Free press does not exist in Turkmenistan, where the government, headed by President Gurbanguly Berdymukhammedov, controls all media. A small part of the population has access to a heavily censored version of the Internet, where all regime-critical websites are blocked, as well as all social media platforms.
Qurium has been investigating how Turkmenistan has implemented its widespread Internet blocking. During our investigation we identified several commercial websites being blocked, such as yahoo.com, dropbox.com, teamviewer.com, twitter.com, facebook.com, linkedin.com, youtube.com and vk.com.
The national providers
Most of the traffic that arrives from inside the country comes from the provider State Company of Electro Communications Turkmentelecom (AS20661). A few other providers peer with and operate behind the national operator, such as:
- TMCELL (AS59974 Altyn Asyr CJSC)
- Turkmen hemrasi CJSC (AS204579)
- The State Bank for Foreign Affairs of Turkmenistan TFEB-AS (AS201558)
- Telephone Network of Ashgabat CJSC (AS51495)
Techniques used for blocking
Three different techniques are currently in use to block websites:
- DNS spoofing
- HTTP Host Header Inspection
- IP blocking
All DNS queries are hijacked in transit and answered with a bogus response (127.0.0.1). It does not matter which DNS server is queried, as responses are always spoofed.
Two responses are always injected, with two different TTL values. In our tests we recorded TTL=125 and TTL=126, which suggests that more than one device sits inline in the traffic path.
The Deep Packet Inspection (DPI) is hosted in the State Company of Electro Communications Turkmentelecom.
An interesting element of the spoofed responses is that their IPID (IP Identification field) is always 0x7530 (30000).
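As an added example (not part of Qurium's report), a small Python parser that applies the three observations above to raw DNS responses: it flags packets whose IP ID is 0x7530, whose TTL is 125 or 126 and whose answer is 127.0.0.1, and groups hits by DNS transaction ID so that a query answered twice from two different hop counts stands out. The packet builder, addresses and sample capture are constructed for the demonstration.

```python
import struct
SPOOF_IPID = 0x7530        # IP Identification on every injected packet (30000)
SPOOF_TTLS = {125, 126}    # the two hop counts observed, one per inline device
BOGUS_ANSWER = "127.0.0.1"

def build_dns_response(ip_id, ttl, txid, qname, addr):  # builds constructed sample packets only
    name = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + name + struct.pack("!HH", 1, 1)
    dns += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in addr.split("."))
    udp = struct.pack("!HHHH", 53, 40000, 8 + len(dns), 0)   # UDP checksum left as 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(dns), ip_id, 0, ttl, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed src/dst
    return ip + udp + dns
def _skip_name(dns, off):  # advance past a name written as labels or as a compression pointer
    while dns[off] != 0:
        if dns[off] & 0xC0 == 0xC0:
            return off + 2
        off += dns[off] + 1
    return off + 1

def parse_dns_response(pkt):  # IP ID, IP TTL, DNS txid and A answers from a raw IPv4/UDP/DNS packet
    ihl = (pkt[0] & 0x0F) * 4
    ip_id, ttl = struct.unpack_from("!H", pkt, 4)[0], pkt[8]
    dns = pkt[ihl + 8:]                                  # skip the 8-byte UDP header
    txid, _flags, _qd, an = struct.unpack_from("!HHHH", dns, 0)
    off = _skip_name(dns, 12) + 4                        # question name + QTYPE/QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(dns, off)
        rtype, _cls, _rttl, rdlen = struct.unpack_from("!HHIH", dns, off)
        off += 10
        if rtype == 1 and rdlen == 4:                    # A record
            answers.append(".".join(str(b) for b in dns[off:off + 4]))
        off += rdlen
    return {"txid": txid, "ip_id": ip_id, "ttl": ttl, "answers": answers}

def is_injected(p):  # the three-part signature: IPID 0x7530, TTL 125 or 126, answer 127.0.0.1
    return p["ip_id"] == SPOOF_IPID and p["ttl"] in SPOOF_TTLS and BOGUS_ANSWER in p["answers"]

def find_injected(packets):  # {txid: TTLs}; two TTLs under one ID means two inline injectors
    hits = {}
    for p in filter(is_injected, map(parse_dns_response, packets)):
        hits.setdefault(p["txid"], []).append(p["ttl"])
    return {k: sorted(v) for k, v in hits.items()}

SAMPLE = [  # constructed capture: two injected answers to one query, then one legitimate reply
    build_dns_response(0x7530, 126, 0x1234, "turkmen.news", "127.0.0.1"),
    build_dns_response(0x7530, 125, 0x1234, "turkmen.news", "127.0.0.1"),
    build_dns_response(0x1A2B, 57, 0x5678, "example.com", "192.0.2.10"),
]
```

Running `find_injected(SAMPLE)` on the constructed capture reports the turkmen.news transaction with both TTLs and ignores the legitimate reply.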
HTTP Host Header Inspection
The Deep Packet Inspection (DPI) also inspects the Host header of HTTP requests. When we tested turkmen.news and azadliq.info, two reset (RST) packets were injected towards the client and two towards the server. The four RST packets appear to originate from the same device(s) that hijack the DNS traffic.
The TTL values and the IPID signature are consistent with the spoofed DNS responses: 0x7530 (30000).
An interesting aspect of the DPI is that it blocks websites regardless of what precedes or follows the domain name. For example, the DPI will block:
The regex used to block the sites seems to be: (.*)domain.tld(.*)
Other websites, such as TeamViewer, Yahoo and Twitter, appear to be blocked by IP address using standard IP filters.
133 websites of the top 10K sites
During our investigation we discovered that 133 websites from the Alexa top 10,000 sites worldwide are blocked. The following top sites are blocked in Turkmenistan: