[liberationtech] Monitoring Information Controls in Iraq

Ronald Deibert r.deibert at utoronto.ca
Fri Jun 20 14:46:26 PDT 2014


Hi LibTech

I am pleased to announce a new Citizen Lab report "Monitoring Information Controls in Iraq in reaction to ISIS Insurgency."

The full post is here:
https://citizenlab.org/2014/06/monitoring-information-controls-in-iraq/

and pasted below.

Daily Beast has a story about it here:

http://www.thedailybeast.com/articles/2014/06/20/iraq-s-internet-blockade-doesn-t-touch-isis-sites.html

Regards
Ron



Monitoring Information Controls in Iraq in reaction to ISIS Insurgency

June 20, 2014

Tagged: Internet Filtering, Iraq

Categories: Reports and Briefings, Research News

In this report, we document the results of network measurement tests we ran to determine how the Internet is being filtered in Iraq in reaction to ongoing insurgency in the country. The results identify 20 unique URLs that are blocked on three Iraq-based Internet Service Providers. These websites include social media platforms (such as Facebook and Twitter), proxy / circumvention tools (such as Psiphon), and the websites of mobile messaging apps (such as WhatsApp and Viber). Notably, none of the 7 websites we tested that are affiliated with, or supportive of, the jihadist insurgent group the Islamic State in Iraq and Greater Syria (ISIS) were found to be blocked.

Background

The ongoing insurgency within Iraq continues to escalate. In recent weeks, the jihadist group, the Islamic State in Iraq and Greater Syria (ISIS) seized control of the northern provincial capitals Mosul and Tikrit and Iraq’s largest oil refinery. The conflict has led Iraqi Prime Minister, Nouri al-Maliki, to formally request the U.S. military to engage in air strikes to limit the ISIS advances.

Following the seizure of Mosul and Tikrit, the government of Iraq implemented restrictions on Internet accessibility as a means of limiting the ability of ISIS to mobilize and communicate its message. On June 13, 2014, reports emerged that numerous social media platforms, including Facebook, Twitter, and YouTube, had been blocked. By June 16, reports suggested that Ministry of Communications officials had ordered a complete Internet shutdown in certain regions. These reports are confirmed by BGP data from Renesys:


Figure 1: Renesys BGP Data showing reduction in reachable networks as a result of the shutdown. SOURCE

Similarly, traffic from the content delivery network Akamai dropped off substantially following the reported shutdown and blocks:


Figure 2: Traffic from Akamai content delivery network to Iraq in June 2014. SOURCE

A letter allegedly leaked from the Ministry of Communications details these outages, indicating the ISIS-held provinces in which Internet access was to be blocked completely. In addition, the letter lists websites and platforms (which included Facebook, Twitter, YouTube, Viber, Skype, and others) to be blocked.

More recently, on the morning of June 20, measurements from the RIPE Network Coordination Centre showed 4 of the 38 networks in Iraq went offline, including Earthlink, as shown in Figure 3:


Figure 3: RIPE NCC measurements of ASNs in Iraq. SOURCE

Renesys reported that these networks were restored several hours later:


Figure 4: Renesys BGP and Traceroute data showing June 20th outage. SOURCE

ISIS actively uses social media to spread its messaging. For example, the group introduced an Android app in April 2014, called The Dawn of Glad Tidings, which leverages Twitter users’ accounts to share ISIS-related tweets. The application was removed from the Google Play store for violating community guidelines.


Figure 5: ISIS Android app Dawn of Glad Tidings. SOURCE

The group also uses well coordinated hashtag campaigns to spread their message, and had their Twitter account shut down after a number of graphic photos of victims attacked by ISIS were shared.

Complete shutdowns of the Internet during political crises have been seen in numerous other countries in recent years, including Egypt and Libya during the 2011 Arab Spring and Syria during the ongoing conflict in the country. We have documented the ways in which sensitive political events, ranging from violent conflict to elections and the hosting of international events, lead to changes in the application of information controls.

Methodology

We used two methods to determine if and how filtering is being applied in Iraq. The first method performs remote lookups of DNS records to identify suspicious results which could be indicative of filtering. The second method undertakes remote testing of website accessibility through proxies. We wrote a script that performs a GET request of a list of websites through six different publicly accessible proxies located in Iraq. We then compare the results of these GET requests with attempts to access the same URLs from the University of Toronto network to identify instances of blocking.

Early reports from Iraq suggested that blocking was performed on some ISPs through DNS tampering. DNS converts domain names (such as “citizenlab.org”) to an IP address (74.208.36.253). If the information in DNS records is tampered with, domain names can resolve to an incorrect IP address, which can lead visitors to a blockpage. In some cases, it is possible to perform lookups of the DNS records used by Iraq-based ISPs remotely, without being connected to that ISP directly. After performing these DNS lookups, we are able to compare the results for a given domain name with what we would expect to see to identify aberrations.

We performed a lookup of a list we compiled of 1,358 URLs to identify suspicious DNS results. We also did GET requests for the URLs on this list on the publicly accessible proxies we found in Iraq. This list contains content ranging from international news sites, social media platforms, and content specific to Iraq’s domestic political, social and cultural context. A full list of URLs tested can be found in the Data section.

Results

From June 16-20, 2014, we tested a list of 1,358 URLs remotely through eight name servers that correspond to the following ISPs:

ISP                           Hostname               IP address      Suspicious result?
IQ Net                        nserver3.iqnet.com     62.201.201.201  Yes
IQ Net                        nserver4.iqnet.com     62.201.201.202  Yes
Earthlink Telecommunications  n/a                    37.239.34.206   Yes
Earthlink Telecommunications  n/a                    37.236.154.55   Yes
ScopeSky                      ns1.itc.iq             185.23.153.242  Yes
ScopeSky                      ns2.itc.iq             185.23.153.243  Yes
Newroz Telecom                ns1.newroztelecom.com  93.91.200.200   No
Newroz Telecom                ns2.newroztelecom.com  93.91.200.201   No

Earthlink Telecommunications

Remote tests of these nameservers showed a number of URLs resolved to the IP address 192.168.222.66, which is a private, non-routable IP address. See this example for a DNS lookup of psiphon.ca:

; <<>> DiG 9.7.0-P1 <<>> psiphon.ca
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38318
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;psiphon.ca.                    IN      A

;; ANSWER SECTION:
psiphon.ca.             300     IN      A       192.168.222.66

From our testing list, the following domains resolve to this IP address:

ec2-174-129-26-64.compute-1.amazonaws.com
hidemyass.com
instagram.com
www.softlayer.com
openvpn.net
plus.google.com
psiphon.ca
twitter.com
ultrasurf.us
www.dmoz.org
www.facebook.com
www.hotspotshield.com
www.skype.com
www.strongvpn.com
www.tango.me
www.viber.com
www.whatsapp.com
www.xroxy.com
www.youtube.com

This result is unexpected. It is abnormal for a domain name to resolve to an IP address that is not publicly routable.

We tested the same list of sites through six Earthlink proxies from June 16 to 20, 2014. When accessing some sites we are redirected to the same IP address (192.168.222.66) and presented with the blockpage pictured in Figure 6.

Although there was some variability between the sites found blocked on the six proxies, the following domains were found blocked at least once on one of the proxies over the four-day period:

hidemyass.com
instagram.com
openvpn.net
twitter.com
ultrasurf.us
www.dmoz.org
www.facebook.com
www.hotspotshield.com
www.skype.com
www.softlayer.com
www.strongvpn.com
www.tango.me
www.viber.com
www.wechat.com
www.whatsapp.com
www.xroxy.com
www.youtube.com
www.gayhealth.com

In addition, when accessing this IP address (192.168.222.66) directly in a web browser, we also see the blockpage pictured in Figure 6.


Figure 6: Blockpage seen using proxy on Earthlink Telecommunications

One interesting result is the block of the URL ec2-174-129-26-64.compute-1.amazonaws.com. This domain naming scheme is consistent with servers hosted on the Amazon EC2 hosting service (a large and popular cloud hosting provider based in the United States). During subsequent testing we found that any domain in the *.compute-*.amazonaws.com domain namespace is blocked on this ISP. For example, the URL http://ec2-174-129-212-31.compute-1.amazonaws.com, which hosts no content other than the default placeholder content of a webserver, is blocked on Earthlink:

 

Figure 7: A side-by-side comparison of accessing the same Amazon EC2 URL in Canada and Iraq.

Given that the content of this URL is benign, it is likely not being targeted for blocking. This block is more likely to be the result of an overzealous filtering pattern used in the configuration of the domain name server.

This block also results in the collateral filtering of any website that is both hosted on the Amazon EC2 service and configured in DNS to use the compute-*.amazonaws.com domain, such as through a canonical name (CNAME) record. Examples of sites that are filtered as a result of this configuration include:

http://www.virtuefitness.com/ – Fitness site

http://www.gayhealth.com/ – Defunct gay health information site

http://www.exoplatform.com/ – Social platform for companies

ScopeSky

From our testing list, five domains resolved to the IP address 185.23.153.235, as shown in this example of a lookup of twitter.com:

;; QUESTION SECTION:
;twitter.com.                   IN      A

;; ANSWER SECTION:
twitter.com.            86400   IN      A       185.23.153.235

;; AUTHORITY SECTION:
twitter.com.            86400   IN      NS      ns1.itc.iq.

185.23.153.235 is an IP address hosted on the ISP ITC in Iraq:

60929   | 185.23.153.235   | ITC Investment and technology group of companies limited,IQ

When visiting this IP address in a web browser, we are presented with the following blockpage:


Figure 8: Blockpage seen on ScopeSky Communications

On this ISP the following domains were found to resolve to this IP address and are blocked:

twitter.com
www.facebook.com
www.viber.com
www.whatsapp.com
www.youtube.com

IQ Net

During the course of testing our list through IQ Net, the nameserver gave responses that delegated the nameserver itself (nserver3.iqnet.com) as authoritative for a number of domains by altering the start of authority (SOA) record. See an example of this in a response for a DNS lookup for www.viber.com:

$ dig +short @62.201.201.201 viber.com SOA
nserver3.iqnet.com. firas.iqnet.com. 2014061301 10800 900 604800 86400

Compare this result to one using a public DNS resolver instead:

$ dig +short @8.8.8.8 viber.com SOA
a1.verisigndns.com. dnssupport.verisign-grs.com. 1384964559 28800 7200 1209600 300

While this result is not itself evidence of deliberate filtering (for example, we may see such a result if a company such as Google were to host servers on the ISP), the list of domains with altered SOA is suspicious and is likely indicative of blocking. The following list of domains returned an altered SOA record when resolving through IQ Net name servers:

google.com
viber.com
whatsapp.com
youtube.com

Newroz Telecom

There were no suspicious results found in tests of the nameservers of this ISP. This result was expected, because this ISP serves the Kurdistan area, and reports have indicated that the shutdown and social media blocking orders did not include Kurdistan.

Summary of results

The websites our tests found to be blocked represent a small number of content categories, and generally correspond with the list of sites ordered to be filtered by the Iraqi Ministry of Communications. We also tested the accessibility of 7 URLs of sites which are affiliated with or supportive of ISIS. We did not find any evidence, through either DNS lookups or proxy testing, that any of these URLs are blocked. Given that the insurgency was cited as the rationale for the shutdown and filtering, this finding is curious.

The following table summarizes the domains we found blocked in Iraq:

Domain                                     Description
ec2-174-129-26-64.compute-1.amazonaws.com  Hosting Provider
hidemyass.com                              Circumvention/Anonymization
instagram.com                              Social media
www.softlayer.com                          Hosting Provider
openvpn.net                                Circumvention/Anonymization
plus.google.com                            Social media
psiphon.ca                                 Circumvention/Anonymization
twitter.com                                Social media
ultrasurf.us                               Circumvention/Anonymization
www.dmoz.org                               Web Portal
www.facebook.com                           Social media
www.hotspotshield.com                      Circumvention/Anonymization
www.skype.com                              Voice-over-IP
www.strongvpn.com                          Circumvention/Anonymization
www.tango.me                               Mobile Messaging App
www.viber.com                              Mobile Messaging App
www.whatsapp.com                           Mobile Messaging App
www.xroxy.com                              Circumvention/Anonymization
www.youtube.com                            Video Sharing
www.wechat.com                             Mobile Messaging App

Circumvention usage in Iraq

In many cases, Internet filtering implemented by DNS tampering is straightforward to circumvent. Users can simply select an alternate DNS service that will perform name resolution correctly. However, this circumvention method can also be manipulated by censors, as seen recently in Turkey, where providers intercepted requests to Google’s public DNS servers in order to prevent censorship circumvention. We have received anecdotal reports from users located in Iraq that using Google’s public DNS servers did not circumvent censorship, suggesting that DNS requests are being hijacked. However, circumvention services have reported increased usage from users based in Iraq.

The circumvention service Psiphon reports a significant increase in users connecting from Iraq starting from June 13 after social media platforms were blocked, as seen in Figure 9. Note that 97% of these users are connected to Psiphon through their mobile phone using the Psiphon Android application.


Figure 9: Daily users of circumvention tool Psiphon in Iraq in June 2014.

 
Similarly, usage of Tor, a popular anonymization tool which can circumvent censorship, has also increased significantly in June:


Figure 10: Directly connecting users of Tor in Iraq in June 2014. SOURCE

Conclusion

Given the volatile situation in the country, it is uncertain how Internet accessibility will be further affected. The Citizen Lab will continue to monitor the situation and post updates to our findings.

Data

A full list of data from these tests can be found at our GitHub repository.

Acknowledgements

This report is by Jakub Dalek, Adam Senft, Helmi Noman, and Masashi Crete-Nishihata.

Ronald Deibert
Director, the Citizen Lab 
and the Canada Centre for Global Security Studies
Munk School of Global Affairs
University of Toronto
(416) 946-8916
PGP: http://deibert.citizenlab.org/pubkey.txt
http://deibert.citizenlab.org/
twitter.com/citizenlab
r.deibert at utoronto.ca
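
The DNS checks described in the report's Methodology and Results sections (private-address answers on Earthlink, one shared answer on ScopeSky, a rewritten SOA on IQ Net), sketched as an added example; this is not Citizen Lab's script and not part of the original post. The record layout, function names and threshold are assumptions, and the sample rows are constructed from values quoted in the report.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log: (resolver, qname, rtype, rdata). Addresses and SOA
# strings are quoted from the report; the Newroz row pairing is made up.
SAMPLE = [
    ("37.239.34.206", "psiphon.ca", "A", "192.168.222.66"),
    ("185.23.153.242", "twitter.com", "A", "185.23.153.235"),
    ("185.23.153.242", "www.facebook.com", "A", "185.23.153.235"),
    ("185.23.153.242", "www.youtube.com", "A", "185.23.153.235"),
    ("62.201.201.201", "viber.com", "SOA",
     "nserver3.iqnet.com. firas.iqnet.com. 2014061301 10800 900 604800 86400"),
    ("93.91.200.200", "citizenlab.org", "A", "74.208.36.253"),
]
# Control SOA from a resolver outside the tested networks (8.8.8.8 in the report).
CONTROL_SOA = {
    "viber.com": "a1.verisigndns.com. dnssupport.verisign-grs.com. "
                 "1384964559 28800 7200 1209600 300",
}

def base_domain(name):
    # Crude grouping by the last two labels; enough for this sample.
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def mname(soa_rdata):
    # The first SOA field is the primary name server.
    return soa_rdata.split()[0].rstrip(".").lower()

def find_suspicious(answers, control_soa, shared_threshold=3):
    findings, by_ip = [], defaultdict(set)
    for resolver, qname, rtype, rdata in answers:
        if rtype == "A":
            if not ipaddress.ip_address(rdata).is_global:
                findings.append((resolver, qname, "non-routable answer " + rdata))
            else:
                by_ip[(resolver, rdata)].add(base_domain(qname))
        elif rtype == "SOA" and qname in control_soa:
            if mname(rdata) != mname(control_soa[qname]):
                findings.append((resolver, qname, "SOA primary is " + mname(rdata)))
    # Heuristic: several unrelated domains answered with one address by one resolver.
    for (resolver, ip), domains in sorted(by_ip.items()):
        if len(domains) >= shared_threshold:
            findings += [(resolver, d, "shared answer " + ip) for d in sorted(domains)]
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE, CONTROL_SOA):
        print(*finding, sep="  ")
```

As the report notes for the SOA case, a hit from any of these checks is a lead to confirm by fetching the page, not proof of filtering on its own.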


