Internet blocking in Jordan

March 12, 2018


My.Kali is one of the first LGBTQIA-inclusive webzines in the Middle East and North Africa. The magazine was established in 2007 by a group of passionate students with various interests ranging from design to arts and politics. My.Kali strives to address homophobia and transphobia and to empower the youth to defy mainstream gender binaries in the Arab world.

On July 31, 2017, the Jordanian Audiovisual Commission, a government regulator, publicly ordered the blocking of the website because it had not applied to the Minister of Information for a license in accordance with Jordan’s Press and Publication Law. However, in practice, My.Kali has been blocked in Jordan since July 14th 2016 after an interview with Khalid Abdel-Hadi (founder of MyKali) published by the independent media platform Raseef22. The article was headlined, “How do homosexuals live in Jordan?”.

Unblocking My.Kali

Since late January 2018, is hosted with Qurium Media Foundation, in an effort to find ways to make its content available in Jordan. Since then, Qurium maintains a dynamic copy of the website inside of Google Cloud Storage


Understanding the blocking

This report documents how the Internet blocking has been implemented in three Internet Service Providers (ISP) in the country, namely (1) Umniah/Batelco, (2) Orange and (3) Zain. The report shows how two ISPs implement DNS-based blocking and how Zain operates Deep Packet Inspection (DPI) filtering using equipment from Procera.

UMNIAH – DNS tampering


UMNIAH (Umniah Lil-Hawatef Al-Mutanaqelah Co.) is the fourth GSM cellular phone service set up in Jordan. The company is owned by Batelco and routes traffic using the ASN 9038

DNS tampering is taking place in DNS servers used by batelco and umniah in the prefix


DNS tampering is implementing by responding with Response Code 3 (No such name) and 5 (Refused).

RFC 1035 defines the RCODE (Response code) of DNS. Source:


Mobile Devices with enforced DNS servers

UMNIAH offers their customers a rebranded Huawei 4G Mobile Router. The device connects to the 3G/4G/EVO Mobile network and builds a WiFi hostspot that other devices can connect to. The WiFi hostpot offers private IP addresses to the connected users by means of DHCP. The DHCP server built-in in the mobile router announces the very same Mobile router as the local hostspot’s DNS server.
Most of the mobile devices on the market use internally a software like dnsmasq to act as a DNS forwarder and DHCP server of the WiFi Hotspot. UMNIAH uses the Huawei 3g/4g devices such as the E5577, which does not provide means to the user to change the DNS servers used in the WiFi hotspot.

The configuration GUI of the Mobile Router has no option to change the DNS servers offered by DHCP.

Rebranded Huawei 4G Mobile router offered to UMNIAH clients.

Original Huawei 4G Mobile router.


In this customized GUI, UMNIAH offers a link to their portal where all the personal information of the subscriber of the device can be found.

The DNS filtering does not seem fully enforced within the UMNIAH infrastructure. For example, the nameserver with IP is not forwarding the requests to UMNIAH main DNS forwarders but is using Google Open Resolvers instead. The result is that users using the Domain Name Server might not get the domain resolution blocked.

Orange – DNS Tampering

Jordan Telecom Group (Orange) with ASN 8376 blocks Internet content using DNS tampering.

For example, ADSL users are redirected to two private DNS servers ( and that filter DNS requests. Unfiltered requests are handled by DNS forwarder with IPs, 115 and 178.

The ADSL modem (H108N) from ZTE used by Orange clients.


Traceroute to from the Orange network in Jordan.

In the case of Orange, the DNS tampering is “case sensitive”. In practice that means that DNS requests to the domain are filtered,  while requests to remain unblocked.

ZAIN – Deep Packet Inspection from Procera

Zain is implementing blocking by means of Deep Packet Inspection (DPI). HTTP connections to the website receive RST packets at both sites of the connection. The webserver and the client receive a RST packet that tears down the connection in both sides of the communication.

Packet traces obtained from inside and outside Jordan show that the RST packets have different TTL values that expected from the communicating party. This finding suggests that the traffic is injected or travels back to the webserver via a different and shortest path or location.

In this example, we can see how the expected TTL value from the webserver is 54 but the RST packets have TTL value 56. This higher TTL value suggest that the equipments sits two hops before the IP which corresponds to the website

 31 8.743695 X.X.X.X → 64 TCP 5849 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=1024
 33 8.836966 → X.X.X.X 54 TCP 80 → 5849 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=128
 35 8.837004 X.X.X.X → 64 TCP 5849 → 80 [ACK] Seq=1 Ack=1 Win=29696 Len=0
 37 8.837145 X.X.X.X → 64 HTTP 134 GET / HTTP/1.1 
 39 8.930414 → X.X.X.X 56 TCP 80 → 5849 [RST, ACK] Seq=1 Ack=79 Win=4111360 Len=0


Where is the DPI located?

The DPI is placed close to the upstream routers somewhere between

TTL=56 ?? (1ms)
TTL=54 (

Our tests trying to reach show that:

  • The DPI equipment filters the HTTP Host Header independent of the destination of the traffic. By forging the Host: in connections against we can see the DPI engaged.
  • The DPI equipment acts on both inbound and outbound traffic. The equipment triggers the blocking when someone from outside the Zain network in Jordan places a web connection to any random webserver inside the country.
  • The DPI equipment is monitoring ALL network ports.


All traffic is under DPI

One very interesting finding is that the DPI is not only looking into the traditional port 80 to block HTTP requests to, but it is monitoring ALL traffic to ALL destinations and services. In order to verify this, we connected to a POP3 (mail) server in Jordan and placed HTTP requests against it. The results are presented below.

Test 1: Random domain HTTP requests on port 110

* Connected to ( port 110 (#0)
+OK Dovecot ready.

>GET / HTTP/1.1
>User-Agent: curl/7.38.0
>Accept: */*

* -ERR Unknown command.
* -ERR Unknown command.
* -ERR Unknown command.
* -ERR Too many invalid bad commands.

Test 2: HTTP requests in port 110

* Connected to ( port 110 (#0)
+OK Dovecot ready.

>GET / HTTP/1.1
>User-Agent: curl/7.38.0
>Accept: */*

* Recv failure: Connection reset by peer
* Closing connection 0

These tests verify that DPI is implemented on all TCP ports and directions of the traffic.

How is Zain blocking

The most likely equipment used to block content in Jordan is the Procera box. Procera and Sandvine are since 2015 the same company and the RST, ACK traffic has a signature reported by Citizen Lab as Procera DPI gear.


IP (tos 0x0, ttl 56, id 13330, offset 0, flags [none], proto TCP (6), length 40)

In a press release in 2015 from Procera Networks Inc. it can be read:

“Zain has used Procera for the past three years and the solutions have met the business requirements to help Zain in understanding the customers’ behavior,” said Yousef Al-Mutawe, COO at Zain. “We have decided to continue our partnership with Procera through upgrading the current platform to the new version and adding on top of the data inspection tool the insights analytics solutions.”


How to bypass the blocking?

  1. Readers that suffer from DNS tampering can bypass the blocking using any of these publicly available DNS resolvers
  2. Readers that are blocked by means of DPI (in the case of Zain), can currently reach the website using HTTPS:
  3. Independent of ISP and blocking technique, an updated mirror of the website is available for all readers in the Google Cloud Storage service: