Bypassing blocking of a prohibited site by a webmaster without settings and software on the client side

    I once saw IPv6 Teredo peers in µTorrent under Windows that downloaded pieces at a pretty decent speed, and then it dawned on me ...

    What is Teredo?

    Teredo is an IPv6 tunneling technology through IPv4 UDP packets. It was conceived as a transition technology that works for NAT, and, in general, more or less fulfills its responsibilities. Teredo allows you to access IPv6 Internet through public Teredo servers. Interestingly, in Windows 7, 8 and 8.1, Teredo is configured and enabled by default, right out of the box, and uses Microsoft's Teredo server (teredo.ipv6.microsoft.com).

    Why do we need this?

    Web sites whose specific links for one reason or another are in the registry of banned sites can organize access using Teredo, which will allow about 80-85% of users of modern versions of Windows to regain access to the site without additional settings and software! Access through Teredo allows you to bypass all tested DPI-solutions used by providers. Roskomnadzor not only cannot enter such pages into the registry, but also cannot access them (probably Teredo does not work for them):
    Hidden text
    Hello.
    Thank you for your active citizenship, but we inform you that your application was rejected for the following possible reasons:
    - at the time of the audit, the address indicated in your appeal is http: // [2001: 0: 9d38: 6ab8: 30c4: d940: 9469: f43e] / was not available;
    - the address specified in your appeal is http: // [2001: 0: 9d38: 6ab8: 30c4: d940: 9469: f43e] / is specified incorrectly or it is being redirected to another address;
    - the address indicated in your appeal http: // [2001: 0: 9d38: 6ab8: 30c4: d940: 9469: f43e] / requires registration / authorization.
    Sincerely,
    THE FEDERAL SERVICE FOR SURVEILLANCE IN THE FIELD OF COMMUNICATION, INFORMATION TECHNOLOGIES AND MASS COMMUNICATIONS.
    In addition, Roskomnadzor has no authority to block pages that redirect to other pages, and the “Actual Bulk” button confirms this.

    Microsoft Teredo Server Features

    To access “regular” IPv6, Teredo uses Relay servers that have full IPv6 access and act as proxies. In turn, Microsoft's Teredo relay servers do not allow access to “regular” IPv6 or other Teredo servers, allowing only the connectivity of Teredo clients configured on the Microsoft server and forming such a large closed network from Windows computers.

    Windows DNS Implementation Features

    If Windows only has a Teredo IPv6 address, the DNS resolver will not even try to get an AAAA record from domains. Thus, just logging into the site by domain name, even if it has only an AAAA record and no A record, it will not work. This can be disabled by a special parameter in the registry, but it is not interesting, because requires action on the client side.

    What to do?

    The solution is simple and not very elegant - use a domain with IPv4 access, which will make HTTP redirection to Teredo IPv6 address. You can do either regular redirection with code 307 or 301, or through javascript, pre-checking the availability of a Teredo address or combining it with other solutions to bypass blocking.

    How to setup?

    To host a website in Teredo for Linux, you need to use the miredo Teredo client, and be sure to configure it to use win8.ipv6.microsoft.com server. Also, so that you change the Teredo address as little as possible, I recommend setting a static outgoing port in the miredo configuration file ( /etc/miredo/miredo.conf or /etc/miredo.conf , depending on the distribution), i.e. set the BindPort parameter .
    Make sure your web server is listening on IPv6 addresses. For nginx, this is the listen parameter .
    My config looks something like this:
    Hidden text
    server {
            server_name 5yo.panty.shot.valdikss.org.ru;
            location / {
                    return 307 http://[2001:0:9d38:90d7:899:d93f:9469:f43e]/;
            }
    }
    server {
            listen [2001:0:9d38:90d7:899:d93f:9469:f43e]:80;
            server_name [2001:0:9d38:90d7:899:d93f:9469:f43e];
            root /usr/share/nginx/html/pantyshot/;
            index index.html index.htm;
            location / {
                    try_files $uri $uri/ =404;
            }
    }

    I made a test page where you can listen to the wonderful Panty Shot from Mindless Self Indulgence. I think it can be considered illegal, given the bunch of canceled concerts by unspiritual groups.
    5yo.panty.shot.valdikss.org.ru A
    page should only open if you are using Windows 7, 8 or 8.1 and do not have other IPv6 connections (native, 6to4, 6in4).

    Conclusion

    In my opinion, this technology will significantly affect the availability of blocked sites.

    UPD : Microsoft has disabled the Teredo servers that were used for Windows Vista and 7. Now Teredo by default only works on Windows 8, 8.1, and Windows 10.

    Also popular now: