Thursday, August 30, 2007

Green Screen of Death?


(Standard Disclaimer: As always, views, opinions, and actions expressed in this post are solely mine and in no way reflect that of my employer. Additionally, in no way is this meant to reflect negatively on Thailand, its people, or its government.)

Thailand's Internet Filtering Gone Awry

While browsing my companies website, I noticed that alot of pages were failing to render properly. After a bit of digging, I noticed some strange behavior. Some of our CSS and Javascript files are being blocked.

For instance, the following HTTP request:

GET http://www.revolutionhealth.com/stylesheets/65919/common.css HTTP/1.1
Host: www.revolutionhealth.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 Paros/3.2.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.revolutionhealth.com/omag/?ipc=B00145
Cookie: (Cookies Removed!)
Cache-Control: max-age=0


Returns the following 302 HTTP Redirect:

HTTP/1.0 302 Moved Temporarily
Server: squid/2.5.STABLE11
Mime-Version: 1.0
Date: Wed, 29 Aug 2007 10:27:00 GMT
Content-Type: text/html
Content-Length: 0
Expires: Wed, 29 Aug 2007 10:27:00 GMT
Location: http://w3.mict.go.th/ci/blocked.html
X-Squid-Error: 403 Access Denied
X-Cache: MISS from proxy
X-Cache: MISS from 192.168.0.1
Connection: keep-alive


This of course redirects us to what is apparently locally known as "The Green Screen of Death". It seems that the local ISP used by my hotel, PROEN Internet (while a mistake, is ironically enough is listed as one of Google Badware Sites!), is filtering all web traffic through a caching/ filtering Squid proxy server.

So all requests which pass through this service appear as:

GET / HTTP/1.0
Host: (Removed)
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Via: 1.1 192.168.0.1:8080 (squid/2.5.STABLE1), 1.0 proxy:8080 (squid/2.5.STABLE11)
X-Forwarded-For: 192.168.0.198, 202.151.184.194
Cache-Control: max-age=259200
Connection: keep-alive


And in my case are coming from 202.151.191.38 as seen by:

Aug 30 04:03:22 10.54.54.254 Aug 30 2007 04:03:30: %PIX-5-304001: 202.151.191.38 Accessed URL (Removed):/

Squid is running on port 8080 of this machine, but use is limited by source IP address.

However, when the proxy server sees something that it does not like, it redirects to the http://w3.mict.go.th/ci/blocked.html site. An IIS 6 webserver hosted by Thailand's Ministry of Information and Communication Technology (ICT).

So, the obvious questions become:

  • How are the block lists generated and maintained?
  • Is it controlled by a central authority or is supplied as part of a commercial product?
  • What is the process to report and remove false positives?
  • Is any dynamic and/or keyword filtering being utilized, or is it solely based on a list of URLs?
  • Is participation mandatory for all ISPs or is it elective?
Can anyone in Thailand or with knowledge of this, provide further insight on the matter?

**I know there are several ways to bypass this including Tor (which is also blocked in Thailand), various anonymous proxies, tunneling web traffic over SSH to a remote machine, etc. This post is not about that, so please don't post circumvention methods. I am much more interested in sharing knowledge of the system's design and operations.

Labels: , , , ,

0 Comments:

Post a Comment

Links to this post:

Create a Link

<< Home