Internet blocking in Belarus

23 September 2020

Following the controversial presidential elections in August 2020, where incumbent president Lukashenko won a “landslide victory” with 80% of the votes, the people of Belarus went to the streets to show their dissatisfaction and claimed the election result to be fraudulent.

The protests quickly grow and the authorities responded with widespread and violent arrests, Internet outage, and blocking of a large amount of news and political websites.

This report investigates the Internet blocking in place in Belarus, focusing on a few selected providers to look deeper into the nature of the hardware used for the blocking and to understand which capabilities that are in place. The following four operators have been chosen for the study:

  1. Business Network
  2. Beltelecom
  3. Unitary Enterprise A1 (A1)
  4. Mobile TeleSystems Belarus (MTS)

The report is a joint investigation with the Belarusian human rights organization Human Constanta.

Websites with restricted access

The official registry of websites with restricted access in Belarus is not public, but only accessible to the authorities and internet service providers. The registry includes election monitoring initiatives, human rights organizations, websites of political candidates to Lukashenko, and independent news outlets.

Based on the block list provided by OONI, we have identified the blocking in place by the four selected operators for each blocked site.

DomainBusiness telecomBeltelecomA1MTS
015.by443
afn.by80,4438080,443DNS
babariko.vision4438080,443DNS
bchd.info4438080,443DNS
belarus2020.org8080,443DNS
belarusinfocus.info443DNS
belarus.regnum.ru808080,443DNS
belprauda.org8080,443DNS
belsat.eu808080,443DNS
by.tribuna.com8080,443DNS
charter97.org80,4438080,443DNS
elections2020.spring96.org4438080,443DNS
eurobelarus.info808080,443DNS
euroradio.fm4438080,443DNS
flagshtok.info443DNS
honestby.org4438080,443DNS
gazetaby.com8080,443DNS
hramada.org4438080,443DNS
intimby.net80,4438080,443DNS
masheka.by4438080,443DNS
mfront.net808080,443DNS
mspring.online443DNS
narodny-opros.info8080,443DNS
news.vitebsk.cc4438080,443DNS
opg.ucoz.net4438080,443DNS
pramenby.wordpress.com80,4438080,443DNS
pramen.io80,4438080,443DNS
primaries.by4438080,443DNS
progomel.by4438080,443DNS
psiphon.ca4438080,443DNS
pyx.by4438080,443DNS
regnum.ru808080,443
safervpn.com4438080,443DNS
spring96.org4438080,443
sputnikipogrom.com80,4438080,443DNS
statkevich.org44380,44380,443DNS
surfshark.com44380,44380,443DNS
svaboda2.net8080,44380,443DNS
tip.byDNS
tsepkalo.com8080,44380,443DNS
tsepkalo.info44380,44380,443DNS
txti.es8080,44380,443DNS
ucpb.org808080DNS
udf.by8080,44380,443DNS
virtualbrest.by44380,44380,443DNS
vitebskspring.org44380,44380,443DNS
vkurier.by8080,44380,443DNS
vot-tak.tv44380,44380,443DNS
www.moyby.com443DNS
www.politnavigator.net44380,44380DNS
www.svaboda.org80,44380DNS
www.the-village.me44380DNS
zapraudu.info8080,44380,443DNS
zenmate.com44380,44380,443DNS
zona.media443DNS
zubr.in80,4438080,443DNS

Business Network

Business Network is a LLC party (40%) owned by NTEC (National traffic exchange center).

Many providers run their infrastructure behind the organization Org: ООО “Деловая сеть” aka bn.by (AS12406) .

The provider intercepts HTTP connections and redirects them to 212.98.160{.}60 in the core network of the company.

HTTP/1.1 307 Temporary Redirect
Location: http://212.98.160.60/

HTTPS traffic is blocked by injecting [RST, ACK] packets with Win Size=0x01 0xf6 (502). The spoofed injection contains the IPID=0

Inside of the company we found the server “BLOCK-SERVER.bn.by” with IP 212.98.160{.}157

Non encrypted connections are redirected to a captive portal with the message:

ACCESS TO THIS INTERNET RESOURCE IS LIMITED
“Access to the resource is limited in pursuance of the decision of the Ministry of Information of the Republic of Belarus, adopted on the basis of the Law of the Republic of Belarus “On Mass Media”.
“Access to the resource is limited on the basis of clause 11 of the Regulations on the procedure for restricting access to information resources (their constituent parts) located on the global computer network Internet.”

Beltelecom

Beltelecom is the national telecommunications company in Belarus, fully owned by the Government of Belarus and operated by the Ministry of Telecommunications.

Beltelecom AS6697 uses different blocking signatures. In this case, HTTP traffic to port 80 is redirected to the IP 82.209.230{.}23. Redirection is achieved with a HTTP 302 message.

HTTP/1.1 302 FOUND
Content-Type: text/html
Location: http://82.209.230{.}23

The spoofed injection contains the IPID=1 and Win Size=0x7f 0xa6 (32678)

Unitary enterprise A1

Unitary enterprise A1 (A1) is the largest private telecom, ICT & content service provider in Belarus.

A1 opted to block websites using HTTP and HTTPS transparent proxies based on Squid. The web proxy (reserved.a1.by), only triggers a response for the IP addresses of the blocked websites, sends a HTTP 302 redirect:

 HTTP/1.1 302 Found
 Server: squid
 Mime-Version: 1.0
 Date: Mon, 14 Sep 2020 13:31:25 GMT
 Content-Type: text/html;charset=utf-8
 Content-Length: 0
 Location: https://a1.by/mininfo/
 X-Squid-Error: 403 Access Denied
 X-Cache: MISS from reserved.a1.by
 X-Cache-Lookup: NONE from reserved.a1.by:3128
 Via: 1.1 reserved.a1.by (squid)
 Connection: keep-alive

The proxy also hijacks the HTTPS sessions forging certificates with commonName: Atlant-Telecom HTTPS Proxy

A1 is forging X509 certificates.
A1 forged X509 certificate.

When the user accepts the certificate, it gets redirected to a captive portal hxxps://www.a1.by/mininfo/

Captive portal of A1 presenting the block message.

Forged certificates impersonate Domains and its Subjects

A1 forges all the X509 certificates of the blocked websites. Instead of creating a totally new self-signed certificate, they opted for keeping some of the values of the original certificate (Subject field and Validity) and replace the Issuer and crypto material only.

The Subject field of a X509 certificate is the entity that its public key is associated with. For example the certificate of zenmate.com changed “Issuer” from Cloudflare to Atlant-Telecom but kept Cloudflare details in the certificate in the Subject field.

Forged certificates impersonate Domains and its Subjects.

Mobile TeleSystems Belarus

Mobile TeleSystems (MTS) is the largest mobile network operator in Russia, also serving Armenia and Belarus. The largest owner of MTS Belarus is Beltelecom (51% of shares), the national telecommunications company of Belarus.

Mobile TeleSystems Belarus (MTSBY AS25106) enforces the blocking using their DNS servers 134.17.1.1 and 134.17.1.0. When a blocked website is requested, the DNS server responds with A record 134.17.0{.}7. SOA request for the same domains are not responded.

A self-signed certificate valid for 274 years is served in 134.17.0{.}7 with the name “Default Company Ltd”. Once the certificate is accepted the browser receives a HTTP 301 redirect to hxxps://internet.mts.by/blocked

HTTP/1.1 301 Moved Permanently
Date: Sat, 15 Sep 2020 11:43:37 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Location: hxxps://internet.mts.by/blocked
< Content-Length: 240
< Content-Type: text/html; charset=iso-885-1

MTS Belarus forged certificate.
Block page provided by MTS Belarus.
MTS Belarus’ certificate for blocked sites.

Conclusions

  • The Internet blocking in Belarus is implemented within the infrastructure of each provider, and not on a central level.
  • The techniques used include:
    • HTTP: transparent web proxies
    • injection of HTTP responses
    • HTTPS: stateless and stateful SSL DPI
    • Fake DNS responses
  • The list of blocked websites is not 100% consistent between the providers, but there is a very high degree of overlap that suggest that a list of websites have been provided to the ISPs for blocking.

Recommended reading

OONI in collaboration with Human Constanta have published a comprehensive report on Internet blocking in Belarus.

Media coverage