Router eavesdropping on SSH tunnel?

So I'm on a public WiFi network that blocks websites like YouTube in order to conserve bandwidth. I'm assuming the router is monitoring all traffic and rejecting all requests sent to the sites on its blacklist. In order to get around this, I tried using an SSH tunnel so that I'd have an encrypted connection with my remote server and the web requests would be made from the remote server. So the router I'm connected to shouldn't have any idea what the packets I'm sending are.

I've tried this method before on other networks that filtered traffic to sites like YouTube, and it has worked perfectly. Somehow this router is still able to block the websites. I've checked to make sure that my traffic is really going through the remote server by verifying the IP address, so I know I didn't just mess up the settings or forget to point my browser to the correct port. I've tried routing the traffic through two separate servers, one that uses password authentication and another that only uses keys, and the traffic is filtered in both cases.

If the packets I'm sending to and from the remote server are encrypted, how can the router know that I'm trying to access YouTube? Is the router doing a man in the middle attack on me? I checked the server's fingerprint and it was the same as usual, but maybe the router can spoof the fingerprint?

I just want to understand how the router is doing this.

eyuelt

Posted 2014-03-26T12:07:17.083

Reputation: 141

My first thought is a DNS leak. I would suggest you use a packet sniffing tool like Wireshark to make sure that your DNS request for youtube.com is going through the SSH tunnel and not going direct to the router and being blocked. – user2675345 – 2014-03-26T12:11:47.657

@user2675345 is probably correct. – Shadur – 2014-03-26T12:55:22.433

Perhaps it blocks all traffic which looks like "small outgoing payload - huge incoming payload coming in below line capacity" (which might indicate a streaming video)? – Piskvor left the building – 2014-03-26T16:45:54.237

Could also be some packet inspection engine in the works. For better results, have your SSH server listen on tcp/443 :) – None – 2014-03-26T16:23:23.157

@Piskvor - They were blocking the entire website, not just videos. So I wasn't even able to go to the YouTube homepage. – None – 2014-03-26T23:57:40.377

@user2675345 - Thanks, this is the first I'm hearing about DNS leaks. I'll look into it and I'll make sure to check next time I'm on that network again. – None – 2014-03-27T00:05:54.427

How exactly does a blocked site manifest? If possible, provide a screenshot. – Daniel B – 2014-03-27T10:07:31.380

How do you access YouTube? With a PC+browser or something like an Android phone? If Android: could it be that the youtube app ignores the tunnel? Also (for all devices): what DNS servers are you using? As user2675345 pointed out, maybe your DNS requests ignore the tunnel. Have you also tried to clean your DNS cache? – masgo – 2014-04-11T08:34:07.700

You could use OpenVPN and route all traffic, including DNS, through your server. – gogators – 2014-05-01T16:32:45.060

If you are using a proxy on the other end of the ssh tunnel, that should do its own dns lookups. – Tom Newton – 2014-05-31T20:07:27.090

Answers

tl;dr: It was a DNS leak. Thanks to @user2675345 for the tip-off!

Here is the page I got when I accessed a blocked site:

[image: "Requested Site Blocked" page]

I first tried pinging a few websites and saw that their IP addresses were the same. As can be seen in this image:

[image: ping output]

Both youtube.com and metacafe.com, which are both blocked, have 176.12.107.179 as their IP. Unsurprisingly, navigating to this IP in a browser yields the "Requested Site Blocked" page shown above. Pinging www.google.com, on the other hand, results in a legit IP pointing to Google.

So the URLs were getting mapped to the wrong IP. I used dig to inspect the DNS entries and confirm this.

[image: dig output]

Indeed, the DNS entry for youtube.com had 176.12.107.179 as its IP.

I then used Wireshark to check out the DNS requests and saw that the requests weren't coming from the IP of the server I was SSH'ed into, but from my local IP address.

[image: Wireshark DNS trace]

Even though I was using an SSH tunnel, my DNS requests were not going through the tunnel. Also, they seemed to be going to an IP address on the same network. So it looks like the router onboard the bus was acting as a DNS server and giving out bad DNS answers for sites on its blacklist.

This is a very serious vulnerability. Not only could an eavesdropper see all of the websites I was going to, but the person controlling the router/DNS server could easily route me to a malicious version of YouTube, rather than to the "Requested Site Blocked" page. And all the while, I'm thinking that my traffic is all going through the SSH tunnel and I'm completely secure.

eyuelt

Reputation: 141
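The diagnosis in the answer above, as an added example that is not part of the original post: a small Python script that builds a few DNS A-record responses in wire format (constructed here to stand in for what the dig output and the Wireshark capture showed), parses them, and flags an address that several unrelated names all resolve to. The sinkhole address is the one the answer reports; the address used for the legitimate answer is an RFC 5737 documentation address, not a real Google address.

```python
import socket
import struct
from collections import defaultdict

# Address the original post saw for every blocked site (the router's block page).
SINKHOLE = "176.12.107.179"


def build_dns_response(qname: str, addresses: list, txn_id: int = 0x1234, ttl: int = 60) -> bytes:
    """Build a minimal DNS A-record response in RFC 1035 wire format.

    Used only to construct sample input for this example; a real check would
    take the bytes from a capture or from a resolver socket.
    """
    # flags 0x8180: standard response, recursion desired + available, no error
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(addresses), 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        # 0xC00C = compression pointer to offset 12, i.e. the question name
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + question + answers


def _read_name(data: bytes, offset: int):
    """Read a (possibly compressed) domain name; return (name, offset after it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, high bits 11
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(data: bytes):
    """Return (queried name, [IPv4 answers]) from a DNS response."""
    _txn_id, _flags, _qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    qname, offset = _read_name(data, offset)
    offset += 4  # skip QTYPE + QCLASS of the question
    addresses = []
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:  # A record, class IN
            addresses.append(socket.inet_ntoa(rdata))
    return qname, addresses


def find_sinkhole(responses: list, min_names: int = 2) -> dict:
    """Group queried names by the address they resolved to.

    One address shared by several unrelated names is the signature of a
    filtering resolver handing out its block page instead of the real answer.
    """
    by_addr = defaultdict(list)
    for raw in responses:
        qname, addrs = parse_a_records(raw)
        for addr in addrs:
            by_addr[addr].append(qname)
    return {addr: names for addr, names in by_addr.items() if len(names) >= min_names}


# Constructed sample: what the captive resolver answered for two blocked sites
# and for one site that was not on its blacklist (placeholder address).
SAMPLE_RESPONSES = [
    build_dns_response("youtube.com", [SINKHOLE]),
    build_dns_response("metacafe.com", [SINKHOLE]),
    build_dns_response("www.google.com", ["198.51.100.10"]),
]

if __name__ == "__main__":
    for raw in SAMPLE_RESPONSES:
        print(parse_a_records(raw))
    print("suspected sinkhole:", find_sinkhole(SAMPLE_RESPONSES))
```

The grouping alone is a hint, not proof: shared hosting and CDNs legitimately put many names behind one address. The confirming step is the one the answer took, resolving the same names from the far end of the tunnel (for example `ssh server dig +short youtube.com`) and browsing to the suspect address; in Wireshark, the display filter `dns` shows whether the queries leave on the local interface and which server answers them.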

Just like @user2675345 is saying, you should probably check the DNS proxy settings if your browser has any.

Follow these steps to enable DNS lookups through a proxy in Firefox:

  1. enter about:config in the address bar
  2. search for proxy
  3. set network.proxy.socks_remote_dns to true

I used to be a Chrome user myself, but switched to Firefox when I noticed that the DNS lookups didn't use the proxy settings. That was a while ago and should be fixed now according to this bug report.

MoonSire

Reputation: 874
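Why the `network.proxy.socks_remote_dns` setting above and the comment that "the proxy should do its own DNS lookups" amount to the same thing, as an added example that is not part of the original answers: a Python function that builds the SOCKS5 CONNECT request (RFC 1928) that a browser sends into an `ssh -D` tunnel, either carrying the hostname so the SSH server resolves it, or carrying an IPv4 address the client resolved itself first. The `poisoned_resolver` stand-in is assumed here in place of the system resolver so the leaky path can be shown without touching the network; the address it returns is the one the question's author saw.

```python
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4 = 1
ATYP_DOMAIN = 3


def socks5_connect_request(host: str, port: int, remote_dns: bool, resolve=socket.gethostbyname) -> bytes:
    """Build the SOCKS5 CONNECT request for host:port (RFC 1928 section 4).

    remote_dns=True  -> ATYP 0x03: the hostname travels inside the tunnel and the
                        SSH server resolves it (what socks_remote_dns=true does).
    remote_dns=False -> ATYP 0x01: the client resolves the name itself, outside
                        the tunnel, and only the resulting IPv4 address is sent.
    `resolve` is injectable so the leaky path can be demonstrated offline.
    """
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        dst = struct.pack("BB", ATYP_DOMAIN, len(name)) + name
    else:
        addr = resolve(host)  # the DNS leak: a query to whatever resolver the OS uses
        dst = struct.pack("B", ATYP_IPV4) + socket.inet_aton(addr)
    # VER, CMD, RSV, then DST.ADDR and DST.PORT (network byte order)
    return struct.pack("BBB", SOCKS_VERSION, CMD_CONNECT, 0x00) + dst + struct.pack("!H", port)


def describe_request(req: bytes) -> dict:
    """Decode a CONNECT request far enough to say where name resolution happened."""
    ver, cmd, _rsv, atyp = struct.unpack("BBBB", req[:4])
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_DOMAIN:
        n = req[4]
        host = req[5:5 + n].decode("idna")
        port = struct.unpack("!H", req[5 + n:7 + n])[0]
        return {"resolved_by": "proxy", "host": host, "port": port}
    if atyp == ATYP_IPV4:
        host = socket.inet_ntoa(req[4:8])
        port = struct.unpack("!H", req[8:10])[0]
        return {"resolved_by": "client", "host": host, "port": port}
    raise ValueError(f"unsupported ATYP {atyp:#x}")


def poisoned_resolver(name: str) -> str:
    """Constructed stand-in for the filtering resolver on the bus network:
    it answers every name with the address of its block page."""
    return "176.12.107.179"


if __name__ == "__main__":
    good = socks5_connect_request("youtube.com", 443, remote_dns=True)
    bad = socks5_connect_request("youtube.com", 443, remote_dns=False, resolve=poisoned_resolver)
    print(good.hex(), describe_request(good))
    print(bad.hex(), describe_request(bad))
```

With `ssh -N -D 1080 user@server` running, the same difference is visible from the command line: `curl --socks5-hostname 127.0.0.1:1080 https://www.youtube.com/` hands the name to the SSH server (ATYP 0x03), while `curl --socks5 127.0.0.1:1080 ...` resolves it locally first (ATYP 0x01) and will be steered to the block page on a network like the one in the question. The tunnel is not at fault in either case; it faithfully carries whatever destination the client chose, and the local resolver is the one that chose badly.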