a free, unblocked, non-censoring, public access external
proxy that's good for more than a few weeks ... lucky you! Keep it to
yourself. Point your browser at it and you can skip to the next section.
There are very few of these at any point in time; they're either
misconfigurations or experimental.
-
If you want to freely surf the net, the best solution is to pay an ISP
in the free world for the use of his proxy. This proxy needs to be special
though; you need the ISP's commitment to get their proxy
listening on a port you have unblocked access to (for example, some port
over 12000).
Point your browser at this proxy and you can skip the rest of this section.
Normal ISP service is $US10-$US15 per month. In case the ISP is doubtful, USA ISP's who check with their attorney will find there are no legal problems.
The proxy should be in the USA, because that's the first place your packets
go after leaving the UAE. You don't want every web access request to have to
go to Europe or Japan and back each time!
Your accesses will not appear in the proxy log in the UAE, but of course
could be 'sniffed' by an enterprising sysadmin because they're not encrypted.
recommended
Other solutions are slower, flakier, or more restrictive and some may get you kicked off any external
ISP you have an account with. But read on...
- A straightforward approach to getting through the packet filters is to use a port forwarding technique. Change the port number of your packets destined for (e.g.) an external proxy which
allows public access (such as those listed at irc4all and my disorganized notes (go thru the proxies page)). At the same time you change the address so that the packets go to your ISP where you have set up a server to readdress the packets to the chosen proxy. This is not as hard as it sounds.
- One of the easiest ways to do this actually ends up providing you with your own proxy! Get Stone down onto your ISP, follow the installation instructions and run ./stone proxy 12000. Then return to your browser and set the ISP and 12000 as the proxy. Simple. Stone builds easily on most ISPs operating systems. Tip: you'll see more reliable responses if you tell your browser to use HTTP 1.0 only. Stone can also encrypt, if you have the skills to build it up this way (you need to build openSSL first, then make a certificate for it). In this case, you have a completely encrypted connection to your own proxy! You can sleep soundly. Either way, you have an app which you can use to redirect any other ports you want (like 119 for Usenet news, 110 for email etc.)
- A web proxy only solution, is to use rinetd, or similar. Set it up on your ISP (no sshd required) and make it listen on port 13000 (say), and redirect to any uncensored public proxy (maybe your ISP itself has a proxy). Then locally you configure your browser to use your ISP and 13000 as the http proxy address and port. No problems with this approach - I once used it a lot. The connection is not encrypted, of course, but at least it is not passing thru the local proxy (and being logged).
- Junkbuster and other web proxy applications can be set up on the external ISP in a similar way.
- Another, safer, approach is to use the port forward capability of some Secure Shell clients and servers (since port 22 is not blocked in the UAE yet). Note: even if port 22 is eventually blocked, the port can be specified at both ends but you need to build/run your own sshd. This imposes another constraint on your choice of external ISP - they must provide access to 'sshd', the server side of the ssh connection. An advantage of this (ssh) approach is that your web browsing will be encrypted all the way out of the UAE, so nosy eavesdroppers will have nothing to see. Another advantage is that the same technique can be used to access other blocked services (e.g. Usenet news). The biggest disadvantage of this appears to be that (when used for a web proxy) each web page accessed will cause multiple shell startups on your ISP. This is a significant load for him and he may get upset if you use it for frequent web surfing.
For simple 'one-off' or infrequent web access, you have plenty of easy alternatives.
- A simple ssh port forwarding technique can be used. Run ssh on the external ISP to forward a particular port to any web site (or proxy) you wish, point your browser (or proxy settings) at this port, and voila! Once logged onto your ISP, type 'ssh -R 12000:www.l0pht.com:80 localhost' and then (locally) web browse to http://your.ext.isp.com:12000/. You should see www.l0pht.com pop up. But it gets better - here's how to make your own proxy. On the remote system, type (for example) ssh -R 13000:erde.salzburg.at:8080 localhost and then (locally) set your web browser proxy to <your ISP:13000>. Then click here and you'll see that you've bypassed the censors. It will work for any site you click on while you still have the listener on the remote ISP running. You've essentially made your own proxy, for your own use, on a port which YOU determined, so it can't be blocked. Note that this technique allows use of all public access proxies with common ports (and there are many of these, e.g. all of those at http://www.lightspeed.de/irc4all/). Also note that the encryption is not present between you and the external ISP (ssh -L run locally may be used for this purpose, but that's the case that might get you kicked off the external ISP!).
- You can choose to browse to one of the "anonymizer" web sites (if you can
find an uncensored one). For example, magusnet. There's a trick needed for this one (and it can be used in other cases too). http://www.magusnet.com/ is blocked by the UAE proxies, but it has several IP addresses. You can find these by a DNS lookup (nslookup under linux, win NT; not sure how you do it under Win9*). You will see something like:
Name: www.magusnet.com
Addresses: 24.221.4.112, 24.221.4.113, 24.221.4.110, 24.221.4.111. The URL's as defined by http://(IP address)/ are not all blocked - only 24.221.4.110 is blocked. This means that (e.g.) http://24.221.4.111/ (today, at least!) will get you there. Magusnet proxies (and others) ensure that they are hard to block by having multiple IP addresses and ports available.
- You can try some of Brian Ristuccia's Anti Censorware Proxies (ACP) mixed up with other proxy types in my notes. For example, sigint works ok.
Hundreds of CGI type proxies are around. You can click on links on my proxies page, use URLs like (for example) http://home.www5.fairagent.com/index.cgi?URL=http://www.l0pht.com/l0phtcrack/ to get you to l0phtcrack (which is blocked in the UAE).
Most of these approaches get your accesses enshrined in the censors' log files though. ACP log entries are almost all encrypted. Some ACP proxies even use https, the secure protocol. In these cases, only the first access (to the ACP mirror) will be readable.
There are also a few unusual web sites which can be used (e.g.
bobby).
Usenet news
Port 119 is blocked (UAE, KSA), so only the local ISP news is available (but at least there
are a few interesting news groups being carried now). To enable access to
external news servers via a normal news client (e.g. Outlook Express,
Netscape email) you need to use a different port number.
If you don't mind the slow web access, absence of synchronization capabilities etc., an easier way is to use Deja News (no binaries, I think), or a full news feed via the web at spaceports. To start you off, alt.hackers.malicious is always good fun, and the dirty pictures mostly start under 'alt.binaries.erotica' :-).
- you may be able to find or pay an external ISP who has a news server
listening on some unblocked port.
- The ssh technique described above can be used quite easily. Ask me at
the address below for the specific setup for the ssh client you choose. My favorite is secureCRT. Note
you must have the external ISP account. recommended
Voice-over-IP - warning: this info is old
I've tried about 6 or 7 of the popular PC-PC clients. All except a couple had
problems because the packets were blocked. IrisPhone is my current choice (15 day demo). SpeakFreely (Unix) and SpeakFreely (Windows)(free software) also works well and allows ports to be configured at the time of the call by the users.
The clients which allow a call to be made through a telephone gateway (to a
normal phone) are blocked by the UAE ISP (which is also the monopoly telco!),
for example Net2Phone. I haven't played with these for a year or so now, but
then DeltaThree was usable. There should be many more clients to choose from now.
No doubt any PC-PC client which allows a gateway to be used will be
blocked sooner or later to maintain telco profits.
Because the addresses and ports in use by these programs are dynamically allocated, the right answer is a virtual network connection to an external ISP, but that involves root access on the ISP. Although it is possible to redirect all the individual ports and addresses necessary to set up the call and talk, it's all a bit complicated an flakey.If anyone has better ideas, I'm happy to hear them.
BTW, this is the only case I know of where there is packet blocking on the returning packets based on the source IP address. Shows how important this is to them :-)
Strange/untested stuff
There's an app around called httpTunnel
(http://www.nocrew.org/software/httptunnel.html) which makes any type of
tcp/ip connection using only web accesses. It sounds interesting, but I've only
managed to make it work without a proxy. I can't get it to work through
Netscape (as in the UAE) or Apache proxies. It's been written and tested with Squid proxies.
Marcus Ranum once wrote an IP-over-Email package! Bit slow :-), but it's
another way, I guess.
rinetd may be used. Rinetd can be run on an external machine to redirect your proxy requests to your external proxy. This can, of course, be used for other protocols as well. There appear to be only linux and windows versions. I've tested this on windows servers now. It works as-advertized. Very nice! If you can get a Linux ISP, and then get it compiled, you're probably in the clear.
Any further comments for this section would be welcome.
Tools to find out things for yourself
You'll need:
- a network sniffer (MS SMS network monitor works for me), otherwise you're
always in the dark.
- a shell account at an external ISP (preferably with sshd) and some basic
knowledge of the OS it runs (probably some flavor of Unix).
- Perl (both local and external). I use a windows version from
Activestate locally. It's a breeze to install, update and install new modules. I understand it may not be quite so easy to install on Windows 95 (but why would you be using that anyway?).
- netcat (both local and external), from www.l0pht.com, Weld's page. This thing is indispensable!
- patience
References:
This guy talks about the sorts of things I'm on about above (ssh, your own proxy running on your external ISP).
http://www.vpn.outer.net/2e/vpnssh.html has a very nice introduction to ssh and vpn.
Craig has a detailed description of the setup and configuration of some of the techniques mentioned above - probably too detailed!. Join the dots (if you can find them!) and you'll be independent of these stupid lists of proxies forever.
ssh shell accounts are easy to find - a quick search at http://www.altavista.com/ using the search string "+ssh +telnet +shell +account" reveals about 10,000 hits. I checked some on the first page; almost every hit was an appropriate account to have. So there's no problem finding an ISP with sshd. Many of these specialize in telnet only accounts, so you're not paying extra for the dialup capability which you'll never use.
Disclaimer
Obviously I don't speak for the UAE ISP (Etisalat Telecommunications Corporation)! I have no access to any of the technical specifications for any of the network hardware or software used in the censorship. All statements made above are my suppositions based on testing. I don't guarantee anything will work for you.
Hope it all helps!
Please send criticisms, good ideas (I'll include with attributions), or just
plain old comments about this stuff to wayne
If you're worried about email 'snoopers', encrypt your email at
hushmail.
I'm particularly interested in making this paper useful for all net-censored
countries/corporations, so any tidbits from those would be especially useful.