Bastard ISPs from Hell
From 25C3 Public Wiki
Black sheep, Squids and the *tubes
Date
Day 3 - 16:30--18:00 (Berlin time) - Monday - 2008-12-29
Contact
craig ät haquarter d0t de
Website
tba
Caching System
The caching system is up and running. Further tests were done this night :) You can use the config url http://81.163.130.222/proxy.pac to configure your browser to only proxy youtube/googlevideo/clipfish/youporn traffic via the system and nothing else; other *tubes might be added tomorrow (tomorrow is when I wake up *g).
Please check out http://81.163.130.222/ !
The content of proxy.pac was:
    function FindProxyForURL(url, host) {
        if (shExpMatch(url, "*.youtube.com/*") ||
            shExpMatch(url, "*.googlevideo.com/*") ||
            shExpMatch(url, "*.clipfish.de/*") ||
            shExpMatch(url, "*.youporn.com/*") ||
            shExpMatch(url, "*.redtube.com/*")) {
            return "PROXY 81.163.130.222:3128";
        } else {
            return "DIRECT";
        }
    }
THE URL IS OFFLINE NOW (of course)!
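As an added example (not part of the original page), the harness below runs the published proxy.pac logic offline over constructed URLs to show which requests a client would hand to the proxy, next to a stricter host-based variant. `shExpMatch` is re-implemented minimally here, and `findProxyByHost`, `audit` and the sample URLs are assumptions made for illustration.

```javascript
// shExpMatch exists only inside a browser's PAC sandbox, so a minimal
// version ('*' and '?' wildcards only) is supplied for offline review.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

const PROXY = "PROXY 81.163.130.222:3128";
const DOMAINS = ["youtube.com", "googlevideo.com", "clipfish.de",
                 "youporn.com", "redtube.com"];

// Equivalent to the page's proxy.pac: patterns are tested against the full URL.
function FindProxyForURL(url, host) {
  return DOMAINS.some((d) => shExpMatch(url, "*." + d + "/*")) ? PROXY : "DIRECT";
}

// Stricter variant (hypothetical name, an assumption): decide on the host alone.
function findProxyByHost(url, host) {
  const h = host.toLowerCase();
  return DOMAINS.some((d) => h === d || h.endsWith("." + d)) ? PROXY : "DIRECT";
}

// Constructed sample URLs; example.org is a reserved documentation domain.
const SAMPLES = [
  "http://www.youtube.com/watch?v=abc",            // subdomain of a listed site
  "http://youtube.com/watch?v=abc",                // bare domain, no leading dot
  "http://example.org/page?ref=www.youtube.com/x", // listed name only in the query
  "http://example.org/inbox",                      // unrelated site
];

// Returns the routing decision of a PAC function for every URL.
function audit(pac, urls) {
  return urls.map((u) => pac(u, new URL(u).hostname));
}

console.log("URL match: ", audit(FindProxyForURL, SAMPLES));
console.log("host match:", audit(findProxyByHost, SAMPLES));
```

Because the published patterns are matched against the whole URL, the bare domain goes DIRECT while an unrelated site whose query string contains a listed name is sent through the proxy; the host-based variant reverses both decisions.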
About the workshop
This workshop will be about network traffic modifications done by ISPs for traffic-minimizing and political reasons. I'm going to explain how ISPs can and do interfere with your traffic, e.g. BT, Comcast and O2. We'll talk about CDNs (Content Delivery Networks) like Akamai and think about the different possibilities for how your traffic might be modified and abused. The "hands on" action will focus on "good" changes like transparent caching of traffic: we'll set up a transparent squid proxy for ourselves and extend it so that it's even able to cache Youtube, which does not work out-of-the-box.
What you need
- very basic knowledge of networking (if in doubt just come around)
- a Laptop (Linux preferred, maybe *nix, but I won't explain pf to you)
- RJ45 cable
- 1,5hrs of time ;)
- pre-installing iptables and squid would be time-saving
Questions?
Mail me, ask here or call me: C-R-A-I
Presentation
[| here]
Squid version
Use 2.7.*; version 2.6 will not support several of the directives used here, and 3.x does not yet.
Scripts
DO NOT FORGET TO chmod +x THE SCRIPTS!
Additions to squid.conf
    # ACL to allow access from the Congress:
    acl 25c3 src 81.163.0.0/16
    http_access allow 25c3

    # better logging so you can see what happens
    strip_query_terms off

    # pattern matching
    acl store_rewrite_list url_regex ^http://.*?/get_video\?.*video_id=
    acl store_rewrite_list url_regex ^http://.*?/videodownload\?docid=
    acl store_rewrite_list url_regex ^http://.*?\.files\.youporn\.com/.*?/.*?/.*?\.flv\?.*
    cache allow store_rewrite_list
    acl QUERY urlpath_regex cgi-bin \?
    cache deny QUERY

    # we need to ignore some stuff
    refresh_pattern ^http://.*?/get_video\?.*video_id= 10080 90% 999999 override-expire ignore-no-cache ignore-private
    refresh_pattern ^http://.*?/videodownload\?docid= 10080 90% 999999 override-expire ignore-no-cache ignore-private
    refresh_pattern ^http://.*?\.files\.youporn\.com/.*?/.*?/.*?\.flv\?.* 10080 90% 999999 override-expire ignore-no-cache ignore-private
    storeurl_access allow store_rewrite_list
    storeurl_access deny all

    # specify programs to use
    storeurl_rewrite_program /etc/squid/store_url_rewrite.pl
    redirect_program /etc/squid/google.sh

    # this often defaults to 4MB only
    maximum_object_size 250 MB
store_url_rewrite.pl
    #!/usr/bin/perl
    # Unbuffered output: squid waits for one answer line per request line.
    $|=1;
    while (<>) {
        # The first whitespace-separated field of each input line is the URL.
        @X = split;
        $url = $X[0];
        # Map every matching video URL to an internal key built from its ID only.
        $url =~ s@^http://.*?/get_video\?.*video_id=(.*?)&.*@squid://videos.youtube.INTERNAL/ID=$1@;
        $url =~ s@^http://.*?/get_video\?.*video_id=(.*?)$@squid://videos.youtube.INTERNAL/ID=$1@;
        $url =~ s@^http://.*?/videodownload\?docid=(.*?)&.*@squid://videos.google.INTERNAL/ID=$1@;
        $url =~ s@^http://.*?/videodownload\?docid=(.*?)$@squid://videos.google.INTERNAL/ID=$1@;
        $url =~ s@^http://.*?\.files\.youporn\.com/.*?/.*?/(.*?)\?.*@squid://videos.youporn.com.INTERNAL/ID=$1@;
        print "$url\n";
    }
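To see what these substitutions do to the cache key, the following added example (a JavaScript port written for this illustration, not the workshop's own code) groups constructed request lines by the store URL they would receive. The hosts, IDs, the `variant` parameter and the helper names `storeUrl` and `groupByKey` are assumptions.

```javascript
// Port of the five substitutions in store_url_rewrite.pl, in the same order.
const RULES = [
  [/^http:\/\/.*?\/get_video\?.*video_id=(.*?)&.*/, "squid://videos.youtube.INTERNAL/ID=$1"],
  [/^http:\/\/.*?\/get_video\?.*video_id=(.*?)$/, "squid://videos.youtube.INTERNAL/ID=$1"],
  [/^http:\/\/.*?\/videodownload\?docid=(.*?)&.*/, "squid://videos.google.INTERNAL/ID=$1"],
  [/^http:\/\/.*?\/videodownload\?docid=(.*?)$/, "squid://videos.google.INTERNAL/ID=$1"],
  [/^http:\/\/.*?\.files\.youporn\.com\/.*?\/.*?\/(.*?)\?.*/, "squid://videos.youporn.com.INTERNAL/ID=$1"],
];

// Mirrors the Perl loop body: take the first whitespace-separated field as
// the URL, then apply every substitution in turn.
function storeUrl(line) {
  let url = line.trim().split(/\s+/)[0];
  for (const [pattern, key] of RULES) url = url.replace(pattern, key);
  return url;
}

// Group request URLs by the key the cache would store them under.
function groupByKey(lines) {
  const groups = new Map();
  for (const line of lines) {
    const key = storeUrl(line);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(line.trim().split(/\s+/)[0]);
  }
  return groups;
}

// Constructed request lines; only the first field (the URL) is used.
const LINES = [
  "http://v1.cache.example.net/get_video?video_id=AAAA&origin=x 10.0.0.5/- - GET",
  "http://v7.cache.example.net/get_video?video_id=AAAA 10.0.0.6/- - GET",
  "http://v1.cache.example.net/get_video?variant=b&video_id=AAAA 10.0.0.7/- - GET",
  "http://example.org/get_video?video_id=AAAA 10.0.0.8/- - GET", // host is not pinned
  "http://example.org/index.html 10.0.0.8/- - GET",              // untouched
];

for (const [key, urls] of groupByKey(LINES)) {
  console.log(key, "<-", urls.length, "request URL(s)");
}
```

All four `get_video` requests end up under one key: the host and every parameter except the ID are discarded, so whichever response is stored first is served for all of them. When adapting the patterns, anchor them to the intended domains and keep any parameter that changes the returned object in the key.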
google.sh (traffic manipulation)
    #!/bin/bash
    # Read one request line at a time and swap the Google logo URL for the Congress banner.
    while read -r line
    do
        printf '%s\n' "$line" | sed 's@http://www.google.de/intl/de_de/images/logo.gif@http://events.ccc.de/congress/2008/wiki/images/d/df/Horizontal_banner_240x120.gif@g'
    done
other modifications
When modifying a page, write a script that downloads it to a local apache document root and rewrite the URL to load that page.
Sniffing
The best way to find the video link is with ngrep:
ngrep -q -W byline > LOG
Just search for .flv in the LOG.
Config for transparent caching proxy
squid.conf:
    http_port internal-addr:3128 transparent
Bridging:
    /sbin/brctl addbr br0
    /sbin/brctl addif br0 eth0
    /sbin/brctl addif br0 eth1
    ifconfig br0 81.163.7.132 netmask 255.255.255.0
    route add default gw 81.163.7.1
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Other Ideas
- replacing every .flv with some other video (Auto-Rickrolling?)
- Adding messages to heise.de
- Transforming every page to 13375p34k!
Participating?
You may add your name here so that I know how many people will be there and if additional switchports are required.
- Johnyb
- hellfyre
- Dominik
- Sergej
- der-mo
- Ethan Hunt
- Glisha (if it's in english)
- sonium
- mxey
- r00tk1d
- Driekus & Guido
- cy3er
- shadow
Sources
- http://www.ex-parrot.com/~pete/upside-down-ternet.html
- http://www.squid-cache.org/
- Some more which will be added later...(sorry)
Feedback
Please tell me how you liked it! :)
Problems
- When running the modified squid for some time and revisiting a youtube video again, I often get 'We're sorry, this video is no more available.' (but it is in fact, if I reload the video with the proxy disabled...) Any hints? Thx..., Ethan Hunt
- As I wrote you by mail: please provide me with your *exact* config and logfiles - then I will possibly be able to help you. Maybe youtube built in some more nasty stuff to prevent us from proxying? Craig