The ADR process is a very useful tool for consumers, albeit an unpopular one among ISPs (i.e. they still have to pay up to around £350 +vat in fees to the ADR regardless of whether or not they win), but some smaller providers continue to flout the rules by wrongly assuming that they don’t have to offer an ADR or by failing to make customers aware that one is available.

The key here is that if one were to make a request to unblock a website and the ISP doesn’t co-operate then you can start the ADR process.

Upon being told that the ISP won’t unblock the website request a deadlock letter in accordance with the Alternative Dispute Resolution process.

At this point the ISP representative will probably try and convince you that you cannot make an ADR complaint about this as they are scared of costing the company ~£350. Insist on your deadlock

Imagine if everyone with a censored Internet connection raised an ADR complaint for every blocked website.

Choose.net has an excellent guide on how to go about raising an ADR.

Costa Coffee / Cafe Nero – O2 Wifi

DNS Spoofing: Partial
MiTM SSL: No
Deep Packet Inspection: Yes
Destination IP Transit Interference: Yes

O2 WiFi requires two-factor registration via a phone number and SMS claiming that it is a legal requirement. This is easily traversed with a disposable PAYG phone (e.g. EE have a Nokia 106 for £4.99 – an excellent option for a burner phone). Once you’ve completed the two-factor check (the first being they record your MAC address) you can start browsing.

The first thing to notice is that unlike their mobile offering the WiFi has several layers of filtering, some DNS queries are intercepted to send you to a block page and even if you resolve the A record out-of-band Squid will intercept and block.

If you manually query a 3rd party DNS server for the record in question then it appears to return normally.

This level of blocking however is hit and miss with domains such as the thepiratebay.se suffering the worst interference but others that are blocked by the default mobile filters aren’t blocked on the WiFi.

Thankfully all the usual bypass methods (Tor, RoutingPacketsIsNotACrime.uk, SSH SOCKS5 tunnel and SSL) work flawlessly despite the use of Squid and DNS interference.

Interestingly O2 have chosen to force Google to not allow SSL searching (so they can inspect the content and block stuff) which also means anyone else in the coffee shop can spy on your browsing. DuckDuckGo.com does still offer SSL searching and isn’t blocked.

Breaking down an O2 Intercept

The packet capture for this attempt to hit http://reddit.com/r/nsfw is here, the pertinent part of the HTTP transfer is below;

GET /r/nsfw HTTP/1.1
User-Agent: curl/7.34.0
Host: reddit.com
Accept: */*

HTTP/1.1 200 OK
Date: Mon, 29 Sep 2014 10:28:51 GMT
X-Template: blacklisted
Content-Type: text/html
Content-Length: 195
Cache-Control: no-cache
X-Cache: MISS from Squid
Via: 1.1 Squid (squid/3.2.11)
Connection: keep-alive
< !DOCTYPE html>
<html>
<head>
    <meta http-equiv="refresh" content="0; url=https://www.o2wifi.co.uk/pages/n4?bd=http://reddit.com:80/r/nsfw"/>
    <title></title>
</head>
<body>
</body>
</html>

Despite getting the correct A records back from the nameservers in packet 5 we can see in packets 12 onwards that the O2 Squid server (ironically the same software PacketFlagon.is uses to bypass censorship!) returns back some HTML with a meta refresh that instantly directs the browser to their block page.

As shown in this packet capture there is no IP/Host matching it is all done on the GET path and the Host header so Hosts files hacks won’t work either.

High Court blocks are solved using DNS and an attempt to resolve thepiratebay.se returns 127.0.0.1.

Finally some other blocks such as the block of torproject.org are achieved by just silently dropping the packets.

Starbucks – BT / Friendly WiFi

The people at Friendly WiFi appear to be quite zealous about blocking “pornography” and come out with ridiculous claims such as that by putting in their filtering one gets a “porn free city”

Thanks @stephen_mosley for supporting our campaign to make Chester world's first #pornfreecity @chestertweetsuk pic.twitter.com/WlL4X1cOJv

— getmedigital.com (@getmedigital) September 23, 2014

Thankfully their blocks are almost as easy to bypass as O2′s. Interestingly, unlike O2, Starbucks and BT don’t believe they are required to legally know who is using their WiFi and no registration is required.

DNS Spoofing: Yes
MiTM SSL: No
Deep Packet Inspection: Yes
Destination IP Transit Interference: No

Websites that are blocked due to sub-content (e.g. reddit.com/r/nsfw) are blocked over HTTP but accessible over SSL. Interestingly thepiratebay.se is reachable over SSL e.g.

curl -k -v https://194.71.107.27 -H 'Host: thepiratebay.se'

Using PAC files such as RoutingPacketsIsNotACrime.uk was hit and miss and requires some more investigation but other bypass options such as SSL, Tor and using an SSH SOCKS5 tunnel all worked without issue.

BT also force Google to downgrade search to a non-ssl version which means others could monitor your search terms.

Breaking down a BT Intercept

When trying to hit reddit.com/r/nsfw this packet capture shows a HTTP 302 is returned rather than the site we’re after.

GET /r/nsfw HTTP/1.1
User-Agent: curl/7.34.0
Accept: */*
Host: reddit.com

HTTP/1.1 302 Found
Location: http://217.41.225.106/redirect/starbucks/index.html

An attempt to reach thepiratebay.se resulted in a forged DNS reply for 193.113.9.167 that simply displays the words “Error – site blocked”

Interestingly as shown in this packet capture, resolving the A record out-of-band and then passing a HTTP request through works fine!

Bonus – EE Hotspot

During my travels between coffee shops I stumbled across an EE hotspot which had a completely different set of filtering as it uses OpenDNS.

DNS Spoofing: Yes
MiTM SSL: No
Deep Packet Inspection: No
Destination IP Transit Interference: No

Much like O2 you are required to register using a phone and EE uses www.picopoint.com to do this.

The filtering is very lax with reddit.com/r/nsfw and the Pirate Bay being allowed through however shock sites like rotten.com resolve to 67.215.65.130 which results in an OpenDNS block page.

Since the filtering is entirely DNS based out-of-band resolution, RoutingPacketsIsNotACrime, Tor and SSH SOCKS5 tunnels all work fine.

I’ve drank far too much coffee today and it’s a shame that public establishments feel it necessary to put censorship technology that performs excessive over-blocking (how is torproject.org sexual?) but at least it is still easy to bypass.

You can buy an O2 PAYG device such as a phone, dongle or MiFi in cash and with a name that doesn’t require verification.

This will however result in you receiving a SIM with the “Default Safety” level of filtering enabled. Attempting to visit legitimate, non-sexual and legal websites such as RoutingPacketsIsNotACrime.uk can result in a block page;

The good news is that the O2 filters are quite easy to circumnavigate.

DNS Spoofing: No
MiTM SSL: No
Deep Packet Inspection: Partial
Destination IP Transit Interference: Yes
-
Unique Reason for Block: No
Categorised Block: No
Ability to report incorrect block: No

Tor

The goto advice is, as always, to download Tor as it will not only bypass all filtering but will also help mask those who need to use Tor to aid in protecting their privacy if configured as a relay too.

With Tor installed and configured to listen on port 9050 as a SOCKS proxy (or using the bundled Tor Browser if using the Tor Bundle or the Android port Orbot) you will be able to bypass all filtering (including the censored blocks forced on you even if you are over 18)

SOCKS5 SSH Proxy

If you don’t want to use Tor then creating a SOCKS tunnel via SSH is also an excellent option. Visit LowEndBox.com where you can get tiny cloud servers (e.g. 128Mb of RAM) for as little as £5 a year that can be paid for in advance with a prepaid Visa/Mastercard.

Once you’ve purchased or otherwise acquired a server running OpenSSH (or any other variety that supports tunneling) simply connect to it specifying the -D option to create a local dynamic tunnel;

ssh -D 9050 proxy1.survivetheclaireperryinter.net

Once connected you can configure your browser to use 127.0.0.1 port 9050 as a SOCKS5 proxy (Edit – Preferences > Network > Settings > SOCKS Host) and bypass all filtering.

SSL

O2 cannot Man in the Middle (MiTM) SSL connections so any website that has an SSL component and not yet subject to a High Court Order block is accessible over SSL.

This also means that you can use a RoutingPacketsIsNotACrime.uk PAC file to get around all filtering despite them banning the HTTP path.

Attacking from Both Sides

Since this is the first time I’ve had access to both sides of the filtering fence I can examine what is happening to our packets to see how O2′s filtering works.

A first attempt at connecting provides the attached packet capture where we can see that our host (OpenBSD) does a DNS lookup for both the A and the AAAA record. The MiFi dongle returns the correct IP addresses for both queries indicating that there isn’t any Nominum style DNS interference going on.

Packet 5 is the start of the HTTP sequence and everything is going fine, in packet 8 curl sends the host header we’re after, at this point there’s a rogue TLSv1 encrypted connection to 185.29.44.9 (o2bb.winint.net and mobilebroadbandaccess.o2.co.uk – we’ll delve into this later) which is from an earlier session.

Packet 11 appears to be an ACK from my server in response to packet 8 however packets 12 and 13 shows that the server sent a 302 redirect to send the browser to http://assets.o2.co.uk/18plusaccess. Well we know that this isn’t true. Interestingly we then get some packets (16,17 and 19) that Wireshark flags as out of order and duplicate responses to the earlier packets.

From this we can make a couple of assumptions, the first that O2′s filtering system relies on a deep packet or proxy inspection of the host header and secondly that there is possibly a race condition for returning HTTP packets.

Hacking RFCs

RFC 2616 section 14.23 dictates that a valid HTTP/1.1 request will contain a host header but doesn’t specify how many (for obvious reasons), so lets see if we can abuse this by manipulating the HTTP headers using curl e.g;

curl 89.151.84.121 -H 'Host: o2-censor.com' -H 'routingpacketsisnotacrime.uk'

The HTTP request is allowed through without issue however the web server at the other end will also ignore the second Host header and attempt to serve the first.

Passing the first host header as an empty string and the second as the host we want results in a block. Maybe we’ll come back to this later (custom build of apache + browser plugin?).

The next test is to see if there is coupling between the IP and HTTP host.

curl 46.4.22.9 -H 'routingpacketsisnotacrime.uk'

Still results in a block. OK, well we know that O2 can’t interfere with 443, it’s possible that they see the cypto handshake or that they see it’s not port 80 and ignore it so I tried setting an apache host to listen on 8081 but the Host header was still detected and blocked.

On a whim I tried using a RoutingPacketsIsNotACrime.uk PAC file served over SSL and that worked which was a relief.

Anyhow, back to messing with host headers. Since we know that O2 rely on the Host header lets set a rubbish DNS name in /etc/hosts (or C:\windows\system32\drivers\etc\hosts for you Windows people) and configure apache to serve the censored website on a given IP regardless of host header (a default vhost if you will).

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
89.151.84.121 routingpacketsisgreat.fucko2

Success! As you can see in packet 4 of this Wireshark packet capture we sent a Host header of routingpacketsisgreat.fucko2 and received the correct response back from the server which is a 302 to https://RoutingPacketsIsNotACrime.uk and since we know that SSL is not interfered with the connection continues.

For completeness sake lets see what a censored connection looks like from the server side.

When sending a HTTP GET to wtfismyip.com the IP returned was consistently 82.132.245.233 however as we can see from the packet capture the IP that reached out to my server was 82.132.245.111. It starts the first part of the TCP handshake and then sends a TCP reset.

From within the O2 network this server appears to be listening on thousands of ports whereas from an outside source it appears that there are no listening ports.

All servers within the 82.132.244.0/24 have a PTR record of dab-rcn1-h-xx-3.dab.02.net where xx does increase with each IP but does not correlate to the IP itself.

There appears to be a limited form of session or IP ‘stickiness’ with repeated connections to differing remote IPs always coming from the same host (e.g. a.b.c.d ‘sticks’ to dab-rcn1-h-ab-3.dab.02.net but e.f.g.h ‘sticks’ to dab-rcn1-h-xy-3.dab.02.net).I didn’t test the longevity of the stickiness but it doesn’t really matter.

Using our fake Host header trick the connection completes but still comes from the 82.132.245.0/24 range (although in other captures I’ve seen 82.132.244.0/24). So it would appear that these proxies will evaluate all plain text traffic regardless of whether the IP is known to host blocked content.

The TCP dump indicates that whilst the initial TCP handshake happens the upper layer (HTTP) doesn’t until the proxy has evaluated the host header which means the second assumption about a possible race condition was incorrect.

StreamShield

As an interesting aside by evaluating how the server responds to certain requests it’s fairly likely that these filtering boxes are running some form of Linux, that conclusion is further strengthened by the fact that BAE is hiring Linux C++ engineers for their StreamShield product which we know from Court documents is what O2 use.

The BAE StreamShield system is quite nasty, enabling real time deep packet inspection of various protocols (which is how it picks out the host header from HTTP streams) but can also do real time filtering based on the content of the returned data.

It also gathers and stores all that information about you so that O2 can hand over details about what you’ve been doing to anyone who asks thanks to the Data Retention and Investigatory Powers Act.

Returning to 185.29.44.9

This IP block belongs to a company called IMIMOBILE EUROPE LTD who appear to be in the business of monetizing mobile customers through a variety of means.

185.29.44.9 is mobilebroadbandaccess.o2.co.uk and is part of a joint venture between the two to create self service portals.

Interestingly you can put any O2 phone number in, from any Internet connection (including Tor) and it will divulge a limited amount of information about the account.

Little though the information may be, with scams such as the “Microsoft Event View Tech Support” or “Compromised Bank Card key in your Pin” call it is dangerous to tell the wrong people when another persons PAYG SIM expires and how much data is left, vulnerable people can be convinced with less. But then again, we’re talking about the company that censored the NSPCC and ChildLine websites so looking after vulnerable people isn’t top of their priorities.

So, I’m down another £40 but it’s been very interesting to play with O2′s censorship technology which, it turns out, is easy to circumnavigate because the ‘Net interprets censorship as damage and routes around it.

To prohibit the reading of certain books is to declare the inhabitants to be either fools or slavesClaude Adrien Helvétius

PinkNews.co.uk reported today that it is blocked at Costa Coffee locations due to “Sexual Orientation”.

Yes, we’ve got to protect those kids from the childhood corrupting influence of Gay news.

But don’t worry, in the event that someone then planned on browsing to Stonewall to report what they may feel is an inappropriate block bordering on discrimination they’d find that Stonewall is blocked too.

Things are only going to get worse…