
For the past week I've been getting a huge stream of traffic from a wide range of Chinese IP addresses. This traffic appears to be from normal people and their HTTP requests indicate that they think I'm:

  • Facebook
  • The Pirate Bay
  • various BitTorrent trackers
  • porn sites

All of which sounds like things people would use a VPN for. Or things that would make Great Wall of China angry.

User-agents include web browsers, Android, iOS, FBiOSSDK, Bittorrent. The IP addresses are normal commercial Chinese providers.

I have Nginx returning 444 if the host is incorrect or the user agent is obviously wrong:

## Deny illegal Host headers
if ($host !~* ^({{ www_domain }})$ ) {
   return 444;
}
## block bad agents
if ($http_user_agent ~* FBiOSSDK|ExchangeWebServices|Bittorrent) {
    return 444;
}

I can handle the load now, but there were some bursts of up to 2k/minute. I want to find out why they are coming to me and stop it. We also have legitimate CN traffic, so banning 1/6th of planet earth is not an option.

It is possible that it's malicious, and even personal, but it may just be a misconfigured DNS over there.

My theory is that it's a misconfigured DNS server or possibly some VPN services that people are using to get around the Great Firewall.

Given a client IP address:

183.36.131.137 - - [05/Jan/2015:04:44:12 -0500] "GET /announce?info_hash=%3E%F3%0B%907%7F%9D%E1%C1%CB%BAiF%D8C%DE%27vG%A9&peer_id=%2DSD0100%2D%96%8B%C0%3B%86n%8El%C5L%11%13&ip=183.36.131.137&port=11794&uploaded=4689970239&downloaded=4689970239&left=0&numwant=200&key=9085&compact=1 HTTP/1.0" 444 0 "-" "Bittorrent"

I can know:

descr:          CHINANET Guangdong province network
descr:          Data Communication Division
descr:          China Telecom

  • How can I find out what DNS server those customers are using ?
  • Is there anyway to determine if an HTTP request is coming from a VPN ?
  • What is really going on here ?

3 Answers


There is one theoretical way of determining the DNS resolver of your clients, but it's quite advanced and I don't know any off-the-shelf software that will do that for you. You'll for sure have to run an authoritative DNS server for that in addition to your nginx.

In case the HTTP Host header is incorrect, serve an error-document and include a request to a dynamically created, unique FQDN for each and every request which you log to a database. eg.

http://e2665feebe35bc97aff1b329c87b87e7.example.com/img.png

As long as China's Great Firewall doesn't fiddle with that request and the client requests the document from that unique FQDN+URI, each request will result in a new DNS lookup to your authoritative DNS for example.com, where you can log the IP of the DNS resolver and later correlate it with your dynamically generated URIs.

r_3
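The correlation step this answer describes, as an added example that is not part of the original answer: the web tier hands every wrong-Host request a random token, embeds it as a hostname in the error page it serves, and records which client IP got which token; the authoritative server for that zone logs the resolver IP that later asks for the token's name, and joining the two logs on the token maps each client to the resolver it is using. The zone name `probe.example.com`, the `PROBE_LOG` rows and the BIND-style query-log lines are all constructed for this example (only the client address 183.36.131.137 comes from the question); the log format parsed is the standard BIND `query:` line, and the nginx side is assumed to return `error_page()` as the body of its wrong-Host response.

```python
"""Correlate per-request probe hostnames with authoritative DNS query logs.

Added example, not code from the original answer. Assumes:
  - nginx serves error_page() for bad Host headers, so the browser fetches
    <token>.probe.example.com/img.png (zone name is an assumption)
  - the authoritative server for probe.example.com writes BIND-style query logs
  - the web tier records (token, client IP) per request (PROBE_LOG below)
All log data here is constructed sample data.
"""
import re
import secrets
from collections import defaultdict

PROBE_ZONE = "probe.example.com"   # assumption: a zone dedicated to the probes


def new_probe_token():
    """128 random bits per request: unique, and unguessable by a scanner."""
    return secrets.token_hex(16)


def error_page(token):
    """HTML body the web server returns when the Host header is wrong."""
    return ('<html><body>Unknown host.'
            f'<img src="http://{token}.{PROBE_ZONE}/img.png" alt=""></body></html>')


# Constructed: token handed out -> client IP that received it.
# In production each row is written to a database as the error page is served.
PROBE_LOG = [
    ("e2665feebe35bc97aff1b329c87b87e7", "183.36.131.137"),
    ("0f1e2d3c4b5a69788796a5b4c3d2e1f0", "183.36.131.137"),
    ("ffffffffffffffffffffffffffffffff", "192.0.2.77"),
]

# Constructed BIND-style query log from the authoritative server (192.0.2.1).
# Resolver addresses are documentation-range values, not real resolvers.
DNS_QUERY_LOG = """\
05-Jan-2015 04:44:13.101 client 203.0.113.53#53412: query: e2665feebe35bc97aff1b329c87b87e7.probe.example.com IN A + (192.0.2.1)
05-Jan-2015 04:44:13.322 client 203.0.113.53#53419: query: 0f1e2d3c4b5a69788796a5b4c3d2e1f0.probe.example.com IN A + (192.0.2.1)
05-Jan-2015 04:44:14.010 client 198.51.100.9#61000: query: ffffffffffffffffffffffffffffffff.probe.example.com IN A + (192.0.2.1)
05-Jan-2015 04:44:14.500 client 198.51.100.9#61001: query: www.example.com IN A + (192.0.2.1)
05-Jan-2015 04:44:15.000 client 203.0.113.200#4000: query: deadbeef.probe.example.com IN A + (192.0.2.1)
"""

# Matches the "client <ip>#<port>: query: <qname> IN" part of a BIND query log line.
QUERY_RE = re.compile(r"client (?P<resolver>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN ")


def parse_probe_queries(log_text):
    """Yield (token, resolver_ip) for every logged query under PROBE_ZONE."""
    suffix = "." + PROBE_ZONE
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if not qname.endswith(suffix):
            continue                      # unrelated query, e.g. www.example.com
        yield qname[: -len(suffix)], m.group("resolver")


def correlate(probe_log, dns_log_text):
    """Map each client IP to the sorted list of resolver IPs that looked up its tokens.

    Tokens that never appear in the DNS log (client never fetched the image, or
    the request was dropped in transit) and queries for tokens we never issued
    (scanners, typos) are both discarded, so only genuine joins survive.
    """
    token_to_client = dict(probe_log)
    clients = defaultdict(set)
    for token, resolver in parse_probe_queries(dns_log_text):
        client = token_to_client.get(token)
        if client is not None:
            clients[client].add(resolver)
    return {client: sorted(ips) for client, ips in clients.items()}


if __name__ == "__main__":
    for client, resolvers in sorted(correlate(PROBE_LOG, DNS_QUERY_LOG).items()):
        print(f"{client} -> resolver(s) {', '.join(resolvers)}")
```

Seeing the same handful of resolver addresses behind thousands of distinct client IPs is the signal the answer is after: it points at a shared resolver returning your address for names it should not, rather than at each client being individually misconfigured. The join only works because the token is fresh per request; a static hostname would be cached by the resolver and yield at most one query per TTL.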

I've heard the Great Firewall used to redirect "blocked" traffic to a handful of phony IPs, but this was causing their blocks to be easily spotted (I'm not sure if it allowed easy subversion). In any case the administrators have started redirecting to random IPs. This has led to some Chinese users getting porn, instead of Facebook or VPNs, apparently.

I suspect one of your IPs has turned out to be a recipient of blocked Chinese traffic - hence you seeing Facebook IPI user agents.

This means the host-header check should be a good one. Most user agents support SNI these days, so you should be able to drop no-host-header traffic with relative impunity.

Edit: http://www.infosecurity-magazine.com/news/great-firewall-upgrade-redirects/

Tom Newton

How can I find out what DNS server those customers are using ?

Contact Chinanet and ask? Seriously, DNS is configurable on the client side. Most people get DNS settings via DHCP, but OpenDNS and Google's DNS offering wouldn't have a business model if you couldn't change them.

Is there anyway to determine if an HTTP request is coming from a VPN ?

Not really, except that the IP would be of the VPN, not the end user in China.

What is really going on here ?

That I can't tell you, but perhaps there's some kind of misconfiguration in the Great Firewall of China?

unor