Freerk <[email protected]> (write
in English, German or Spanish),
A tutorial on how to bypass Internet Censorship using Proxies, Shells, JAP etc.
Different ways to beat the filtering in schools, countries or companies (blocked
This is the original and so newer than the translations because
I'm still working on it.
In the last 10 years the Internet has grown very, very fast. It is made up of thousands
of little networks put together. Billions of computers are connected, and it is
not controlled or even owned by a government or company. There are no laws;
everybody can put their webpages online, where they can be accessed by everybody in
the world who is sitting in front of a computer with Internet access. I believe
that this can and will change the world as we know it today.
But there are several governments who think that this unlimited access to information
is dangerous for their citizens. These are, for example, China, Saudi Arabia,
Bahrain, Cuba, Jordan, Tunisia, Burma, Singapore, Uzbekistan,
Yemen, Kuwait, Vietnam, Syria, Iran, United Arab Emirates and parts of Africa.
Even countries like Australia, Switzerland and some parts of Germany
censor websites. This ranges from a very easy to circumvent DNS blocking
of only 2 Nazi sites in parts
in blocking thousands of websites, services and ports in China.
The blocking methods differ, and so do the ways to bypass
them. I will try to show you how to access the website of Amnesty International,
BBC, Google and other blocked sites in your country. I made this website in
very basic HTML, so that you can even view it with a very old computer. Please
share this information, link the site, copy it, mirror it, print it (I didn't
"hide" any links, so that no link is lost when you print it) and teach
your friends and relatives!
Well, I'm living in Germany, which is not very famous for its censoring.
But the local government of one of the 16 German states (NRW) is trying to introduce
censorship by blocking 2 US Nazi sites. Sure, I really don't like those guys,
but in my opinion no government or even a system administrator has the right
to choose which information an individual has access to. What websites are
next? Who chooses which websites will be blocked? Additionally, my school
websites and so I became interested in this topic.
Permission is hereby granted, free of charge, to any person obtaining
a copy of this document,
to deal with this document without restriction, including without limitation
the rights to use, copy, modify, translate, merge, publish, distribute,
and/or sell copies of the document, and to permit persons to whom the document
to do so, provided that the author (Freerk Ohling) and at least two mirror
server of the original text (see: 1.3 How to get this file) appear in all
of the document.
You have to choose whether to bypass the Internet censorship
or not. I only show you how to do it; I can't take any responsibility. In several
censoring countries you will go to jail if they catch you, in a lot of companies
you will get fired and some schools will ban you.
Of course the censors not only block Internet traffic, they also look
at it (in countries/companies with a small Internet population) and try to
find out who is bypassing their firewall and how. An easy way to
find out who is bypassing the firewall (and how) is by just looking for some
in the logfiles:
Right after the Internet connection is established, the user
connects to only one server and remains connected to it all the time.
What a user does right after he gets an "access denied"
message from his censor (opens a special website, goes to a chatroom, connects
to a special server...).
There are many different ways to censor Internet traffic.
Sometimes 2 or more are combined. Please write to me at [email protected] and tell me
which blocking methods are used in your country, which ISP you are using and
the ways that work for you to bypass it; it would be very useful for other
This is used, for example, by some German providers. It is a very cheap and
easy censoring method, and the same is true for bypassing it. First, I will
explain what the Domain Name System is: Every computer on the
Internet has a unique address, a little bit like a telephone number. These
are 4 numbers from 0 to 255 separated by dots. For example: 188.8.131.52 is the IP address
for www.freerk.com. Because remembering such a number is very difficult,
the DNS was invented. This service maps a URL to its IP address. If you type
www.freerk.com into your browser, the request is sent to the DNS server that
was automatically given to you by your ISP when you dialed into the Internet. A
lot of addresses are already cached, so the DNS server sends the IP address for the
URL back to you. If the DNS server has no cached information on the site you
requested, it asks one of the 13 root servers, which know all addresses. If the
DNS server of your provider is censoring, it just refuses to send you the
real IP address. It sends you nothing or the IP of a "sorry" website.
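One way to check for this kind of DNS censorship, as an added example that is not part of the original tutorial: build a DNS query by hand, parse the reply, and compare what the ISP's server returns with the reply from a resolver you trust. The name www.example.org, the documentation-range addresses and the `sample_response` helper are constructed for illustration.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Encode a recursive A-record query for `name` in DNS wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN

def ask(resolver_ip, name, timeout=3.0):
    """Query a resolver over UDP port 53; None means it sent nothing back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (resolver_ip, 53))
            return s.recvfrom(512)[0]
        except OSError:
            return None

def _skip_name(msg, off):
    """Return the offset just past a name (labels, or a compression pointer)."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # a 2-byte pointer always ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg):
    """Return (rcode, [IPv4 addresses]) from a DNS response message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:    # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips

def classify(isp_msg, reference_msg):
    """Compare the ISP resolver's reply with one from a resolver you trust."""
    if isp_msg is None:
        return "no answer"
    rcode, isp_ips = parse_a_records(isp_msg)
    _, ref_ips = parse_a_records(reference_msg)
    if ref_ips and not isp_ips:
        return "address withheld (rcode %d)" % rcode
    if isp_ips and not set(isp_ips) & set(ref_ips):
        # Not proof on its own: load-balanced sites legitimately vary by resolver.
        return "different address: " + ", ".join(isp_ips)
    return "consistent"

def sample_response(name, ips, rcode=0):
    """Constructed reply for offline use: one A record per address in `ips`."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + socket.inet_aton(ip) for ip in ips)
    return header + build_query(name)[12:] + answers
```

On a live connection, `classify(ask(isp_resolver, name), ask(other_resolver, name))` gives the same verdicts; both resolver addresses are yours to supply.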
You have to specify a proxy server in your 'Internet Explorer' settings in
order to get a connection to the Internet. Sometimes, the ISP is using a transparent
proxy. With these you can't easily see whether there is a proxy or not. Every request
you send to or receive from the Internet is checked at this server and redirected
to you (well, or not...).
This means that all Internet traffic goes through the servers of the censor,
who scans the content for 'bad words'. This dynamic filtering applies to
most filters in schools, libraries and companies. If the site contains
bad words it is blocked. The person who is offering the blocked information can
prevent the censoring by "hiding" the content inside images. For
the user there is almost no difference, but it is difficult for a computer
to "read" the text inside an image. Also, SSL encrypted traffic (a
URL starting with https://...) can't be scanned easily. You can test which words
are blocked on your connection at http://www.zensur.freerk.com/kword/.
There you can enter the keyword(s) you want to test and click on "send".
When you get the message "You entered [your word here]" in return,
everything is fine, but if you get an error message you know which words are blocked.
Ports are like doors for a special service to a server or PC. They range
from 0 to 65535. The standard ports are from 0 to 1024, these are the well-known
ports. The official list is available at http://www.iana.org/assignments/port-numbers and a description at http://www.wikipedia.org/wiki/Port_(computing).
If a censor blocks a port, all traffic on this port is dropped, so it's useless
for you. Most censors block the ports 80, 1080, 3128 and 8080, because these
are the common proxy ports. Because all of the proxies on common ports are
useless for you, you have to find proxies that are listening on an uncommon
port. These are very difficult to find.
You can easily test which ports are blocked on your connection. Just open
the DOS-prompt, type telnet login.icq.com 80 and hit enter. The number
is the port you want to test. If you get some weird symbols in return everything
is ok; if it says "timeout" or something similar, that port is blocked
by your ISP. Here are the most important ports for us:
20+21 - FTP (file transfer)
22 - SSH (secure remote access)
23 - telnet (remote access) and also Wingates (special kind of proxies)
25 - SMTP (send email)
53 - DNS (resolves an URL to an IP)
80 - HTTP (normal web browsing) and also a proxy
110 - POP3 (receive email)
443 - SSL (secure HTTPS connections)
1080 - Socks proxy
3128 - Squid proxy
8000 - Junkbuster proxy
8080 - a proxy
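The telnet test above as a script (an added example, not part of the original tutorial): it separates a connection that times out because packets are dropped from one that is actively refused. The target host is an assumption: it must be a server known to accept connections on every port tested.

```python
import errno
import socket

# Ports from the list above; the names are only labels for the report.
PORTS = {21: "FTP", 22: "SSH", 23: "telnet", 25: "SMTP", 53: "DNS", 80: "HTTP",
         110: "POP3", 443: "SSL", 1080: "Socks", 3128: "Squid",
         8000: "Junkbuster", 8080: "proxy"}

def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and name the outcome."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        # Something completed the handshake. On port 80 that may be a
        # transparent proxy answering in place of the real server.
        return "open"
    except socket.timeout:
        return "timeout"    # nothing came back: packets dropped on the way
    except ConnectionRefusedError:
        return "refused"    # a reset came back: path is open, no service there
    except OSError as e:
        return "error " + errno.errorcode.get(e.errno, str(e))
    finally:
        s.close()

def survey(host, ports=PORTS, timeout=3.0):
    """Probe every port on a host that is known to listen on all of them."""
    return {port: probe(host, port, timeout) for port in sorted(ports)}

def likely_filtered(results):
    """Ports where the attempt timed out, the signature of silent dropping."""
    return sorted(p for p, outcome in results.items() if outcome == "timeout")
```

A timeout can also mean that the target itself is down, and some filters answer with a reset instead of dropping, so compare the result with the same survey run from a connection known to be unfiltered.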
It's an open source web filter. It is free for non-commercial use and thus
widely used in universities, schools and libraries. It works as a proxy
with URL and keyword filtering (and also with the PICS standard). It's often
used on an IPCop machine, however, the author from DansGuardian doesn't like
Most Internet filters work with a blacklist, which means that access to all
sites is allowed, except some special sites (well, sometimes there are
a lot of exceptions...). A whitelist works the other way around: Access to all
sites is blocked, except some special ones. For a normal ISP it is almost
impossible to offer, because it makes the Internet nearly worthless. The whitelist
scheme is used by free Internet terminals that are sponsored by a company which
allows users free access to its e-commerce site. This filter scheme is
the most difficult to circumvent.
Some time ago, there was a German ISP who had a completely free 0800 dial-in
number. Once you dialed in, you could only surf to amazon.de and about 10 more
e-commerce sites. But you could also connect to the other customers of the ISP.
So somebody with a flat rate connected to both his normal ISP and the free 0800
ISP and set up a proxy, so that all the users of the free ISP could use that proxy
to connect to other sites.
Since you can't directly access a server that is blocked you have to send the
request to a non blocked server which redirects the traffic to the real site
you want to visit. There are different types of these "gatekeepers".
Normally, you would automatically use the DNS server of your ISP to resolve
domain names like www.freerk.com to 184.108.40.206. Internally, only these
IP addresses are used to send/receive data on the Internet. If your DNS server
is censoring, you can simply use another DNS server. Under Windows, just right-click
on the 'network' icon in your system panel and select the properties of the TCP/IP protocol.
In Linux you have to edit the '/etc/resolv.conf' file. Use the server that
is (virtually) nearest to you. If you want to set up your own DNS server use Bind
The list of the 13 official root servers is located here: ftp://ftp.rs.internic.net/domain/named.root
For redundancy it would be good to add the alternative root servers located
in Europe from ORSN: ftp://ftp.orsn.org/orsn/orsn.hint.
It's also possible to act as a manual DNS server by yourself. Just use the
ping or traceroute service on a non censoring machine to get the IP of your
desired server. Then use the IP instead of the URL in your browser. You will
always get an IP, but it won't work every time to access the website via the
IP, because a lot of webhosters host up to 500 or more websites on one server
with one IP. But it will work fine with bigger websites.
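Why a bare IP address often fails on shared hosting, shown with a small local server (an added example, not from the original tutorial): the server picks the site from the HTTP Host header, which a browser fills with whatever was typed into the address bar. The two site names are constructed.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sites that share one IP address, as on a shared web host.
SITES = {"small-site.example": b"small site", "other-site.example": b"other site"}

class VirtualHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The requested name arrives in the Host header, not in the IP packet.
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        status, body = 200, SITES.get(host)
        if body is None:   # e.g. Host is the bare IP: no way to pick a site
            status, body = 404, b"no such site on this server"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass

def fetch(ip, port, host_header=None):
    """GET / from ip:port. Without host_header the Host is just ip:port."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    headers = {"Host": host_header} if host_header else {}
    conn.request("GET", "/", headers=headers)
    resp = conn.getresponse()
    result = (resp.status, resp.read().decode())
    conn.close()
    return result

def demo():
    """Request the same IP twice: once by address only, once naming the site."""
    server = HTTPServer(("127.0.0.1", 0), VirtualHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    ip, port = server.server_address
    try:
        by_ip = fetch(ip, port)
        by_name = fetch(ip, port, "small-site.example")
    finally:
        server.shutdown()
        server.server_close()
    return by_ip, by_name
```

A bigger website usually has an IP address to itself, so its server answers with the same site whatever the Host header says.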
You can put a proxy server between your Internet connection and the site you
want to visit. You send your request for a particular website to that proxy server,
which requests the page from the Internet and delivers it to you. Normally, those
servers cache the requested pages, so that on the next request they can deliver
the page directly from the cache. That is faster and cheaper. We use those
servers to bypass censorship. To the eyes/computers of our ISP/government we
are only connecting to the proxy; they can't easily see that we are connecting
to a "bad site". But sometimes the standard proxy ports (80, 1080,
3128 and 8080) are blocked. In that case you have to use proxies that are
listening on an uncommon port.
Standard proxies can be found everywhere on the net. Almost every provider
offers a proxy for its customers. Here are a few, in the widely used "hostname:port"
format. These proxies are mostly not anonymous!
Planetlab CoDeeN Project (http://codeen.cs.princeton.edu/ -
Very fast, you can also use them on port 3127. No POST allowed, so you can only
view/download webpages and use simple forms that
use GET
(like search engines) but you can not use bigger forms that use POST (like
buying stuff at Amazon)).
Because several censors block the common proxy ports (80, 1080,
3128 and 8080) to prevent circumvention, you have to use proxies that are listening
on an uncommon port. For example 8000 for the Junkbuster proxy or 6588 for the
AnalogX proxy. You get a weekly updated list of proxies that are listening on
a non-standard port here: http://www.web.freerk.com/proxylist.htm
or via eMail autoresponder at [email protected].
JAP is a free and open source anonymity tool invented by a German university.
It sends your traffic encrypted through different mixes, so that absolutely
nobody, not even the owner of one of the mixes, knows who is accessing which
site. This is also one of the best tools to circumvent censorship. Just follow
the installation instructions on http://anon.inf.tu-dresden.de/index_en.html
or http://www.anon-online.org/index_en.html for installing the Java client
(available for Windows, Unix, Linux, OS/2, Macintosh and others). Here is
a list of the included servers and the
ports they are connecting to:
Hopster is a commercial tool to circumvent firewalls in schools, companies
etc. The free version is limited to a 4kb/s transfer rate (speed of
a 56k modem). Just download the <1 MB setup file and install it. It will
test your connection/firewall and then configure everything automatically.
The unlimited version costs 2 or 5 dollars a month.
Webproxies are CGI scripts that you call with your browser and use to open a different
URL (Internet address). So your firewall thinks you are only connecting to
the server with the CGI script. The addresses under 4.5.4
are not really meant as proxies. They act as translators, HTML checkers or
as a web archive. You can use them as a kind of proxy anyway. These webproxies are
a good thing for "quick 'n dirty" bypassing. You don't have to configure
your browser or anything, but it's kind of slow and won't work with all webpages.
Only the proxies that go over a secure connection can be used against phrase
filtering, but the others are perfect against URL/IP filtering. Use them in your
company or library when you have no privileges to install/change anything
on the machine. These links point to google.de because the site is very small,
useful, always on and does not contain the ".com" extension of DOS files
that is filtered by some proxies. If you have webspace with CGI support
you can download the CGIProxy from James Marshall and install it on that webspace
(there is an easy installer which does everything for you: http://install.xav.com/).
Or you can install it on your PC at home and access it at work. How to do
so you can read here: http://www.peacefire.org/circumventor/simple-circumventor-instructions.html.
To find new working proxies search for "nph-proxy.cgi", "nph-proxy.pl",
"Start Using CGIProxy", "Start browsing through this CGI-based
proxy", "WARNING: Entering non-anonymous area" or something
like that with Google, Alltheweb, Wisenut or another search engine.
Several years ago, when Internet connections were slow and the "www" was
just invented, many people only had Internet access that was restricted to email.
That's the origin of the "Agora" and "www4mail" software.
Some of these email robots are still available and we can use them to bypass
Internet censorship. The best thing would be to subscribe to a free email provider
which allows SSL connections (like https://www.fastmail.fm/,
etc.) and use that account with the email addresses below. I put the field
where you have to input the URL in brackets. It still works great for text.
Flash etc. Also other services besides www are possible, for a very good
on this see ftp://rtfm.mit.edu/pub/usenet/news.answers/internet-services/access-via-email.
There is also a web based service under http://www.web2mail.com/.
I again used www.web.freerk.com/c/ as an example because the URL is always accessible
and the '.com' in the original Google address is often considered as a .com
DOS file by some computers and censorship systems. The www4mail software
is newer than the Agora software.
An eMail with just "help" in the subject line will get you a
tutorial on how to use the service properly.
Camera/Shy is the only steganographic tool that automatically scans for and
delivers decrypted content straight from the Web. It is a stand-alone, Internet
Explorer-based browser that leaves no trace on the user's system and has enhanced
Camera/Shy is an application that enables stealth communications. Such software
can be useful in countries where email communications are regularly monitored
and censored, as happens in China.
There are different projects of peer-2-peer programs to bypass censorship.
They work like Napster, Kazaa and eDonkey, which means that you have to download
a little tool that contains a server and a client part.
The goal of the Peekabooty Project is to create a product that can bypass
the nationwide censorship of the World Wide Web practiced by many countries.
Peekabooty uses a complicated communications system to allow users to share
information while revealing little about their identity. When a node receives
a request for a web page it randomly decides whether to pass this on or access
the page itself. It also only knows the address of its nearest partner. This
makes it difficult to determine who requested what information and is designed
to protect users from anyone trying to infiltrate the system from inside.
Freenet is the oldest and most widely used P2P program to beat censorship,
so a lot of people use it and it has actually been working quite well for several
years. There is no access to the Internet possible through the Freenet client.
You can only view/download stuff from the 'free net'. You install the client
as a local proxy which is listening on port 8888 and can access links like
It looks like a kind of normal URL. The 'localhost:8888' addresses the
server on port 8888 that is running on your local machine; the rest is something
like an encrypted file name. It is not possible to determine who put some
into the network or who is downloading it.
Safeweb, a company that received funding from In-Q-Tel, the CIA's venture
fund, released software called "Triangle Boy". The software is a peer-to-peer
application that volunteers download onto their PCs. A user that has been
denied access to any website by a censor can use the Triangle Boy software
to circumvent the censorship. Currently the Triangle Boy software only provides
access to the Voice of America, because this service is blocked by the Chinese
The normal port for news servers, 119, is usually blocked, so you have to access
the Usenet via a different port. If you only sometimes want to read some very
common newsgroups you can easily visit them via free web-based news servers
http://wnews.easyusenet.com/wnews-free.cgi and http://www.news2web.com/.
A lot of news server companies offer their services on a non-standard port.
Ask them before signup. If you need access to a news server with your news client
you have to subscribe to one of these news server companies which allow access
to their news servers on an uncommon port:
Instant messengers are very popular. You have to register your nickname at
one of the companies and download their software. Then when you are on the
Internet you can start the software and log onto their servers. From then on
you are marked as "online" and all your friends who know your
nickname and have the same instant messenger can see that you are online and
chat with you. Each of the 4 big players has its own software client which
contains advertisements and spyware and is not compatible with other IM protocols.
I recommend that you download Miranda, which is an open source instant messenger
which is very small, without ads or spyware, and works without installation.
It works great with every IM protocol, even at the same time. http://miranda-im.org/
Users: 7 million
Login server: login.icq.com or login.oscar.aol.com
Used ports: tcp at any port you choose in the settings (default is 5190)
Used protocol: Oscar
Supports proxy: http, https, socks 4 and socks 5
Online version: http://go.icq.com/ (connects
to iht-d01.icq.com at any port you choose, default is 80) or http://www.odigo.org/features/express.html (The
Odigo client online, supports all 4 services)
One thing is to access information that is already censored, but the other
challenge is to publish your own information so that it can't easily be censored. Here
you can see my ideas on how to avoid censorship:
Publish with a lot of mirrors. Especially dynamic IPs with a dyndns.org
redirector are useful. Put your pages on so many different servers that the
censors can't keep up with blocking all the servers.
Fax Polling. You can either use a service on the Internet or provide that
service on your own computer with a fax modem.
Use one-time addresses. These are links/URLs that are only valid
for 1 visit or 1 hour; they are often used for paid downloads.
Hide the 'dangerous' content. For example save text as images. The
users won't notice it, but it's difficult for the censor-spiders to 'read' it.
Host on a secure server in another country. For example with http://www.havenco.com/
which is located at Sealand, an independent country on a little island in
the North Sea near England.
Encrypt the content. Use .htaccess and/or SSL for your website and
AES, Twofish or Rijndael for files.
Offer your data in P2P programs. Filesharing programs like Kazaa
or eDonkey are very difficult to censor (see the problems of the music companies...)
Send content via eMail. Create an autoresponder from which everybody
with a hotmail account can receive your content.