Authors: Anonymous
Chinese version: China's Great Firewall has blocked 1.1.1.1 since October 1, 2023

There have been many reports of 1.1.1.1 being blocked in China, starting from October 1, 2023.

As discussed in a different post on Net4People, China injected TCP RST packets to block 1.1.1.1:443 from September 5 to 20, 2023.
Below is our observation from a VPS in Tencent Cloud Beijing (ASN AS45090) on October 1, 2023:

- We did not observe any blocking of 1.1.1.1:443 from our vantage point. In particular, we can successfully retrieve a complete webpage using `curl -v https://1.1.1.1`. This shows inconsistency of this new censorship incident across different geo-locations or ASes.
- Port 80 of 1.1.1.1 got injected with a "302 Moved Temporarily" or "301 Moved Permanently" message, attempting to redirect users to the National Anti-Fraud Center website (wiki).

Here is one example of a request to 1.1.1.1:80 when no injection happens:
```
ubuntu@VM-32-5-ubuntu:~$ curl -v http://1.1.1.1
*   Trying 1.1.1.1:80...
* TCP_NODELAY set
* Connected to 1.1.1.1 (1.1.1.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 1.1.1.1
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Server: cloudflare
< Date: Sun, 01 Oct 2023 22:49:54 GMT
< Content-Type: text/html
< Content-Length: 167
< Connection: keep-alive
< Location: https://1.1.1.1/
< CF-RAY: REDACTED-SJC
<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>cloudflare</center>
</body>
</html>
* Connection #0 to host 1.1.1.1 left intact
```
This is one example when the "302 Moved Temporarily" got injected:

```
ubuntu@VM-32-5-ubuntu:~$ curl -v http://1.1.1.1
*   Trying 1.1.1.1:80...
* TCP_NODELAY set
* Connected to 1.1.1.1 (1.1.1.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 1.1.1.1
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Moved Temporarily
< Connection: close
< Location: http://182.43.124.6/fzyujing?parameter2=REDACTED
<
* Closing connection 0
```
In particular, the redacted parameter in the output consists of 319 characters. Querying from the same vantage point across time, only the 129th to 150th characters (22 characters) and the 257th to 278th characters (22 characters) of the 319-character message changed. It is still unclear to us what information is encoded in this parameter.
The real 301 Moved Permanently response from 1.1.1.1 still reaches the client eventually (but arrives later than the injected message), indicating that the censor does not drop the real response from 1.1.1.1:80.
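As an added example (not code from the original post), the following Python applies two checks from the observations above: labelling a captured 1.1.1.1:80 response as injected or genuine from its Location host and Server header, and locating which character positions of the redirect parameter change across captures. The sample captures and the 319-character parameter stand-ins are constructed here, since the real parameter is redacted in the post.

```python
from urllib.parse import urlparse

# From the post: the injected Location pointed at this host; the genuine reply had "Server: cloudflare".
INJECTOR_HOST = "182.43.124.6"
GENUINE_LOCATION_HOST = "1.1.1.1"

# Constructed captures mirroring the two curl transcripts (parameter redacted as in the post).
INJECTED_CAPTURE = ("HTTP/1.1 302 Moved Temporarily\r\nConnection: close\r\n"
                    "Location: http://182.43.124.6/fzyujing?parameter2=REDACTED\r\n\r\n")
GENUINE_CAPTURE = ("HTTP/1.1 301 Moved Permanently\r\nServer: cloudflare\r\n"
                   "Content-Type: text/html\r\nLocation: https://1.1.1.1/\r\n\r\n<html>...</html>")


def classify_http_response(raw: str) -> str:
    """Label a captured HTTP/1.1 response to GET http://1.1.1.1/ as injected or genuine."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, *header_lines = head.split("\n")
    reason = status_line.split(" ", 1)[1]            # e.g. "302 Moved Temporarily"
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    location_host = urlparse(headers.get("location", "")).hostname
    if location_host == INJECTOR_HOST:
        return "injected " + reason
    if headers.get("server", "").lower() == "cloudflare" and location_host == GENUINE_LOCATION_HOST:
        return "genuine " + reason
    return "unclassified " + reason


def changing_positions(samples):
    """1-based inclusive ranges of positions that differ across equal-length strings (the
    comparison that located the two 22-character changing runs in the 319-char parameter)."""
    length = len(samples[0])
    if any(len(s) != length for s in samples):
        raise ValueError("samples must have equal length")
    ranges = []                                       # 0-based half-open [start, end)
    for i in range(length):
        if len({s[i] for s in samples}) > 1:
            if ranges and ranges[-1][1] == i:         # contiguous with the previous run
                ranges[-1][1] = i + 1
            else:
                ranges.append([i, i + 1])
    return [(start + 1, end) for start, end in ranges]


def constructed_parameters():  # constructed 319-char stand-ins for the redacted parameter
    def overwrite(s, start, end, ch):  # start/end are 1-based inclusive, matching the post's numbering
        return s[:start - 1] + ch * (end - start + 1) + s[end:]
    base = "a" * 319
    return [base, overwrite(overwrite(base, 129, 150, "b"), 257, 278, "c")]
```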
The ASN of the IP 182.43.124.6 that hosts the National Anti-Fraud Center website:

| host | asn | asname | cc | registry |
|---|---|---|---|---|
| 182.43.124.6 | AS58519 | CHINATELECOM-CTCLOUD Cloud Computing Corporation, CN | CN | apnic |
We conducted an ongoing experiment from a vantage point in Tencent Cloud Beijing (ASN AS45090). Specifically, we run `curl https://1.1.1.1` and `curl http://1.1.1.1` every minute and capture the network traffic.

Below is an analysis based on the data we collected between Sunday, October 1, 2023 19:54 (Beijing Time, UTC+8) and Friday, October 6, 2023 2:43 PM (Beijing Time, UTC+8). In total, we made 6169 HTTP requests. We received 559 injected HTTP/1.1 301 Moved Permanently packets and 1760 injected HTTP/1.1 302 Moved Temporarily packets.
This table summarizes all values seen in each type of injected response:

| HTTP Status Code | 301 | 302 |
|---|---|---|
| Total Number of Injections | 559 | 1760 |
| Injection Ratio (over 6169 requests) | 9.06% | 28.5% |
| IP ID | 0x99b3 | 0x4c57 |
| IP TTL | 251 | 251 |
| IP Flags | 0x0 | 0x0 |
| TCP Flags | 0x18 (PSH+ACK) | 0x19 (PSH+ACK+FIN) |
| TCP Window Size | 502 | 65535 |
In comparison with @klzgrad's observation that:

> Injected HTTP/1.1 301 Moved Permanently packets have IP ids of 0x99d1, 0x99d2, 0x99d3, 0x99d4. Injected HTTP/1.1 302 Moved Temporarily packets have IP id of 0x4c57.

we only observed one IP ID value, 0x99b3, for the HTTP/1.1 301 Moved Permanently injection, which is different from the four reported values.

> They also have consistent TTLs.

We also observed consistent TTLs, and the value is the same as that of the packets sent by the real 1.1.1.1 server.
The figure below shows the number of injections we received in each hour. We send around 60 requests each hour, and the average injection rates for 301 and 302 responses are only 9.06% and 28.5% respectively: