It should be possible to run ICMP tunnel or something. I’m pretty sure if DNS is working, than not all protocols with direct connectivity are blocked.
ICMP не работает. Я пробовал снаружи пингануть пару адресов, но ни один не ответил. Изнутри ICMP идёт только к 8.8.8.8. TCP, UDP не работает, за исключением dns на 53 к операторскому и гугловскому резолверам. Вообще, у каждого провайдера свой тип блокировки. Сейчас пишу про Билайн, но говорят, что на Казахтелекоме намного проще, там можно просто https проксей. Но, ещё раз говорю, в каждом регионе и у каждого оператора свои заморочки.
SOCKS5 proxy 3785 port works fine. Not sure why, VoIP using skype and other services works as well, so I guess 3785 may be used for VoIP
in general, it’s easy to configure in telegram, but if clients are able to configure proxy on their OS(for example using proxifyer) https and all other traffic works as well.
This has been tested in at least 3 regions.
That’s great, thank you for the information.
I am not familiar with that one either. nmap-services calls it bfd-echo “BFD Echo Protocol”. RFC 5881 says it is a UDP protocol:
BFD Echo packets MUST be transmitted in UDP packets with destination UDP port 3785 in an IPv4 or IPv6 packet.
comment is saying that proxy only works on main provider in Kazakhstan - KazakhTelecom.
Yeah, if it’s not VoIP I have no idea why it works. I guess people found it out by brute-forcing different ports
Also, working VoIP makes me think that there are other ports open on this provider as it also provides landline in Kazakhstan
Here is an obfs4 bridge on port 3785 (IPv4 and IPv6) to try in Tor Browser:
Bridge obfs4 172.105.56.235:3785 DD9769A0D6A9F18C24FCE731583597012E66273F cert=AEu2dF5cSjzQwA8kDx4R+38u10TReImk3ERjWFmzBGA0tPGyFxnsJRke5iSBef6+QDejew iat-mode=0
Bridge obfs4 [2400:8904::f03c:92ff:fe93:f42d]:3785 DD9769A0D6A9F18C24FCE731583597012E66273F cert=AEu2dF5cSjzQwA8kDx4R+38u10TReImk3ERjWFmzBGA0tPGyFxnsJRke5iSBef6+QDejew iat-mode=0
Documentation for entering bridges:
If this works, we may be able to set up more, for as long as it lasts.
Hello, I am that guy from Kazakhstan. Everything is as zhenyolka says. (Beeline)
The IPv4 obfs4 bridge is working!
I did some port scans. It looks like some other ports to try are 179, 646, 3784, 3785, 4784, 5060.
First I did a scan to see if any hosts in the /24 neighborhood of gov.kz were reachable on port 3785. Only one of them was, 195.12.114.89 (whois), which is part of “National Information Technologies Joint-Stock Company”:
# nmap -PS3785 -sn -n gov.kz/24
Nmap scan report for 195.12.114.89
Host is up (0.21s latency).
Nmap done: 256 IP addresses (1 host up) scanned in 15.57 seconds
Then, I scanned all the ports on that host. 6 ports were responsive, including 3785:
# nmap -n -PS3785 -p- --reason 195.12.114.89
Nmap scan report for 195.12.114.89
Host is up, received reset ttl 236 (0.21s latency).
Not shown: 65529 filtered ports
Reason: 65529 no-responses
PORT STATE SERVICE REASON
179/tcp closed bgp reset ttl 233
646/tcp closed ldp reset ttl 236
3784/tcp closed bfd-control reset ttl 234
3785/tcp closed bfd-echo reset ttl 234
4784/tcp closed bfd-multi-ctl reset ttl 233
5060/tcp open sip syn-ack ttl 50
Nmap done: 1 IP address (1 host up) scanned in 344.21 seconds
A port scan could also be a way to discover what foreign ports are accessible from inside Kazakhstan. You need to target a host that responds to every port (with either a SYN/ACK or a RST), like scanme.nmap.org. Any port that has reason syn-ack
or rst
is making it through the shutdown. Any port that has no-response
is blocked by the shutdown.
# nmap -v -n -Pn -p- -T4 --reason scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received user-set (0.23s latency).
Not shown: 65531 closed ports
Reason: 65531 resets
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 55
80/tcp open http syn-ack ttl 55
9929/tcp open nping-echo syn-ack ttl 56
31337/tcp open Elite syn-ack ttl 56
Nmap done: 1 IP address (1 host up) scanned in 108.98 seconds
# nmap -v -n -Pn -p- -T4 --reason -6 scanme.nmap.org
Nmap scan report for scanme.nmap.org (2600:3c01::f03c:91ff:fe18:bb2f)
Host is up, received user-set (0.23s latency).
Not shown: 65532 closed ports
Reason: 65532 resets
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 55
80/tcp open http syn-ack ttl 56
31337/tcp open Elite syn-ack ttl 56
Nmap done: 1 IP address (1 host up) scanned in 146.68 seconds
I see you have already set up the bridge. But Softether VPN also allows to encapsulate VPN in DNS or ICMP. I don’t know if this is available for public VPNGate servers.
Провайдер Казахтелеком.
Интернет отключили 17:00 05.01.2022
Дальше отключили полностью мобильную связь, не ловило в любых режимах(2G, 3G, 4G)
Через несколько дней включили мобильную связь, но звонки до сих пор отвратно работают.
Вывод traceroute:
traceroute to dns.google (8.8.4.4), 30 hops max, 60 byte packets
1 _gateway (192.168.100.1) 1.340 ms 2.627 ms 2.562 ms
2 82.200.242.218 (82.200.242.218) 6.005 ms 6.513 ms 7.061 ms
Дальше одни звездочки
С этим выводом я воодушёвленный пошёл проверять связь с другими клиентами сети казахтелекома. И пинг был(3 хопа)! И даже больше, кажется на них нету фильтра.
Мы спокойно прокидывали порты, HTTP, SSH, и прочие протоколы.
До других IP происходит полная фильтрация(даже icmp). Режим белый список.
В белом списке находится:
dns.google(8.8.8.8), akorda.kz, IP банков и государственых новостных агенств, а также мобильных операторов
Ставлю предположение, что фильтрующее обуродование на третьем/четвертом хопе стоит.
С этим уже кажется можно получить доступ в интернет, через dns туннель. Но к сожалению у меня нету сервера за рубежом. Также скорее фильтрация, крайне сильная с урезанием функционала до минимума, так я не смог icmp трафик сделать до всех хостов в whitelist. Кроме altel.kz
09.01.2022 дали доступ ко всем подсетям hoster.kz, neolabs.kz, ps.kz. Мне кажется или у хостингов есть интернет, так как судя по зеркалу репозиториев там они относительно свежие.
Сегодня, 10.01.2022 в 8:45 дали интернет.
В Астане давали интернет уже 3 дня назад. Но временно, с 8:00-13:00
I verified that shadowsocks+v2ray works just fine trough 3785 port.
Almaty, Kazakhtelecom
OpenVPN on port 3785 (udp) works.
Some information:
$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time ms
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=100 time= ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=100 time= ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=100 time= ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time ms
$ dig google.com @8.8.8.8
; <<>> DiG <<>> google.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 272 IN A 173.194.222.113
google.com. 272 IN A 173.194.222.138
google.com. 272 IN A 173.194.222.100
google.com. 272 IN A 173.194.222.102
google.com. 272 IN A 173.194.222.101
google.com. 272 IN A 173.194.222.139
;; Query time: msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jan 10 18:58:53 +06 2022
;; MSG SIZE rcvd: 135
$ curl https://8.8.8.8
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://dns.google/">here</A>.
</BODY></HTML>
hoster.kz, neolabs.kz, ps.kz - timeout
altel.kz, akorda.kz - works
(If you want to investigate, you can contact me using Discord (invite: rTjTadmYvt))
TCP, UDP, ICMP трейсы (-T, -U, -I) до 8.8.8.8 нормально выглядят в Казахтелекоме?
Wrote you PM but it seems that Kazakhstan net is getting shut down again.
#Internet connectivity was shutdown in #Kazakhstan again at ~1300 UTC after 6th brief service restoration since shutdowns started on Jan. 5. @cloudflareradar shows that this one saw peak traffic 2x or more as compared to previous restorations.
That matches the IODA signals as well. The restoration of access of January 10 (starting 00:00 UTC) lasted 13 hours and seemed to include more networks than past ones.
We’ve switched all Lantern (https://lantern.io) servers in the region to listen on 3785, 5060, as well as randomized high ports.
I found that port 179 works fine on both ISPs (KazakhTelecom and Beeline).
Thanks @sasha0552 for help!
The Tor community team posted a guide on how to get working bridges. You will not be able to use BridgeDB or Moat; instead, email frontdesk@torproject.org with subject “bridge kz”.
Thank you for the information. I opened port 179 on the the bridge from earlier as a backup in case 3785 gets blocked.
Bridge obfs4 172.105.56.235:179 DD9769A0D6A9F18C24FCE731583597012E66273F cert=AEu2dF5cSjzQwA8kDx4R+38u10TReImk3ERjWFmzBGA0tPGyFxnsJRke5iSBef6+QDejew iat-mode=0
Bridge obfs4 [2400:8904::f03c:92ff:fe93:f42d]:179 DD9769A0D6A9F18C24FCE731583597012E66273F cert=AEu2dF5cSjzQwA8kDx4R+38u10TReImk3ERjWFmzBGA0tPGyFxnsJRke5iSBef6+QDejew iat-mode=0
I did it with port forwarding:
iptables -A PREROUTING -t nat -p tcp --dport 179 -j REDIRECT --to-ports 3785
Репортирую, что вчера при включение интернета было ограничение скорости до 3Мбит /с примерно. На https видимо максимум по 20Кбит/с, не смог даже обновить репозитории.