Personal tools

Bastard ISPs from Hell

From 25C3 Public Wiki

Jump to: navigation, search

Contents

[edit] Bastard ISPs from Hell

[edit] Black sheep, Squids and the *tubes

Image:BIfH.jpg


Image:1337_part_1.png

[edit] Date

Day 3 - 16:30--18:00 (Berlin time) - Monday - 2008-12-29

[edit] Contact

craig ät haquarter d0t de

[edit] Website

tba

[edit] Caching System

The caching system is up and running. Further tests were done this night :) You can use the config url http://81.163.130.222/proxy.pac to configure your browser to only proxy youtube/googlevideo/clipfish/youporn traffic via the system and nothing else; other *tubes might be added tomorrow (tomorrow is when I wake up *g).

Please check out http://81.163.130.222/ !

The content of proxy.pac was: 

function FindProxyForURL(url, host)
{
        if(shExpMatch(url,"*.youtube.com/*") || shExpMatch(url,"*.googlevideo.com/*") || shExpMatch(url,"*.clipfish.de/*") || shExpMatch(url,"*.youporn.com/*") || shExpMatch(url,"*.redtube.com/*") )
        {
                return "PROXY 81.163.130.222:3128";
        }
        else
        {
                return "DIRECT";
        }
}

THE URL IS OFFLINE NOW (of course)!

[edit] About the workshop

This workshop will be about network traffic modifications done by ISPs for traffic-minimizing and political reasons. I'm going to explain how ISPs can and do interfere with your traffic, e.g. BT, Comcast and O2. We'll talk about CDN (Content Delivery Networks) like akami and think about the different possibilites on how your traffic might be modified and abused. The "hands on" action will focus on "good" changes like transparent caching of traffic, we'll setup a transparent squid proxy for ourselves and extend it so that it's even able to cache Youtube - which does not work out-of-the-box.

[edit] What you need

  • very basic knowledge of networking (if in doubt just come around)
  • a Laptop (Linux prefered, maybe *nix, but I won't explain pf to you)
  • RJ45 cable
  • 1,5hrs of time ;)
  • pre-installing iptables and squid would time-saving

[edit] Questions?

Mail me, ask here or call me: C-R-A-I

[edit] Presentation

[| here]

[edit] Squid version

Use 2.7.*, version 2.6 will not and 3.x does not yet support several directives that are used.

[edit] Scripts

DO NOT FORGET TO chmod +x THE SCRIPTS!

[edit] Additions to squid.conf 

# ACL to allow access from the Congress:
acl 25c3 src 81.163.0.0/16
http_access allow 25c3

# better logging so you can see what happens
strip_query_terms off

# pattern matching
acl store_rewrite_list url_regex ^http://.*?/get_video\?.*video_id=
acl store_rewrite_list url_regex ^http://.*?/videodownload\?docid=
acl store_rewrite_list url_regex ^http://.*?.\files\.youporn\.com/.*?/.*?/.*?\.flv\?.*

cache allow store_rewrite_list

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

# we need to ignore some stuff
refresh_pattern ^http://.*?/get_video\?.*video_id= 10080 90% 999999 override-expire ignore-no-cache ignore-private
refresh_pattern ^http://.*?/videodownload\?docid= 10080 90% 999999 override-expire ignore-no-cache ignore-private
refresh_pattern ^http://.*?.\files\.youporn\.com/.*?/.*?/.*?\.flv\?.* 10080 90% 999999 override-expire ignore-no-cache ignore-private

storeurl_access allow store_rewrite_list
storeurl_access deny all

# specify programs to use
storeurl_rewrite_program /etc/squid/store_url_rewrite.pl
redirect_program /etc/squid/google.sh

# this often defaults to 4MB only
maximum_object_size 250 MB

[edit] store_url_rewrite.pl 

#!/usr/bin/perl
$|=1;
while (<>)
{
        @X = split;
        $url = $X[0];

        $url =~ s@^http://.*?/get_video\?.*video_id=(.*?)&.*@squid://videos.youtube.INTERNAL/ID=$1@;
        $url =~ s@^http://.*?/get_video\?.*video_id=(.*?)$@squid://videos.youtube.INTERNAL/ID=$1@;

        $url =~ s@^http://.*?/videodownload\?docid=(.*?)&.*@squid://videos.google.INTERNAL/ID=$1@;
        $url =~ s@^http://.*?/videodownload\?docid=(.*?)$@squid://videos.google.INTERNAL/ID=$1@;

        $url =~ s@^http://.*?\.files\.youporn\.com/.*?/.*?/(.*?)\?.*@squid://videos.youporn.com.INTERNAL/ID=$1@;

        print "$url\n";
}

[edit] google.sh (traffic manipulation) 

#!/bin/bash
while read line
do
        echo $line | sed 's@http://www.google.de/intl/de_de/images/logo.gif@http://events.ccc.de/congress/2008/wiki/images/d/df/Horizontal_banner_240x120.gif@g'
done

[edit] other modifications

When modifying a page, write a script that downloads it to a local apache document root and rewrite the URL to load that page.

[edit] Sniffing

The best way for finding the videolink is using ngrep:

ngrep -q -W byline > LOG

Just search for .flv in the LOG.

[edit] Config for transparent caching proxy 

squid.conf:
http_port internal-addr:3128 transparent

Bridging:
/sbin/brctl addbr br0
/sbin/brctl addif br0 eth0
/sbin/brctl addif br0 eth1
ifconfig br0 81.163.7.132 netmask 255.255.255.0
route add default gw 81.163.7.1
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128

[edit] Other Ideas

  • replacing every .flv with some other video (Auto-Rickrolling?)
  • Adding messages to heise.de
  • Transforming every page to 13375p34k!

[edit] Participating?

You may add your name here so that I know how many people will be there and if additional switchports are required.

[edit] Sources

[edit] Feedback

Please tell me how you liked it! :)

[edit] Problems

  • When running the modified squid for some time and revisiting a youtube video again, I often get 'We're sorry, this video is no more available.' (but it is in fact, if I reload the video with the proxy disabled...) Any hints? Thx..., Ethan Hunt
  • As I wrote you by mail: please provide me with your *exact* config and logfiles - then I will possibly be able to help you. Maybe youtube built in some more nasty stuff to prevent us from proxying? Craig
Retrieved from "http://events.ccc.de/congress/2008/wiki/Bastard_ISPs_from_Hell"
Archived page - Impressum/Datenschutz