Turkmenistan and their “Golden DPI”


Free press does not exist in Turkmenistan, where the government, headed by President Gurbanguly Berdymukhammedov, controls all media. A small part of the population has access to a highly censored version of the internet, where all regime-critical websites are blocked, as well as all social media platforms.

Qurium has been investigating how Turkmenistan has implemented its widespread Internet blocking. During our investigation we have identified several commercial websites being blocked, such as yahoo.com, dropbox.com, teamviewer.com, Twitter.com, Facebook.com, Linkedin.com, Youtube.com and Vk.com.

Two websites that are hosted within our infrastructure are blocked inside Turkmenistan: Turkmen.news (Turkmen independent news) and Azadliq.info (Azerbaijan independent news).

The national providers

Most of the traffic that arrives from inside the country comes from the provider State Company of Electro Communications Turkmentelecom (AS20661). A few other providers peer and operate behind the national operator, such as:

  • TMCELL (AS59974 Altyn Asyr CJSC)
  • Turkmen hemrasi CJSC (AS204579)
  • The State Bank for Foreign Affairs of Turkmenistan TFEB-AS (AS201558)
  • Telephone Network of Ashgabat CJSC (AS51495)

Techniques used for blocking

Three different techniques are currently in use to block websites:

  • DNS spoofing
  • HTTP Host Header Inspection
  • IP blocking

DNS spoofing

All Domain Name queries are hijacked in transit and replaced by a bogus response (127.0.0.1). It does not matter which DNS server is queried as responses are always spoofed.

Two responses are always injected, with two different TTL values. In our tests we recorded TTL=125 and TTL=126, which suggests that more than one device sits inline with the traffic.

The Deep Packet Inspection (DPI) is hosted in the State Company of Electro Communications Turkmentelecom.

An interesting element of the responses is that the IPID (IP Identification) of the spoofed responses is always 0x7530 (30000).

HTTP Host Header Inspection

The Deep Packet Inspection (DPI) is also inspecting the Host header of the HTTP requests. When we tested turkmen.news and azadliq.info, two reset (RST) packets were injected towards the client and two towards the server. The four RST packets seem to originate from the same device(s) that hijack the DNS traffic.

The TTL values and the IPID signature, 0x7530 (30000), are consistent with the spoofed DNS responses.

An interesting aspect of the DPI is that it blocks websites regardless of what comes before or after the domain name. For example, the DPI will block:

  • azadliq.info
  • 1azadliq.info
  • azadliq.info1.

The regex used to block the sites seems to be: (.*)domain.tld(.*)
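
The fingerprint reported in the DNS spoofing and Host header sections above (IPID 0x7530, answers of 127.0.0.1, injected RST packets) can be checked against raw IPv4 packets from a capture. This is an added example, not Qurium's tooling; the function names, labels and sample packets (example.org, documentation addresses) are constructed for illustration.

```python
import struct

INJECTED_IPID = 0x7530  # IP Identification value this page reports (30000)

def _skip_name(msg, off):  # offset just past a DNS name (labels or a pointer)
    while msg[off]:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def dns_a_records(msg):  # IPv4 addresses in the answer section of a response
    qd, an = struct.unpack("!HH", msg[4:8])
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(map(str, msg[off + 10:off + 14])))
        off += 10 + rdlen
    return addrs

def classify(pkt):  # label one raw IPv4 packet against the fingerprint above
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[4:6] != struct.pack("!H", INJECTED_IPID):
        return "clean"
    proto, l4 = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    try:
        if proto == 17 and l4[:2] == b"\x00\x35" and "127.0.0.1" in dns_a_records(l4[8:]):
            return "spoofed-dns"  # UDP from port 53 answering with loopback
    except (IndexError, struct.error):
        pass  # truncated or malformed DNS payload
    if proto == 6 and len(l4) > 13 and l4[13] & 0x04:
        return "injected-rst"  # TCP segment with the RST flag set
    return "ipid-only"  # weak signal: the IPID alone can match by chance

# Constructed sample builders (documentation addresses, checksums left at zero).
def ipv4(ipid, ttl, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ipid, 0, ttl, proto,
                       0, bytes([192, 0, 2, 53]), bytes([198, 51, 100, 7])) + payload

def dns_reply(ip):
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(ip)
    q = b"\x07example\x03org\x00\x00\x01\x00\x01"
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + q + rr
    return struct.pack("!HHHH", 53, 40000, 8 + len(msg), 0) + msg

RST = struct.pack("!HHIIBBHHH", 80, 40000, 1, 0, 0x50, 0x04, 0, 0, 0)
```

The TTL is at byte 8 of each packet, so matches can also be grouped by TTL to compare with the 125 and 126 values recorded above.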

IP blocking

Other websites being blocked, such as TeamViewer, Yahoo and Twitter, seem to be blocked by means of IP blocks using standard IP filters.

133 websites of the top 10K sites

During our investigation we discovered that 133 websites from the Alexa top 10,000 sites worldwide are blocked. The following top sites are blocked in Turkmenistan:

youtube.com
facebook.com
qq.com
vk.com
twitter.com
instagram.com
reddit.com
blogspot.com
xvideos.com
imgur.com
paypal.com
msn.com
wordpress.com
tumblr.com
pinterest.com
mediafire.com
soundcloud.com
dropbox.com
bbc.co.uk
ok.ru
dailymotion.com
twimg.com
vimeo.com
blogger.com
yelp.com
archive.org
scribd.com
messenger.com
wetransfer.com
livejournal.com
redtube.com
yy.com
cdninstagram.com
pinimg.com
line.me
telegram.org
bp.blogspot.com
zippyshare.com
uptodown.com
sex.com
cloudfront.net
goodreads.com
flickr.com
pikabu.ru
beeg.com
files.wordpress.com
spiegel.de
giphy.com
naver.jp
kakao.com
ytmp3.cc
kp.ru
jw.org
nur.kz
turbobit.net
media.tumblr.com
t-online.de
reuters.com
dw.com
1fichier.com
yaplakal.com
badoo.com
4shared.com
hurriyet.com.tr
imagetwist.com
fb.ru
surveymonkey.com
mk.ru
echo.msk.ru
sabq.org
v-s.mobi
dawn.com
iz.ru
rutube.ru
tut.by
sozcu.com.tr
ask.fm
indianexpress.com
porno365.cc
mynet.com
ixxx.com
fishki.net
renren.com
1xbet.com
tasnimnews.com
litres.ru
yxdown.com
xunlei.com
tiktok.com
bolshoyvopros.ru
mehrnews.com
change.org
movs4u.to
haberturk.com
tass.ru
riafan.ru
smi2.ru
daftsex.com
topwar.ru
wired.com
infourok.ru
fbsbx.com
rusvesna.su
shutterfly.com
mp3juices.cc
russian7.ru
rfi.fr
life.ru
haber7.com
obozrevatel.com
vz.ru
firefox.com
livemaster.ru
foursquare.com
mashreghnews.ir
mirtesen.ru
inosmi.ru
anysex.com
kproxy.com
wday.ru
pornosveta.net
sendspace.com
songsmp3.cool
tagesspiegel.de
photobucket.com
sndcdn.com
meduza.io
staticflickr.com
tvzvezda.ru
resetera.com
lilo.org
pokemonshowdown.com
newsru.com