DPI: Deep Packet INJECTION, or a conspiracy theory about collusion between RTK and MRG

Hello, Habr!
It's me again, the one responsible for the IT side of RosKomSvoboda! You may remember me from the post about the camera spontaneously activating when opening a page with an embedded YouTube video.

This time it's a story from my personal life, and, in my opinion, the investigation is a bit more interesting.
It may even smell of a conspiracy theory (between Rostelecom (CC: Rostelecom ROSTELECOM-CENTER) and Mail.Ru Group).


Before getting started, I should note that this post actually sat in my drafts for more than a month, because darkk, ValdikSS and I are still (as of 02/28/2020) collecting and analyzing data on the extent of this problem, its reproducibility and other technical details. We wanted to gather a complete data set first and only then publish.
But since the hype has already started, it seems the time has come to release this post (and we will supplement it with new data as it accumulates)...

This story began when, a couple of years ago, the provider I had used for more than 10 years was bought by Er-Telecom (aka Dom.Ru).
After one unpleasant technical incident (there was a whole story with all the details, but it took up too much space and led the article in a different direction), and after weighing the pros and cons, I switched to Rostelecom (there weren't really any other options: every provider in the city had been bought by either the first or the second).

So I lived quietly with Rostelecom's Internet for half of January, until one interesting day arrived...
It started with me debugging some features in a self-hosted Sentry installation at work, and I needed to check something in Incognito mode (that is, without uBlock/uMatrix and other goodies), and over plain http (without SSL).

Imagine my surprise when I saw an ad banner on the Sentry error page:

And when I opened the DOM inspector, I found this:

First I suspected the add-ons that were allowed to run in Incognito mode, and disabled them.
At first it even seemed to help. But in fact this turned out to be a trick of the MitM: after a couple more page reloads, I saw the banner again.

Next I decided to open the page source (to see what it looks like before the JS scripts process it and modify the DOM).

There my eye fell on this block:

The next step was to search for this ads.js in the Sentry code and... I actually found it.

I looked at all this and, frankly, was stunned...

Just the night before I had, to put it mildly, cursed upstream Sentry for this, and because of it I had to significantly rework the Sentry deployment process.
So, with yesterday's grudge adding fuel to the fire, I decided that "those people at Sentry" had completely lost their sense of boundaries, and was about to go and swear at them...

But out of habit I dug further, and saw that this script actually does nothing offensive in itself (although its very existence, and Sentry detecting an ad blocker at all, raises questions about boundaries, but oh well).
As it turned out, just as the comment says, it simply sets the "ad blocker detected" variable to false and does nothing else.

But where did the banner come from?!

Vague suspicions begin to creep in, given that Mail.Ru's ad block doesn't appear in the DOM every time but only once every N reloads; that means a different file is sometimes served instead.
At this point I'm still sure that Sentry is doing this, and I want to find which file it serves, so I can go rub the developers' noses in it on GitHub, since this is supposedly ugly.

So I open the script in a tab and reload it several times...
And magically I get thrown to the domain r.analytic.press, with a lot of tracking information passed as parameters, including the region and the original link to the file (and all the passed parameters are baked into the obfuscated script that gets served). I could parse the script (all the more so since by now I have actually deobfuscated it), but that is again a departure from the topic of the article, because it shouldn't be in my traffic at all!

Clearly, no redirect to such suspicious domains was found in the Sentry code.
Who is our next suspect in line?..
Yeah... the traffic goes over HTTP, there is an intrusion into the traffic and "our" content is substituted... This very much resembles Rostelecom's DPI, which in the same way inserts stub pages about resource blocking.
So, we need to check whether it really is Rostelecom. And maybe I'm blaming it in vain?.. After all, the next suspect in line is a trojan, but I don't want to believe in that yet (flash-forward: I didn't have to), because that would mean either that my technical competence is greatly overestimated, or that someone "smarter" than me was found who could quietly slip a trojan onto my machine. And that would be an occasion for another article :).

So...
First, I check the link to the script with curl and... no redirect happens, no matter how I try...
OK. That leaves a fork of options: either something is off in the browser, or the MitM is even trickier than expected (yes).

To check the second option, I go back to the tab where I caught the redirect, and do this:

I check it in the console, and yes, once in several attempts a 307 redirect to the specified domain occurs.
I check on another device (on the home network): it reproduces.

Well then, it's not a trojan after all. Or at least not on my computer.

The question then arises: does this happen at CloudFlare, or at the provider after all (remember I mentioned DPI?)?
To begin with, I try to repeat the requests from servers located outside the apartment (and not using Rostelecom).
Not reproducible.
Which means the chance that it is Rostelecom's DPI is increasing. But for now these are just guesses...

And here comes a wonderful utility called Wireshark.
I open it, select the interface to capture on, turn on a filter (so as not to wade through excess traffic), start the capture and reproduce the redirect.

After several attempts, you see this picture:

Particularly noteworthy here is the almost instant response after 15 ms (the one marked TCP ZeroWindow), as well as the fact that immediately after it comes the real response from the server (but cURL no longer accepts it, because to cURL it is garbage, and sends back a TCP RST).
Further analysis of the traffic shows that the "fake" response with the redirect has its TTL field set to 59 (which means it is 64-59=5 "hops" away from me), while the real response from CloudFlare has TTL = 54 (10 hops).
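As an added illustration (my own code, not the author's capture or tooling), here is the TTL heuristic from the analysis above turned into a small detector: it runs over constructed packet records, takes the lowest TTL seen from a server IP as the origin's baseline (assuming an initial TTL of 64), and flags any HTTP response that arrived from noticeably fewer hops.

```python
# Constructed packet records modelled on the capture described above (not the
# author's real dump): an injected 307 arrives first with TTL 59, then the
# genuine 200 from the origin arrives with TTL 54 and the same TCP seq.
# Addresses are documentation-range placeholders.
PACKETS = [
    {"src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5", "dport": 51234,
     "ttl": 59, "seq": 1001,
     "payload": "HTTP/1.1 307 Temporary Redirect\r\nLocation: http://r.analytic.press/?x=...\r\n\r\n"},
    {"src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5", "dport": 51234,
     "ttl": 54, "seq": 1001,
     "payload": "HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\n"},
    {"src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5", "dport": 51240,
     "ttl": 54, "seq": 2001,
     "payload": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"},
]


def hops_from(ttl, initial_ttl=64):
    """Hop distance of the sender, assuming it started at initial_ttl (64 on Linux)."""
    return initial_ttl - ttl


def find_injected(packets, tolerance=1):
    """Report HTTP responses whose TTL is closer than the origin's baseline.

    A transparent injector sits between client and origin, so its forged
    response has crossed fewer hops (higher remaining TTL). The baseline per
    server IP is the lowest TTL seen from it; responses arriving more than
    `tolerance` hops nearer than that baseline are flagged. A duplicate
    response for the same seq (as in the capture above) is the classic sign.
    """
    responses = [p for p in packets if p["payload"].startswith("HTTP/1.")]
    baseline = {}
    for p in responses:
        baseline[p["src"]] = min(baseline.get(p["src"], 255), p["ttl"])
    flagged = []
    for p in responses:
        if p["ttl"] - baseline[p["src"]] > tolerance:
            flagged.append({
                "flow": (p["src"], p["sport"], p["dst"], p["dport"]),
                "seq": p["seq"], "ttl": p["ttl"], "hops": hops_from(p["ttl"]),
                "status": p["payload"].split("\r\n", 1)[0],
            })
    return flagged
```

The tolerance of one hop absorbs ordinary route flaps; a five-hop gap like the one in the capture is well outside it.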

Well... Time to take a break and see who is sitting in those 5 hops...

Now this is interesting: the router itself doesn't seem to show up, but... both of the IPs "surrounding" it belong to Rostelecom (!!!):

Which very unambiguously hints that the response comes from equipment standing somewhere on Rostelecom's network.

Fortunately or unfortunately, my acquaintances from RosKomSvoboda's tech board who helped me debug this, ValdikSS and darkk (many thanks to them), could not reproduce this on their "Rostelecom" links, so by all appearances it is highly region-dependent.[1]

By the way, although it depends on the region, it does not depend on the target site:
1) if you contact not CloudFlare's servers but, for example, darkk's server, the redirect is reproduced too (although his server originally returns a 404, that doesn't bother the MitM-DPI, it still pops up its ad 🙂). By the way, an interesting artifact of this problem: darkk, capturing traffic on his side during the tests, noticed that I was receiving acknowledgements for packets his server had never sent. I.e. the level at which this "juggling" of traffic happens is simply clumsy...
2) in fact, I'm not the only one; other people reproduce it on other sites:
ValdikSS found these cases: one and two (h) (don't open it if there are children nearby, or rather some anonymous user posted erotica in that thread),
and darkk these: one and two.

In general,
Firstly, this evokes very vivid memories of similar behavior by mobile operators, who insert their ads (which sometimes also includes subscriptions).
Secondly, a question arises for Rostelecom: do your clients (including most state institutions) bring in so little money that you can't do without selling user traffic and analytics on the side (to third-party companies)?
I won't believe for any gingerbread that the above is an accident.
I'm ready to believe that the DPI is not under your control and is misbehaving on its own, but, you know, then another question arises for you.
Thirdly, as predicted, technologies that are (supposedly) aimed at "protecting" us (again, "supposedly") by filtering "forbidden information" out of traffic are being used quite nicely to line someone's pockets...
Fourth, it seems to me that instead of inventing a "sovereign" Internet and building a virtual Iron Curtain, our valiant deputies would do better to direct their legislative activity in a positive direction and ban providers (all of them, both "wired" and "mobile") from interfering with traffic and inserting anything whatsoever into it (especially unsolicited advertising).

Well, summing up, I want to say that it seems the moment has come when you can no longer do without accessing the Internet through a tunnel to your own (rented) VPS somewhere in a country where net neutrality is enshrined in law.
Otherwise your "soul" (in the sense of your "digital footprint") will be sold not only by some Facebook or Google, but even by your own Internet provider.

[1] The theses that carry this footnote are a little outdated, because that part of the article was written before darkk, ValdikSS and I began a large-scale study of this problem (not just across Russia, but worldwide, using projects such as RIPE Atlas). But I decided it makes sense to leave this part as it is, at least until we are ready to publish the results of the study (or, perhaps, as a separate post?).
