Togoweb.net blocked by Deep Packet Inspection


May 5, 2021

Togoweb, a media project funded in 2017 after the 2017-2018 Togolese protests by Aic Persepectiv, is known for the critical reporting about the Togolese government.

According to Togoweb, their website was first blocked after the presidential election in February 2020. The blocking was in place from the 15th of March 2020 and was removed 10 months later on the 15th of January 2021. The second blocking started on 15th March 2021.

In late April 2021, the Committee to Protect Journalists (CPJ) made Qurium aware of that Togoweb.net was no longer reachable inside Togo. With the help of CPJ, Qurium obtained traffic captures from inside and outside the country to determine what was triggering the blocking.

Traffic captures show inline Deep Packet Inspection

HTTP (80) traffic captures shows that when the domain name is sent in the Host header the traffic flow is dropped.

HTTPS (443) traffic captures show that when the domain name is sent as part of the TLS Hello Client (server_name) the traffic flow is dropped.

To fully confirm that the presence of Deep Packet Inspection is the reason behind the blocking of the website, Qurium performed a series of requests with similar domain names: togowweb.net, t0g0web.com, etc. Only when using *.togoweb.net in both HTTP and HTTPS the traffic was silently dropped. The test suggest the presence of Deep Packet Inspection capable of perform dissect network protocols and apply string matching to specific fields of the communication.

Further tests confirms that the blocking equipment is installed inline within the core infrastructure of AS24691 TogoTelecom.

TogoTelecom mostly uses Nokia SR7 core routers to route their traffic internationally via a few Internet exchanges: LINX (London), Telma (Paris) and local and regional peerings. Togotelecom is also member of the TogoIX.

Nokia SR7 routers have the capability to block domains using a MS-ISA. The MS-ISA is a Integrated Services Adapter for Multi-Service processing, as a resource module within the SR7 router system. According to the documentation URL filtering is limited to the domain name information and supports “flow blocking”

In order to confirm where the blocking was taking place we looked into the Internet routing of the different providers and their peering networks. Our tests showed that traffic drops in the 41.207.161.0/24 network of Togotelecom where the Nokia equipment is hosted.

While we can not fully confirm that Nokia SR7/MS-ISA is being used to block the website, the traffic patterns recorded during blocking are consistent with TogoTelecom border routers capabilities.

To obtain more details, we also mailed to the Nokia representative in Togo and received no answer.