Belarus links about bbs HOT 10 OPEN

Internet blocking in Belarus (archive)

Qurium and Human Constanta have published a report giving details of how blocking is done on four ISPs in Belarus.

• Business Network
  • HTTP requests get an injected HTTP redirect to a block page at http://212.98.160.60/ (archive).
  • HTTPS requests get an injected RST/ACK with TCP window size 502 and IP ID 0.
• Beltelecom
  • HTTP requests get an injected HTTP redirect to http://82.209.230.23 with TCP window size 32678 [sic] and IP ID 1. The block page currently times out for me, but you can find its contents in an earlier comment.
• Unitary enterprise A1
  • HTTP and HTTPS requests go through a Squid transparent proxy. Block pages can be returned by the proxy and don't need to be injected.
  • HTTP requests get a redirect to https://a1.by/mininfo/ (archive).
  • HTTPS requests get a forged certificate for the requested domain and a commonName of Atlant-Telecom HTTPS Proxy. Accepting the certificate leads to a redirect to the same block page as HTTP.
• Mobile TeleSystems Belarus (MTS)
  • Enforces blocking by DNS only, using its DNS servers at 134.17.1.1 and 134.17.1.0.
  • Queries for blocked domains get an A record for 134.17.0.7.
  • The web server at 134.17.0.7 serves redirects to https://internet.mts.by/blocked/. Both of these servers currently time out for me, but you can find their contents in an earlier comment.

Summary table of how each of 56 domains is blocked on the four ISPs:

from bbs.

We're seeing a sudden drop of obfs4 usage in Belarus recently, and a rise in meek usage:

Link to relay graph
Link to bridge graph

I posted the graph also to NTC, because there may be a greater number of experts on Belarus there.

Psiphon Data Engine doesn't show a change in Psiphon users in Belarus at that time. (Screenshotted before the date falls off the recent history.)

While looking at the graphs, I also noticed an apparent Tor relay block on 2020-10-13 that I don't think has been discussed before.

from bbs.

There was a decrease in Tor relay users and an increase in Tor bridge users, mainly obfs4.

https://metrics.torproject.org/userstats-relay-country.html?start=2020-04-01&end=2020-08-15&country=by

https://metrics.torproject.org/userstats-bridge-combined.html?start=2020-04-01&end=2020-08-15&country=by

Psiphon shows an increase in daily connections from Belarus, from near zero on August 7 to over 15 million on August 11.

https://psix.ca/d/nyi8gE6Zk/regional-overview?orgId=2&var-region=BY (archive)

OONI has a decrease in "available" measurements and an increase in "blocked" measurements.

from bbs.

@jakubd shares OONI measurements that show what overt blockpages look like.

On the ISP A1 (formerly velcom):

https://explorer.ooni.org/measurement/20200809T064736Z_AS42772_Sn8W1QKfDMxmJzphNHpEWpYmWbyNQS09eB8wgpQQCYIASBbkPh?input=http://intimby.net/

<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
	<link href="https://www.velcom.by/mininfo/css/main.css" rel="stylesheet">
    <title>Доступ ограничен</title>
  </head>
  <body>
	<div class="container">
		<div class="my-auto">Доступ к информационному ресурсу ограничен на основании решения Министерства информации Республики Беларусь, принятого в соответствии с Законом Республики Беларусь &laquo;О cредствах массовой информации&raquo;.
		</div>
	</div>
  </body>
</html>

Access restricted

Access to an information resource is restricted on the basis of a decision of the Ministry of Information of the Republic of Belarus, taken in accordance with the Law of the Republic of Belarus «On Mass Media»

On MTS:

https://explorer.ooni.org/measurement/20200808T195507Z_AS25106_hY9xbufjqUKiqPI5LZJ4IqiwfGMNcaOdrtKnwCaXADPRhSOL8J?input=http://intimby.net/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://internet.mts.by/blocked/">here</a>.</p>
</body></html>

On Beltelecom:

https://explorer.ooni.org/measurement/20200808T143914Z_AS6697_vIveEEZm32Xz4qc8nChMRmJQvQXS2vKLEFQ553NmpborhsfzDY?input=http://intimby.net/

<!DOCTYPE html>
<html >
	<head>
		<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
		<style type="text/css">
			.exactCenter {
				width:600px;
				height:20px;
				position: fixed;
				background-color: #ffffff;
				top: 50%;
				left: 50%;
				margin-top: -100px;
				margin-left: -300px;
				font-family: Verdana, Arial, Helvetica, sans-serif;
			}
		</style>
	</head>
	<body>
		<div class="exactCenter">Доступ к информационному ресурсу ограничен на основании решения Министерства информации Республики Беларусь, принятого в соответствии с Законом Республики Беларусь "О средствах массовой информации"</div>
	</body>
</html>

Access to an information resource is restricted on the basis of a decision of the Ministry of Information of the Republic of Belarus, taken in accordance with the Law of the Republic of Belarus "On Mass Media"

from bbs.

@fortuna analyzed Censored Planet data for Beltelecom on August 9–10, 2020, and made a sorted list of domains by interference rate. About 96% of tested domains experienced no interference, 3% were blocked in every measurement, and the remaining 1% were sometimes blocked and sometimes not. The blocked domains include a lot of Google domains, social networks, communication tools, and proxies.

https://gist.github.com/fortuna/ae68a39de773251ef7c427c1eb25b75a

from bbs.

FYI , I've updated the gist with another CSV with the actual errors that the Censored Planet probes see:
https://gist.github.com/fortuna/ae68a39de773251ef7c427c1eb25b75a#file-errors-csv

Most of the errors are timeouts, but there are some EOFs, which I believe mean a premature TCP FINs.

I see TCP resets for some domains. Presumably they were blocked previously by a different mechanism. For example:

from bbs.

You can see the shutdown clearly on Google's Transparency Report.

Web Search traffic

YouTube traffic

The Censored Planet data does not show blocking of the google.com.* and google.co.* domains, which could explain the small traffic for Web Search.

from bbs.

In a series of articles, Ryan Gallagher reports that the block in Belarus was done, at least partially, using technology provided by Sandvine. After facing criticism, on 2020-09-15 Sandvine cancelled its deal with the government of Belarus. The first article is according to two unnamed sources, later backed up by internal Sandvine documents and a recording of a conference call with employees.

Previous discussion of the use of Sandvine equipment for censorship in Pakistan.

2020-08-28 Belarusian Officials Shut Down Internet With Technology Made by U.S. Firm (archive)

The government of Belarus shut down access to much of the internet during a crucial election this month by using equipment manufactured by a U.S. company to block people's access to thousands of websites, according to two people familiar with the matter.

As voters went to the polls on Aug. 9 to pass judgment on the country's authoritarian leader, President Alexander Lukashenko, social media websites like Twitter and Facebook suddenly became inaccessible, and news sources from outside the country were blocked. Protesters soon found ways around the blockage, using their own anti-censorship technology.

Belarusian authorities said the disruption was caused by a massive cyber-attack, but cybersecurity experts and data rights groups say that a technical analysis of internet activity in the country points to the government. Sandvine's equipment was integral to the recent internet censorship, according to the two people.

Citizen Lab, a Toronto-based research group that tracks illegal hacking and surveillance, determined in 2018 that deep packet inspection devices from Sandvine was being against users in Turkey, Syria and Egypt to redirect them from legitimate sites to malicious ones, some containing spyware commonly used by governments. In Egypt and Turkey, the devices were also used to block political, human rights and news content, Citizen Lab found.

Sandvine declined to comment on whether its equipment was sold to Jet Infosystems or used to censor the internet in Belarus. A spokesman directed a Bloomberg reporter to the corporate ethics page on the company's website, which details how a Business Ethics Committee reviews the use of Sandvine technology to determine the risk of it being used in a "manner detrimental to human rights."

2020-09-11 U.S. Company Faces Backlash After Belarus Uses Its Tech to Block Internet (archive)

The private-equity-backed technology firm demonstrated its equipment to a government security team in Belarus in May, two people with knowledge of the matter said, and its marketing materials boast of the blacklisting capabilities, according to documents reviewed by Bloomberg. ... The documents and product demonstration, as recounted by the people familiar with the company's affairs, lend added insight into Sandvine's work in Belarus, showing that company representatives met directly with officials in Belarus and later shipped the equipment, via a contractor, to be installed at data centers in Minsk.

During a Sandvine conference call on Thursday, which sought to address employee concerns about its work in Belarus, executives said they had been working with a government organization in the country for more than a year. Sandvine had provided Belarus with technology that is filtering about 40% of all internet traffic moving in and out of the country, the executives said. They said the work didn't violate U.S. sanctions. A recording of the call was shared with Bloomberg.

The revelations about Sandvine have prompted criticisms from U.S. senators, a human-rights organization and Belarusians now living in the U.S., and it has also ignited internal protests within Sandvine, according to the two people familiar with the matter.

Pressure on Sandvine's leadership has also mounted within the company, causing unrest among employees, some of whom didn't know about the work in Belarus until it was revealed last month by Bloomberg, according to the two people familiar with the company's affairs.

2020-09-15 Francisco-Backed Sandvine Cancels Belarus Deal, Citing Abuses (archive)

Sandvine Inc., the technology company backed by private equity firm Francisco Partners, canceled a deal with Belarus, saying the government used its technology to violate human rights.

Sandvine said in a statement on Tuesday that a preliminary investigation determined that "custom code" was inserted into its products "to thwart the free flow of information during the Belarus election."

This is a human rights violation and it has triggered the automatic termination of our end user license agreement," according to the statement. "Sandvine takes human rights abuses very seriously. We also abhor the use of technology to suppress the free flow of information resulting in human rights violations."

from bbs.

Belarus protests: From internet outages to pervasive website censorship (archive)

OONI, Human Constanta, and the Digital Observers Community Belarus have a report on web page blocking in Belarus between 2020-08-01 and 2020-09-03. Mass blocking of web sites is reported to have begun on 2020-08-22, which is later than the temporary shutdown which took place between 2020-08-09 and 2020-08-12. Blocking is done by block page for HTTP, TCP RST for HTTPS (possibly triggered by SNI), and in one case, DNS spoofing. Their source data is available in a spreadsheet (archive).

Amid ongoing mass protests, Belarusian ISPs blocked access to more than 70 websites, many of which include news media, electoral sites, and sites expressing political criticism. The blocking reportedly began on 22nd August 2020, which is also when OONI Probe users in Belarus started testing most of the reportedly blocked websites.

Our analysis of OONI measurements collected from Belarus between 1st August 2020 to 3rd September 2020 shows that at least 86 websites appear to be blocked. Many more websites presented anomalies as part of the testing, but we narrowed down the scope to the sites that received both the highest volume of testing and which presented the highest ratio of anomalies. This means that we excluded websites which presented non-deterministic signs of blocking and which received limited testing coverage, thereby limiting our ability to rule out potential false positives.

We automatically confirmed the blocking of websites when block pages were served. Based on this, we were able to confirm the blocking of the following domains: afn.by, www.belaruspartisan.org, www.afn.by, www.charter97.org, intimby.net, charter97.org, dmp2.org, is.gd,txti.es, zapraudu.info, svaboda2.net, www.svaboda.org, www.praca-by.info, ucpb.org, spring96.org, mfront.net, gazetaby.com, eurobelarus.info, belsat.eu,belarus.regnum.ru, tsepkalo.com, 015.by, vkurier.by, udf.by, rusproxy.telegramproxy.me, telegram-socks.tk, tgproxy.me, www.ucpb.org,www.bchd.info, www.moyby.com, opg.ucoz.net, zubr.in, naviny.by, nn.by.

We observe a variance in blocking both in terms of which websites are blocked across ISPs (i.e. different sites blocked on different networks), as well as in terms of censorship techniques. We not only observe variance in censorship techniques across ISPs, but we also see that the same ISP may adopt different censorship techniques, particularly depending on whether a site is hosted on HTTP or encrypted HTTPS.

On 22nd August 2020, for example, Beltelecom (AS6697) served a block page in order to block access to the HTTP version of www.svaboda.org. On the same day, we see Beltelecom blocking access to the HTTPS version of www.svaboda.org by interfering with the TLS handshake and resetting the connection. While the blocking of many of these media websites appears to have started on 22nd August 2020, some of these media websites appear to have been blocked since earlier in the month.

On election day, on 9th August 2020, we observed DNS spoofing in the testing of an election related site: belarus2020.org. The testing of belarus2020.org often presented HTTP failures and genetic timeout errors from 10th August 2020 onwards (though this could potentially have been affected by the internet outages during that period), while previous testing showed that the site used to be accessible.

From 22nd August 2020, we start to observe that the testing of belarus2020.org starts to always present connection reset errors (instead of generic timeout errors), which is consistent with how most of the other websites were blocked from that date onwards. This suggests that that local ISPs (such as Beltelecom) may have switched to blocking belarus2020.org with the same censorship technique as other sites.

Quite similarly, we observe that zubr.in – a system for the online monitoring of Belarus’ 2020 electoral process – presented HTTP failures and generic timeout errors everytime it was tested from 13th August 2020 onwards, suggesting potential blocking. From 22nd August 2020, we start to observe that the testing of the site consistently presents connection reset errors (with interference happening during the TLS handshake), similarly to how most sites were blocked from that date onwards.

from bbs.

We're seeing a sudden drop of obfs4 usage in Belarus recently, and a rise in meek usage:

I wonder if some new Tor blocking prompted the switch.

from bbs.