Discussion:
Gmail and China's GFW
(too old to reply)
Cal Leeming
2011-03-21 20:31:39 UTC
Permalink
Interesting approach for sure, but not sure how well "-m string --algo bm"
would fair up with performance.

Have you benchmarked this?

On Mon, Mar 21, 2011 at 5:52 PM, Alien Chatter
Gmail can be blocked by simply blocking Google's SSL certificate(s).
When you visit Gmail, Google sends your browser its SSL Server
Certificate. Without this certificate, no connection can be made.
For example, running the following command, then browsing to
$ sudo ngrep -d eth0 -x 'Google Inc'
...
47 6f 6f 67 6c 65 20 49 6e 63 31 18 30 16 06 03 Google Inc1.0...
55 04 03 14 0f 6d 61 69 6c 2e 67 6f 6f 67 6c 65 U....mail.google
2e 63 6f 6d 30 81 9f 30 0d 06 09 2a 86 48 86 f7 .com0..0...*.H..
...
This output shows part of Google's ASN.1 encoded X.509 certificate.
Therefore, the following Linux firewall commands will stop any
$ sudo iptables -I INPUT -m string --algo bm --hex-string
'|476f6f676c6520496e63311830160603550403140f6d61696c2e676f6f676c652e636f6d30819f30|'
-j DROP
$ curl --connect-timeout 60 https://mail.google.com/
curl: (28) SSL connection timeout
The same applies for Twitter, Facebook... Much more efficient than
DNS/IP blocking!
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Cal Leeming
2011-03-21 20:43:42 UTC
Permalink
I think what he meant by efficient, was that if their sites ever get
re-numbered or more end nodes are added (which may or may not be that
often), then this would still catch the connections.

Imho, I think it'd be better to just have a script checking for it, but
nether the less, it's a cute approach (albeit, probably not usable in a
production environment).
$ sudo iptables -I INPUT -m string --algo bm --hex-string
'|476f6f676c6520496e63311830160603550403140f6d61696c2e676f6f676c652e636f6d30819f30|'
-j DROP
$ curl --connect-timeout 60 https://mail.google.com/
curl: (28) SSL connection timeout
The same applies for Twitter, Facebook... Much more efficient than
DNS/IP blocking!
Because searching for a bytestring in payload generates so much less load
than just overriding a DNS result at the recursive server (that users are
forced to issue queries to) or a simply drop SYNs based on IP header value
that routers/firewalls are optimized for...
I think you forgot your coffee this morning. It's not just for aliens you
know.
--
chort
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Cal Leeming
2011-03-21 22:20:02 UTC
Permalink
Agreed ;p
Post by Cal Leeming
$ sudo iptables -I INPUT -m string --algo bm --hex-string
'|476f6f676c6520496e63311830160603550403140f6d61696c2e676f6f676c652e636f6d30819f30|'
-j DROP
$ curl --connect-timeout 60 https://mail.google.com/
curl: (28) SSL connection timeout
The same applies for Twitter, Facebook... Much more efficient than
DNS/IP blocking!
Because searching for a bytestring in payload generates so much less load
than just overriding a DNS result at the recursive server (that users are
forced to issue queries to) or a simply drop SYNs based on IP header value
that routers/firewalls are optimized for...
I think you forgot your coffee this morning. It's not just for aliens you
know.
--
chort
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
I think what he meant by efficient, was that if their sites ever get
re-numbered or more end nodes are added (which may or may not be that
often), then this would still catch the connections.
Imho, I think it'd be better to just have a script checking for it, but
nether the less, it's a cute approach (albeit, probably not usable in a
production environment).
It's "efficient" in that humans get to be lazy. It's not efficient as far
as hardware resource utilization.
--
chort
Loading...