Wednesday, August 03, 2011

Site Blocking: What the UK Government would prefer you not to see

It's well known that internet blocking is easy to circumvent. Ofcom, in today's report "Site Blocking" to reduce online copyright infringement, admits as much, saying that:
For all blocking methods circumvention by site operators and internet users is technically possible and would be relatively straightforward by determined users. (p.5)
Despite this, however, one branch of the UK Government still appears determined to keep its head in the sand, and according to that report:
The Department for Culture, Media and Sport has redacted some parts of this document where it refers to techniques that could be used to circumvent website blocks.
Unfortunately, the technical competence of the DCMS appears to be somewhat limited, and the redaction was (ironically?) also easily circumvented, by measures as simple as copy/paste. Needless to say, a department which is unable to censor a single PDF does not exactly inspire confidence when it proposes to introduce blocking for the entire UK internet, and it is just as well that the UK government has today announced plans to abandon the blocking provisions of the Digital Economy Act.

[Updated - 1.15pm]

The full, unredacted version now appears on Scribd. As can be seen from that document, the material which was redacted was all improperly removed. The tactics discussed to circumvent blocking are all well-known, even to a mere lawyer such as myself, and the redactions appear to be motivated more by considerations of security theatre than anything else.

[Embedded document: Ofcom Site Blocking Report With Redactions Removed]

[Previously]

Here are the individual portions of the report which the DCMS attempted to quash. Text in italics was not redacted but appears for context:

pp.28-29
Robustness

Bypassing IP address blocking is technically straightforward for those who have an incentive to do so.
The blocked site operator may:

• change IP address but stay on the same network (i.e. on the same hosting provider);
• move to an entirely new network (to a previously unobserved IP address);
• offer encrypted network services which obscure the true network address/destination such as Virtual Private Networking;26,27 or
• server operators may institute a Fast Flux network (where users run software on behalf of the blocked site which hides the true network address of the blocked site).

There are other methods available to site operators. When moving to a new IP address a site operator may register multiple IP addresses for a given site in order to maintain service in the event that some of those individual IP addresses are blocked. This approach has legitimate purposes also.28 Furthermore, by setting a low “Time to Live” (TTL) Domain Name System (DNS) record value, determining the length of time that the IP address for a particular domain (expressed in seconds) remains in remote name server caches, it is easier for a site operator to move IP addresses without end users losing access. Where a low TTL is expressed the ISP DNS name server resolution cache is purged quickly thereby ensuring that newly assigned site IP addresses are retrieved from the authoritative name server and site accessibility is maintained. Figure 13 below shows that the TTL value for "kickasstorrents" is one hour, demonstrating that any changes to IP address to DNS name are refreshed and propagated within ISP DNS servers in just over an hour.

Figure 13: Kickasstorrents DNS record Time to Live (1 hour)

Name                       TTL   Class  Record  Address
www.kickasstorrents.com.   3600  IN     A       95.215.60.37
www.kickasstorrents.com.   3600  IN     A       93.114.40.112
www.kickasstorrents.com.   3600  IN     A       193.105.134.81
www.kickasstorrents.com.   3600  IN     A       95.143.195.138
www.kickasstorrents.com.   3600  IN     A       76.76.107.90

26 Ipredator - Surf anonymously with VPN and proxy https://www.ipredator.se/?lang=en
27 UK based VPN services facilitating access to copyright infringed material may be subject to site blocking injunctions. UK VPN operators may institute site blocking at the VPN egress point. NB: we are not aware of any UK based VPN service marketed or positioned for such activity. Such services are likely to be non-UK based.
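The passage above is the crux of why IP-address blocking decays: a name can carry several A records, and a short TTL bounds how long any resolver keeps an old answer. The following is an added example, not code from the Ofcom report or from this post, showing what a blocklist maintainer would actually check. It parses A records in the dig-style layout of Figure 13 (the sample text is constructed to match the figure), reports how many addresses a block must cover and how long a cached answer can survive, and diffs an existing blocklist against a fresh lookup. The blocklist and the extra address in the usage are assumed values for illustration.

```python
"""Added example (not from the Ofcom report): parse Figure 13-style A records
and estimate how quickly an IP-address blocklist built from them goes stale."""
from collections import defaultdict
from datetime import timedelta

# Constructed sample in the same layout as Figure 13 (addresses as printed there).
FIGURE_13 = """\
www.kickasstorrents.com. 3600 IN A 95.215.60.37
www.kickasstorrents.com. 3600 IN A 93.114.40.112
www.kickasstorrents.com. 3600 IN A 193.105.134.81
www.kickasstorrents.com. 3600 IN A 95.143.195.138
www.kickasstorrents.com. 3600 IN A 76.76.107.90
"""


def parse_a_records(text):
    """Return {owner_name: [(ttl_seconds, address), ...]} for the A records in text.

    Each line is expected as 'name TTL IN A address' (the dig/zone-file layout);
    anything else (blank lines, other record types) is skipped.
    """
    records = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN" or parts[3] != "A":
            continue
        name, ttl, _cls, _type, addr = parts
        records[name.rstrip(".").lower()].append((int(ttl), addr))
    return dict(records)


def blocklist_summary(records):
    """Per name: the addresses a blocklist must cover, and the longest time a
    cached answer survives, i.e. the window after which every resolver will have
    fetched whatever new address the operator has published."""
    summary = {}
    for name, rrs in records.items():
        max_ttl = max(ttl for ttl, _ in rrs)
        summary[name] = {
            "addresses": sorted(addr for _, addr in rrs),
            "max_ttl_seconds": max_ttl,
            "cache_expiry": str(timedelta(seconds=max_ttl)),
        }
    return summary


def blocklist_drift(blocked, records):
    """Compare an existing blocklist {name: set(ip)} with a fresh lookup.

    Returns {name: {"stale": ips blocked but no longer published,
                    "unblocked": ips published but not yet blocked}}.
    A non-empty 'unblocked' set means the block is already being bypassed by
    ordinary DNS resolution, with no effort from the client at all.
    """
    drift = {}
    for name in set(blocked) | set(records):
        current = {addr for _, addr in records.get(name, [])}
        listed = set(blocked.get(name, set()))
        drift[name] = {"stale": listed - current, "unblocked": current - listed}
    return drift


if __name__ == "__main__":
    recs = parse_a_records(FIGURE_13)
    for name, info in blocklist_summary(recs).items():
        print(name, info)
    # Assumed blocklist: one address from the figure plus one that is no longer published.
    print(blocklist_drift({"www.kickasstorrents.com": {"95.215.60.37", "198.51.100.1"}}, recs))
```

Run against Figure 13 this reports five addresses and a one-hour cache expiry, which is the point the report is making: a list assembled from a single lookup is only as current as the TTL, and has to be re-resolved at least that often to stay meaningful.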

pp.33-34
DNS blocking robustness

For site operators and end users with a sufficient incentive to engage in circumvention, DNS blocking is technically relatively straightforward to bypass:

• the blocked site may offer services such as Virtual Private Networking, which is where encryption and other security measures are deployed to ensure that the data cannot be viewed by third parties (DNS name resolution may occur within the VPN provider's network thereby bypassing the ISP based DNS site-blocking);
• the end-user can change their DNS name servers to 3rd party DNS name servers;32,33
• users may use anonymous web proxy or other anonymising services which are not reliant on the ISP DNS servers; or
• name resolution may be performed locally by adding an entry to a hosts file (IP address resolution information can be obtained from websites running a web-enabled equivalent of “nslookup” command).

32 Google Public DNS - http://code.google.com/speed/public-dns/
33 OpenDNS Store > Sign up for OpenDNS Basic: - https://store.opendns.com/get/basic/

For end users who want to bypass blocks there are several options. For instance, there are many legitimate alternative DNS providers to ISP DNS registries. Examples include OpenDNS and Google DNS. We consider the changing of DNS servers to alternative providers to require low technical skills, as the providers offer clear instructions using plain English. For instance, switching to Google DNS requires 11 steps for Windows users and only 8 for those using Mac OS.

With a modest understanding of internet technologies it is possible to access a site by entering the site IP address (if multiple websites are hosted at the same IP address the user will be shown the default web site or page for that web server/IP address). Site operators can draw attention to online web based and alternative sources of DNS name resolution within emails to their user base or via online forums.

Other channels that site operators could use to widely distribute advice on how best to circumvent DNS blocking could include posting to online forums, Really Simple Syndication (RSS) or updates via micro blogging sites such as Twitter ®. The advice could include changing to unblocked DNS name servers, Virtual Private Networks and proxy services or other anonymising systems. Similarly, site operators may quickly mirror or make copies of a blocked site on new top level or country code domains pointing towards new IP addresses e.g. www.blockedsite.cc; www.blockedsite.ru; www.blockedsite.vn; www.blockedsite.net.
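The report's point in this section is that resolver-based blocking only binds users who keep using the ISP's resolvers. The useful counterpart for whoever operates such a block is to measure how much of the user base has walked away from those resolvers, which is visible in ordinary flow telemetry. The following is an added example, not from the Ofcom report or this post: it reads constructed flow-log lines, flags DNS sent to any resolver the ISP does not run, and computes the share of DNS-using clients doing so. The ISP resolver address 192.0.2.53 and the port-853 server 203.0.113.10 are made-up documentation addresses; 8.8.8.8 is Google Public DNS, which the report itself cites. Counting port 853 (DNS over TLS) goes beyond what the 2011 report lists, and is included because it is the modern form of the same bypass.

```python
"""Added example (not from the Ofcom report): from constructed flow-log lines,
find clients whose DNS goes somewhere other than the ISP's own resolvers and
measure what share of the DNS-using client base that is."""

# Constructed sample lines: "timestamp src_ip dst_ip proto dst_port".
# 192.0.2.53 stands in for the ISP resolver (documentation range); 8.8.8.8 is
# Google Public DNS; 203.0.113.10 is a constructed DNS-over-TLS (port 853) server.
FLOWS = """\
2011-08-03T10:00:01 10.0.0.5 192.0.2.53 udp 53
2011-08-03T10:00:02 10.0.0.5 8.8.8.8 udp 53
2011-08-03T10:00:03 10.0.0.7 192.0.2.53 udp 53
2011-08-03T10:00:04 10.0.0.7 192.0.2.53 tcp 53
2011-08-03T10:00:05 10.0.0.9 203.0.113.10 tcp 443
2011-08-03T10:00:06 10.0.0.9 203.0.113.10 tcp 853
"""
ISP_RESOLVERS = {"192.0.2.53"}           # assumed: the resolvers the ISP operates
DNS_PORTS = {53: "plain DNS", 853: "DNS over TLS"}


def parse_flows(text):
    """Parse 'timestamp src dst proto dport' lines; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, port = parts
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "proto": proto.lower(), "dport": int(port)})
    return flows


def dns_bypass_events(flows, isp_resolvers):
    """Flows carrying DNS (port 53 or 853) to a resolver the ISP does not run."""
    events = []
    for f in flows:
        kind = DNS_PORTS.get(f["dport"])
        if kind and f["dst"] not in isp_resolvers:
            events.append((f["ts"], f["src"], f["dst"], kind))
    return events


def bypass_share(flows, isp_resolvers):
    """Fraction of clients that did any DNS and sent some of it past the ISP
    resolvers. Returns 0.0 when no client did DNS at all (avoids a zero division)."""
    dns_clients = {f["src"] for f in flows if f["dport"] in DNS_PORTS}
    bypassing = {src for _, src, _, _ in dns_bypass_events(flows, isp_resolvers)}
    return len(bypassing) / len(dns_clients) if dns_clients else 0.0


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for event in dns_bypass_events(flows, ISP_RESOLVERS):
        print("bypass:", *event)
    print("share of DNS clients bypassing ISP resolvers:",
          round(bypass_share(flows, ISP_RESOLVERS), 2))
```

On the sample, two of the three clients that do DNS at all send some of it elsewhere, so a resolver-based block would reach at most the remaining third. The share is the figure to watch over time: it is an upper bound on what DNS blocking alone can achieve, and it needs no inspection of query contents, only destination and port.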

p.38
Techniques that may undermine URL blocking include:

• web site operators providing encrypted access to their web sites via Secure Sockets Layer/Transport Layer Security i.e. https connectivity https://www.example.com/downloads/pirate.zip;
• a site operator may run a website on a network port other than port 80;
• the site operator changing the IP address and bypassing the network routing announcements;
• a site operator registering a new domain name e.g. www.example.net or www.example.org;
• the blocked site offering services such as Virtual Private Networking;
• the use of anonymous web proxy or other anonymising services;
• the site operator reorganising the site structure if the blocking is conducted against specific URLs; and
• the site operator or end user encoding URLs to bypass blocking.
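Several items in that list (a different port, a new domain, a reorganised site, an encoded URL) are really statements about how literally a URL list is matched. Whatever one thinks of URL blocking as policy, a filter that compares raw strings is defeated by a change of case or a percent-encoded letter, and the standard remedy is to canonicalise both the list entry and the observed URL before comparing. The following is an added example, not code from the Ofcom report or this post, written against the example.com URL the report uses; the blocklist entries and the test URLs are constructed for illustration.

```python
"""Added example (not from the Ofcom report): canonicalise URLs before matching
them against a URL blocklist, so that re-encoding, case changes, default ports,
dot-segments and fragments do not defeat the match."""
import posixpath
from urllib.parse import quote, unquote, urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonicalize(url):
    """Return a canonical form of url (RFC 3986 style normalisation).

    - scheme and host lower-cased, default port dropped, any other port kept
      (a site moved to port 8080 is a different resource and stays distinct)
    - path percent-decoded once, dot-segments resolved, then re-encoded uniformly
    - fragment discarded (it is never sent to the server); query kept verbatim
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lower-cased
    port = parts.port  # raises ValueError on a malformed port; the caller decides
    netloc = host if port is None or port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    raw_path = parts.path or "/"
    path = posixpath.normpath(unquote(raw_path))  # one decode pass, then /./ and /../ resolved
    if raw_path.endswith("/") and not path.endswith("/"):
        path += "/"  # normpath strips a trailing slash; keep it, it is significant
    path = quote(path, safe="/")
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def is_blocked(url, blocklist):
    """blocklist: canonical URLs; an entry ending in '/' blocks everything under it.

    A URL that cannot be parsed is treated as blocked (fail closed): a filter that
    waves through whatever it cannot understand invites exactly that input.
    """
    try:
        canon = canonicalize(url)
    except ValueError:
        return True
    for entry in blocklist:
        if canon == entry or (entry.endswith("/") and canon.startswith(entry)):
            return True
    return False


if __name__ == "__main__":
    # Constructed blocklist: one exact URL (from the report's example) and one directory.
    blocklist = {canonicalize("https://www.example.com/downloads/pirate.zip"),
                 canonicalize("http://www.example.net/files/")}
    for candidate in ("HTTPS://WWW.EXAMPLE.COM:443/downloads/%70irate.zip#top",
                      "https://www.example.com/a/../downloads/./pirate.zip",
                      "http://www.example.net:8080/files/a.zip"):
        print(candidate, "->", canonicalize(candidate), "blocked" if is_blocked(candidate, blocklist) else "allowed")
```

The single decode pass is deliberate: decoding repeatedly would turn a literal "%2525" into "%" and make the canonical form depend on how many times the filter guesses. What canonicalisation cannot do is follow the site to a new hostname or a rearranged path, which is why the report treats those as bypasses rather than encoding tricks.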

p.40
Packet inspection blocking robustness

Both shallow and deep packet inspection can be bypassed by site operators using the following means:

• changing the IP address but staying on the same network;
• moving to an entirely new network (to a previously unobserved IP address);
• the site may use network encryption techniques such as Virtual Private Networking to render scrutiny of the IP packet's payload or real IP address destination impossible, given the technology available today; or
• the site operator may add or remove site IP addresses from a pool of IP addresses.

End users who wish to circumvent packet inspection may opt to use anonymous web proxies or other anonymising services.

p.41
As with the deployment of any of the single primary techniques, the hybrid approach is also susceptible to circumvention by the use of anonymising tools such as The Onion Router, VPNs or anonymous proxy services.
p.44 (Column marked "Difficulty of circumvention" originally redacted)

p.45 (Column marked "Difficulty of circumvention" originally redacted)

p.52
Technical Glossary

Anonymous Web Proxy: Service that allows users to place web requests via an intermediary server. The proxy server makes the connection on behalf of the user thereby hiding originating IP address and bypassing blocking network techniques.

The Onion Router (Tor): Anonymity network originally developed by the United States Navy. Used in many countries to bypass state censorship.

5 comments:

  1. Thanks for this - did you manage to get a copy of the other Ofcom document relating to the costs of subscriber appeals?

  2. @Duke - I've just looked at that document now. I don't know about the original, but the version now online (http://stakeholders.ofcom.org.uk/binaries/internet/appeals-process.pdf) appears to have been redacted by someone who actually knew what they were doing.

  3. Why does this report have Stormfront as a citation (page 21)? Especially when the page cited is a copy/paste of this:

    http://arstechnica.com/tech-policy/news/2011/04/do-domain-seizures-keep-streaming-sites-down.ars

  4. @Anonymous - well spotted. I would have thought Stormfront would be blocked by Ofcom's own internal filters, but evidently not. The relevant link is actually footnote 21, p.24.
