Beating the net-censor

Net censorship in the UAE is quite sophisticated. There are two separate aspects which need to be considered by anyone wanting to communicate freely.

1. web access is accomplished by a proxy array which filters according to destination URL (web site ADDRESS + page). The list of censored URLs is updated frequently.

2. all TCP/IP packets (including web) are subject to filtering at the packet filters according to destination PORT. Few packets appear to be filtered in the incoming direction. This 'firewall' is installed backwards; it is clearly meant to stop people getting out, not to stop the bad guys from getting in.

The immediately obvious effects are:

1. If you attempt web access, via the proxy array, to an 'unwanted' page you will receive an error message from a proxy telling you that your access is denied. Recently, for a day or so, 'unwanted' included any personal web pages with a '~'!

2. If you change your web browser settings to remove the proxy configuration completely, your web browser requests are sent to a web site using the standard port (80) and will be blocked by the UAE packet filters. A timeout occurs in this case.

3. Attempting to use an external web proxy will mostly fail simply because the proxy port you need to connect to is blocked by the filters. 99.99% of the proxies in the world are on ports 3128, 8080, 8000, 1080, 80 etc. Outgoing packets to these ports are all blocked. Again a timeout occurs. Forget these.

4. Voice-over-IP communications to a telephone network gateway (e.g. net2phone) are blocked by these same filters (so the monopoly ISP doesn't lose money on their telco operations). The UAE police are certainly not responsible for this!

5. Usenet access is blocked (filtering on port 119). Email (25, 110) is not blocked.

6. Some applications fail at random times because they may negotiate a port with the other end which lies in the blocked set (though this seems less likely now that the number of blocked ports has been significantly reduced).

7. Internet access is generally flaky and slow because of all this stupidity.

Solutions

Web access

1. If you can find a free, unblocked, non-censoring, public access external proxy that's good for more than a few weeks ... lucky you! Keep it to yourself. Point your browser at it and you can skip to the next section.

   There are very few of these at any point in time; they're either misconfigurations or experimental.

2. If you want to freely surf the net, the best solution is to pay an ISP in the free world for the use of his proxy. This proxy needs to be special though; you need the ISP's commitment to get their proxy listening on a port you have unblocked access to (for example, some port over 12000). Point your browser at this proxy and you can skip the rest of this section. Normal ISP service is $US10-$US15 per month. In case the ISP is doubtful, USA ISP's who check with their attorney will find there are no legal problems. The proxy should be in the USA, because that's the first place your packets go after leaving the UAE. You don't want every web access request to have to go to Europe or Japan and back each time! Your accesses will not appear in the proxy log in the UAE, but of course could be 'sniffed' by an enterprising sysadmin because they're not encrypted. recommended

   Other solutions are slower, flakier, or more restrictive and some may get you kicked off any external ISP you have an account with. But read on...

3. A straightforward approach to getting through the packet filters is to use a port forwarding technique. Change the port number of your packets destined for (e.g.) an external proxy which allows public access (such as those listed at irc4all and my disorganized notes (go thru the proxies page)). At the same time you change the address so that the packets go to your ISP where you have set up a server to readdress the packets to the chosen proxy. This is not as hard as it sounds.
4. One of the easiest ways to do this actually ends up providing you with your own proxy! Get Stone down onto your ISP, follow the installation instructions and run ./stone proxy 12000. Then return to your browser and set the ISP and 12000 as the proxy. Simple. Stone builds easily on most ISPs operating systems. Tip: you'll see more reliable responses if you tell your browser to use HTTP 1.0 only. Stone can also encrypt, if you have the skills to build it up this way (you need to build openSSL first, then make a certificate for it). In this case, you have a completely encrypted connection to your own proxy! You can sleep soundly. Either way, you have an app which you can use to redirect any other ports you want (like 119 for Usenet news, 110 for email etc.)
5. A web proxy only solution, is to use rinetd, or similar. Set it up on your ISP (no sshd required) and make it listen on port 13000 (say), and redirect to any uncensored public proxy (maybe your ISP itself has a proxy). Then locally you configure your browser to use your ISP and 13000 as the http proxy address and port. No problems with this approach - I once used it a lot. The connection is not encrypted, of course, but at least it is not passing thru the local proxy (and being logged).
6. Junkbuster and other web proxy applications can be set up on the external ISP in a similar way.
7. Another, safer, approach is to use the port forward capability of some Secure Shell clients and servers (since port 22 is not blocked in the UAE yet). Note: even if port 22 is eventually blocked, the port can be specified at both ends but you need to build/run your own sshd. This imposes another constraint on your choice of external ISP - they must provide access to 'sshd', the server side of the ssh connection. An advantage of this (ssh) approach is that your web browsing will be encrypted all the way out of the UAE, so nosy eavesdroppers will have nothing to see. Another advantage is that the same technique can be used to access other blocked services (e.g. Usenet news). The biggest disadvantage of this appears to be that (when used for a web proxy) each web page accessed will cause multiple shell startups on your ISP. This is a significant load for him and he may get upset if you use it for frequent web surfing.

   For simple 'one-off' or infrequent web access, you have plenty of easy alternatives.

8. A simple ssh port forwarding technique can be used. Run ssh on the external ISP to forward a particular port to any web site (or proxy) you wish, point your browser (or proxy settings) at this port, and voila! Once logged onto your ISP, type 'ssh -R 12000:www.l0pht.com:80 localhost' and then (locally) web browse to http://your.ext.isp.com:12000/. You should see www.l0pht.com pop up. But it gets better - here's how to make your own proxy. On the remote system, type (for example) ssh -R 13000:erde.salzburg.at:8080 localhost and then (locally) set your web browser proxy to <your ISP:13000>. Then click here and you'll see that you've bypassed the censors. It will work for any site you click on while you still have the listener on the remote ISP running. You've essentially made your own proxy, for your own use, on a port which YOU determined, so it can't be blocked. Note that this technique allows use of all public access proxies with common ports (and there are many of these, e.g. all of those at http://www.lightspeed.de/irc4all/). Also note that the encryption is not present between you and the external ISP (ssh -L run locally may be used for this purpose, but that's the case that might get you kicked off the external ISP!).

9. You can choose to browse to one of the "anonymizer" web sites (if you can find an uncensored one). For example, magusnet. There's a trick needed for this one (and it can be used in other cases too). http://www.magusnet.com/ is blocked by the UAE proxies, but it has several IP addresses. You can find these by a DNS lookup (nslookup under linux, win NT; not sure how you do it under Win9*). You will see something like:

   Name: www.magusnet.com Addresses: 24.221.4.112, 24.221.4.113, 24.221.4.110, 24.221.4.111. The URL's as defined by http://(IP address)/ are not all blocked - only 24.221.4.110 is blocked. This means that (e.g.) http://24.221.4.111/ (today, at least!) will get you there. Magusnet proxies (and others) ensure that they are hard to block by having multiple IP addresses and ports available.

10. You can try some of Brian Ristuccia's Anti Censorware Proxies (ACP) mixed up with other proxy types in my notes. For example, sigint works ok.

    Hundreds of CGI type proxies are around. You can click on links on my proxies page, use URLs like (for example) http://home.www5.fairagent.com/index.cgi?URL=http://www.l0pht.com/l0phtcrack/ to get you to l0phtcrack (which is blocked in the UAE).

    Most of these approaches get your accesses enshrined in the censors' log files though. ACP log entries are almost all encrypted. Some ACP proxies even use https, the secure protocol. In these cases, only the first access (to the ACP mirror) will be readable.

    There are also a few unusual web sites which can be used (e.g. bobby).

Usenet news

1. you may be able to find or pay an external ISP who has a news server listening on some unblocked port.

2. The technique described in 1.c above can be used quite easily. Ask me at the address below for the specific setup for the ssh client you choose. My favorite is secureCRT. Note you must have the external ISP account. recommended

Voice-over-IP

The clients which allow a call to be made through a telephone gateway (to a normal phone) are blocked by the UAE ISP (which is also the monopoly telco!), for example Net2Phone. I haven't played with these for a year or so now, but then DeltaThree was usable. There should be many more clients to choose from now.

No doubt any PC-PC client which allows a gateway to be used will be blocked sooner or later to maintain telco profits.

Because the addresses and ports in use by these programs are dynamically allocated, the right answer is a virtual network connection to an external ISP, but that involves root access on the ISP. Although it is possible to redirect all the individual ports and addresses necessary to set up the call and talk, it's all a bit complicated an flakey.If anyone has better ideas, I'm happy to hear them.

BTW, this is the only case I know of where there is packet blocking on the returning packets based on the source IP address. Shows how important this is to them :-)

Strange/untested stuff

There's an app around called httpTunnel (http://www.nocrew.org/software/httptunnel.html) which makes any type of tcp/ip connection using only web accesses. It sounds interesting, but I've only managed to make it work without a proxy. I can't get it to work through Netscape (as in the UAE) or Apache proxies. It's been written and tested with Squid proxies.

Marcus Ranum once wrote an IP-over-Email package! Bit slow :-), but it's another way, I guess.

rinetd may be used. Rinetd can be run on an external machine to redirect your proxy requests to your external proxy. This can, of course, be used for other protocols as well. There appear to be only linux and windows versions. I've tested this on windows servers now. It works as-advertized. Very nice! If you can get a Linux ISP, and then get it compiled, you're probably in the clear.

Any further comments for this section would be welcome.

Tools to find out things for yourself

• a network sniffer (MS SMS network monitor works for me), otherwise you're always in the dark.
• a shell account at an external ISP (preferably with sshd) and some basic knowledge of the OS it runs (probably some flavor of Unix).
• Perl (both local and external). I use a windows version from Activestate locally. It's a breeze to install, update and install new modules. I understand it may not be quite so easy to install on Windows 95 (but why would you be using that anyway?).
• netcat (both local and external), from www.l0pht.com, Weld's page. This thing is indispensable!
• patience

References:

This guy talks about the sorts of things I'm on about above (ssh, your own proxy running on your external ISP).

http://www.vpn.outer.net/2e/vpnssh.html has a very nice introduction to ssh and vpn.

Craig has a detailed description of the setup and configuration of some of the techniques mentioned above - probably too detailed!. Join the dots (if you can find them!) and you'll be independent of these stupid lists of proxies forever.

ssh shell accounts are easy to find - a quick search at http://www.altavista.com/ using the search string "+ssh +telnet +shell +account" reveals about 10,000 hits. I checked some on the first page; almost every hit was an appropriate account to have. So there's no problem finding an ISP with sshd. Many of these specialize in telnet only accounts, so you're not paying extra for the dialup capability which you'll never use.

Disclaimer

Hope it all helps!

Please send criticisms, good ideas (I'll include with attributions), or just plain old comments about this stuff to wayne

If you're worried about email 'snoopers', encrypt your email at replay. Include your email address if you want a reply!

I'm particularly interested in making this paper useful for all net-censored countries/corporations, so any tidbits from those would be especially useful.