iTunes Store Blocked in China



UPDATE: I can now access the iTunes store from China.

Recent reports indicate that China is blocking access to Apple’s iTunes Store:

Users reported receiving an error message when attempting to reach iTunes: “iTunes could not connect to the iTunes store. An unknown error occurred.(-4) Make sure your network connection is active and try again.”

While in some cases this error is associated with iTunes itself, I can confirm that in this case China was blocking access to URLs necessary to load the iTunes Store. China employs a variety of methods of filtering. In this case, all of the domains properly resolved to correct IP addresses and all of the IP addresses were accessible. Moreover, SSL access was also fine. The initial requests that iTunes makes work fine, until a particular URL is requested.

More specifically, GET requests containing “ax.phobos.apple.com.edgesuite.net/WebObjects/MZStore” are disrupted. (There were probably more ways to trigger the RSTs; I did not get the chance to test more, as the blocking appears to have been lifted.) After making a few connections, iTunes eventually attempts to connect to:

http://ax.phobos.apple.com.edgesuite.net/WebObjects/MZStore.woa/wa/initiateSession?ix=2

This triggers spoofed RST packets.

In addition to checking from computers in China, this behaviour can be triggered by connecting into China as well. Here I’ve set up a 3-way TCP handshake with yahoo.cn’s IP address, since yahoo.cn is located in China. I then send a packet with the payload “ax.phobos.apple.com.edgesuite.net/WebObjects/MZStore” but with a TTL that is insufficient to reach the intended destination. An ICMP packet comes back from a router (for me, at TTL 16) followed by spoofed RST packets that disrupt the connection.

See http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf and http://www.cs.unm.edu/~crandall/concept_doppler_ccs07.pdf for more on this technique.
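The inference behind the TTL-limited probe described above, as an added example that is not part of the original post: if the payload-carrying segment expired at a router (an ICMP time-exceeded came back) and an RST still arrives claiming to be from the destination, that RST must be spoofed. The record layout, the addresses (documentation ranges) and the sweep data are constructed assumptions; only the TTL 16 boundary mirrors the post.

```python
from dataclasses import dataclass
from typing import Optional

DEST = "203.0.113.10"  # constructed stand-in for the in-country server's IP

@dataclass
class Probe:
    ttl: int                  # IP TTL set on the payload-carrying segment
    payload: str              # "trigger" (the MZStore string) or "control"
    icmp_from: Optional[str]  # router that answered with ICMP time-exceeded
    rst_from: Optional[str]   # claimed source address of any RST seen after

# Constructed sweep; only the TTL 16 boundary mirrors the post's observation.
SWEEP = [
    Probe(15, "trigger", "198.51.100.15", None),
    Probe(16, "control", "198.51.100.16", None),
    Probe(16, "trigger", "198.51.100.16", DEST),
    Probe(17, "trigger", "198.51.100.17", DEST),
    Probe(18, "trigger", None, DEST),  # ICMP lost or rate-limited
]

def classify(p: Probe, dest: str = DEST) -> str:
    """Label one probe result."""
    if p.rst_from is None:
        return "no-reset"
    if p.rst_from == dest and p.icmp_from is not None:
        # The segment expired at a router, so the destination never saw the
        # payload and cannot be the real sender of this RST.
        return "spoofed-reset"
    # Without the ICMP reply we cannot show the segment stopped short.
    return "reset-unattributed"

def first_injecting_hop(sweep, dest: str = DEST) -> Optional[int]:
    """Lowest TTL at which a trigger probe drew a provably spoofed RST."""
    hops = [p.ttl for p in sweep
            if p.payload == "trigger" and classify(p, dest) == "spoofed-reset"]
    return min(hops) if hops else None

def payload_is_trigger(sweep, dest: str = DEST) -> bool:
    """True if no control probe drew a reset, i.e. the content is the cause."""
    return all(classify(p, dest) == "no-reset"
               for p in sweep if p.payload == "control")

if __name__ == "__main__":
    for p in SWEEP:
        print(p.ttl, p.payload, classify(p))
    print("first injecting hop:", first_injecting_hop(SWEEP))
```

The control probe at the same TTL separates content-triggered resets from a path that resets everything, and the TTL 18 row shows why a missing ICMP reply is left unattributed rather than counted as evidence.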
