Belarus links

[wkrp]

• Контейнер и виртуальная машина для возможного предстоящего отключения интернета в Беларуси Container and virtual machine for possible forthcoming Internet blackout in Belarus

A long thread at NTC (in Russian) where @ValdikSS has prepared a server container and client VM to maintain access in Belarus. If you make an account at NTC and log in, there is an 🌐 automatic translation button beneath each post.

Сделал серверный контейнер и клиентскую виртуальную машину для продвинутых пользователей, для применения в случае серьезной цензуры интернета.

Образ маскирует интернет-трафик под скачивание почты с Gmail (протокол IMAP с шифрованием, TLS-запросы на imap.gmail.com, порт 993) по умолчанию, также есть режим маскировки под DNS-запросы на фиктивный домен int.loc, с прямым подключением к серверу по порту DNS 53. Почта и DNS — наиболее «живучие» протоколы, которые будут блокироваться в последнюю очередь.

Файлы здесь: ftp://serv.valdikss.org.ru/Downloads/Temp/cenvm-belarus/

Made a server container and a client virtual machine for advanced users, for use in case of serious censorship of the Internet.

The image masks Internet traffic for downloading mail from Gmail (IMAP protocol with encryption, TLS requests imap.gmail.com for, port 993) by default, there is also a mode of camouflage under DNS requests for a fictitious domain int.loc , with direct connection to the server on the port DNS 53. Mail and DNS are the most "live" protocols that will be blocked in the last turn.

Files here: ftp://serv.valdikss.org.ru/Downloads/Temp/cenvm-belarus/

• Our First Glance at the Belarus Outages - RIPE Atlas, via @becha42

On Sunday 9 August, the day presidential elections took place in the country, wide-scale Internet outages occurred, partially disrupting the ability of people in Belarus to connect with the rest of the world via the Internet. Questions about the scale of these outages and their impact have been circulating since.

RIPE Atlas, a service we provide that allows anyone anywhere to create various kinds of useful Internet measurements, is made up of a network of probes distributed all over the world. On the day the outages occurred in Belarus, we see that a significant number of probes in the country went offline. The following visualisation from RIPEstat gives an indication of the extent of this.

We also see a drop in routing visibility for Belarus networks on 9 August. If we look at the BGP data collected via our Routing Information Service (RIS) - available in the RIPEstat country routing statistics for Belarus - we see that during a certain period later in the day, the number of IPv4 visible prefixes dropped by a little over 10%, from 1,044 to 922. These numbers then recovered the following day.

• What is happening with the BY internet segment in terms of BGP and IPv4/IPv6 - Qrator, via @darkk

The first thing that got our attention was the fact that IPv6 sessions were shut down by both national telecommunication companies a little bit before everything that happened after. According to Qrator.Radar data, more than 80% of IPv6 prefixes were unreachable starting 18:00 UTC on August 8. Moreover, this is continuing for three days straight - a very unusual course of action, considering the increasing use of IPv6.

As you can see, those two ASes almost entirely cut their IPv6 connectivity for some reason, and have not restored it until now. We could only speculate due to what specific reason this was done, but dropping almost all IPv6 from maintenance is a thing that could only be done from “within” - we have never seen such a massive and simultaneous “outside” IPv6 shutdown.

It is much trickier with IPv4, however.

At first glance, from the outside perspective, almost nothing changed. Those two critical autonomous systems of Belarus’ are still connected to their global upstreams even after 20% prefix drop on August 10:

So the reason for massive unavailability of resources hosted inside the BY segment, and vice versa, the inability of users inside Belarus to reach global internet resources, is probably somewhere else.

• https://ioda.caida.org/ioda/dashboard#view=inspect&entity=country/BY&lastView=overview&from=1596824893&until=1597343293

IODA dashboard for Belarus in the past 6 days. For help using the IODA dashboard, see the IMV talk by Ramakrishna Padmanabhan or the screencast by Philipp Winter.

[wkrp]

There was a decrease in Tor relay users and an increase in Tor bridge users, mainly obfs4.

https://metrics.torproject.org/userstats-relay-country.html?start=2020-04-01&end=2020-08-15&country=by https://metrics.torproject.org/userstats-bridge-combined.html?start=2020-04-01&end=2020-08-15&country=by

Psiphon shows an increase in daily connections from Belarus, from near zero on August 7 to over 15 million on August 11.

https://psix.ca/d/nyi8gE6Zk/regional-overview?orgId=2&var-region=BY (archive)

OONI has a decrease in "available" measurements and an increase in "blocked" measurements.

[wkrp]

@jakubd shares OONI measurements that show what overt blockpages look like.

On the ISP A1 (formerly velcom):

https://explorer.ooni.org/measurement/20200809T064736Z_AS42772_Sn8W1QKfDMxmJzphNHpEWpYmWbyNQS09eB8wgpQQCYIASBbkPh?input=http://intimby.net/

<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <link href="https://www.velcom.by/mininfo/css/main.css" rel="stylesheet">
    <title>Доступ ограничен</title>
  </head>
  <body>
    <div class="container">
        <div class="my-auto">Доступ к информационному ресурсу ограничен на основании решения Министерства информации Республики Беларусь, принятого в соответствии с Законом Республики Беларусь &laquo;О cредствах массовой информации&raquo;.
        </div>
    </div>
  </body>
</html>

Access restricted

Access to an information resource is restricted on the basis of a decision of the Ministry of Information of the Republic of Belarus, taken in accordance with the Law of the Republic of Belarus «On Mass Media»

On MTS:

https://explorer.ooni.org/measurement/20200808T195507Z_AS25106_hY9xbufjqUKiqPI5LZJ4IqiwfGMNcaOdrtKnwCaXADPRhSOL8J?input=http://intimby.net/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://internet.mts.by/blocked/">here</a>.</p>
</body></html>

On Beltelecom:

https://explorer.ooni.org/measurement/20200808T143914Z_AS6697_vIveEEZm32Xz4qc8nChMRmJQvQXS2vKLEFQ553NmpborhsfzDY?input=http://intimby.net/

<!DOCTYPE html>
<html >
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <style type="text/css">
            .exactCenter {
                width:600px;
                height:20px;
                position: fixed;
                background-color: #ffffff;
                top: 50%;
                left: 50%;
                margin-top: -100px;
                margin-left: -300px;
                font-family: Verdana, Arial, Helvetica, sans-serif;
            }
        </style>
    </head>
    <body>
        <div class="exactCenter">Доступ к информационному ресурсу ограничен на основании решения Министерства информации Республики Беларусь, принятого в соответствии с Законом Республики Беларусь "О средствах массовой информации"</div>
    </body>
</html>

Access to an information resource is restricted on the basis of a decision of the Ministry of Information of the Republic of Belarus, taken in accordance with the Law of the Republic of Belarus "On Mass Media"

[wkrp]

@fortuna analyzed Censored Planet data for Beltelecom on August 9–10, 2020, and made a sorted list of domains by interference rate. About 96% of tested domains experienced no interference, 3% were blocked in every measurement, and the remaining 1% were sometimes blocked and sometimes not. The blocked domains include a lot of Google domains, social networks, communication tools, and proxies.

https://gist.github.com/fortuna/ae68a39de773251ef7c427c1eb25b75a

[fortuna]

FYI , I've updated the gist with another CSV with the actual errors that the Censored Planet probes see: https://gist.github.com/fortuna/ae68a39de773251ef7c427c1eb25b75a#file-errors-csv

Most of the errors are timeouts, but there are some EOFs, which I believe mean a premature TCP FINs.

I see TCP resets for some domains. Presumably they were blocked previously by a different mechanism. For example:

domain	date	error	count
www.crazyshit.com	2020-08-10	HTTPS: Get https://[IP]: read tcp [IP]:[PORT]->[IP]:[PORT]: read: connection reset by peer	4
4chan.org	2020-08-10	HTTPS: Get https://[IP]: read tcp [IP]:[PORT]->[IP]:[PORT]: read: connection reset by peer	1

[fortuna]

You can see the shutdown clearly on Google's Transparency Report.

Web Search traffic

YouTube traffic

The Censored Planet data does not show blocking of the google.com.* and google.co.* domains, which could explain the small traffic for Web Search.

[wkrp]

In a series of articles, Ryan Gallagher reports that the block in Belarus was done, at least partially, using technology provided by Sandvine. After facing criticism, on 2020-09-15 Sandvine cancelled its deal with the government of Belarus. The first article is according to two unnamed sources, later backed up by internal Sandvine documents and a recording of a conference call with employees.

Previous discussion of the use of Sandvine equipment for censorship in Pakistan.

2020-08-28 Belarusian Officials Shut Down Internet With Technology Made by U.S. Firm (archive)

The government of Belarus shut down access to much of the internet during a crucial election this month by using equipment manufactured by a U.S. company to block people's access to thousands of websites, according to two people familiar with the matter.

As voters went to the polls on Aug. 9 to pass judgment on the country's authoritarian leader, President Alexander Lukashenko, social media websites like Twitter and Facebook suddenly became inaccessible, and news sources from outside the country were blocked. Protesters soon found ways around the blockage, using their own anti-censorship technology.

Belarusian authorities said the disruption was caused by a massive cyber-attack, but cybersecurity experts and data rights groups say that a technical analysis of internet activity in the country points to the government. Sandvine's equipment was integral to the recent internet censorship, according to the two people.

Citizen Lab, a Toronto-based research group that tracks illegal hacking and surveillance, determined in 2018 that deep packet inspection devices from Sandvine was being against users in Turkey, Syria and Egypt to redirect them from legitimate sites to malicious ones, some containing spyware commonly used by governments. In Egypt and Turkey, the devices were also used to block political, human rights and news content, Citizen Lab found.

Sandvine declined to comment on whether its equipment was sold to Jet Infosystems or used to censor the internet in Belarus. A spokesman directed a Bloomberg reporter to the corporate ethics page on the company's website, which details how a Business Ethics Committee reviews the use of Sandvine technology to determine the risk of it being used in a "manner detrimental to human rights."

2020-09-11 U.S. Company Faces Backlash After Belarus Uses Its Tech to Block Internet (archive)

The private-equity-backed technology firm demonstrated its equipment to a government security team in Belarus in May, two people with knowledge of the matter said, and its marketing materials boast of the blacklisting capabilities, according to documents reviewed by Bloomberg. ... The documents and product demonstration, as recounted by the people familiar with the company's affairs, lend added insight into Sandvine's work in Belarus, showing that company representatives met directly with officials in Belarus and later shipped the equipment, via a contractor, to be installed at data centers in Minsk.

During a Sandvine conference call on Thursday, which sought to address employee concerns about its work in Belarus, executives said they had been working with a government organization in the country for more than a year. Sandvine had provided Belarus with technology that is filtering about 40% of all internet traffic moving in and out of the country, the executives said. They said the work didn't violate U.S. sanctions. A recording of the call was shared with Bloomberg.

The revelations about Sandvine have prompted criticisms from U.S. senators, a human-rights organization and Belarusians now living in the U.S., and it has also ignited internal protests within Sandvine, according to the two people familiar with the matter.

Pressure on Sandvine's leadership has also mounted within the company, causing unrest among employees, some of whom didn't know about the work in Belarus until it was revealed last month by Bloomberg, according to the two people familiar with the company's affairs.

2020-09-15 Francisco-Backed Sandvine Cancels Belarus Deal, Citing Abuses (archive)

Sandvine Inc., the technology company backed by private equity firm Francisco Partners, canceled a deal with Belarus, saying the government used its technology to violate human rights.

Sandvine said in a statement on Tuesday that a preliminary investigation determined that "custom code" was inserted into its products "to thwart the free flow of information during the Belarus election."

This is a human rights violation and it has triggered the automatic termination of our end user license agreement," according to the statement. "Sandvine takes human rights abuses very seriously. We also abhor the use of technology to suppress the free flow of information resulting in human rights violations."

[wkrp]

Belarus protests: From internet outages to pervasive website censorship (archive)

OONI, Human Constanta, and the Digital Observers Community Belarus have a report on web page blocking in Belarus between 2020-08-01 and 2020-09-03. Mass blocking of web sites is reported to have begun on 2020-08-22, which is later than the temporary shutdown which took place between 2020-08-09 and 2020-08-12. Blocking is done by block page for HTTP, TCP RST for HTTPS (possibly triggered by SNI), and in one case, DNS spoofing. Their source data is available in a spreadsheet (archive).

Amid ongoing mass protests, Belarusian ISPs blocked access to more than 70 websites, many of which include news media, electoral sites, and sites expressing political criticism. The blocking reportedly began on 22nd August 2020, which is also when OONI Probe users in Belarus started testing most of the reportedly blocked websites.

Our analysis of OONI measurements collected from Belarus between 1st August 2020 to 3rd September 2020 shows that at least 86 websites appear to be blocked. Many more websites presented anomalies as part of the testing, but we narrowed down the scope to the sites that received both the highest volume of testing and which presented the highest ratio of anomalies. This means that we excluded websites which presented non-deterministic signs of blocking and which received limited testing coverage, thereby limiting our ability to rule out potential false positives.

We automatically confirmed the blocking of websites when block pages were served. Based on this, we were able to confirm the blocking of the following domains: afn.by, www.belaruspartisan.org, www.afn.by, www.charter97.org, intimby.net, charter97.org, dmp2.org, is.gd,txti.es, zapraudu.info, svaboda2.net, www.svaboda.org, www.praca-by.info, ucpb.org, spring96.org, mfront.net, gazetaby.com, eurobelarus.info, belsat.eu,belarus.regnum.ru, tsepkalo.com, 015.by, vkurier.by, udf.by, rusproxy.telegramproxy.me, telegram-socks.tk, tgproxy.me, www.ucpb.org,www.bchd.info, www.moyby.com, opg.ucoz.net, zubr.in, naviny.by, nn.by.

We observe a variance in blocking both in terms of which websites are blocked across ISPs (i.e. different sites blocked on different networks), as well as in terms of censorship techniques. We not only observe variance in censorship techniques across ISPs, but we also see that the same ISP may adopt different censorship techniques, particularly depending on whether a site is hosted on HTTP or encrypted HTTPS.

On 22nd August 2020, for example, Beltelecom (AS6697) served a block page in order to block access to the HTTP version of www.svaboda.org. On the same day, we see Beltelecom blocking access to the HTTPS version of www.svaboda.org by interfering with the TLS handshake and resetting the connection. While the blocking of many of these media websites appears to have started on 22nd August 2020, some of these media websites appear to have been blocked since earlier in the month.

On election day, on 9th August 2020, we observed DNS spoofing in the testing of an election related site: belarus2020.org. The testing of belarus2020.org often presented HTTP failures and genetic timeout errors from 10th August 2020 onwards (though this could potentially have been affected by the internet outages during that period), while previous testing showed that the site used to be accessible.

From 22nd August 2020, we start to observe that the testing of belarus2020.org starts to always present connection reset errors (instead of generic timeout errors), which is consistent with how most of the other websites were blocked from that date onwards. This suggests that that local ISPs (such as Beltelecom) may have switched to blocking belarus2020.org with the same censorship technique as other sites.

Quite similarly, we observe that zubr.in – a system for the online monitoring of Belarus’ 2020 electoral process – presented HTTP failures and generic timeout errors everytime it was tested from 13th August 2020 onwards, suggesting potential blocking. From 22nd August 2020, we start to observe that the testing of the site consistently presents connection reset errors (with interference happening during the TLS handshake), similarly to how most sites were blocked from that date onwards.

[wkrp]

Internet blocking in Belarus (archive)

Qurium and Human Constanta have published a report giving details of how blocking is done on four ISPs in Belarus.

• Business Network
  • HTTP requests get an injected HTTP redirect to a block page at http://212.98.160.60/ (archive).
  • HTTPS requests get an injected RST/ACK with TCP window size 502 and IP ID 0.
• Beltelecom
  • HTTP requests get an injected HTTP redirect to http://82.209.230.23 with TCP window size 32678 [sic] and IP ID 1. The block page currently times out for me, but you can find its contents in an earlier comment.
• Unitary enterprise A1
  • HTTP and HTTPS requests go through a Squid transparent proxy. Block pages can be returned by the proxy and don't need to be injected.
  • HTTP requests get a redirect to https://a1.by/mininfo/ (archive).
  • HTTPS requests get a forged certificate for the requested domain and a commonName of Atlant-Telecom HTTPS Proxy. Accepting the certificate leads to a redirect to the same block page as HTTP.
• Mobile TeleSystems Belarus (MTS)
  • Enforces blocking by DNS only, using its DNS servers at 134.17.1.1 and 134.17.1.0.
  • Queries for blocked domains get an A record for 134.17.0.7.
  • The web server at 134.17.0.7 serves redirects to https://internet.mts.by/blocked/. Both of these servers currently time out for me, but you can find their contents in an earlier comment.

Summary table of how each of 56 domains is blocked on the four ISPs:

Domain	Business telecom	Beltelecom	A1	MTS
015.by	443
afn.by	80,443	80	80,443	DNS
babariko.vision	443	80	80,443	DNS
bchd.info	443	80	80,443	DNS
belarus2020.org	80	80,443	DNS
belarusinfocus.info	443	DNS
belarus.regnum.ru	80	80	80,443	DNS
belprauda.org	80	80,443	DNS
belsat.eu	80	80	80,443	DNS
by.tribuna.com	80	80,443	DNS
charter97.org	80,443	80	80,443	DNS
elections2020.spring96.org	443	80	80,443	DNS
eurobelarus.info	80	80	80,443	DNS
euroradio.fm	443	80	80,443	DNS
flagshtok.info	443	DNS
honestby.org	443	80	80,443	DNS
gazetaby.com	80	80,443	DNS
hramada.org	443	80	80,443	DNS
intimby.net	80,443	80	80,443	DNS
masheka.by	443	80	80,443	DNS
mfront.net	80	80	80,443	DNS
mspring.online	443	DNS
narodny-opros.info	80	80,443	DNS
news.vitebsk.cc	443	80	80,443	DNS
opg.ucoz.net	443	80	80,443	DNS
pramenby.wordpress.com	80,443	80	80,443	DNS
pramen.io	80,443	80	80,443	DNS
primaries.by	443	80	80,443	DNS
progomel.by	443	80	80,443	DNS
psiphon.ca	443	80	80,443	DNS
pyx.by	443	80	80,443	DNS
regnum.ru	80	80	80,443
safervpn.com	443	80	80,443	DNS
spring96.org	443	80	80,443
sputnikipogrom.com	80,443	80	80,443	DNS
statkevich.org	443	80,443	80,443	DNS
surfshark.com	443	80,443	80,443	DNS
svaboda2.net	80	80,443	80,443	DNS
tip.by	DNS
tsepkalo.com	80	80,443	80,443	DNS
tsepkalo.info	443	80,443	80,443	DNS
txti.es	80	80,443	80,443	DNS
ucpb.org	80	80	80	DNS
udf.by	80	80,443	80,443	DNS
virtualbrest.by	443	80,443	80,443	DNS
vitebskspring.org	443	80,443	80,443	DNS
vkurier.by	80	80,443	80,443	DNS
vot-tak.tv	443	80,443	80,443	DNS
www.moyby.com	443	DNS
www.politnavigator.net	443	80,443	80	DNS
www.svaboda.org	80,443	80	DNS
www.the-village.me	443	80	DNS
zapraudu.info	80	80,443	80,443	DNS
zenmate.com	443	80,443	80,443	DNS
zona.media	443	DNS
zubr.in	80,443	80	80,443	DNS

[cohosh]

We're seeing a sudden drop of obfs4 usage in Belarus recently, and a rise in meek usage:

I wonder if some new Tor blocking prompted the switch.

[wkrp]

We're seeing a sudden drop of obfs4 usage in Belarus recently, and a rise in meek usage:

Link to relay graph Link to bridge graph

I posted the graph also to NTC, because there may be a greater number of experts on Belarus there.

Psiphon Data Engine doesn't show a change in Psiphon users in Belarus at that time. (Screenshotted before the date falls off the recent history.)

While looking at the graphs, I also noticed an apparent Tor relay block on 2020-10-13 that I don't think has been discussed before.