Considerations Concerning Blockades
What happens if you try to break a bomb-proof network
On July 23, 1998, the Swiss Federal Police (Bundespolizei, commonly referred to by its abbreviation “BUPO”) sent a letter to about 100 Swiss Internet service providers demanding the blocking of ten web pages containing revisionist, reactionary material from neo-Nazis, antisemites and so on. This letter is available here. I will not go into a political or legal discussion here of whether these sites need to be censored or not, but will simply look at whether it is actually possible to block sites which contain “unpleasant” material.
Well then, let’s take a look at possible methods of blocking.
- DNS-Relocating
 The service which maps domains (e.g. discordia.ch) to IP numbers
 (e.g. 192.168.1.14) can easily be used to block the lookup of
 such domains and relocate the user to some other page. This only
 affects the users who use the respective DNS. Normally, users
 use the DNS of their respective ISP because of speed, but are in
 no way obliged to. Any user can use any DNS in the world. Furthermore,
 any user can bypass the DNS if he already knows the IP address.
 Time needed to block is about 5-15 minutes per domain.
- IP-Blocking
 Depending on equipment, in most places IP-Blocking should be no
 problem either. In this case not only the lookup but the actual
 site really gets blocked. Any attempt to transfer data directly
 to or from the blocked site will fail. The point here is “directly”.
 A heavily used method to reduce traffic on the internet is called
 a proxy. As soon as a page is requested through a proxy it is cached
 there and remains for further reference or until it expires. So
 if a page is accessed via proxy, the proxy actually gets the page,
 caches it and gives a copy to the user. So a user can use a proxy
 somewhere else to bypass the block. Most proxies are private or
 semiprivate, but there are a lot of public proxies out there, like
 Anonymizer. Further problems
 include the fact that there are hosts which serve thousands of
 sites from one address, which cannot be blocked selectively, so
 blocking one of them is a denial of service for all the others.
 Time needed to block a site is about 5-15 minutes.
- Filtering Proxies
 The most restrictive method of blocking a site is to allow access
 to the internet only through a proxying firewall, common in some
 bigger companies. This makes it impossible to get pages directly;
 instead a proxy has to get the file first before the user may get
 it. In most environments (especially ISPs) this is not feasible,
 since a lot of services won’t work anymore (like IRC, CuSeeMe,
 Netmeeting, RealAudio, telnet and many more), due to the inability
 to proxy realtime connections. However, talking only of web pages,
 this has been proven to be bypassable as well; the
 Anti-Filtering-Proxy-Proxy
 defeats this. This method of blocking isn’t trivial to implement,
 will need some months’ time and a firewall, and has such severe drawbacks
 that nobody except high-security environments (which actually want
 to monitor their users) will want to implement it.
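The shared-address problem noted under IP-Blocking, worked through as an added example (not part of the original article): before an address is blocked, an operator can list which unrelated sites would go down with it. The hostnames, addresses and function names below are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: hostname -> IP address. Names use the reserved
# .example TLD and addresses come from documentation ranges (assumptions).
HOSTING = {
    "blocked-one.example": "192.0.2.10",
    "bakery.example": "192.0.2.10",      # shares the address above
    "chess-club.example": "192.0.2.10",  # shares the address above
    "blocked-two.example": "198.51.100.7",
    "school.example": "203.0.113.5",
}
BLOCKLIST = {"blocked-one.example", "blocked-two.example",
             "moved-away.example"}       # last one no longer resolves


def sites_by_address(hosting):
    """Invert the hostname -> address map into address -> set of hostnames."""
    by_ip = defaultdict(set)
    for host, ip in hosting.items():
        by_ip[ip].add(host)
    return by_ip


def ip_block_plan(hosting, blocklist):
    """For each address that must be blocked, list targeted and collateral sites."""
    by_ip = sites_by_address(hosting)
    plan = {}
    for host in blocklist:
        ip = hosting.get(host)
        if ip is None:
            continue  # listed name has relocated; an IP block cannot reach it
        plan[ip] = {
            "targeted": sorted(by_ip[ip] & blocklist),
            "collateral": sorted(by_ip[ip] - blocklist),
        }
    return plan


def collateral_count(plan):
    """Number of unrelated sites denied service by the whole plan."""
    return sum(len(entry["collateral"]) for entry in plan.values())


if __name__ == "__main__":
    plan = ip_block_plan(HOSTING, BLOCKLIST)
    for ip, entry in sorted(plan.items()):
        print(ip, "targeted:", entry["targeted"],
              "collateral:", entry["collateral"])
    print("unrelated sites blocked:", collateral_count(plan))
```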
Not surprisingly, the whole issue has given rise to several
countermeasures against such blockades.
- Mirroring
 Download the whole site and put it up elsewhere as well. This happened
 when the German zine “Radikal” was to be blocked (including its
 provider xs4all). Hundreds of mirrors of Radikal spread everywhere.
 The whole issue had to be dropped because too many sites had the
 information readily available. This is a matter of hours.
- Relocating
 Change of address and/or provider. This can be done within a week
 or two if the provider of the DNS has to be changed. Otherwise this
 can be accomplished in hours. A change of the actual address represents
 a nuisance for blockers as well as for people wanting the
 information on the site.
- Other Protocols
 Everything that can be put on a web page can be posted on Usenet (News)
 or be made downloadable on IRC (Internet Relay Chat), and of course
 probably on many more. While on Usenet only the groups which are wanted
 need to be fetched, this doesn’t help against material published in the
 wrong group. It is common that people who don’t like each other
 crosspost to the opposing groups (e.g. rec.startrek and rec.sf-lovers,
 which can’t stand each other). IRC on the other hand is realtime
 and can’t be controlled with technical measures. The same applies to
 other similar services like ICQ and Hotline.
- Eternity Device
 Published in Phrack #51, the
 eternity device is a distributed data haven, where all data can
 come in, but nothing can ever be deleted. Access to the device is
 granted through an
 Eternity Service.
- Anti-Filtering-Proxy-Proxy
 As mentioned above. This can be used to defeat filtering proxies
 by setting up a reachable proxy gateway on another webserver. Anyone
 with a bit of Unix experience can set one up. It’s available
 here.
- Public Proxies
 Several services all over the internet already offer free proxying
 for anyone. This is mostly used in order to be able to surf anonymously,
 but these proxies also circumvent IP blocks. Well-known services include
 Anonymizer, LPWA (Lucent Personalized Web Assistant), Aixs and the
 Onion Router. In addition to these, there are
 hundreds of proxy servers (caching proxies like squid and web filters
 like junkbuster) which are not intentionally open to the public, but can
 be used anyway.
- Tunnels
 Sometimes used for piercing filtering firewalls
 are tunnels, which carry information through another protocol.
 This needs some nifty technical knowledge. I won’t go into details
 here since I can’t imagine anyone tunneling just to get some information.
Of course, there are other, non-technical implications of attempts to
censor, most notably relocating the server out of jurisdiction to a place
with “friendlier” law. But this won’t be covered here; we solely took
a look at technical possibilities. In the end we have to admit that
blocking sites is of no use and very costly. To block a dozen sites,
a system administrator will surely need at least an hour, which is
going to be very costly if hundreds of sites should be blocked. On the
other hand, defeating the blocks is a matter of seconds, and heavy
mirroring is not only a circumvention but also increases the
cost on the side of the censor (the BUPO in the above case) and on the side of the
ISPs which have to do the blocking. In the end, nothing is done against
the sites containing the material to be censored, but instead a lot of
money will be wasted, the hate groups will still flourish (or alternatively
the child-pornography traders) and we all lose.
Peter Keel,
1998-08-03
Updated April 14, 1999
“The more prohibitions there are, The poorer the people will be”
— Lao Tse