Considerations Concerning Blockades

Monday, August 3rd, 1998

What happens if you try to break a bomb-proof network

On July 23, 1998, the Swiss Federal Police (Bundespolizei, commonly referred to by its abbreviation “BUPO”) sent a letter to about 100 Swiss Internet service providers demanding that they block ten web pages containing revisionist and reactionary material from neo-Nazis, anti-Semites and the like. This letter is available here. I will not go into a political or legal discussion here of whether these sites need to be censored or not, but will simply take a look at whether it is actually possible to block sites which contain “unpleasant” material.

Well then, let’s take a look at possible methods of blocking.

  • DNS-Relocating
    The service which maps domain names (e.g. discordia.ch) to IP addresses
    (e.g. 192.168.1.14) can easily be made to answer lookups of such
    domains with a different address, sending the user to some other page
    instead. This affects only users who use that particular DNS server.
    Users normally use their ISP’s DNS because it is fastest, but they are
    in no way obliged to: any user can use any DNS server in the world.
    Furthermore, any user can bypass DNS entirely if they already know the
    IP address. Time needed to block is about 5-15 minutes per domain.
  • IP-Blocking
    Depending on the equipment, IP-blocking should be no problem in most
    places either. Here not only the lookup but the site itself is blocked:
    any attempt to transfer data directly to or from the blocked address
    will fail. The point is “directly”. A heavily used method of saving
    traffic on the Internet is the proxy. As soon as a page is requested
    through a proxy, the proxy fetches it, caches it and hands a copy to
    the user, and the cached copy stays there for further requests until it
    expires. So a user can use a proxy located somewhere else to get around
    the block. Most proxies are private or semi-private, but there are a lot
    of public proxies out there, like Anonymizer. A further problem is that
    there are servers which host thousands of sites on one address (virtual
    hosting); an IP block cannot be selective there, so it amounts to a
    denial of service against every other site on that address. Time needed
    to block a site is about 5-15 minutes.
  • Filtering Proxies
    The most restrictive method of blocking a site is to force all access to
    the Internet through a proxying firewall, as is common in some bigger
    companies. This makes it impossible to get pages directly; instead a
    proxy has to fetch the file before the user may get it, and the proxy
    can refuse by domain name. In most environments (especially ISPs) this
    is not feasible, since a lot of services won’t work anymore (like IRC,
    CU-SeeMe, NetMeeting, RealAudio, telnet and many more), because
    realtime connections cannot be proxied. However, talking only of web
    pages, this has been proven to be surpassable as well: the
    Anti-Filtering-Proxy-Proxy
    defeats it. This method of blocking isn’t trivial to implement, will
    take some months, requires a firewall, and has such severe drawbacks
    that nobody except high-security environments (which actually want
    to monitor their users) will want to implement it.
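
To put the three blocking points side by side, here is an added Python model (not code from the original article) of where each control sits in the path between user and site and what it can see. All names and addresses are constructed: the `.example` hosts, the RFC 5737 documentation addresses and the sinkhole address are assumptions made for the illustration.

```python
"""Model of the three blocking points described above: the ISP's resolver,
an IP-level packet filter, and a filtering proxy. Added illustration, not
code from the original article. All names and the RFC 5737 addresses are
constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed "internet": name -> address. Two of the sites to be blocked
# share one address with an unrelated site, as mass virtual hosting does.
DNS_TRUTH = {
    "unpleasant-a.example": "192.0.2.10",
    "unpleasant-b.example": "192.0.2.10",
    "innocent.example":     "192.0.2.10",    # same machine, same address
    "unpleasant-c.example": "198.51.100.7",
    "public-proxy.example": "203.0.113.5",   # a proxy outside the ISP
}
BLOCKED_DOMAINS = {"unpleasant-a.example", "unpleasant-b.example",
                   "unpleasant-c.example"}
# An IP block can only be expressed in addresses, so it necessarily covers
# everything else that lives on those addresses.
BLOCKED_IPS = {DNS_TRUTH[d] for d in BLOCKED_DOMAINS}
SINKHOLE = "192.0.2.250"   # where a "relocated" name is pointed


@dataclass
class Request:
    host: str                        # the site the user wants
    ip: Optional[str] = None         # set if the user already knows the address
    resolver: str = "isp"            # "isp" or "external" (any other DNS server)
    via_proxy: Optional[str] = None  # name of a proxy outside the ISP, if used


@dataclass
class ISP:
    dns_block: bool = False        # resolver answers SINKHOLE for blocked names
    ip_block: bool = False         # packet filter drops traffic to BLOCKED_IPS
    filtering_proxy: bool = False  # all web traffic forced through a proxy
                                   # that refuses blocked domains

    def resolve(self, name: str, resolver: str) -> str:
        """Answer a lookup; only the ISP's own resolver lies."""
        if resolver == "isp" and self.dns_block and name in BLOCKED_DOMAINS:
            return SINKHOLE
        return DNS_TRUTH[name]

    def fetch(self, req: Request) -> str:
        """Outcome for the user: 'ok', 'blocked' or 'relocated'."""
        # 1. Filtering proxy: it opens the connection itself, so it sees the
        #    domain the user asks for even if the user knows the address. If
        #    the user asks for a page on a gateway outside the ISP, the only
        #    domain it sees is the gateway's.
        if (self.filtering_proxy and req.via_proxy is None
                and req.host in BLOCKED_DOMAINS):
            return "blocked"
        # 2. Resolver: consulted only when the user relies on the ISP's DNS
        #    and does not already know the address.
        if req.via_proxy:
            target_ip = self.resolve(req.via_proxy, req.resolver)
        else:
            target_ip = req.ip or self.resolve(req.host, req.resolver)
        # 3. Packet filter: sees addresses only. With an outside proxy the
        #    address on the wire is the proxy's, not the site's.
        if self.ip_block and target_ip in BLOCKED_IPS:
            return "blocked"
        if target_ip == SINKHOLE:
            return "relocated"
        return "ok"


def collateral_damage(isp: ISP) -> List[str]:
    """Sites outside the block list that the ISP's measures still cut off."""
    return sorted(name for name in DNS_TRUTH
                  if name not in BLOCKED_DOMAINS
                  and isp.fetch(Request(name)) != "ok")


if __name__ == "__main__":
    target = "unpleasant-a.example"
    for label, isp in [("DNS relocating", ISP(dns_block=True)),
                       ("IP blocking", ISP(ip_block=True)),
                       ("filtering proxy", ISP(filtering_proxy=True))]:
        print(f"{label}:")
        print("  plain request     ", isp.fetch(Request(target)))
        print("  other resolver    ", isp.fetch(Request(target, resolver="external")))
        print("  address known     ", isp.fetch(Request(target, ip=DNS_TRUTH[target])))
        print("  via outside proxy ", isp.fetch(Request(target, via_proxy="public-proxy.example")))
        print("  collateral damage ", collateral_damage(isp))
```

Running it shows the point of the list above: the DNS block falls to a different resolver or a known address, the IP block falls to any proxy outside the ISP and takes innocent.example down with it, and only the filtering proxy is selective, which is also the only one a user cannot step around without a gateway on the outside.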

Not surprisingly, the whole issue has given rise to several
countermeasures against such blockades.

  • Mirroring
    Download the whole site and put it up elsewhere as well. This happened
    when the German zine “Radikal” was to be blocked (together with its
    whole provider, xs4all): hundreds of mirrors of Radikal sprang up
    everywhere, and the whole blockade had to be dropped because too many
    sites had the information readily available. This is a matter of hours.
  • Relocating
    Change of address and/or provider. This can be done within a week or
    two if the DNS provider has to be changed; otherwise it can be
    accomplished in hours. A change of the actual address is a nuisance
    for the blockers, but also for the people wanting the information on
    the site.
  • Other Protocols
    Everything that can be put on a web page can be posted on Usenet (News)
    or be made downloadable on IRC (Internet Relay Chat), and probably via
    many more services. On Usenet a news server can choose which groups it
    carries, but this doesn’t help against material posted to the wrong
    group: it is common for people who don’t like each other to crosspost
    to the opposing groups (e.g. rec.startrek and rec.sf-lovers, which
    can’t stand each other). IRC on the other hand is realtime and can’t
    be controlled with technical measures. The same applies to other
    similar services like ICQ and Hotline.
  • Eternity Device
    Published in Phrack #51, the eternity device is a distributed data
    haven into which any data can be put, but from which nothing can ever
    be deleted. Access to the device is granted through an
    Eternity Service
  • Anti-Filtering-Proxy-Proxy
    As mentioned above, this can be used to defeat filtering proxies by
    setting up a reachable proxy gateway on another web server. Anyone
    with a bit of Unix experience can set one up. It’s available
    here
  • Public Proxies
    Several services all over the Internet already offer free proxying for
    anyone. This is mostly used in order to surf anonymously, but these
    proxies also circumvent IP blocks. Well-known services include
    Anonymizer,
    LPWA (Lucent
    Personalized Web Assistant),
    Aixs and the
    Onion Router. To these
    come hundreds of proxy servers (caching proxies like squid and web
    filters like junkbuster) which are not intentionally open to the public
    but can be used anyway.
  • Tunnels
    Sometimes used for piercing filtering firewalls are tunnels, which
    carry the information inside another protocol. This needs some nifty
    technical knowledge. I won’t go into details here, since I can’t
    imagine anyone tunneling just to get some information.
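
The gateways named above (Anonymizer, the Anti-Filtering-Proxy-Proxy) rest on the same mechanism: the page is fetched by the gateway and every link in it is rewritten to point back through the gateway, so the only domain an ISP-side filter ever sees is the gateway’s. As an added illustration, not the code of any of those tools, the following Python sketch implements that rewriting; the gateway address gateway.example, the `url=` query parameter and the sample page are constructed assumptions.

```python
"""Core of a URL-rewriting gateway of the Anonymizer / proxy-proxy kind.
Added illustration, not the tool linked above. The gateway fetches a page
on the user's behalf and rewrites every link so that following it leads
back through the gateway; the only domain an ISP-side filtering proxy ever
sees is the gateway's own. Gateway address and sample page are constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urljoin, urlsplit

GATEWAY = "http://gateway.example/cgi-bin/go"   # assumed gateway (constructed)


def wrap(url: str) -> str:
    """Target URL -> gateway URL carrying the target in its query string."""
    return f"{GATEWAY}?url={quote(url, safe='')}"


def unwrap(gw_url: str) -> str:
    """Gateway URL -> target URL (what the gateway does on each request)."""
    return parse_qs(urlsplit(gw_url).query)["url"][0]


def host_seen_by_filter(url: str) -> str:
    """The domain an ISP-side filtering proxy sees in the request line."""
    return urlsplit(url).hostname


class Rewriter(HTMLParser):
    """Re-emit the page with href/src/action attributes routed via the gateway."""
    REWRITE = {"href", "src", "action"}

    def __init__(self, base_url: str):
        super().__init__(convert_charrefs=False)
        self.base = base_url
        self.out = []

    def _tag(self, tag, attrs, end):
        parts = []
        for name, value in attrs:
            if value is None:               # boolean attribute, e.g. <option selected>
                parts.append(name)
                continue
            if (name in self.REWRITE
                    and not value.startswith(("#", "mailto:", "javascript:"))):
                # Relative links are resolved against the page's own URL first;
                # otherwise the browser would resolve them against the gateway.
                value = wrap(urljoin(self.base, value))
            parts.append(f'{name}="{value}"')
        return "<" + tag + "".join(" " + p for p in parts) + end + ">"

    def handle_starttag(self, tag, attrs):
        self.out.append(self._tag(tag, attrs, ""))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._tag(tag, attrs, " /"))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def rewrite_page(page_url: str, html: str) -> str:
    """Rewrite one fetched page so that every link comes back via the gateway."""
    r = Rewriter(page_url)
    r.feed(html)
    r.close()
    return "".join(r.out)


# Constructed sample page, as the gateway would have fetched it from the site.
PAGE_URL = "http://unpleasant-a.example/index.html"
SAMPLE_HTML = (
    '<html><body>'
    '<a href="/news/index.html">News</a> '
    '<a href="http://other.example/x">Elsewhere</a> '
    '<img src="pics/logo.gif"> '
    '<a href="#top">Top</a>'
    '</body></html>'
)

if __name__ == "__main__":
    print(rewrite_page(PAGE_URL, SAMPLE_HTML))
```

Whatever the user clicks in the rewritten page, the request the filtering proxy sees names gateway.example, so the blocker’s only option is to block the gateway itself, and putting up a new gateway is exactly the step that anyone with a bit of Unix experience can repeat.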

Of course, there are other, non-technical implications of attempts to
censor, most notably relocating the server out of the jurisdiction to a
place with “friendlier” law. But this won’t be covered here; we solely
took a look at the technical possibilities. In the end we have to admit
that blocking sites is of no use and very costly. To block a dozen sites,
a system administrator will surely need at least an hour, which is
going to be very costly if hundreds of sites are to be blocked. On the
other hand, defeating the blocks is a matter of seconds, and heavy
mirroring is not only a circumvention but also increases the cost on the
side of the censor (the BUPO in the above case) and on the side of the
ISPs which have to do the blocking. In the end, nothing is done against
the sites containing the material to be censored; instead a lot of
money is wasted, the hate groups still flourish (or alternatively the
child-pornography traders) and we all lose.

Peter Keel,

1998-08-03

Updated April 14, 1999

“The more prohibitions there are, The poorer the people will be”
— Lao Tse