tech

"HINET browsing timelimit" Research

Yoni Yang

2 min read
"HINET browsing timelimit" Research
Your network has launched "HINET browsing time limit" protection. Perhaps take a rest?
中文版本在這:https://blog.nicewhite.xyz/hinet_browsing_timelimit_research_zhtw/

What is this?

This is a simple writeup that bypasses the time control of the 中華電信上網時間管理.
Of course, this is intended for educational purposes only.

Tested on 2024 Sep 10, no follow up planned.

How does this work?

yoni@yoni-A-Power-T200:~/icm2$ ping 1.1.1.1 -I enp3s0
PING 1.1.1.1 (1.1.1.1) from 192.168.1.106 enp3s0: 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=11.6 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=58 time=12.1 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=58 time=11.4 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=58 time=11.5 ms
64 bytes from 1.1.1.1: icmp_seq=5 ttl=58 time=11.9 ms
^C
--- 1.1.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 11.374/11.708/12.115/0.275 ms

Since the time control doesn't block ICMP requests, we can use repo friedrich/hans to begin with our bypass.

What do I need?

  • A linux server that doesnt have time control (Debian or Ubuntu recommend), and make sure it has a public IP. I used a VPS from Lazco Cloud (not sponsored).
  • A linux client (Debian or Ubuntu recommend, I am not able to figure out the windows workround)

Setup on the server

  1. Download hans from SourceForge and decompress & build it on both server and client side.
sudo apt-get install git build-essential screen
tar -xzf hans-version.tar.gz
cd hans-version
make
  1. Setup server
    Tells the kernel not to respond to PING requests.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Enable IP forwarding.

echo 1 | dd of=/proc/sys/net/ipv4/ip_forward

Setup the tunnel and IP/IPtables.

./hans -s 10.1.2.0 -p <set a password>

Now your ICMP tunneling server should be up.
3. Setup client

./hans -c server_address -p password

Testing connection to google.con via tunnel.

curl google.com --interface tun0

Force all traffics of current user (exclude root ofc) go through tunnel and run a speedtest.

sudo ip route flush table 502

sudo ip route add table 502 default dev tun0

sudo ip rule add uidrange $UID-$UID table 502

sleep 3

speedtest

Now,all traffics of current user (exclude root ofc) should go through the tunnel.

Q&A

Some websites works,some still got ERR_CONNECTION_RESET

Disable IPv6 on your client.

Slow speed

My original speed is 60M/20M,but after bypassing,I only got 0.9M/20M.
So my best guess is due to CHT's crappy router,which might not able to handle the ICMP tunneling well.
Maybe you can try to use other tunnel softwarer (ex: esrrhs/pingtunnel)
Or maybe use the time your parents restrict you to learn Networking.

How do I forward request made by root?

IDK, maybe you can try to use iptables to forward all traffics to the tunnel except the icmp requests to the server itselfs.

Happy Hacking.