Turkmenistan and their “Golden DPI”

1 July 2019

Free press does not exist in Turkmenistan, where the government, headed by president Gurbanguly Berdymukhammedov controls all media. A small part of the population has access to a highly-censored version of the internet, where all regime critical websites are blocked, as well as all social media platforms.

Qurium has been investigating how Turkmenistan has implemented its wide-spread Internet blocking. During our investigation we have identified several commercial websites being blocked such as yahoo.com, dropbox.com, teamviewer.com, Twitter.com, Facebook.com, Linkedin.com, Youtube.com and Vk.com.

Two websites that are hosted within our infrastructure are blocked inside Turkmenistan: Turkmen.news (Turkmen independent news) and Azadliq.info (Azerbaijan independent news).

The national providers

Most of the traffic that arrives from inside the country comes from provider State Company of Electro Communications Turkmentelecom AS20661. A few other providers peer and operate behind the national operator such as

TMCELL (AS59974 Altyn Asyr CJSC)
Turkmen hemrasi CJSC (AS204579)
The State Bank for Foreign Affairs of Turkmenistan TFEB-AS (AS201558)
Telephone Network of Ashgabat CJSC (AS51495)

Techniques used for blocking

Three different techniques are currently in use to block websites:

DNS spoofing
HTTP Host Header Inspection
IP blocking

DNS spoofing

All Domain Name queries are hijacked in transit and replaced by a bogus response (127.0.0.1). It does not matter which DNS server is queried as responses are always spoofed.

Two responses are always injected with two different TTL values. In our tests we recorded TTL=125 and TTL=126 that suggests that more than one device sits inline of the traffic.

The Deep Packet Inspection (DPI) is hosted in the State Company of Electro Communications Turkmentelecom.

An interesting element of the responses is that the IPID (IP Identification) of the spoofed responses is always 0x7530 (30000).

HTTP Host Header Inspection

The Deep Packet Inspection (DPI) is also inspecting the Host header of the HTTP requests. When we tested turkmen.news and azadliq.info, two reset (RST) packets were injected towards the client and two against the server. The four RST packets seem to originate from the same device(s) that hijacks the DNS traffic.

The TTL values and IPID signature is consistent with the DNS spoofed responses: 0x7530 (30000).

An interesting aspect of the DPI is that it blocks websites independent of what goes before or after the domain name. For example, the DPI will block:

azadliq.info
1azadliq.info
azadliq.info1.

The regex used to block the sites seems to be: (.*)domain.tld(.*)

IP blocking

Other websites being blocked, such as TeamViewer, Yahoo and Twitter seem to be blocked by means of IP blocks using standard IP filters.

133 websites of the top 10K sites

During our investigation we discovered that 133 websites from the Alexa top 10.000 sites worldwide are blocked. The following top-sites are blocked in Turkmenistan:

  youtube.com
  facebook.com
  qq.com
  vk.com
  twitter.com
  instagram.com
  reddit.com
  blogspot.com
  xvideos.com
  imgur.com
  paypal.com
  msn.com
  wordpress.com
  tumblr.com
  pinterest.com
  mediafire.com
  soundcloud.com
  dropbox.com
  bbc.co.uk
  ok.ru
  dailymotion.com
  twimg.com
  vimeo.com
  blogger.com
  yelp.com
  archive.org
  scribd.com
  messenger.com
  wetransfer.com
  livejournal.com
  redtube.com
  yy.com
  cdninstagram.com
  pinimg.com
  line.me
  telegram.org
  bp.blogspot.com
  zippyshare.com
  uptodown.com
  sex.com
  cloudfront.net
  goodreads.com
  flickr.com
  pikabu.ru
  beeg.com
  files.wordpress.com
  spiegel.de
  giphy.com
  naver.jp
  kakao.com
  ytmp3.cc
  kp.ru
  jw.org
  nur.kz
  turbobit.net
  media.tumblr.com
  t-online.de
  reuters.com
  dw.com
  1fichier.com
  yaplakal.com
  badoo.com
  4shared.com
  hurriyet.com.tr
  imagetwist.com
  fb.ru
  surveymonkey.com
  mk.ru
  echo.msk.ru
  sabq.org
  v-s.mobi
  dawn.com
  iz.ru
  rutube.ru
  tut.by
  sozcu.com.tr
  ask.fm
  indianexpress.com
  porno365.cc
  mynet.com
  ixxx.com
  fishki.net
  renren.com
  1xbet.com
  tasnimnews.com
  litres.ru
  yxdown.com
  xunlei.com
  tiktok.com
  bolshoyvopros.ru
  mehrnews.com
  change.org
  movs4u.to
  haberturk.com
  tass.ru
  riafan.ru
  smi2.ru
  daftsex.com
  topwar.ru
  wired.com
  infourok.ru
  fbsbx.com
  rusvesna.su
  shutterfly.com
  mp3juices.cc
  russian7.ru
  rfi.fr
  life.ru
  haber7.com
  obozrevatel.com
  vz.ru
  firefox.com
  livemaster.ru
  foursquare.com
  mashreghnews.ir
  mirtesen.ru
  inosmi.ru
  anysex.com
  kproxy.com
  wday.ru
  pornosveta.net
  sendspace.com
  songsmp3.cool
  tagesspiegel.de
  photobucket.com
  sndcdn.com
  meduza.io
  staticflickr.com
  tvzvezda.ru
  resetera.com
  lilo.org
  pokemonshowdown.com
  newsru.com

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.