23 September 2020
Following the controversial presidential elections in August 2020, where incumbent president Lukashenko won a “landslide victory” with 80% of the votes, the people of Belarus went to the streets to show their dissatisfaction and claimed the election result to be fraudulent.
The protests quickly grew and the authorities responded with widespread and violent arrests, Internet outages, and the blocking of a large number of news and political websites.
This report investigates the Internet blocking in place in Belarus, focusing on a few selected providers to look deeper into the nature of the hardware used for the blocking and to understand which capabilities are in place. The following four operators have been chosen for the study: Business Network, Beltelecom, A1 and MTS Belarus.
The report is a joint investigation with the Belarusian human rights organization Human Constanta.
Websites with restricted access
The official registry of websites with restricted access in Belarus is not public; it is accessible only to the authorities and to Internet service providers. The registry includes election monitoring initiatives, human rights organizations, websites of political candidates running against Lukashenko, and independent news outlets.
Based on the block list provided by OONI, we have identified how each of the four selected operators blocks each site. In the table, a port number means that interference was observed on that TCP port (80 for HTTP, 443 for HTTPS) and DNS means the domain is blocked through manipulated DNS responses.
Domain | Business telecom | Beltelecom | A1 | MTS |
---|---|---|---|---|
015.by | 443 | |||
afn.by | 80,443 | 80 | 80,443 | DNS |
babariko.vision | 443 | 80 | 80,443 | DNS |
bchd.info | 443 | 80 | 80,443 | DNS |
belarus2020.org | 80 | 80,443 | DNS | |
belarusinfocus.info | 443 | DNS | ||
belarus.regnum.ru | 80 | 80 | 80,443 | DNS |
belprauda.org | 80 | 80,443 | DNS | |
belsat.eu | 80 | 80 | 80,443 | DNS |
by.tribuna.com | 80 | 80,443 | DNS | |
charter97.org | 80,443 | 80 | 80,443 | DNS |
elections2020.spring96.org | 443 | 80 | 80,443 | DNS |
eurobelarus.info | 80 | 80 | 80,443 | DNS |
euroradio.fm | 443 | 80 | 80,443 | DNS |
flagshtok.info | 443 | DNS | ||
honestby.org | 443 | 80 | 80,443 | DNS |
gazetaby.com | 80 | 80,443 | DNS | |
hramada.org | 443 | 80 | 80,443 | DNS |
intimby.net | 80,443 | 80 | 80,443 | DNS |
masheka.by | 443 | 80 | 80,443 | DNS |
mfront.net | 80 | 80 | 80,443 | DNS |
mspring.online | 443 | DNS | ||
narodny-opros.info | 80 | 80,443 | DNS | |
news.vitebsk.cc | 443 | 80 | 80,443 | DNS |
opg.ucoz.net | 443 | 80 | 80,443 | DNS |
pramenby.wordpress.com | 80,443 | 80 | 80,443 | DNS |
pramen.io | 80,443 | 80 | 80,443 | DNS |
primaries.by | 443 | 80 | 80,443 | DNS |
progomel.by | 443 | 80 | 80,443 | DNS |
psiphon.ca | 443 | 80 | 80,443 | DNS |
pyx.by | 443 | 80 | 80,443 | DNS |
regnum.ru | 80 | 80 | 80,443 | |
safervpn.com | 443 | 80 | 80,443 | DNS |
spring96.org | 443 | 80 | 80,443 | |
sputnikipogrom.com | 80,443 | 80 | 80,443 | DNS |
statkevich.org | 443 | 80,443 | 80,443 | DNS |
surfshark.com | 443 | 80,443 | 80,443 | DNS |
svaboda2.net | 80 | 80,443 | 80,443 | DNS |
tip.by | DNS | |||
tsepkalo.com | 80 | 80,443 | 80,443 | DNS |
tsepkalo.info | 443 | 80,443 | 80,443 | DNS |
txti.es | 80 | 80,443 | 80,443 | DNS |
ucpb.org | 80 | 80 | 80 | DNS |
udf.by | 80 | 80,443 | 80,443 | DNS |
virtualbrest.by | 443 | 80,443 | 80,443 | DNS |
vitebskspring.org | 443 | 80,443 | 80,443 | DNS |
vkurier.by | 80 | 80,443 | 80,443 | DNS |
vot-tak.tv | 443 | 80,443 | 80,443 | DNS |
www.moyby.com | 443 | DNS | ||
www.politnavigator.net | 443 | 80,443 | 80 | DNS |
www.svaboda.org | 80,443 | 80 | DNS | |
www.the-village.me | 443 | 80 | DNS | |
zapraudu.info | 80 | 80,443 | 80,443 | DNS |
zenmate.com | 443 | 80,443 | 80,443 | DNS |
zona.media | 443 | DNS | ||
zubr.in | 80,443 | 80 | 80,443 | DNS |
Business Network
Business Network is an LLC partly (40%) owned by NTEC (National Traffic Exchange Center).
Many providers run their infrastructure behind the organization ООО “Деловая сеть”, aka bn.by (AS12406).
The provider intercepts HTTP connections and redirects them to 212.98.160{.}60 in the core network of the company.
```http
HTTP/1.1 307 Temporary Redirect
Location: http://212.98.160.60/
```
HTTPS traffic is blocked by injecting spoofed TCP packets with the RST and ACK flags set and a TCP window size of 0x01f6 (502). The injected packets carry IP ID 0.
Inside the company's network we found the server “BLOCK-SERVER.bn.by” with IP 212.98.160{.}157.
Unencrypted connections are redirected to a captive portal with the message:
ACCESS TO THIS INTERNET RESOURCE IS LIMITED
“Access to the resource is limited in pursuance of the decision of the Ministry of Information of the Republic of Belarus, adopted on the basis of the Law of the Republic of Belarus ‘On Mass Media’.”
“Access to the resource is limited on the basis of clause 11 of the Regulations on the procedure for restricting access to information resources (their constituent parts) located on the global computer network Internet.”
Beltelecom
Beltelecom is the national telecommunications company in Belarus, fully owned by the Government of Belarus and operated by the Ministry of Telecommunications.
Beltelecom (AS6697) uses different blocking signatures. HTTP traffic to port 80 is redirected to the IP 82.209.230{.}23 by means of an injected HTTP 302 response:
```http
HTTP/1.1 302 FOUND
Content-Type: text/html
Location: http://82.209.230{.}23
```
The spoofed injected packets carry IP ID 1 and a TCP window size of 0x7fa6 (32678).
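As an added example, not part of the report, the following Go program parses raw IPv4/TCP header bytes and matches the RST/ACK injection fingerprints described for Business Network and Beltelecom above: IP ID 0 with window 502, and IP ID 1 with window 32678. The packet samples are constructed in the code rather than captured, and the provider labels and the assumption that the two fingerprints stay constant are mine.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Signature is an injected-reset fingerprint: the IP ID and TCP window the report observed per provider.
type Signature struct {
	Provider string
	IPID     uint16
	Window   uint16
}

// knownSignatures holds the values from the report; they describe the DPI behaviour seen in September 2020, not a stable constant.
var knownSignatures = []Signature{
	{Provider: "Business Network (AS12406)", IPID: 0, Window: 0x01f6}, // 502
	{Provider: "Beltelecom (AS6697)", IPID: 1, Window: 0x7fa6},        // 32678
}

const (
	flagRST = 0x04
	flagACK = 0x10
)

// Packet holds the IPv4/TCP header fields relevant to fingerprinting an injected segment.
type Packet struct {
	IPID             uint16
	TTL              uint8
	SrcPort, DstPort uint16
	Flags            uint8
	Window           uint16
}

// ParseIPv4TCP decodes the IPv4 header and the fixed part of the TCP header from raw packet bytes.
func ParseIPv4TCP(raw []byte) (Packet, error) {
	var p Packet
	if len(raw) < 20 || raw[0]>>4 != 4 {
		return p, errors.New("not an IPv4 packet")
	}
	ihl := int(raw[0]&0x0f) * 4
	if ihl < 20 || len(raw) < ihl+20 {
		return p, errors.New("truncated packet")
	}
	if raw[9] != 6 {
		return p, errors.New("not TCP")
	}
	p.IPID = binary.BigEndian.Uint16(raw[4:6])
	p.TTL = raw[8]
	tcp := raw[ihl:]
	p.SrcPort = binary.BigEndian.Uint16(tcp[0:2])
	p.DstPort = binary.BigEndian.Uint16(tcp[2:4])
	p.Flags = tcp[13]
	p.Window = binary.BigEndian.Uint16(tcp[14:16])
	return p, nil
}

// MatchInjection returns the provider whose RST/ACK signature the packet matches, or "" if it looks like an ordinary segment.
func MatchInjection(p Packet) string {
	if p.Flags&(flagRST|flagACK) != flagRST|flagACK {
		return ""
	}
	for _, s := range knownSignatures {
		if p.IPID == s.IPID && p.Window == s.Window {
			return s.Provider
		}
	}
	return ""
}

// BuildPacket constructs a minimal IPv4/TCP packet from port 443 (a constructed sample, not a capture).
func BuildPacket(ipid uint16, flags uint8, window uint16) []byte {
	b := make([]byte, 40)
	b[0] = 0x45 // IPv4, header length 20 bytes
	binary.BigEndian.PutUint16(b[2:4], 40)
	binary.BigEndian.PutUint16(b[4:6], ipid)
	b[8] = 64 // TTL
	b[9] = 6  // protocol TCP
	tcp := b[20:]
	binary.BigEndian.PutUint16(tcp[0:2], 443)
	binary.BigEndian.PutUint16(tcp[2:4], 51234)
	tcp[12] = 0x50 // data offset 5 words
	tcp[13] = flags
	binary.BigEndian.PutUint16(tcp[14:16], window)
	return b
}

func main() {
	samples := map[string][]byte{
		"bn-style reset":   BuildPacket(0, flagRST|flagACK, 502),
		"beltelecom reset": BuildPacket(1, flagRST|flagACK, 32678),
		"ordinary ack":     BuildPacket(31337, flagACK, 65535),
	}
	for name, raw := range samples {
		p, err := ParseIPv4TCP(raw)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%-17s ipid=%d win=%d -> %q\n", name, p.IPID, p.Window, MatchInjection(p))
	}
}
```

A fingerprint match on its own is a heuristic: a legitimate host could in principle send a reset with the same window, so a measurement tool would also record the TTL (kept in the Packet struct for that reason) and check whether a genuine response from the server still arrives after the reset. The values are what the report observed and should be re-measured before being relied on.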
Unitary enterprise A1
Unitary enterprise A1 (A1) is the largest private telecom, ICT & content service provider in Belarus.
A1 blocks websites using transparent HTTP and HTTPS proxies based on Squid. The web proxy (reserved.a1.by) only intervenes on connections to the IP addresses of the blocked websites; for those it sends an HTTP 302 redirect:
```http
HTTP/1.1 302 Found
Server: squid
Mime-Version: 1.0
Date: Mon, 14 Sep 2020 13:31:25 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 0
Location: https://a1.by/mininfo/
X-Squid-Error: 403 Access Denied
X-Cache: MISS from reserved.a1.by
X-Cache-Lookup: NONE from reserved.a1.by:3128
Via: 1.1 reserved.a1.by (squid)
Connection: keep-alive
```
The proxy also hijacks HTTPS sessions, forging certificates with the commonName “Atlant-Telecom HTTPS Proxy”.
When the user accepts the certificate, the browser is redirected to a captive portal at hxxps://www.a1.by/mininfo/.
Forged certificates impersonate domains and their Subjects
A1 forges all the X.509 certificates of the blocked websites. Instead of creating an entirely new self-signed certificate, they keep some values of the original certificate (the Subject field and the validity period) and replace only the Issuer and the cryptographic material.
The Subject field of an X.509 certificate identifies the entity the public key belongs to. For example, the forged certificate for zenmate.com changed the Issuer from Cloudflare to Atlant-Telecom but kept Cloudflare's details in the Subject field.
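The forgery pattern described above, as an added example that is not code from the report: a Go program that builds a constructed genuine certificate for zenmate.com, then a copy the way the proxy would make it (same Subject and validity, new key, Issuer set to “Atlant-Telecom HTTPS Proxy”), and inspects both the way a client-side check would, by verifying the chain against the trusted root and comparing Subject, Issuer and SPKI pin against the certificate it expected. The CA names, the Subject contents and the validity period are constructed stand-ins; only the proxy's commonName and the host name come from the report.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// sign issues tmpl signed by parent's key; CreateCertificate copies parent.Subject into the new Issuer.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by the library parses cleanly
	return cert
}

// newCA creates a self-signed CA with the given common name (P-256 key, demo only).
func newCA(cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// newLeaf issues a server certificate for host with a fresh key, the given Subject and validity, signed by ca.
func newLeaf(host string, subject pkix.Name, notBefore, notAfter time.Time, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      subject,
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value public-key pinning compares.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Verdict summarises how a certificate observed on the wire relates to the one expected for the host.
type Verdict struct {
	ChainValid       bool // chains to a trusted root and matches the host name
	SubjectPreserved bool // Subject identical to the expected certificate
	IssuerChanged    bool // Issuer differs from the expected certificate
	KeyChanged       bool // SPKI pin differs from the expected certificate
}

// Inspect verifies the observed chain and compares Subject, Issuer and key pin with the expected certificate.
func Inspect(host string, observed, expected *x509.Certificate, roots *x509.CertPool) Verdict {
	_, err := observed.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return Verdict{
		ChainValid:       err == nil,
		SubjectPreserved: observed.Subject.String() == expected.Subject.String(),
		IssuerChanged:    observed.Issuer.String() != expected.Issuer.String(),
		KeyChanged:       spkiPin(observed) != spkiPin(expected),
	}
}

// Scenario builds a constructed genuine certificate for zenmate.com and a proxy-forged copy, then inspects both.
func Scenario() (genuine, forged Verdict) {
	host := "zenmate.com"
	subject := pkix.Name{CommonName: host, Organization: []string{"Cloudflare, Inc."}} // constructed stand-in for the real Subject
	notBefore, notAfter := time.Now().Add(-24*time.Hour), time.Now().Add(90*24*time.Hour)
	realCA, realKey := newCA("Constructed Public CA", 1) // stands in for the real issuer
	proxyCA, proxyKey := newCA("Atlant-Telecom HTTPS Proxy", 2)
	realLeaf := newLeaf(host, subject, notBefore, notAfter, 10, realCA, realKey)
	// The forgery keeps Subject and validity but carries a new key and the proxy's Issuer, as the report describes.
	forgedLeaf := newLeaf(host, subject, notBefore, notAfter, 11, proxyCA, proxyKey)
	roots := x509.NewCertPool()
	roots.AddCert(realCA) // the client trusts only the genuine CA
	return Inspect(host, realLeaf, realLeaf, roots), Inspect(host, forgedLeaf, realLeaf, roots)
}

func main() {
	g, f := Scenario()
	fmt.Printf("genuine: %+v\nforged:  %+v\n", g, f)
}
```

The chain failure is what makes the browser show the warning the user has to click through; the other three fields are what distinguishes this particular interception from an ordinary certificate rotation, where the Subject and Issuer normally stay the same and only the key changes. A censorship-measurement client that stores the expected certificate (or just its SPKI pin) for each monitored domain can report the pattern directly instead of only logging a TLS error.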
Mobile TeleSystems Belarus
Mobile TeleSystems (MTS) is the largest mobile network operator in Russia, also serving Armenia and Belarus. The largest owner of MTS Belarus is Beltelecom (51% of shares), the national telecommunications company of Belarus.
Mobile TeleSystems Belarus (MTSBY, AS25106) enforces the blocking using its DNS servers 134.17.1.1 and 134.17.1.0. When a blocked website is requested, the DNS server responds with the A record 134.17.0{.}7. SOA queries for the same domains receive no answer.
A self-signed certificate valid for 274 years is served on 134.17.0{.}7 with the name “Default Company Ltd”. Once the certificate is accepted, the browser receives an HTTP 301 redirect to hxxps://internet.mts.by/blocked:
```http
HTTP/1.1 301 Moved Permanently
Date: Sat, 15 Sep 2020 11:43:37 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Location: hxxps://internet.mts.by/blocked
Content-Length: 240
Content-Type: text/html; charset=iso-885-1
```
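The DNS-based blocking above, as an added example not taken from the report: a Go program that constructs a DNS response of the kind a blocking resolver returns (a single A record pointing at 134.17.0{.}7), parses the answer section, and flags answers that resolve to that address. Only the sinkhole address and the AS number come from the report; the queried domains and the ordinary answer used for comparison are constructed, and the minimal parser covers only what such a response needs (name compression pointers and A records).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// mtsSinkhole is the address the report observed MTS Belarus (AS25106) returning for blocked domains.
const mtsSinkhole = "134.17.0.7"

// encodeName converts "charter97.org" into DNS wire-format labels.
func encodeName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		out = append(out, byte(len(label)))
		out = append(out, label...)
	}
	return append(out, 0)
}

// BuildAResponse constructs a DNS response answering name with one A record (constructed sample, not a capture).
func BuildAResponse(id uint16, name, addr string) []byte {
	msg := []byte{byte(id >> 8), byte(id), 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0} // ID, flags QR|RD|RA, QD=1, AN=1, NS=0, AR=0
	msg = append(msg, encodeName(name)...)
	msg = append(msg, 0, 1, 0, 1)                                 // QTYPE A, QCLASS IN
	msg = append(msg, 0xc0, 0x0c, 0, 1, 0, 1, 0, 0, 0, 60, 0, 4) // answer: pointer to qname, A, IN, TTL 60, RDLENGTH 4
	return append(msg, net.ParseIP(addr).To4()...)
}

// skipName returns the offset just past a possibly compressed name that starts at off.
func skipName(msg []byte, off int) (int, error) {
	for off < len(msg) {
		l := int(msg[off])
		if l == 0 {
			return off + 1, nil
		}
		if l&0xc0 == 0xc0 {
			return off + 2, nil // a compression pointer ends the name
		}
		off += 1 + l
	}
	return 0, errors.New("truncated name")
}

// ParseAAnswers extracts every IPv4 address from the answer section of a DNS response.
func ParseAAnswers(msg []byte) ([]net.IP, error) {
	if len(msg) < 12 || msg[2]&0x80 == 0 {
		return nil, errors.New("not a DNS response")
	}
	qd, an := int(binary.BigEndian.Uint16(msg[4:6])), int(binary.BigEndian.Uint16(msg[6:8]))
	off, err := 12, error(nil)
	for i := 0; i < qd; i++ { // questions carry no rdata: name, QTYPE, QCLASS
		if off, err = skipName(msg, off); err != nil {
			return nil, err
		}
		off += 4
	}
	var ips []net.IP
	for i := 0; i < an; i++ {
		if off, err = skipName(msg, off); err != nil {
			return nil, err
		}
		if off+10 > len(msg) {
			return nil, errors.New("truncated answer")
		}
		typ := binary.BigEndian.Uint16(msg[off : off+2])
		rdlen := int(binary.BigEndian.Uint16(msg[off+8 : off+10]))
		off += 10
		if typ == 1 && rdlen == 4 && off+4 <= len(msg) { // a truncated A record is skipped rather than read out of bounds
			ips = append(ips, net.IP(msg[off:off+4]))
		}
		off += rdlen
	}
	return ips, nil
}

// IsSinkholed reports whether the response resolves the queried name to the blocking address from the report.
func IsSinkholed(msg []byte) (bool, error) {
	ips, err := ParseAAnswers(msg)
	if err != nil {
		return false, err
	}
	for _, ip := range ips {
		if ip.String() == mtsSinkhole {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	for _, s := range [][2]string{{"charter97.org", "134.17.0.7"}, {"example.com", "93.184.216.34"}} {
		hit, err := IsSinkholed(BuildAResponse(0x1234, s[0], s[1]))
		fmt.Printf("%s -> %s sinkhole=%v err=%v\n", s[0], s[1], hit, err)
	}
}
```

In a monitoring setup the same check would be run on answers from the provider's resolvers (134.17.1.1 and 134.17.1.0 in the report) and from an independent resolver, flagging domains where only the provider's answer is the sinkhole; the missing SOA answers the report mentions are a second signal worth recording alongside it.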
Conclusions
- The Internet blocking in Belarus is implemented within the infrastructure of each provider, not at a central level.
- The techniques used include:
  - HTTP: transparent web proxies
  - HTTP: injection of HTTP responses
  - HTTPS: stateless and stateful SSL DPI
  - DNS: fake DNS responses
- The list of blocked websites is not 100% consistent between the providers, but there is a very high degree of overlap, which suggests that a list of websites has been provided to the ISPs for blocking.
Recommended reading
OONI, in collaboration with Human Constanta, has published a comprehensive report on Internet blocking in Belarus.
Media coverage
- [23 Sept 2020] Security Affairs How do providers implement Internet blocking in Belarus?
- [23 Sept 2020] Il Manifesto La Bielorussia ha messo il bavaglio al web