50

Following Turkey's recent social site blocks, I am wondering how you can efficiently accomplish that as a country. Similar for a big company.

Blocking IPs → easy to circumvent (proxies, tunnels, etc.)

Blocking/Redirecting DNS → type the address or similar as above

Deep Packet Inspection → very resource intensive, can it be done in a scale of a whole country? And again, encrypting traffic, HTTPS, SSH etc…

Terminating all connections at country gateways, inspecting traffic, and then encrypting traffic again? Seems very very time consuming.

Is there any (obvious?) or other way I missed?

I am talking generally and not for Turkey's example. And dropping all encrypted traffic does not seem to be an option for a country.

user1306322
blended
  • 16
    Most censorship initiatives target the less tech-savvy internet users. Also, the political intent of state censorship is usually not to suppress information. It is to demonize certain information sources as evil and thus make them appear untrustworthy to the general public. – Philipp Apr 03 '14 at 15:35
  • 8
    Censorship is not just an attack against the content, but also at the source. Why did (sorry, Godwin) the Nazis burn all books written by Jews, even when their content was in no way political? It was a propaganda measure to show "See: These people are evil. But we fight them! We are the good guys!" – Philipp Apr 03 '14 at 15:42
  • 4
    Circumventing even the simplest blocking methods with _mobile_ devices is difficult if not quite impossible: How do you get your non-rooted iPhone to use a different DNS server over 3G? – Martin Schröder Apr 03 '14 at 23:01
  • 1
    Most countries ban sites by forcing ISPs to block them from their DNS. In most cases, they'll even redirect to a message with more info about the ban. ISPs can, as far as I know, also block all requests to a certain IP. Best example for this in my country is the ban of ThePirateBay. You can get around this by using a VPN, an alternate DNS (e.g. Google DNS) or via sites that act as a proxy (e.g. FuckYouTimCook) for the real site. – BlueCacti Apr 04 '14 at 07:50
  • @MartinSchröder: I've never done this myself, not being the ruler of a nation, but I'm pretty sure I'd start by passing laws requiring mobile operators to block or intercept port 53 at their network edge. Actually of course the law wouldn't be that specific, the legislation would grant some ministry the power to regulate communication. Actually of course this is a step further than many censoring nations manage. A lot are working at the DNS level, they "should" restrict the routing. – Steve Jessop Apr 04 '14 at 18:14
  • @SteveJessop: I'm talking about _technical_ problems. Can you set the DNS server on your non-rooted iPhone? – Martin Schröder Apr 04 '14 at 18:16
  • @MartinSchröder: Oh, ISWYM. I don't have an iPhone so no idea, sorry, maybe I should have kept quiet. I just meant that the network itself isn't friendly anyway, so changing DNS server "shouldn't" help even if you could do it. – Steve Jessop Apr 04 '14 at 18:18
  • It isn't a dupe of course, but this question might be less different from https://security.stackexchange.com/questions/22619 than you'd intuitively assume. – Steve Jessop Apr 04 '14 at 18:21
  • 1
    Deep packet inspection isn't that complex, and if your country only has 1 or 2 in/out pipes connecting it to the rest of the network, then you can focus there (and point of entry/exit). It will reduce the quality of service for the country of course, due to the load; however, if a country is attempting to block content, it's unlikely service quality is of top priority. -- And yes, everything is thwartable, just look at what the Brits have been trying (and failing) to do with pornography filters, they are a joke. – SnakeDoc Apr 04 '14 at 22:12

5 Answers

37

You have covered the main ones. In short: it's very hard, if not impossible, to effectively block a site you want. You can make it hard by using the techniques you've mentioned: blocking IPs, redirecting DNS, blocking HTTP requests to certain sites / containing certain keywords.

These methods are thwartable by proxies (in the case of deep packet inspection, encrypted proxies would be required) so you end up with a chase situation: as you block a site, proxies will spring up, and as you block those proxies even more will start. The closest anyone has come is North Korea, and they manage this by controlling all sites in their country's intranet.

So the most effective methods:

  • Whitelist (North Korea's method) - Only allowing the sites you control.
  • Blocking all encrypted traffic + deep packet inspection (China's method) - this solution allows the communications that pass your criteria for what is acceptable and blocks communications that you are unable to determine the content of.

Both of these methods require complete control / authority over all the internet infrastructure in the area you want to censor.

As you've said, blocking all encrypted traffic doesn't really work - China has found this too: although they tried to, people are getting round this by using steganography, which is the practice of concealing messages, for example:

I am illustrating a hidden message because I
hate to see unanswered questions. I will help
you to understand.

Reading the first word from each line reveals the hidden message "I hate you" (there are, of course, more intelligent ways to do steganography, but that's just an illustration).

Emily Shepherd
  • do you know how much extra delay Chinese get from deep packet filtering of every packet? I would argue that this is a pretty big decision not to allow your citizens the protection offered by SSL. – blended Apr 03 '14 at 15:58
  • 1
    I don't know the exact time impact this has I'm afraid. Yes, opting for reduced protection *should* be a big decision, but that's not something the type of government that thinks it's ok to censor / spy on its citizens is typically too concerned with ;) x – Emily Shepherd Apr 03 '14 at 16:02
  • but reduced protection for the citizens could affect the overall security of the country. Imagine all the passwords stolen, bank accounts. Every single search intercepted by rivals, integrity is not guaranteed, the possibilities are endless :D – blended Apr 03 '14 at 16:08
  • 11
    China does not block all encrypted traffic; I can personally attest to TLS, SSH, and similar encrypted services working fine from within China. Some resources serving encrypted content either have their IPs blocked or are DNS poisoned, but encryption is not automatic grounds for blocking. – Chris Down Apr 04 '14 at 02:50
  • 3
    As for China, they do not block encrypted data, BUT they make it less reliable by dropping random packets (behavior witnessed on foreign gov VPNs from within China). Concerning the delay, you should imagine China as a big Intranet, with speeds around 15Mb in big cities, but as soon as you try to access foreign websites, it drops to 1 or 2 Mb (but if you use a VPN, you actually get much better speeds than without) – guigui42 Apr 04 '14 at 09:23
12

"Efficiency" depends on your goals.

An important point to be made is that all blocking techniques can be circumvented, at a price. For instance, an individual can use a satellite phone to get connectivity which cannot be blocked by his country, save by direct physical intervention of armed forces. But using such systems is quite expensive. Countries which are intent on blocking such illegal access to external resources will also ban import of technological elements of that kind. E.g. try importing a satellite phone to North Korea... Globally, applying strict, effective censorship against your whole population will be expensive, especially if the said population has otherwise unbarred access to technology (it is easier to block the whole Internet than just a part of it).

On the other hand, if all you want is a posture, to appease the most conservative wing of your own party, then some IP-based blocking is sufficient. It is not a problem that it is easily circumvented with proxies and VPNs; the symbol is what matters. As a variant, legally banning some site can be enough to get legal qualification to put trespassers into trouble; in some countries, such legalistic gimmicks are important.

Tom Leek
5

Some research on this topic:

Empirical Analysis of Internet Filtering in China (2003)

For some 1,043 of sites tested, we confirmed that DNS servers in China report a web server other than the official web server actually designated via each site's authoritative name servers. We call this phenomenon "DNS redirection," though others sometimes refer to the situation as "DNS hijacking." Consistent with prior reporting by Dynamic Internet Technology, our data show that such sites were consistently unreachable in their entirety.

Filtering on the basis of keywords in URL. Beginning in September 2002, our data reflect that when a subscriber to a Chinese ISP submitted a URL request that itself contains certain words or phrases -- this typically happens for search engine searches, like http://www.google.com/search?q=jiang+zemin -- no response would be received.

Filtering on the basis of keywords or phrases in HTML response. Beginning in September 2002, the authors observed that certain keywords in HTML response pages seemed to be blocked by Chinese network infrastructure. In particular, even when a page came from a server not otherwise filtered, and even when the page featured a URL without controversial search terms, it might nonetheless be inaccessible if the page itself contained particular controversial terms. Such pages were often truncated, i.e. interrupted midway through their display.

Other Effects of Chinese Filtering: Routing. The authors have observed that some American ISPs route packets through China towards destinations beyond China (in particular, to Hong Kong). When the desired web servers are blocked from China, such a routing typically yields to filtering by network equipment in China of an American user's request. In response to this problem, affected American ISPs can address the situation by manually altering the routes used to reach hosts in Hong Kong and elsewhere. However, affected ISPs are often unaware of the situation, and an effective response requires delay and/or causes additional expense as an affected ISP finds the necessary partner ISPs and establishes peering relationships with them.

From the technical appendix: http://cyber.law.harvard.edu/filtering/china/appendix-tech.html

The Velocity of Censorship: High-Fidelity Detection of Microblog Post Deletions (2013)

Weibo and other popular Chinese microblogging sites are well known for exercising internal censorship, to comply with Chinese government requirements. This research seeks to quantify the mechanisms of this censorship: how fast and how comprehensively posts are deleted. Our analysis considered 2.38 million posts gathered over roughly two months in 2012, with our attention focused on repeatedly visiting “sensitive” users.

We found that deletions happen most heavily in the first hour after a post has been submitted. Focusing on original posts, not reposts/retweets, we observed that nearly 30% of the total deletion events occur within 5–30 minutes. Nearly 90% of the deletions happen within the first 24 hours.

Paper: http://www.cs.unm.edu/~crandall/usenix13.pdf

ConceptDoppler (2007)

ConceptDoppler is a weather tracker for Internet censorship. Using ConceptDoppler we can track the list of keywords that a government uses to censor Internet traffic. For GFC keyword filtering, we can also locate the routers performing filtering and deduce the architecture of this censorship mechanism.

We use Latent Semantic Analysis to prioritize the words we check. Just as an understanding of the mixing of gases led to effective weather tracking, understanding the relationship between sensitive concepts and blocked keywords will lead to more effective tracking of Internet censorship. More details are available in the paper.

Paper: http://www.csd.uoc.gr/~hy558/papers/conceptdoppler.pdf

FAQ: http://www.cs.unm.edu/~crandall/cd/faq.html

Website with list of blocked keywords: http://www.conceptdoppler.org/

The third paper is a bit dated, but Jedidiah R. Crandall is now a professor and still working on combatting censorship; the second paper is from his department. Definitely worth checking out.

Janus Troelsen
4

It's a question of resources actually. If a country were willing to devote an enormous amount of time, money, and expertise to the problem, I believe it would be possible to effectively block a few select sites.

The reasoning is that all the circumvention methods themselves need to be broadly publicized among the target audience to be successful. A well-resourced government could block each proxy, mirror, or tunnel as soon as they became aware of it. This would leave only a few lucky or specialized sources of access (e.g. the 0.0005% of the population who can use Tor), which may be enough to achieve their political goals.

However, without disconnecting from the internet entirely, I don't think broad blocking (e.g. all news sites) can be achieved. Thankfully, The Net interprets censorship as damage and routes around it. (Internet pioneer John Gilmore, co-founder of the Electronic Frontier Foundation)

scuzzy-delta
  • You can only route around connection problems. TCP and DNS have no built-in way to verify integrity. The quote is misleading. – Janus Troelsen Apr 05 '14 at 19:33
  • 1
    I'm sure we all realize that the quote is a comment on the culture of the internet in general, not a technical claim about BGP or similar. The Slashdot and EFF links provide context. – scuzzy-delta Apr 06 '14 at 07:55
3

One censorship method that hasn't been mentioned yet is TCP Reset packet injection, which terminates undesired connections via forged TCP RST packets. The Great Firewall of China has been known to do this for years (source: http://www.icir.org/vern/papers/reset-injection.ndss09.pdf). Often this is used in conjunction with DPI, such as to do protocol fingerprinting on Tor connections (http://www.cs.kau.se/philwint/pdf/usenix-login-2012.pdf).

My employer (EFF) has written a good intro guide to detecting packet injection attacks: https://www.eff.org/wp/detecting-packet-injection

Yan Z
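One way to look for the forged resets described in the answer above, as an added example that is not part of the original post or of the linked papers. It applies two simplified indicators to packet records seen at the client: the sender keeps sending data after its supposed RST, and the RST's IP TTL differs from the sender's other packets. The record layout, the `ttl_slack` threshold, the function name and every sample value are assumptions made for illustration.

```python
from collections import defaultdict, namedtuple

# One record per packet as seen at the client (fields an analyst would export
# from a capture). All values below are constructed for illustration.
Pkt = namedtuple("Pkt", "t src sport dst dport flags seq ttl length")

SAMPLE = [
    # Flow A: a RST "from the server" races ahead of the real server's data.
    Pkt(0.000, "10.0.0.5", 40000, "203.0.113.7", 80, "S", 1000, 64, 0),
    Pkt(0.080, "203.0.113.7", 80, "10.0.0.5", 40000, "SA", 5000, 49, 0),
    Pkt(0.081, "10.0.0.5", 40000, "203.0.113.7", 80, "PA", 1001, 64, 120),
    Pkt(0.095, "203.0.113.7", 80, "10.0.0.5", 40000, "R", 5001, 61, 0),
    Pkt(0.162, "203.0.113.7", 80, "10.0.0.5", 40000, "PA", 5001, 49, 512),
    # Flow B: an ordinary reset sent by the server itself.
    Pkt(1.000, "10.0.0.5", 40001, "198.51.100.9", 443, "S", 2000, 64, 0),
    Pkt(1.070, "198.51.100.9", 443, "10.0.0.5", 40001, "SA", 7000, 52, 0),
    Pkt(1.071, "10.0.0.5", 40001, "198.51.100.9", 443, "PA", 2001, 64, 200),
    Pkt(1.140, "198.51.100.9", 443, "10.0.0.5", 40001, "RA", 7001, 52, 0),
]


def find_suspect_resets(packets, ttl_slack=2):
    """Return {(src, sport, dst, dport): [reasons]} for suspicious RSTs."""
    by_direction = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.t):
        by_direction[(p.src, p.sport, p.dst, p.dport)].append(p)

    findings = {}
    for direction, pkts in by_direction.items():
        reasons = set()
        normal_ttls = [p.ttl for p in pkts if "R" not in p.flags]
        for i, p in enumerate(pkts):
            if "R" not in p.flags:
                continue
            # Indicator 1: a host that really reset the connection does not
            # go on sending payload; an injector cannot silence the real host.
            if any(q.length > 0 and "R" not in q.flags for q in pkts[i + 1:]):
                reasons.add("data after RST")
            # Indicator 2: the RST took a different path length than the
            # sender's other packets (injected closer to or farther from us).
            if normal_ttls and min(abs(p.ttl - t) for t in normal_ttls) > ttl_slack:
                reasons.add("RST TTL mismatch")
        if reasons:
            findings[direction] = sorted(reasons)
    return findings
```

Neither indicator is proof on its own: routes change mid-connection and some middleboxes rewrite TTLs, so a hit is a reason to compare captures from both endpoints rather than a verdict.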