gfw_resist_tls_proxy
Alternative method to bypass the GFW | Another method for getting around the filtering
Persian
First of all, hats off to you; I didn't think there were many Iranians who had researched the filtering, but apparently I was wrong 😅.
I have also researched Iran's filtering system, and one of the methods I found was for HTTP.
As you know, the filtering uses the Host header to filter HTTP sites, but, as you also know, the filtering devices have limited memory, so it can be bypassed.
The method I found is that by adding about 17000 "/" characters to the path part of an HTTP request, the request becomes larger than what the filtering is able to analyze, and it passes through the filtering.
Example:
# http://youtube.com////////////...17000.../
# for test:
curl -v --resolve youtube.com:80:142.250.74.110 http://youtube.com$(for i in {1..17000}; do echo -n "/"; done)
If you run the command above in a bash shell you will see that it gets past the filtering, but you get an error from Google asking what is going on with all these characters 😂. This method may not be very useful, especially since it is not encrypted and many sites won't accept it, but overall I thought it would be good to share it with the rest of you; maybe it helps someone.
English
The GFW has very limited memory and we can exploit that to evade censorship. I have found a method to evade Host header censorship in the http protocol:
By adding about 17k / characters in the http path property it can successfully bypass the GFW. Here's an example:
# http://youtube.com////////////...17000.../
# for test:
curl -v --resolve youtube.com:80:142.250.74.110 http://youtube.com$(for i in {1..17000}; do echo -n "/"; done)
If you run the command above in a bash shell it bypasses the GFW! However, you get an error from Google saying this request is malicious! I know this is not very useful given that http is not encrypted and many websites won't accept so many slashes, but I thought it would be cool to share it with you fellow netizens in the censored countries 😊.
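As an added illustration (not code from this post or from the gfw_resist_tls_proxy project), the Python below models the two sides of what the post describes: a middlebox that buffers only a fixed window of each request before deciding, and an origin server that enforces a request-line limit. The window size (4096 bytes) and the request-line limit (8192 bytes, after which a 414 is returned) are assumed values chosen for the example, not figures from the post; the sample request is constructed to mirror what the curl command sends.

```python
import re
from typing import Optional, Tuple

# Assumed sizes for this illustration (not from the original post): a
# middlebox that inspects only the first INSPECT_WINDOW bytes of a request,
# and an origin server that refuses request lines longer than
# MAX_REQUEST_LINE bytes with "414 URI Too Long".
INSPECT_WINDOW = 4096
MAX_REQUEST_LINE = 8192

REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")


def build_request(host: str, slashes: int) -> bytes:
    """Constructed sample: a GET whose path is `slashes` '/' characters.

    Mirrors what the post's curl command puts on the wire (request line,
    Host, User-Agent, Accept, blank line).
    """
    target = "/" * max(1, slashes)
    return (
        f"GET {target} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: curl/7.87.0\r\n"
        "Accept: */*\r\n"
        "\r\n"
    ).encode("ascii")


def host_seen_by_middlebox(raw: bytes, window: int = INSPECT_WINDOW) -> Optional[str]:
    """Return the Host value if a complete Host line lies inside the window.

    Models a bounded-memory inspector: only the first `window` bytes are ever
    examined, and only header lines that are fully terminated by CRLF inside
    that window count. A request line padded past the window pushes the Host
    header out of view, which is the effect the post describes.
    """
    visible = raw[:window]
    # Drop the trailing element: it is either a partial line cut by the
    # window or the empty string after a final CRLF.
    lines = visible.split(b"\r\n")[:-1]
    for line in lines[1:]:  # skip the request line itself
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def origin_response(raw: bytes) -> Tuple[int, Optional[str]]:
    """Model the origin's handling of the request head: (status, host).

    414 is returned for an over-long request line, which is why the padded
    request is refused by the destination even when it slips past the
    middlebox; 400 covers a malformed request line or a missing Host.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        return 414, None
    if not REQUEST_LINE_RE.match(request_line.decode("ascii", "replace")):
        return 400, None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return 200, value.strip().decode("ascii", "replace")
    return 400, None


def trace(host: str, slashes: int) -> dict:
    """Run one constructed request through both models and summarise."""
    raw = build_request(host, slashes)
    status, _ = origin_response(raw)
    return {
        "bytes": len(raw),
        "middlebox_saw_host": host_seen_by_middlebox(raw),
        "origin_status": status,
    }


if __name__ == "__main__":
    for n in (1, 4080, 17000):
        print(n, trace("youtube.com", n))
```

The middle case (4080 slashes) is the interesting edge: the request line still fits the origin's limit, so the origin answers normally, yet the Host line begins one byte before the inspection window ends and is therefore never a complete line inside it. That is the gap between "what the inspector can buffer" and "what the server will accept" that the post is relying on, and it is also why a server-side request-line limit closes most of it.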
Nice one!
I'm also interested in understanding it but I'm outside of Iran.
I'm also interested in understanding it but I'm outside of Iran.
Iran's censorship is bidirectional sometimes, for example if you send the host header containing youtube.com to an Iranian IP you can trigger the censorship and study it from the outside!
Here's an example using curl:
$ curl -v --resolve youtube.com:80:5.144.128.66 http://youtube.com
* Added youtube.com:80:5.144.128.66 to DNS cache
* Hostname youtube.com was found in DNS cache
* Trying 5.144.128.66:80...
* Connected to youtube.com (5.144.128.66) port 80 (#0)
> GET / HTTP/1.1
> Host: youtube.com
> User-Agent: curl/7.87.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Connection: close
< Content-Type: text/html; charset=utf-8
< Content-Length: 337
<
<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1256"><title>NTR3</title>
</head><body><iframe src="http://10.10.34.36/?type=Invalid Keyword&policy=MainPolicy " style="width: 100%; height: 100%" scrolling="no" marginwidth="0" marginheight="0" frameborder="0" vspace="0" hspace="0"></iframe></body></html>
* Closing connection 0
Here I'm using the IP 5.144.128.66, which is from hostiran.net, and it can successfully trigger the censorship. Reading the response you'll notice the URL http://10.10.34.36/?type=Invalid Keyword&policy=MainPolicy, which indicates this response has been injected by the GFW!
PS: While I was testing different Iranian IPs to trigger the censorship, it seems the IP 185.143.235.200 from Arvan Cloud CDN does not trigger the censorship, which is weird.
No, this is not triggered by the GFW. This is just saying YouTube does not exist on our server IP. If it is triggered by the GFW, either you should get the 10.10... (peyvandha) page or, most likely, you will be timed out/reset during the TCP handshake.
Nice one!
I'm also interested in understanding it but I'm outside of Iran.
If you are an expert, you can buy two VPSs, one inside and one outside, and test your idea. Also feel free to share your ideas here, whatever they are.