China and Iran use replay attacks to combat Telegram

Bug reports in the trackers of the popular MTProxy servers mtg and mtprotoproxy indicated that the regulators in Iran and China had somehow learned to detect and block Telegram proxies, even ones using packet-length randomization (the dd prefix).
An interesting story emerged as a result: the attackers were using replay attacks to identify MTProxy servers.

Replay attack: an attack on an authentication system that records previously sent valid messages, or parts of them, and later replays them (Wikipedia).

A third party "records" the packets of a connection to the proxy, and after some time attempts a connection using the saved packet header together with "corrupted" data.

If you look at the structure of an MTProxy packet

[Image: MTProxy packet structure (picture taken from the article linked here)]

it is easy to imagine how this can work:

The proxy server parses the packet header, recognizes it as valid, and forwards it directly to the Telegram server. The Telegram servers accept the packet but reply with an error message, which the proxy server sends back to the client; that reply can be detected simply by its length, since packets carrying an error message are much shorter than normal ones.

Based on this, the server address is blocked.

The developers of both proxy servers have already released updates (the fixes are in the mtprotoproxy and mtg repositories on GitHub). On each connection it is now checked that no connection has yet been made with the same auth_key_id (which is essentially a 64-bit random number).

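As an added illustration (not code from mtg or mtprotoproxy), here is a stand-alone Python sketch of the anti-replay check just described: the proxy remembers every auth_key_id it has accepted and refuses a second handshake that reuses one, with a bounded, time-limited memory so the table cannot grow without limit. The handshake layout assumed here (auth_key_id in the first 8 bytes) and the sample traffic are constructed for the example.

```python
import time
from collections import OrderedDict
from typing import Optional


class ReplayGuard:
    """Remembers auth_key_ids already used to connect and refuses a second use."""
    def __init__(self, max_entries: int = 100_000, ttl_seconds: float = 24 * 3600):
        self.max_entries = max_entries
        self.ttl = ttl_seconds
        self._seen = OrderedDict()  # auth_key_id -> time first seen (insertion order)

    def admit(self, auth_key_id: int, now: Optional[float] = None) -> bool:
        """True for a never-seen auth_key_id (and record it), False for a replay."""
        now = time.time() if now is None else now
        # Expire entries older than the window, oldest first.
        while self._seen:
            oldest_key, first_seen = next(iter(self._seen.items()))
            if now - first_seen <= self.ttl:
                break
            del self._seen[oldest_key]
        if auth_key_id in self._seen:
            return False  # replayed header: refuse it instead of forwarding upstream
        self._seen[auth_key_id] = now
        # Cap memory so a flood of fresh handshakes cannot exhaust it.
        while len(self._seen) > self.max_entries:
            self._seen.popitem(last=False)
        return True


def auth_key_id_from_handshake(packet: bytes) -> int:
    # Assumption for this example: the 64-bit auth_key_id is the first 8 bytes of the
    # client's handshake, little-endian. Adapt this to the real transport layout.
    if len(packet) < 8:
        raise ValueError("handshake too short")
    return int.from_bytes(packet[:8], "little")


def simulate_probe() -> tuple:
    # Constructed traffic: a genuine handshake, the same header replayed by a prober
    # with garbage after it, and an unrelated fresh handshake.
    guard = ReplayGuard()
    genuine = bytes.fromhex("a1b2c3d4e5f60718") + bytes(56)
    replayed = genuine[:8] + b"\xff" * 56
    fresh = bytes.fromhex("0102030405060708") + bytes(56)
    return (
        guard.admit(auth_key_id_from_handshake(genuine), now=1000.0),
        guard.admit(auth_key_id_from_handshake(replayed), now=1010.0),
        guard.admit(auth_key_id_from_handshake(fresh), now=1020.0),
    )
```

The check only protects within the remembered window: once an entry has expired or been evicted, a replay of that header would be accepted again, so the window should be long relative to how long a prober might hold captured traffic.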
In addition, quite interesting information appeared a few days ago in Russian network communities and Telegram channels: Roskomnadzor (RKN) has begun using open proxies to check public MTProxy servers. On the one hand this is a logical step, since they do not want to, or cannot, run such checks from their own addresses, because their subnet ranges would quickly become known to server owners; on the other hand, in many cases those "public proxies" are compromised SOHO routers, which makes the situation rather piquant.
A detailed article about this can be read on tjournal.

Enthusiasts have already written a script that automatically fetches the current list of open proxies and applies ipset rules to filter the addresses from that list effectively.
The script comes with brief usage instructions, written in a very lively and inspiring style.
