March 12, 2018
My.Kali is one of the first LGBTQIA-inclusive webzines in the Middle East and North Africa. The magazine was established in 2007 by a group of passionate students with various interests ranging from design to arts and politics. My.Kali strives to address homophobia and transphobia and to empower the youth to defy mainstream gender binaries in the Arab world.
On July 31, 2017, the Jordanian Audiovisual Commission, a government regulator, publicly ordered the blocking of the website because it had not applied to the Minister of Information for a license in accordance with Jordan’s Press and Publication Law. However, in practice, My.Kali has been blocked in Jordan since July 14, 2016, after an interview with Khalid Abdel-Hadi (founder of MyKali) was published by the independent media platform Raseef22. The article was headlined, “How do homosexuals live in Jordan?”.
Since late January 2018, mykalimag.com has been hosted by Qurium Media Foundation in an effort to find ways to make its content available in Jordan. Since then, Qurium has maintained a dynamic copy of the website in Google Cloud Storage: https://storage.googleapis.com/qurium/mykalimag.com/index.html
Understanding the blocking
This report documents how the Internet blocking has been implemented in three Internet Service Providers (ISP) in the country, namely (1) Umniah/Batelco, (2) Orange and (3) Zain. The report shows how two ISPs implement DNS-based blocking and how Zain operates Deep Packet Inspection (DPI) filtering using equipment from Procera.
UMNIAH – DNS tampering
UMNIAH (Umniah Lil-Hawatef Al-Mutanaqelah Co.) is the fourth GSM cellular phone service set up in Jordan. The company is owned by Batelco and routes traffic using ASN 9038.
DNS tampering is implemented by responding with Response Code 3 (No such name) and 5 (Refused).
Mobile Devices with enforced DNS servers
UMNIAH offers its customers a rebranded Huawei 4G Mobile Router. The device connects to the 3G/4G/EVO mobile network and builds a WiFi hotspot that other devices can connect to. The WiFi hotspot offers private IP addresses to the connected users by means of DHCP. The DHCP server built into the mobile router announces the mobile router itself as the local hotspot’s DNS server.
Most of the mobile devices on the market internally use software such as dnsmasq to act as the DNS forwarder and DHCP server of the WiFi hotspot. UMNIAH uses Huawei 3G/4G devices such as the E5577, which gives the user no means to change the DNS servers used in the WiFi hotspot.
The configuration GUI of the Mobile Router has no option to change the DNS servers offered by DHCP.
In this customized GUI, UMNIAH offers a link to their portal where all the personal information of the subscriber of the device can be found.
The DNS filtering does not seem to be fully enforced within the UMNIAH infrastructure. For example, the nameserver dns01.umniahcloud.com with IP 18.104.22.168 does not forward requests to the main UMNIAH DNS forwarders but uses Google’s open resolvers instead. As a result, users of the nameserver dns01.umniahcloud.com might not get the domain resolution blocked.
Orange – DNS Tampering
Jordan Telecom Group (Orange) with ASN 8376 blocks Internet content using DNS tampering.
For example, ADSL users are redirected to two private DNS servers (10.50.6.88 and 10.50.6.130) that filter DNS requests. Unfiltered requests are handled by DNS forwarder orange-cache-odns-c.go.com.jo with IPs 22.214.171.124, 115 and 178.
In the case of Orange, the DNS tampering is “case sensitive”. In practice that means that DNS requests to the domain mykalimag.com are filtered, while requests to MyKaliMAG.com remain unblocked.
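As an added illustration, not part of the original report, the following Python script builds a raw DNS query, reads the RCODE of a reply and compares an ISP resolver's answer with a control resolver's, so that the RCODE 3/5 pattern seen at UMNIAH and the case-sensitive filtering seen at Orange can be checked from any vantage point. The transaction id, the case-randomisation seed and the offline replies are assumptions constructed for the example.

```python
import random
import socket
import struct

RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query, RD=1; label case is sent exactly as given."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def mixed_case(name: str, seed: int = 7) -> str:
    """Randomise letter case (0x20-style); a correct resolver treats it the same."""
    rnd = random.Random(seed)
    return "".join(c.upper() if rnd.random() < 0.5 else c.lower() for c in name)

def rcode_of(resp: bytes) -> int:
    """RCODE is the low 4 bits of the flags word (bytes 2-3 of the header)."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", resp[2:4])[0] & 0x0F

def classify(isp_resp: bytes, control_resp: bytes) -> str:
    """NXDOMAIN/REFUSED from the ISP resolver while a control resolver answers
    NOERROR is the tampering pattern described in the report."""
    a, b = rcode_of(isp_resp), rcode_of(control_resp)
    if a in (3, 5) and b == 0:
        return f"TAMPERED: ISP {RCODE[a]}, control {RCODE[b]}"
    if a == b:
        return f"CONSISTENT: {RCODE.get(a, a)}"
    return f"INCONSISTENT: ISP {RCODE.get(a, a)}, control {RCODE.get(b, b)}"

def query(server: str, name: str, timeout: float = 3.0) -> bytes:
    """Send the query over UDP/53 and return the raw reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recv(512)

def fake_reply(q: bytes, rcode: int) -> bytes:
    """Constructed reply for offline use: echo the question, set QR/RD/RA and RCODE."""
    return q[:2] + struct.pack("!H", 0x8180 | rcode) + q[4:]

if __name__ == "__main__":
    q = build_query("mykalimag.com")
    print(classify(fake_reply(q, 5), fake_reply(q, 0)))  # RCODE 5 vs clean control
    print(mixed_case("mykalimag.com"))  # re-query with this name to test case sensitivity
```

To run a live comparison, call query() once against the ISP resolver and once against a control resolver with the same name, then pass both replies to classify().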
ZAIN – Deep Packet Inspection from Procera
Zain implements blocking by means of Deep Packet Inspection (DPI). HTTP connections to the website receive RST packets at both ends of the connection: the webserver and the client each receive an RST packet that tears down the connection on both sides of the communication.
Packet traces obtained from inside and outside Jordan show that the RST packets have TTL values different from those expected from the communicating party. This finding suggests that the traffic is injected, or travels back to the webserver via a different and shorter path or location.
In this example, we can see that the expected TTL value from the webserver is 54, but the RST packets have a TTL value of 56. This higher TTL value suggests that the equipment sits two hops before the IP 126.96.36.199, which corresponds to the website zain.jo.
31 8.743695 X.X.X.X → 188.8.131.52 64 TCP 5849 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=1024
33 8.836966 184.108.40.206 → X.X.X.X 54 TCP 80 → 5849 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=128
35 8.837004 X.X.X.X → 220.127.116.11 64 TCP 5849 → 80 [ACK] Seq=1 Ack=1 Win=29696 Len=0
37 8.837145 X.X.X.X → 18.104.22.168 64 HTTP 134 GET / HTTP/1.1
39 8.930414 22.214.171.124 → X.X.X.X 56 TCP 80 → 5849 [RST, ACK] Seq=1 Ack=79 Win=4111360 Len=0
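The following Python script, added here and not part of the original report, applies the TTL comparison described above to a trace: it learns each peer's TTL from the handshake and flags any RST from that peer whose TTL differs. The trace embedded in it is constructed to mirror the capture shown above, with the endpoints renamed C and S.

```python
import re

# Constructed tshark-style summary (frame time src -> dst ttl proto info), modelled on
# the capture above with the client as C and the web server as S; not real traffic.
TRACE = """\
31 8.743695 C -> S 64 TCP 5849 -> 80 [SYN] Seq=0 Win=29200 Len=0
33 8.836966 S -> C 54 TCP 80 -> 5849 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0
35 8.837004 C -> S 64 TCP 5849 -> 80 [ACK] Seq=1 Ack=1 Win=29696 Len=0
37 8.837145 C -> S 64 HTTP GET / HTTP/1.1
39 8.930414 S -> C 56 TCP 80 -> 5849 [RST, ACK] Seq=1 Ack=79 Win=4111360 Len=0
"""

LINE_RE = re.compile(r"^(\d+)\s+[\d.]+\s+(\S+) -> (\S+)\s+(\d+)\s+(\S+)\s+(.*)$")
TCP_RE = re.compile(r"^(\d+) -> (\d+) \[([A-Z, ]+)\]")

def find_injected_resets(trace: str) -> list:
    """Record the TTL each peer used during the handshake (SYN or SYN/ACK), then flag
    any RST from that peer whose TTL differs. A genuine RST follows the same path as
    the handshake; a differing TTL means another device on the path emitted it, and
    (rst_ttl - expected_ttl) is how many hops closer than the peer that device sits."""
    handshake_ttl = {}  # (src, dst, sport, dport) -> TTL seen in SYN / SYN,ACK
    findings = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        frame, src, dst, ttl, proto, info = m.groups()
        t = TCP_RE.match(info) if proto == "TCP" else None
        if not t:
            continue
        sport, dport, flags = t.groups()
        key, ttl = (src, dst, sport, dport), int(ttl)
        if "SYN" in flags:
            handshake_ttl[key] = ttl
        elif "RST" in flags and key in handshake_ttl and handshake_ttl[key] != ttl:
            findings.append({"frame": int(frame), "claimed_sender": src,
                             "expected_ttl": handshake_ttl[key], "rst_ttl": ttl,
                             "hops_closer_than_peer": ttl - handshake_ttl[key]})
    return findings

if __name__ == "__main__":
    for f in find_injected_resets(TRACE):
        print(f)
```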
Where is the DPI located?
The DPI is placed close to the upstream routers somewhere between
TTL=57 126.96.36.199
TTL=56 ?? (1ms)
TTL=55 188.8.131.52
TTL=54 www.zain.jo (184.108.40.206)
Our tests trying to reach mykalimag.com show that:
- The DPI equipment filters the HTTP Host Header independent of the destination of the traffic. By forging the Host: mykalimag.com in connections against www.zain.jo we can see the DPI engaged.
- The DPI equipment acts on both inbound and outbound traffic. The equipment triggers the blocking when someone from outside the Zain network in Jordan opens a web connection to any random webserver inside the country.
- The DPI equipment is monitoring ALL network ports.
All traffic is under DPI
One very interesting finding is that the DPI does not only look at the traditional port 80 to block HTTP requests to mykalimag.com, but monitors ALL traffic to ALL destinations and services. To verify this, we connected to a POP3 (mail) server in Jordan and placed HTTP requests against it. The results are presented below.
Test 1: Random domain HTTP requests on port 110
* Connected to 220.127.116.11 (18.104.22.168) port 110 (#0)
+OK Dovecot ready.
>GET / HTTP/1.1
>User-Agent: curl/7.38.0
>Accept: */*
>Host: www.dpi-in-all-ports.com
* -ERR Unknown command.
* -ERR Unknown command.
* -ERR Unknown command.
* -ERR Too many invalid bad commands.
Test 2: mykalimag.com HTTP requests in port 110
* Connected to 22.214.171.124 (126.96.36.199) port 110 (#0)
+OK Dovecot ready.
>GET / HTTP/1.1
>User-Agent: curl/7.38.0
>Accept: */*
>Host: www.mykalimag.com
* Recv failure: Connection reset by peer
* Closing connection 0
These tests verify that DPI is implemented on all TCP ports and directions of the traffic.
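As an added example (not code from the report), this Python helper automates the POP3-port test above: it sends the same HTTP request to an arbitrary TCP port once with a control Host header and once with the target Host header, then compares the two outcomes. The default control header name is taken from the test output above; the target host and port are supplied by the caller.

```python
import socket

def build_probe_request(host_header: str) -> bytes:
    """Minimal HTTP/1.1 request; only the Host header varies between probes."""
    return (f"GET / HTTP/1.1\r\nUser-Agent: probe\r\nAccept: */*\r\n"
            f"Host: {host_header}\r\n\r\n").encode("ascii")

def http_probe(host: str, port: int, host_header: str, timeout: float = 5.0) -> str:
    """Connect to any TCP port, send the HTTP request and describe what came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_probe_request(host_header))
            data = s.recv(1024)
    except ConnectionResetError:
        return "RESET"
    except OSError as exc:  # timeouts and refused connections land here
        return f"ERROR: {exc}"
    if not data:
        return "CLOSED"
    # First line only: the service greeting or its own protocol error
    return "ANSWERED: " + data.split(b"\r\n")[0].decode("ascii", errors="replace")

def classify_probe(control: str, target: str) -> str:
    """control = outcome with an arbitrary Host, target = outcome with the blocked Host.
    The service answering in its own protocol on the control probe while the target
    probe is reset is the all-ports Host-header DPI signature from the report."""
    if control.startswith("ANSWERED") and target == "RESET":
        return "HOST-HEADER DPI ON THIS PORT"
    if control == target:
        return "NO HOST-DEPENDENT DIFFERENCE"
    return f"INCONCLUSIVE (control={control}, target={target})"

def probe_port(host: str, port: int, blocked_host: str,
               control_host: str = "www.dpi-in-all-ports.com") -> str:
    """Run both probes against one service and return the verdict (needs network)."""
    return classify_probe(http_probe(host, port, control_host),
                          http_probe(host, port, blocked_host))
```

Running probe_port() against a non-HTTP service on several ports from inside and outside the network reproduces the direction and port coverage checks described above.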
How is Zain blocking Mykalimag.com?
The most likely equipment used to block content in Jordan is a Procera box. Procera and Sandvine have been the same company since 2015, and the RST,ACK traffic carries a signature that Citizen Lab has reported as Procera DPI gear.
IP (tos 0x0, ttl 56, id 13330, offset 0, flags [none], proto TCP (6), length 40)
A 2015 press release from Procera Networks Inc. reads:
“Zain has used Procera for the past three years and the solutions have met the business requirements to help Zain in understanding the customers’ behavior,” said Yousef Al-Mutawe, COO at Zain. “We have decided to continue our partnership with Procera through upgrading the current platform to the new version and adding on top of the data inspection tool the insights analytics solutions.”
How to bypass the blocking?
- Readers that suffer from DNS tampering can bypass the blocking using any of these publicly available DNS resolvers
- Readers that are blocked by means of DPI (in the case of Zain), can currently reach the website using HTTPS: https://www.mykalimag.com
- Independent of ISP and blocking technique, an updated mirror of the website is available for all readers in the Google Cloud Storage service: https://storage.googleapis.com/qurium/mykalimag.com/index.html