WEBSITE-TARGETEDFALSECONTENTINJECTIONBYNETWORKOPERATORSGabiNakibly1,2,JaimeSchcolnik3andYossiRubin21Technion–IsraelInstituteoftechnology2Rafael–AdvancedDefenseSystemsltd.
3IDCHerzliyaKNOWNEVENTSOFWEBCONTENTALTERATIONSomeISPsinthepasthavebeenspottedalteringtheircustomers'traffic:CMACommunicationsin2013Comcastin2012Mediacomin2011WOW!
in2008….
RogueadvertisementHOWTHEPRACTICEOFCONTENTALTERATIONWASSTUDIEDSeveralworksstudiedandanalyzedthispracticeE.
g.
NetalyzrHowpastworkmonitoredtraffictounearthcontentalterations:HOWTRAFFICWASMONITOREDINOURSTUDYWHATISOUT-OF-BANDCONTENTALTERATIONIn-bandcontentalteration:Out-of-bandcontentalteration:OUT-OF-BANDINJECTION–MODUSOPERANDI250bytessq#=0100bytessq#=250150bytessq#=350ourmonitoringpoint150bytessq#=350OUT-OF-BANDINJECTIONDETECTIONForgedbytessq#=350Validbytessq#=350TCPinjectionhasoccurrediftherearetwopacketsthathave:IdenticalIPaddressesandportnumbers,IdenticalTCPsequencenumber,But,havedifferentpayload.
THEINJECTIONEVENTSWediscovered14differentgroupsofinjectionevents.
AlmostallofthemwereinjectionstoChinesewebsites.
7injectiongroupsaimedtoaddrogueadvertisementstothewebsite.
5ofinjectiongroupshassomesortofmaliciousintent.
2injectiongroupsaimedtosimplyblockcontent(howeverisitnotcensorshiprelated).
INJECTIONEXAMPLE#1Thisinjectiongroupaimstoinjectrogueadvertisements.
Thisistheclient'sHTTPrequest:GET/core.
phpshow=pic&t=zHTTP/1.
1User-Agent:Mozilla/5.
0(WindowsNT6.
1;WOW64)Host:c.
cnzz.
comAccept-Encoding:gzipReferer:http://tfkp.
com/INJECTIONEXAMPLE#1(CONT.
)ThevalidHTTPresponse:TheinjectedHTTPresponse:HTTP/1.
1200OKServer:TengineContent-Type:application/javascriptContent-Length:762Connection:keep-aliveDate:Tue,07Jul201504:54:08GMTLast-Modified:Tue,07Jul201504:54:08GMTExpires:Tue,07Jul201505:09:08GMT!
function(){varp,q,r,a=encodeURIComponent,c=.
.
.
HTTP/1.
1302FoundConnection:closeContent-Length:0Location:http://adcpc.
899j.
com/google/google.
jsINJECTIONEXAMPLE#2ThevalidHTTPresponse:HTTP/1.
1200OKServer:nginx/1.
4.
4Content-Type:text/javascript;charset=UTF-8Transfer-Encoding:chunkedVary:Accept-EncodingExpires:-1Cache-Control:no-store,private,post-check=0…Pragma:no-cacheP3P:CP="CURaADMaDEVaPSAoPSDoOURBUSUNIINT….
JiaTag:de2a570993d722c94……Content-Encoding:gzipTheforgedHTTPresponse:HTTP/1.
1200OKDate:May,28Mar201214:59:17GMTServer:Microsoft-IIS/6.
0X-Powered-By:ASP.
NETPragma:No-CacheContent-Length:145Cache-control:no-cacheJiaThisisaChinesecompanythatprovidesasocialsharingtoolbar.
Arequestforaresourceatjiathis.
comresultsinthefollowing:AredirectiontoBaiduwithsearchterm"UNIQLO"'GPWA'INJECTION'GPWA'INJECTIONGPWA–GamblingPortalWebmastersAssociation.
Itrunsacertificationprogramtogamblingsites.
AsitethatmeetsthecertificationstandardgetstoshowanGPWAseal.
Thereareabout2500GPWAapprovedgamblingsites.
http://certify.
gpwa.
org/seal/online.
casinocity.
com/'GPWA'INJECTIONTheclient'sHTTPrequestis:GET/script/europeansoccerstatistics.
com/HTTP/1.
1Host:certify.
gpwa.
orgConnection:keep-aliveAccept:*/*User-Agent:Mozilla/5.
0(WindowsNT6.
1;WOW64)AppleWebKit/537.
36(KHTML,likeGecko)Chrome/44.
0.
2403.
107Safari/537.
36Referer:http://europeansoccerstatistics.
com/Accept-Encoding:gzip,deflate,sdchAccept-Language:en-US,en;q=0.
8,he;q=0.
6'GPWA'INJECTION(CONT.
)Theinjectedresource.
Referstoqpwa.
orginsteadofgpwa.
org.
Thisisnotanattackbyanetworkoperator,butbyathirdpartywhoprobablycompromisedarouter.
Thevictimsoftheattackhasreportedlyhavebeenshownadsandspoofedaffiliatetags.
{vari=newImage();i.
src="http://qpwa.
org/q="+document.
referrer;l=localStorage;if((document.
referrer!
="")&&(document.
location.
hostname!
=document.
referrer.
split('/')[2])&&(!
l.
g)){c=document.
createElement('script');c.
src='http://certify.
qpwa.
org/script/'+document.
location.
hostname.
replace('www\.
','')+'/';document.
getElementsByTagName('head')[0].
appendChild(c)}l.
g=1;}WHOISBEHINDTHEINJECTIONSIngeneral,itisdifficulttounveiltheinjectingentitiesasthereisnoidentifyinginformationintheinjectedcontent.
wetriedtogetanindicationoftheiridentitybyidentifyingtheautonomoussystemfromwhichtheforgedpacketoriginated.
Sincetheinjectionswerenotreproducible,wecannotemploytheoft-usedtraceroute-likeproceduretolocatetheinjector.
WHOISBEHINDTHEINJECTIONS(CONT.
)Weusedaheuristicbasedontheforgedpacket'sIPTTLtotrackdownitssource.
ItisknownthatthedefaultinitialTTLvaluesofthemajoroperatingsystemsare32,64,128and255.
Iftheattackerusedoneofthosevalueswecancalculatehowmanyhopstheinjectedpackettraversed.
Forexample,ifaninjectedpacketarrivedattheclienthavingTTL=59,thenmostprobablyit'sinitialvaluewas64andittraversed5hops.
Giventhepathbetweentheserverandtheclientwecanpin-pointtheinjector'slocation.
ServerClientEstimatednumberofhopstraversedbytheforgedpacketPATHDETECTIONUSINGRIPEATLASHowever,wedonotknowwhatistheactualpathfromthewebservertotheuser.
Thereversepath(clienttoserver)canbetrace-routed,butInternetpathsarenotalwayssymmetric.
TosolvethisproblemweleveragedRIPEAtlas:AglobalnetworkofprobesthatmeasureInternetconnectivityandreachability.
UsingRIPEAtlaswetraceroutedthepathfromanodeintheASofthewebservertotheclient(whenthereisone).
Thisisstillanapproximationsincethatnodeinnottheactualwebserver.
THESUSPICIOUSAUTONOMOUSSYSTEMSOuranalysisindicatesthattheinjectorresideswithintheASoftheinjectedwebsite.
Usually2-5hopsawayfromthewebserver.
MostinjectionsaretriggeredfromChineseoperators.
CONCLUSIONSFollowingalarge-scalesurveyofInternettrafficwediscoveredthatnotonlyedgeISPsaltertrafficbutalsonon-edgenetworkoperatorsthataimtoincreasetheirrevenue.
Therewerenumerousincidentswithmaliciousintent.
Weproposeaclient-sidemitigationfortheattacksincaseHTTPScannotbeused.
Wepublishedsamplesoftheinjections.
Virmach自上次推出了短租30天的VPS后,也就是月抛型vps,到期不能续费,直接终止服务。此次又推出为期6个月的月抛VPS,可选圣何塞和水牛城机房,适合短期有需求的用户,有兴趣的可以关注一下。VirMach是一家创办于2014年的美国商家,支持支付宝、PayPal等方式,是一家主营廉价便宜VPS服务器的品牌,隶属于Virtual Machine Solutions LLC旗下!在廉价便宜美国...
cmivps香港VPS带来了3个新消息:(1)双向流量改为单向流量,相当于流量间接扩大一倍;(2)Hong Kong 2T、Hong Kong 3T、Hong Kong 无限流量,这三款VPS开始支持Windows系统,如果需要中文版Windows系统请下单付款完成之后发ticket要求官方更改即可;(3)全场7折年付、8折月付优惠,优惠码有效期一个月!官方网站:https://www.cmivp...
萤光云怎么样?萤光云是一家国人云厂商,总部位于福建福州。其成立于2002年,主打高防云服务器产品,主要提供福州、北京、上海BGP和香港CN2节点。萤光云的高防云服务器自带50G防御,适合高防建站、游戏高防等业务。目前萤光云推出北京云服务器优惠活动,机房为北京BGP机房,购买北京云服务器可享受6.5折优惠+51元代金券(折扣和代金券可叠加使用)。活动期间还支持申请免费试用,需提交工单开通免费试用体验...
acceptencoding为你推荐
中证财通中国可持续发展100(ECPI建筑业127重要产品信息指南国家标准苹果5eacceleratoraccess violation问题的解决办法!itunes备份itunes备份是什么win7telnetwindows7旗舰版中telnet在哪iphonewifi为什么我的苹果手机连不上wifi如何用itunes备份如何使用iTunes最新版进行备份?急!!杀毒软件免费下载2013排行榜免费杀毒软件最好的是那个?在那下载
河南虚拟主机 播放vps上的视频 ftp空间 securitycenter zpanel 私人服务器 好看的桌面背景图片 100m免费空间 100x100头像 cdn加速原理 七夕快乐英语 dnspod 深圳域名 免 register.com 服务器操作系统 低价 极域网 国外bt网站 万网空间价格 更多