Blocking of *.pages.dev in Russia #364

Open
nyuuzyou opened this issue May 14, 2024 · 4 comments
@nyuuzyou

From 09.05 between 17:52 and 18:53, all websites matching the mask *.pages.dev (Cloudflare Pages) became unavailable on the AS52207 (Er-Telecom) network. According to measurements using RIPE Atlas and GlobalCheck, this problem is observed throughout the country: RIPE Atlas - https://atlas.ripe.net/measurementdetail/71407947

I also checked the history for *.workers.dev (Cloudflare workers) and *.cloudflarestorage.com (Cloudflare R2), but found no anomalies.

When I finished writing this post, I decided to go to the registry and the situation became a little clearer: an unspecified government agency decided to ban *.pages.dev for "rebellion and fakes". However, I could not find a single site in the registry on the pages.dev subdomain with "fakes".

@wkrp (Member) commented May 14, 2024

Do you think the blocking of pages.dev is related to the apparent use of pages.dev by VPN services in Iran? Maybe the same thing happens in Russia?

Weird SNIs being requested from REALITY server in Iran, possible abuse?

So I wanted to understand whether this specific dest is targeted by the GFW, so I patched xray to log all client IPs who reach the fallback dest.

On both servers, besides the regular security scanning, I see very strange requests with SNIs that resolve to cloudflare, such as:

  • <randomstring>.pages.dev
  • <username>.pages.dev, where <username> is the name of a popular VPN config provider in Iran, and where I found configs from that VPN provider using the same pages.dev domain.
  • other domains that resolve to cloudflare

I found that those requests are not just normal HTTP requests; they are full-blown vless+ws connections, going through the REALITY fallback! Based on response size, I think it's only a urltest, not a long-lived connection.

REALITY servers in Iran being abused as sort-of SNI proxies

SNIs contain the name of the VPN vendor, and they attempt to exploit case-sensitivity bugs in GFW around SNI (for example mYtElegRamChannelNAME.pages.dev). VLESS-without-TLS (and so, without encryption) is very popular, because it is slightly more performant.
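The quoted comment above describes mixed-case SNIs defeating a case-sensitive SNI filter. The following is an added example (not code from this thread, from xray, or from Cloudflare) from the egress-filtering side: it parses the server_name extension out of a raw TLS ClientHello and contrasts a naive byte-wise suffix match against one that lowercases the hostname and strips a trailing dot, as RFC 6066 hostname semantics require. The ClientHello bytes and the `example.PaGeS.dEv` name are constructed for the demonstration.

```python
import struct
from typing import Optional

def extract_sni(client_hello: bytes) -> Optional[str]:
    """Return the server_name from a raw TLS ClientHello record, or None."""
    # record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(client_hello) < 9 or client_hello[0] != 0x16 or client_hello[5] != 0x01:
        return None
    pos = 9 + 2 + 32                                   # skip client_version and random
    pos += 1 + client_hello[pos]                       # session id
    pos += 2 + struct.unpack("!H", client_hello[pos:pos + 2])[0]   # cipher suites
    pos += 1 + client_hello[pos]                       # compression methods
    end = pos + 2 + struct.unpack("!H", client_hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", client_hello[pos:pos + 4])
        pos += 4
        if ext_type == 0:                              # server_name (RFC 6066)
            # ServerNameList: list_len(2), then name_type(1) name_len(2) name
            name_len = struct.unpack("!H", client_hello[pos + 3:pos + 5])[0]
            return client_hello[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += ext_len
    return None

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal ClientHello carrying only an SNI extension (sample input)."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"      # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                             # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def naive_suffix_match(sni: str, rule: str) -> bool:
    """Case-sensitive byte comparison: the weak check that mixed-case SNIs slip past."""
    return sni.endswith(rule[1:]) if rule.startswith("*.") else sni == rule

def normalized_suffix_match(sni: str, rule: str) -> bool:
    """Hostnames are case-insensitive; strip a trailing dot and lowercase before matching."""
    host = sni.rstrip(".").lower()
    rule = rule.lower()
    return host.endswith(rule[1:]) if rule.startswith("*.") else host == rule
```

Run `extract_sni(build_client_hello("example.PaGeS.dEv"))` through both matchers with the rule `*.pages.dev`: the naive check misses, the normalized one matches.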

wkrp added the Russia label May 14, 2024

@nyuuzyou (Author)

I doubt it, but right now it's the only theory that seems real to me.

@mmmray commented May 14, 2024

When testing with the methods found in #80, it seems workers.dev and pages.dev are also blocked in TKM. So it's not just Iran. I feel that it is reasonable to assume that proxies are the reason; after all, Cloudflare Workers are a documented method in xray to bypass the GFW. I am only a bit surprised that they tolerate this amount of collateral damage, given that they just started blocking vmess.

@nyuuzyou (Author)

https://atlas.ripe.net/measurementdetail/71581413

I can confirm the blocking of *.workers.dev in Russia, but there are no records related to workers.dev in the RKN list.
