The amazing effort people took to outsmart mobile providers

It is important for people who work from home to have a reliable network connection, among other things. Otherwise you get the annoying and tiresome experience of people asking you to repeat what you said moments ago for the umpteenth time, because your network suddenly decided it was the best time to yeet out the connection.
App bundling
Some social media apps such as YouTube, Spotify, Facebook, or Twitter are often offered with a huge bandwidth allowance and sold as an extra package on top of the regular plan. There was even a brief period when a certain vendor offered an unimaginable amount of bandwidth for a month for a certain app focused on video chat. Considering that an app-only network plan is basically just a standard plan with a strict domain whitelist, it would be great if we had a way to circumvent it.
Network spoofing
Up until this post was published, there are currently 2 methods that can be used to bypass their restriction:
- HTTP CONNECT exploit
- DNS Lookup Spoofing* passthrough
- Shadowsocks
HTTP CONNECT exploit
The HTTP CONNECT method is described in an expired IETF Internet-Draft written in 1998 by Ari Luotonen. This document clearly explains the security risks associated with the HTTP CONNECT method:
Many vendors' HTTP proxy services are configured by default to listen on all network interfaces and to allow HTTP CONNECT method tunnels to any TCP port. A proxy may also allow the GET method with a crafted HTTP 1.1 Host request-header and the POST method to be used to create arbitrary TCP connections. Other HTTP methods (PUT) and FTP commands (USER/PASS, SITE, OPEN) can also be used to make arbitrary TCP connections through proxy services. SOCKS proxies suffer from similar insecure default configuration vulnerabilities, as do products that provide FTP proxy services.
One such app that utilizes this exploit is HTTP Injector, which is also widely used in many tutorials to surf the web through mobile app-bundling plans that often come with a huge bandwidth allowance. Quoting from their group description page:
HTTP Injector is a professional VPN tool to browse the Internet privately and securely with multiple protocols and tunneling technologies built into one app
It works as a universal SSH/Proxy/SSL Tunnel/DNS Tunnel/Shadowsocks client to encrypt your connection so that you can surf the internet privately and securely. Besides that, it also helps you access blocked websites behind firewalls.
I won't bother giving you a tutorial on using that app. Please do yourself a favor and use a search engine. There are hundreds of them available to watch.
DNS Lookup Spoofing* passthrough
Yes, there's an asterisk there. As the name suggests, we are fooling mobile providers through DNS requests, but we do not corrupt their resolver nor cause a network outage through DNS cache poisoning.
The attack is pretty simple: given a domain name host.com that is covered under the UE subscription, one can trick the mobile provider by requesting a DNS lookup of a spoofed absolute domain name host.com.mydomain.net, which contains the covered domain as the leading labels of its hostname.
The goal is simply to bypass the app-only subscription limit by getting our own server's IP mistakenly added to their whitelist.
Searching for a mobile provider's name followed by the keyword "wireguard" would probably give you a bunch of tutorials that exploit this method to "turn app quota into a regular one", which is not even remotely true, since:
- You are not breaking their system.
- Your subscription plan does not change.
- Your mobile provider would immediately notice it and might ban your number.
Despite every tutorial out there calling it a "bug", this is more likely negligence and the provider cutting corners left and right.
A select number of vendors can be tricked using this method, albeit an occasional subdomain update is required to keep it working.
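To make concrete why the DNS spoofing trick in this section and the proxy misconfiguration quoted in the HTTP CONNECT section work, here is an added example (my own illustration, not code from this post, from HTTP Injector, or from any provider): a substring-style allowlist check of the kind the post blames on negligence, beside a label-by-label suffix match that rejects host.com.mydomain.net, plus a CONNECT request-line validator that restricts both the host and the port instead of tunnelling to any TCP port. The allowlist, the port set and the request lines are constructed samples.

```python
"""Allowlist matching for an app-only data plan: the sloppy check that the
DNS trick abuses, beside a correct one, plus a CONNECT-target check.

Added illustration, not code from the post or from any provider or tool it
mentions. Every domain, port and CONNECT line below is a constructed sample.
"""

# Constructed allowlist for a hypothetical video-chat bundle.
BUNDLE_ALLOWLIST = ("host.com", "cdn.host.com")
# Constructed: the only ports a CONNECT tunnel for this bundle may open.
BUNDLE_PORTS = {443}


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lower-case, drop the trailing dot, split labels."""
    return name.lower().rstrip(".").split(".")


def naive_domain_allowed(name: str, allowlist=BUNDLE_ALLOWLIST) -> bool:
    """The kind of check the post attributes to negligence: any queried name
    that merely contains an allowed domain passes, so 'host.com.mydomain.net'
    (and 'myhost.com') are treated like 'host.com'."""
    name = name.lower().rstrip(".")
    return any(d in name for d in allowlist)


def domain_allowed(name: str, allowlist=BUNDLE_ALLOWLIST) -> bool:
    """Correct check: the queried name must equal an allowed domain or end in
    '.' + that domain, compared label by label, so only true subdomains match."""
    labels = _labels(name)
    for allowed in allowlist:
        a = _labels(allowed)
        if len(labels) >= len(a) and labels[-len(a):] == a:
            return True
    return False


def connect_target_allowed(request_line: str, allowlist=BUNDLE_ALLOWLIST,
                           ports=BUNDLE_PORTS) -> bool:
    """Validate an 'CONNECT host:port HTTP/1.1' request line the way a proxy
    should: the host must pass domain_allowed() and the port must be in a
    small allowed set, rather than opening a tunnel to any TCP port."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return False
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return False
    # An IP literal is never on the hostname allowlist, so it fails here too.
    return domain_allowed(host, allowlist) and int(port) in ports


def suspicious_lookups(names, allowlist=BUNDLE_ALLOWLIST):
    """Names the naive check lets through but the strict one rejects: exactly
    the lookups a provider would want to log and alert on."""
    return [n for n in names
            if naive_domain_allowed(n, allowlist)
            and not domain_allowed(n, allowlist)]


if __name__ == "__main__":
    # Constructed sample lookups: the bundled domain, a real subdomain of it,
    # a spoofed name carrying it as a prefix, and an unrelated domain.
    sample = ["host.com", "api.host.com", "host.com.mydomain.net", "other.net"]
    for n in sample:
        print(f"{n:24} naive={naive_domain_allowed(n)!s:5} strict={domain_allowed(n)}")
    print("suspicious:", suspicious_lookups(sample))
    for line in ("CONNECT host.com:443 HTTP/1.1",
                 "CONNECT host.com.mydomain.net:443 HTTP/1.1",
                 "CONNECT host.com:22 HTTP/1.1"):
        print(f"{line:44} allowed={connect_target_allowed(line)}")
```

The point of `suspicious_lookups` is that the gap between the two matchers is itself a detection signal: a name that only passes the substring check is, by construction, a lookup that borrows a bundled domain as a prefix, which is the pattern the tutorials the post mentions rely on.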
DNS Lookup Spoofing - Why does it work?
Further research on this bug would be interesting. Since it only occurs on mobile networks, we could guess that they have a weak P-GW (Packet Data Network Gateway) configuration that somehow treats a spoofed domain as part of an original domain covered in the UE's subscription plan. I'm just spouting nonsense here, since I have no proof and no one working at that mobile provider to talk to.
- 3GPP LTE SAC
- How MME is selected
- Universal Mobile Telecommunications System (UMTS) LTE Domain Name System Procedures