December 15, 2016 · Digital Ocean MiTM

DigitalOcean India Datacenter Interception

Introduction

In February 2016, DigitalOcean announced that they had opened a new datacenter in Bangalore, India. The new region was named BLR1.

Last night, I installed a VPN server on my droplet (hosted at BLR1) to access a few websites that are banned in India. After accessing some of the blocked websites, I received the following error page, served from a www.airtel.in/dot URL:

Indian netizens are quite familiar with this error message; it is shown by Indian ISPs when they block a website on court orders, and in this case the ISP was airtel. What really struck me was that my own ISP wasn't airtel and I was reaching the websites through the DigitalOcean VPN connection. This gave me some confidence in theorising possible eavesdropping and tampering at the BLR1 origin, based on the previous airtel-CloudFlare MitM incident.

Tests and Observation

To test the theory, I grabbed a list of banned websites through Google and ran some connection tests from a droplet at BLR1 using cURL.

Droplet IP

Connection to Banned Sites

Most of the banned websites, when contacted from the droplet, redirect to airtel's website-blocked error page.

1. livecricfun.com

Result: Blocked by airtel

2. torrentz.to

Result: Blocked by airtel

Connection Test to Normal Sites

As a control, a connection test to reddit was performed from the same droplet to check that ordinary, unblocked websites still work properly; it came out fine.
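The probe described above, written out as a small script so the check can be repeated against any list of hosts. This is an added example, not the original post's commands: it assumes the airtel block is delivered either as an HTTP redirect whose Location header points at www.airtel.in/dot or as a page embedding that URL, and it matches on that string alone. The two sample responses are constructed for the self-check and are not captures from the droplet.

```bash
#!/bin/sh
# Added example (not from the original post): detect the airtel block page
# in a plain-HTTP response and probe a list of hosts with curl from a droplet.

# Constructed sample responses (not real captures) for the self-check below.
BLOCKED_SAMPLE='HTTP/1.1 302 Found
Location: http://www.airtel.in/dot/
Content-Length: 0
'
OK_SAMPLE='HTTP/1.1 200 OK
Content-Type: text/html

<html><body>hello</body></html>'

# Read a raw HTTP response (headers + body) from stdin and print "blocked"
# if it references airtel's block page, "ok" otherwise.
# Assumption: the block shows up as a Location header or an embedded link
# containing airtel.in/dot; matching on that string covers both forms.
classify_response() {
    if grep -qi 'airtel\.in/dot'; then
        echo blocked
    else
        echo ok
    fi
}

# Fetch http://<host>/ from this machine and print "<host> <verdict>".
# -sS quiet but show errors, -L follow redirects, -i include headers,
# --max-time so a silently dropped connection does not stall the scan.
# A failed fetch is reported as "unreachable" rather than mistaken for "ok".
probe_host() {
    host=$1
    if ! resp=$(curl -sSLi --max-time 10 "http://$host/" 2>/dev/null); then
        echo "$host unreachable"
        return 0
    fi
    verdict=$(printf '%s\n' "$resp" | classify_response)
    echo "$host $verdict"
}

# Usage: ./probe.sh livecricfun.com torrentz.to reddit.com
# With no arguments, only the self-check on the constructed samples runs.
if [ "$#" -gt 0 ]; then
    for h in "$@"; do
        probe_host "$h"
    done
else
    printf '%s\n' "$BLOCKED_SAMPLE" | classify_response
    printf '%s\n' "$OK_SAMPLE" | classify_response
fi
```

Run it once from the BLR1 droplet and once from a host outside India (or over the VPN from a non-airtel line) and diff the verdicts; a host that comes back "blocked" only from the droplet is being intercepted upstream. Repeating the probe with https:// instead of http:// helps narrow the mechanism, since a transparent HTTP proxy cannot rewrite a TLS response, and comparing the addresses the droplet resolves against a known-good resolver rules DNS tampering in or out.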

Conclusion

Based on the above tests, it is evident that connections originating from BLR1 region droplets are being inspected and tampered with by airtel, which I believe is the upstream internet provider for DigitalOcean's Bangalore datacenter. I advise users to move their droplets out of the BLR1 region for now, until this gets sorted out.

DigitalOcean was informed of this over Twitter.