Considerations Concerning Blockades
Monday, August 3rd, 1998
What happens if you try to break a bomb-proof network
On July 23, 1998, the Swiss Federal Police (Bundespolizei, commonly referred to by its abbreviation “BUPO”) sent a letter to about 100 Swiss Internet Service Providers demanding the blocking of ten web pages containing revisionist, reactionary material from Neonazis, Antisemites and so on. This letter is available here. I will not go into a political or legal discussion here of whether these sites need to be censored or not, but simply take a look at whether it is actually possible to block sites which contain “unpleasant” material.
Well then, let’s take a look at possible methods of blocking.
- DNS-Relocating
The service which maps domains (e.g. discordia.ch) to IP numbers
(e.g. 192.168.1.14) can easily be used to block the lookup of
such domains and redirect the user to some other page. This only
affects the users who use the respective DNS. Normally, users
use the DNS of their respective ISP because of speed, but are in
no way obliged to. Any user can use any DNS in the world. Furthermore,
any user can bypass the DNS if he knows the IP address already.
Time needed to block is about 5-15 minutes per domain.
- IP-Blocking
Depending on equipment, in most places IP blocking should be no
problem either. In this case not only the lookup but the actual
site really gets blocked. Any attempt to transfer data directly
to or from the blocked site will fail. The point here is “directly”.
A heavily used method to reduce traffic on the Internet is called a
proxy. As soon as a page is requested via a proxy it is cached within
the proxy and remains there for further reference or until it expires. So
if a page is accessed via proxy, the proxy actually gets the page,
caches it and gives a copy to the user. So a user can use a proxy
somewhere else to get around the block. Most proxies are private or
semi-private, but there are a lot of public proxies out there, like
Anonymizer. Further problems
include the fact that there are hosts which serve thousands of
sites on one address, which cannot be blocked selectively; blocking
the address therefore denies service to all of them. Time needed to
block a site is about 5-15 minutes.
- Filtering Proxies
The most restrictive method of blocking a site involves access
to the Internet through a proxying firewall, common in some
bigger companies. This makes it impossible to get pages directly;
instead a proxy has to get the file first before the user may get
it. In most environments (especially ISPs) this is not feasible,
since a lot of services won’t work anymore (like IRC, CuSeeMe,
Netmeeting, RealAudio, telnet and many more), due to the inability
to proxy realtime connections. However, talking only of web pages,
this has been proven to be surpassable as well; the
Anti-Filtering-Proxy-Proxy
defeats this. This method of blocking isn’t trivial to implement,
will need some months’ time and a firewall, and has such severe drawbacks
that nobody except high-security environments (which actually want
to monitor their users) will want to implement it.
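The collateral-damage point in the IP-Blocking item, as an added example (not code from the original essay): given the hostname-to-address records a resolver holds and a list of names to block, it works out which names a DNS-level block reaches and which unrelated tenants an IP-level block on a shared address would take down with them. All records, names and addresses below are constructed.

```python
from collections import defaultdict

# Constructed A-records (hostname -> address), standing in for what an ISP's
# resolver knows about. Addresses come from documentation ranges.
DNS_RECORDS = {
    "target-one.example": "203.0.113.10",
    "target-two.example": "203.0.113.20",
    "target-three.example": "203.0.113.20",
    "chess-club.example": "203.0.113.10",    # unrelated tenant, shared host
    "town-library.example": "203.0.113.10",  # unrelated tenant, shared host
    "bakery.example": "198.51.100.5",
}
# Constructed blocklist; the last name has no record at all.
BLOCKLIST = {"target-one.example", "target-two.example",
             "target-three.example", "not-hosted-here.example"}

def dns_block(records, blocklist):
    """Names a resolver-level block actually affects: only the listed names
    this resolver knows about. Clients using another resolver or a raw
    address are untouched, which is the weakness the essay points out."""
    return sorted(name for name in blocklist if name in records)

def ip_block(records, blocklist):
    """Addresses an IP-level block would need, and who else lives there.
    Returns {ip: {"targets": [...], "collateral": [...]}}."""
    by_ip = defaultdict(list)
    for name, ip in records.items():
        by_ip[ip].append(name)
    target_ips = {records[n] for n in blocklist if n in records}
    plan = {}
    for ip in sorted(target_ips):
        tenants = sorted(by_ip[ip])
        plan[ip] = {
            "targets": [n for n in tenants if n in blocklist],
            "collateral": [n for n in tenants if n not in blocklist],
        }
    return plan

def safe_to_block_by_ip(records, blocklist):
    """Addresses where every tenant is listed; blocking any other address
    is the non-selective denial of service the essay describes."""
    return sorted(ip for ip, e in ip_block(records, blocklist).items()
                  if not e["collateral"])

if __name__ == "__main__":
    print("DNS block affects:", dns_block(DNS_RECORDS, BLOCKLIST))
    print("IP block plan:", ip_block(DNS_RECORDS, BLOCKLIST))
    print("IP blocks without collateral:", safe_to_block_by_ip(DNS_RECORDS, BLOCKLIST))
```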
Not surprisingly, the whole issue has given rise to several
countermeasures against such blockades.
- Mirroring
Download the whole site and put it up elsewhere as well. This happened
when the German zine “Radikal” was to be blocked (including its
provider xs4all). Hundreds of mirrors of Radikal spread everywhere.
The whole issue had to be dropped because too many sites had the
information readily available. This is a matter of hours.
- Relocating
Change of address and/or provider. This can be done within a week
or two if the provider of the DNS has to be changed. Otherwise this
can be accomplished in hours. A change of the actual address is
a nuisance for blockers as well as for people wanting the
information on the site.
- Other Protocols
Everything that can be put on a web page can be posted on Usenet (News)
or be made downloadable on IRC (Internet Relay Chat), and probably via
many more channels. While on Usenet only the groups which are wanted
need to be fetched, this doesn’t help against material published in the
wrong group. It is common that people who don’t like each other
crosspost to the opposing groups (e.g. rec.startrek and rec.sf-lovers,
which can’t stand each other). IRC, on the other hand, is realtime
and can’t be controlled with technical measures. The same applies to
other similar services like ICQ and Hotline.
- Eternity Device
Published in Phrack #51, the
eternity device is a distributed data haven, where all data can
come in, but nothing can ever be deleted. Access to the device is
granted through an
Eternity Service
- Anti-Filtering-Proxy-Proxy
As mentioned above. This can be used to defeat filtering proxies,
by setting up a reachable proxy gateway on another web server. Anyone
with a bit of Unix experience can set one up. It’s available
here
- Public Proxies
Several services all over the Internet already offer free proxying
for anyone. This is mostly used in order to be able to surf anonymously,
but these proxies also circumvent IP blocks. Well known services include
Anonymizer,
LPWA (Lucent
Personalized Web Assistant),
Aixs and the
Onion Router. To these
come hundreds of proxy servers (caching proxies like squid and web filters
like junkbuster) which are not intentionally open to the public, but can
be used anyway.
- Tunnels
Sometimes used for piercing filtering firewalls
are tunnels, which carry information inside another protocol.
This needs some nifty technical knowledge. I won’t go into details
here since I can’t imagine anyone tunneling just to get some information.
Of course, there are other, non-technical implications of attempts to
censor, most notably relocating the server out of the jurisdiction to a place
with “friendlier” law. But this won’t be covered here; we solely took
a look at technical possibilities. In the end we have to admit that
blocking sites is of no use and very costly. To block a dozen sites,
a system administrator will surely need at least an hour, which is
going to be very costly if hundreds of sites are to be blocked. On the
other hand, defeating the blocks is a matter of seconds, and in case
of heavy mirroring it is not only a circumvention but also increases
the cost on the side of the censor (the BUPO in the above case) and on the side of the
ISPs which have to do the blocking. In the end, nothing is done against
the sites containing the material to be censored, but instead a lot of
money will be wasted, the hate groups will still flourish (or alternatively
the child-pornography traders) and we all lose.
Peter Keel,
Updated April 14, 1999
“The more prohibitions there are, The poorer the people will be”
— Lao Tse