Computer networks
Denis Sechin, 2017-05-19 18:48:14

How is my ISP blocking the site?

Good afternoon. I'm one of those who were unlucky (I live in Ukraine): naturally my provider cut off my access to VK, and instead of VK a stub page is displayed in the browser asking me to familiarize myself with the presidential decree on the blocking. In this connection I became interested in how the provider blocked my access to vk. Ping to vk passes:


PING vk.com (95.213.11.180) 56(84) bytes of data.
64 bytes from srv180-11-213-95.vk.com (95.213.11.180): icmp_seq=1 ttl=58 time=1.13 ms
64 bytes from srv180-11-213-95.vk.com (95.213.11.180): icmp_seq=2 ttl=58 time=1.14 ms

Further, dig vk gives nothing (I get nothing in response); the same with nslookup. But if you run nslookup vk 8.8.8.8:

Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: vk.com
Address: 87.240.165.82
Name: vk.com
Address: 95.213.11.180

So here is the picture. I understand that the provider erased the record about VK in its DNS server? But I have Google DNS on my router. Help me figure out why nslookup gives this output.
By the way, I use bypass methods perfectly well; I don't need advice on them.


7 answers
Yaroslav, 2017-05-19
@tamogavk

Since DNS resolution is correct, there are three industrially ready options:
1. Provider DPI: probably all providers already have it in one form or another.
Logically, the DPI is usually inserted into the link between the core and the NAT.
Physically, too.
In addition to the usual shaping and per-subscriber traffic accounting, a set of ALGs (Application Layer Gateways) is implemented there, which are, in fact, transparent proxies for typical protocols: HTTP, FTP, DNS, etc.
As a rule, ALGs can not only react to certain field values, but also interfere with the data transfer process.
The number of ALGs depends on the sophistication of the DPI; Procera even has one for World of Warcraft )
Well, HTTP page spoofing is perhaps the most used feature of the HTTP ALG.
2. A quick-and-dirty solution:
Described by none7. Start a server on your network with IP addresses matching the IP addresses of Vkontakte (or NAT all requests to them to a stub server, which is about the same) - quite a solution if you need to block the service as a whole, and not individual pages on it.
But if all of a sudden your politicians get as stupid as ours, and the list of blocked resources starts to grow, providers will howl to support this option ) thousand URLs.
It turned out that with such a number of entries many provider DPIs simply choke, so this task is often solved as follows: separate servers are set up that connect directly to the provider's BRs (border routers).
Server tasks:
- swallow the list of blocked resources, tear out the domain names from it and resolve them into IP addresses; several tens of thousands of addresses are obtained
- the received addresses are announced into the BR via OSPF or BGP. The BR is big, it calmly holds a BGP full view, so 10-20-50k extra prefixes are a drop in the bucket for it.
It turns out that all traffic towards IP addresses that host at least one blocked page now flows to these servers.
It would seem, what server will digest all this? But dozens of them can be deployed: ECMP / load balancing works at the routing level, and traffic is spread between the servers approximately equally.
On the servers themselves - Linux, and on Linux - squid in transparent mode and iptables )
Accordingly:
- tcp port 80 is redirected to squid by iptables, where each URL requested by the subscriber is looked up in the list of blocked resources
- on tcp port 443 the SNI is checked to decide whether to let the traffic through or cut it off entirely
- all other traffic (and pings, yeah) is passed through unchanged

none7, 2017-05-19
@none7

If it had erased the DNS record, then you would not receive anything at all, except a message from the browser about the network not working. Your ISP has configured NAT for the blocked addresses, and all traffic going to the vk IP is processed by the provider's server, including ping. A delay of 1 millisecond shows this perfectly, since this happens only within the city, and vk does not have a CDN.

Anton Ulanov, 2017-05-19
@antonsr98

Most likely it checks packets on the gateways.

Dimonchik, 2017-05-19
@dimonchik2013

See about iptables, with the amendment that on provider equipment this is done by purpose-built hardware.

devalone, 2017-05-19
@devalone

The DNS answer is correct; I have the same IPs for vk.com. Most likely blocked by IP. By the way, what happens if you go to https://vk.com?

Valentin, 2017-05-19
@vvpoloskin

Most likely they cut ports 80/443. They haven't had time to implement full DPI yet. This can be verified by running traceroute with an explicit port specification. Although if the provider is large, most likely it is still DNS. Set Google DNS explicitly on the PC.

latteo, 2017-05-20
@latteo

Look at tracert; most likely whois for the last hops will show that they belong to your provider.
Well, show us, I would be interested to look.
PS: from the provider's side this is a big stink, because on the stub they can collect your cookies and some other private data.
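
The answers above name several mechanisms (resolver tampering, a null route on the address, NAT to a stub server, a transparent HTTP proxy on port 80, SNI filtering on 443). The following is an added example, not code from anyone in this thread: a small Python helper that collects the observations a subscriber can make and names the mechanism they are consistent with, plus a raw HTTP probe that sends the request straight to the IP with a Host header, the way a transparent proxy would see it. The Probe field names, the classification rules and the label strings are my own assumptions about how to tell the cases apart.

```python
import socket
from dataclasses import dataclass
from typing import Optional, Tuple
# Hypothetical field names: this is how I group what the thread suggests checking.
@dataclass(frozen=True)
class Probe:
    isp_dns: frozenset          # A records from the router/ISP resolver
    public_dns: frozenset       # A records from a public resolver such as 8.8.8.8
    icmp_reply: bool            # ping to the resolved address is answered
    http_status: Optional[int]  # status of a plain HTTP GET to the address; None = no TCP connect
    http_looks_real: bool       # headers/body look like the real site rather than a stub
    tls_sni_ok: bool            # TLS handshake with the real hostname as SNI validated
    tls_nosni_ok: bool          # TLS handshake to the same address without SNI succeeded

def classify(p: Probe) -> str:
    """Name the mechanism from the thread that the observations are consistent with."""
    if not p.isp_dns:
        return "dns: resolver withholds the record (empty answer or timeout)"
    if p.isp_dns != p.public_dns:
        return "dns: resolver returns substituted addresses"
    if not p.icmp_reply and p.http_status is None:
        return "ip: address null-routed or filtered (ping and TCP both fail)"
    if p.http_status is not None and not p.http_looks_real:
        if p.tls_sni_ok:
            return "http: port 80 intercepted by a transparent proxy/ALG, 443 untouched"
        if p.tls_nosni_ok:
            return "dpi: stub on port 80 plus SNI filtering on port 443"
        return "nat: all traffic to the address diverted to a stub server"
    return "no blocking observed"

def parse_http_head(raw: bytes) -> Tuple[Optional[int], Optional[str]]:
    """Return (status code, Server header) from the start of an HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = head[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    server = None
    for line in head[1:]:
        if line.lower().startswith("server:"):
            server = line.split(":", 1)[1].strip()
    return status, server

def http_probe(ip: str, host: str, timeout: float = 3.0) -> Tuple[Optional[int], Optional[str]]:
    """Plain HTTP/1.0 GET straight to ip with Host: host; (None, None) if TCP connect fails."""
    try:
        with socket.create_connection((ip, 80), timeout=timeout) as s:
            s.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            raw = s.recv(8192)
    except OSError:
        return None, None
    return parse_http_head(raw)
```

Fed the questioner's observations (identical answers from both resolvers, ping answered, a stub page on port 80 and no working TLS), classify returns the NAT-to-stub case that none7 describes; a stub on 80 with TLS still working points at the HTTP ALG from Yaroslav's first option instead.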
