ratfiv
Beginner
Message 1 of 14

Some HTTP traffic being MITMed

Hi, I was trying to access 8ch.net and found that sometimes it shows me up as permanently banned, apparently connecting from the IP 213.121.193.248 (AKA bn-proxy1a.ealing.ukcore.bt.net).

Traceroute to port 443 (a normal traceroute) is as follows:

traceroute to 8ch.net (104.20.82.196), 30 hops max, 60 byte packets
1 host81-135-160-1.in-addr.btopenworld.com (81.135.160.1) 6.470 ms 6.465 ms 6.459 ms
2 213.120.178.141 (213.120.178.141) 6.454 ms 6.631 ms 7.033 ms
3 213.120.177.98 (213.120.177.98) 7.765 ms 8.473 ms 8.477 ms
4 213.120.178.67 (213.120.178.67) 13.521 ms 8.897 ms 11.877 ms
5 217.41.168.107 (217.41.168.107) 9.578 ms 11.661 ms 7.513 ms
6 acc1-10GigE-0-0-0-5.l-far.21cn-ipp.bt.net (109.159.249.78) 13.491 ms acc1-te0-0-0-12.l-far.21cn-ipp.bt.net (109.159.249.84) 9.378 ms acc1-10GigE-0-1-0-7.l-far.21cn-ipp.bt.net (109.159.249.118) 8.176 ms
7 core3-te0-2-0-19.faraday.ukcore.bt.net (109.159.249.5) 9.526 ms core4-te0-2-0-19.faraday.ukcore.bt.net (109.159.249.7) 12.359 ms core4-te0-9-0-26.faraday.ukcore.bt.net (109.159.249.59) 11.203 ms
8 core1-Te0-13-0-6.ealing.ukcore.bt.net (213.121.193.24) 10.748 ms core1-te0-1-0-0.ealing.ukcore.bt.net (213.121.193.22) 16.589 ms core1-Te0-0-0-2.ealing.ukcore.bt.net (213.121.193.30) 14.404 ms
9 host213-121-193-230.ukcore.bt.net (213.121.193.230) 12.891 ms 13.560 ms 14.755 ms
10 213.137.183.98 (213.137.183.98) 14.514 ms 213.137.183.100 (213.137.183.100) 12.644 ms 213.137.183.102 (213.137.183.102) 13.135 ms
11 t2c3-xe-11-1-2-1.uk-lof.eu.bt.net (166.49.164.90) 12.645 ms t2c3-xe-11-1-3-1.uk-lof.eu.bt.net (166.49.164.94) 9.006 ms t2c3-xe-1-1-3-1.uk-lof.eu.bt.net (166.49.164.78) 9.167 ms
12 ldn-b3-link.telia.net (213.248.67.97) 9.161 ms 7.690 ms 9.670 ms
13 ldn-bb3-link.telia.net (62.115.117.10) 11.275 ms ldn-bb2-link.telia.net (62.115.116.248) 8.012 ms ldn-bb3-link.telia.net (62.115.117.8) 9.318 ms
14 ldn-b5-link.telia.net (80.91.246.145) 8.364 ms ldn-b5-link.telia.net (80.91.246.147) 11.307 ms ldn-b5-link.telia.net (213.155.136.75) 10.157 ms
15 cloudflare-ic-306325-ldn-b3.c.telia.net (62.115.42.242) 10.616 ms 12.774 ms 11.473 ms
16 104.20.82.196 (104.20.82.196) 12.523 ms 11.996 ms 8.753 ms

Traceroute to port 80 (exhibiting the suspicious behaviour) is as follows:

traceroute to 8ch.net (104.20.82.196), 30 hops max, 60 byte packets
1 host81-135-160-1.in-addr.btopenworld.com (81.135.160.1) 6.320 ms 6.327 ms 6.322 ms
2 213.120.178.141 (213.120.178.141) 6.313 ms 6.309 ms 6.885 ms
3 213.120.177.98 (213.120.177.98) 8.155 ms 8.561 ms 8.760 ms
4 213.120.178.67 (213.120.178.67) 11.750 ms 8.122 ms 8.749 ms
5 217.41.168.107 (217.41.168.107) 11.029 ms 9.661 ms 11.710 ms
6 acc1-te0-4-0-9.l-far.21cn-ipp.bt.net (109.159.255.192) 12.316 ms acc1-10GigE-0-2-0-5.l-far.21cn-ipp.bt.net (109.159.249.99) 7.908 ms acc1-te0-4-0-11.l-far.21cn-ipp.bt.net (109.159.255.194) 7.211 ms
7 core3-te-0-0-0-18.faraday.ukcore.bt.net (109.159.249.41) 10.971 ms core4-te0-0-0-26.faraday.ukcore.bt.net (109.159.249.57) 9.760 ms core3-te0-19-0-26.faraday.ukcore.bt.net (109.159.249.55) 9.936 ms
8 core4-te-0-10-0-2.faraday.ukcore.bt.net (213.121.193.66) 14.842 ms core1-te0-11-0-5.ealing.ukcore.bt.net (213.121.193.38) 11.552 ms core1-Te0-13-0-6.ealing.ukcore.bt.net (213.121.193.24) 15.049 ms
9 104.20.82.196 (104.20.82.196) 12.953 ms 12.942 ms 13.348 ms

Notice how 7 router hops just vanish, where presumably a different machine is pretending to be 104.20.82.196. I've tried switching back and forth between these different ports and between using ICMP traceroutes, and the result is always the same: the port 80 trace stops early and strongly suggests that the connection is being proxied.

Add to that that the website is reporting a permanent IP ban originating from a completely different IP address unrelated to the one I get from "whatismyip.com", "ipinfo.io", etc, and I suspect BT is conducting a man-in-the-middle attack against this website.

Is this normal, and can I turn it off?

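An added example, not code from the thread, that automates the comparison the post makes by hand: it parses two traceroute outputs to the same target, reports how many hops disappear and at which hop the two paths first part, and flags the shorter trace when the same destination IP answers several hops early. The embedded hop lines are an abridged copy of the two traces above; the hop threshold is an assumption you can tune.

```python
import re
from typing import Dict, Set

# Constructed sample: an abridged copy of the two traces in the post (same target IP).
TRACE_443 = """\
traceroute to 8ch.net (104.20.82.196), 30 hops max, 60 byte packets
 1 host81-135-160-1.in-addr.btopenworld.com (81.135.160.1) 6.470 ms 6.465 ms 6.459 ms
 8 core1-Te0-13-0-6.ealing.ukcore.bt.net (213.121.193.24) 10.748 ms core1-te0-1-0-0.ealing.ukcore.bt.net (213.121.193.22) 16.589 ms
 9 host213-121-193-230.ukcore.bt.net (213.121.193.230) 12.891 ms 13.560 ms 14.755 ms
15 cloudflare-ic-306325-ldn-b3.c.telia.net (62.115.42.242) 10.616 ms 12.774 ms 11.473 ms
16 104.20.82.196 (104.20.82.196) 12.523 ms 11.996 ms 8.753 ms
"""
TRACE_80 = """\
traceroute to 8ch.net (104.20.82.196), 30 hops max, 60 byte packets
 1 host81-135-160-1.in-addr.btopenworld.com (81.135.160.1) 6.320 ms 6.327 ms 6.322 ms
 8 core4-te-0-10-0-2.faraday.ukcore.bt.net (213.121.193.66) 14.842 ms core1-Te0-13-0-6.ealing.ukcore.bt.net (213.121.193.24) 15.049 ms
 9 104.20.82.196 (104.20.82.196) 12.953 ms 12.942 ms 13.348 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")        # "<hop number> <rest of line>"
IP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)")   # every "(a.b.c.d)" on a line

def parse_traceroute(text: str) -> Dict[str, object]:
    """Return the target IP from the header and, per hop number, the set of IPs that answered."""
    lines = text.strip().splitlines()
    target = IP_RE.search(lines[0]).group(1)
    hops: Dict[int, Set[str]] = {}
    for line in lines[1:]:
        m = HOP_RE.match(line)
        if m:
            hops[int(m.group(1))] = set(IP_RE.findall(m.group(2)))
    return {"target": target, "hops": hops}

def compare_traces(reference: str, probe: str, min_missing: int = 3) -> Dict[str, object]:
    """Flag the probe trace as likely intercepted when it reaches the same target IP at least
    min_missing hops (assumed threshold) sooner than the reference; also find where paths part."""
    ref, prb = parse_traceroute(reference), parse_traceroute(probe)
    last_ref, last_prb = max(ref["hops"]), max(prb["hops"])
    shared = sorted(set(ref["hops"]) & set(prb["hops"]))
    # First hop number present in both traces whose responding routers have nothing in common.
    diverge = next((n for n in shared if ref["hops"][n].isdisjoint(prb["hops"][n])), None)
    same_target = ref["target"] == prb["target"]
    return {
        "hops_reference": last_ref,
        "hops_probe": last_prb,
        "missing_hops": last_ref - last_prb,
        "first_divergent_hop": diverge,
        "suspicious": same_target and last_ref - last_prb >= min_missing,
    }
```

Run against the two traces in the post it reports 7 missing hops and a divergence at hop 9, which is where the port 80 trace claims to have reached Cloudflare's address.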
anthonyUK
Expert
Message 2 of 14

Re: Some HTTP traffic being MITMed

BT, like many other large ISPs, are using transparent DNS proxies to intercept DNS lookups for various reasons, such as to comply with government-endorsed blocking or, in future, surveillance of everyone's browsing habits, e.g. the Snoopers' Charter.

There are things you can do to avoid this, as it is totally unacceptable not to at least make you aware of it, but you'll need to change your router to one that supports DNSCrypt or use a VPN that doesn't 'leak' DNS.

ratfiv
Beginner
Message 3 of 14

Re: Some HTTP traffic being MITMed

The issue is irrelevant to DNS. The issue specifically affects HTTP at TCP port 80 and is visible in the traceroutes I provided above. Also note that the IPs resolved are identical, even though they reach different destinations. This is not something DNS can do, and is happening at a much lower level.

It is a very sinister issue. It suggests that BT is intentionally storing and/or modifying all HTTP communication to this server, and unintentionally masking the IP address of the user. Either BT are doing something they should not (which I hope they offer an opt-out from), or an attacker has control of one of BT's routers. Neither of these options is very palatable, so I would like someone to explain what on earth is going on here.

Distinguished Sage
Message 4 of 14

Re: Some HTTP traffic being MITMed

This is a customer-to-customer self-help forum. Posts made here do not go to BT; although the forum is moderated by BT, not every post is read.
anthonyUK
Expert
Message 5 of 14

Re: Some HTTP traffic being MITMed

Given the content of the site you mentioned, is it possible that BT Protect, or whatever it is called, is blocking it?

Using HTTPS was a simple workaround for many of the blocked sites apparently.

The IP you are trying to reach is part of Cloudflare.

ratfiv
Beginner
Message 6 of 14

Re: Some HTTP traffic being MITMed

I don't think it's a site blocking issue, since I can access the site over HTTP just fine. (And that's not turned on in the first place.)

I first noticed that it was being proxied and my source IP was being masked when I hit a page saying the proxy's IP was permanently banned from posting due to uploading child pornography.

If I connect via HTTPS, the site sees my real IP and I don't get the ban page.

Jonkarra
Expert
Message 7 of 14

Re: Some HTTP traffic being MITMed

If it has DDoS protection by Cloudflare, that is what is doing the proxying.
ratfiv
Beginner
Message 8 of 14

Re: Some HTTP traffic being MITMed

Cloudflare is involved, but please read the first post. The IP the website is seeing resolves to "bn-proxy1a.ealing.ukcore.bt.net", which is a BT address, not a Cloudflare address. Not only that, but the site usually gets the real IP of the user without any problems, even though everyone is connecting through Cloudflare. The Cloudflare theory also doesn't explain why port 80 is being hijacked by a completely different machine presumably owned by BT, or why that machine so brazenly has "proxy" in its hostname.

anthonyUK
Expert
Message 9 of 14

Re: Some HTTP traffic being MITMed

I would imagine that most ISPs use a caching proxy to save bandwidth. Could it be something like this?

ratfiv
Beginner
Message 10 of 14

Re: Some HTTP traffic being MITMed

If it is a caching proxy, it seems strange that they'd offer it without advertising it and without an option to disable it, especially when they don't have any kind of transparent proxying deal going on with Cloudflare (as evidenced by the site seeing the wrong IP).

There's also the question of why other websites (notably things like ipinfo.io) are not similarly proxied.
