All geek questions in one place

How do you determine if a device is worth a Chinese firewall with the iOS SDK?

Due to problems reaching our regular endpoints located outside of China reliably when the user is behind a large firewall, we are looking for a way to reliably determine whether the user is currently behind a large firewall and using a different set of endpoints for the URL. hosted in china.

What we would like to do is some kind of check that the client can do, for example access to a URL that, as we know, will always be blocked by the firewall forever (or accessible only from the inside) or checks some property of the configuration network.

Things that are currently being considered:

  • Checking the device IP address for a list of network units assigned to China
    • It does not work if the device is located behind the NAT firewall
  • Perform tracing from the device to the host, which is known to be located outside of China. If packets are routed through hosts located in China (see above), then the device must be in China.
    • It may work, but it will introduce delays before the application can make calls while it is.
  • Just ask user
    • In the worst case, this may be the best option.
+5
source share
4 answers

IP ranges or you can check several key sites with top blocking ... maybe Facebook, Google, Wall Street Journal? Choose variety.

+3
source

I suspect that any method that tries to test a large firewall directly will be unreliable, possibly in the short term and definitely in the long term. However, since your goal is to choose servers both within China and outside the country, I suggest using the device’s time zone as quick and dirty "where am I?" check. If the time zone name is Asia/Chungking , for example, use a Chinese server. If he is Europe/Amsterdam , for example, does not use a Chinese server. Check every time zone in mainland China and you will probably be fine.

You can get the time zone name as TimeZone.current.identifier .

+2
source

A more technical approach might be to analyze the initial TCP RST packet sent by the firewall. This document (page 5) shows how researchers were able to distinguish TCP RST from the firewall from their server by setting the TTL value and noticing when it is different (61 versus 42 in the document).

When the client is possibly located in China (determined by other information), you can force RST on the first connection, save the TTL value and then notice when you get the RST of a different value.

+1
source

My suggestion is based on several assumptions and some previous checks on traffic sources.

Assumptions

  • Any URL that you constantly check will eventually be noticed by GFWOC administrators.

    a. this traffic pattern will create a permanent block,

    b. and / or used to track devices trying to reach this URL (possibly like honeypot),

    with. and / or redirected to an internal state sponsored and controlled endpoint.

  • You have the ability to push updates to your iOS application through the firewall.

Options

  • Create an endpoint outside of China using an authenticated ppk login and include the ppk file in your iOS app. The endpoint returns a message encrypted with ppk so that only the calling instance of the iOS application can decrypt the response, which may just be something like "ext_endpoint_reached" or some other known acknowledgment.

    If this has ever failed to properly decrypt or provide the expected message, go to internally hosted endpoints. If he succeeds, proceed as usual.

  • If outgoing encrypted traffic is not allowed, and incoming encrypted traffic is blocked, a two-way handshake can accept it. In this case, call one of the outgoing connection registers to the external endpoint A. Then the device connects to the endpoint B, which is another face of the same service firewall, to see if it has a message waiting that matches certain parameters, known only for iOS.

    If the message found in B matches the expected one, and it can be a simple keyword based on time or date or some other unique factor, you managed to reach the external endpoint, whereas if you did not receive the expected response or lack of response, you You know that you are being blocked or redirected.

Both of these options provide a failure that confirms that you are clicking on the firewall, and both rely on nothing terribly exotic to provide an external, possibly unverifiable, confirmation that you are outside the firewall.

0
source

Source: https://habr.com/ru/post/1275797/

More articles:


All Articles