Testers wanted to validate external censorship measurements in Turkmenistan

tango · August 9, 2023, 6:42pm

At the “publications” subforum, the authors of the recent “Measuring and Evading Turkmenistan’s Internet Censorship” are asking for help from people in Turkmenistan to check their observations. They tested for censorship by sending DNS queries and HTTP/HTTPS requests into the country and checking for packets injected by the firewall.

One of the surprising results was that not every IP address in Turkmenistan triggered censorship. For example, sending a packet with a destination address of 95.85.96.36 triggered censorship, while 95.85.96.35 did not. The authors want help in checking whether the same is true in the other direction: whether censorship can differ based on the source address of a person in Turkmenistan.

This is what you can do:

Find your external IP address.
Search for your IP address at TMC Dashboard.
- If your IP address is one that triggers censorship when measured externally, it will have first_checked with a date.
- If your IP address does not trigger censorship when measured externally, it will say not found.
Try accessing some of the censored domains that the research project detected as being censored. For example:
- hrw.org
- wikipedia.org
- twitter.com

Avoid posting your IP address. The research team mainly wants to know if your own tests match what they were able to measure from outside.

Measuring and Evading Turkmenistan’s Internet Censorship: A Case Study in Large-Scale Measurements of a Low-Penetration Country

Hi everyone, I’m Sadia, one of the authors of this paper. In order to measure Turkmenistan’s censorship, we had to take advantage of bidirectional censorship, in which we had a client outside of Turkmenistan send censored requests to non-responsive IP addresses inside of Turkmenistan to trigger the censor. However, one question we frequently asked ourselves is whether our measurements from the outside→inside direction corroborates with measurements from the inside→outside direction.

It would be great if there were some volunteers within Turkmenistan who could spot-check some of our measurements for us from the inside→outside direction. Please ensure your safety and understand the risks of doing so before proceeding.

You can check whether TMC considers you to be censored by searching for your own IP address here. If you are deemed to be censored, you could test some of the domains that TMC believes to be censored. These domains can be found here and here. In order to test these domains, you could try to use the packet sequence we use for our measurements mentioned in the paper, or just send a simple DNS and HTTP(S) request.

If you determine that your IP address is NOT considered to be censored by TMC, you could still test some domains to determine whether the IP address is uncensored from the inside→outside direction as well.

0ka · August 9, 2023, 7:40pm

agts: wikipedia works, hrw is dns banned, twitter is ip and dns banned
telecom: wikipedia works, hrw is dns banned, twitter is ip and dns banned
tmcell: wikipedia works, hrw works, twitter is ip banned

atabally · August 11, 2023, 3:50pm

Yes, my IP triggers censroship (my external IP in the list)

hrw.org & twitter.com → doesn’t work (when I ping returns response from 127.0.0.1)
wikipedia.org → Works (I think it never get censored)

tkmw1985 · August 11, 2023, 4:32pm

You should know that Telecom rotates IP addresses (dynamic IP) about AGTS I do not know

snourin · August 31, 2023, 3:24pm

Thank you for your measurements.

We were able to obtain two vantage points in agts and telecom and have some insight into your measurements.

We observed that twitter.com was both IP and DNS blocked, but that it was HTTP(S) blocked as well (i.e. if twitter.com was moved to a different IP address, it would still be blocked).

hrw.org is DNS blocked, but it is also HTTP blocked, NOT HTTPS blocked. If your browser automatically redirects HTTP to HTTPS, then it’s possible you would not experience censorship.

It seems that the regular expression used to block wikipedia.org is actually .*wikipedia\.org.+ not .*wikipedia\.org.*. From our measurements, wikipedia.org is accessible over HTTP and HTTPS but wikipedia.org.il and wikipedia.org.cn are blocked over HTTPS while wikipedia.org.au is IP blocked.

Furthermore, wikipedia.com is blocked over HTTP but NOT HTTPS, so similar to the case with hrw.org, if your browser automatically redirects HTTP to HTTPS, you may not experience censorship.

snourin · August 31, 2023, 3:32pm

We still experienced inside->outside censorship from the two vantage points we obtained in telecom and AGTS, which both have external IPs that are not censored from the outside->inside direction. I do wonder if dynamic IPs are responsible for this behavior.

anonymous121 · September 2, 2023, 8:21pm

destination address of 95.85.96.36 triggered censorship, while 95.85.96.35 did not

Censorship depends f(x). Where f is a bitwise operation or general hash func and x is octet(s). Like be^bk^bl^bm^bn…^C

Summary

Alone bit (dst addr start with 95.85.96., proto UDP, dst port 53):
0 +
1 +
2 +
3 -
4 -
5 -
6 +
7 +

Zero +

Sounds like (broken) network load balancing.

anonymous121 · September 3, 2023, 10:34am

Seems like they divide inbound traffic by 3 or more, and only some bypass DPI
Hash is not so simple

95.85.96

00000000 +
00000001 +
00000010 +
00000011 +
00000100 +
00000101 +
00000110 +
00000111 +
00001000 -
00001001 -
00001010 -
00001011 -
00001100 -
00001101 -
00001110 -
00001111 -
00010000 -
00010001 -
00010010 -
00010011 -
00010100 -
00010101 -
00010110 -
00010111 -
00011000 -
00011001 -
00011010 -
00011011 -
00011100 -
00011101 -
00011110 -
00011111 -
00100000 -
00100001 -
00100010 -
00100011 -
00100100 +
00100101 +
00100110 +
00100111 +
00101000 -
00101001 -
00101010 -
00101011 -
00101100 -
00101101 -
00101110 -
00101111 -
00110000 +
00110001 +
00110010 +
00110011 +
00110100 +
00110101 +
00110110 +
00110111 +
00111000 +
00111001 +
00111010 +
00111011 +
00111100 +
00111101 +
00111110 +
00111111 +
01000000 +
01000001 +
01000010 -
01000011 +
01000100 +
01000101 +
01000110 +
01000111 +
01001000 +
01001001 +
01001010 +
01001011 +
01001100 +
01001101 +
01001110 +
01001111 +
01010000 -
01010001 -
01010010 -
01010011 -
01010100 -
01010101 -
01010110 -
01010111 -
01011000 -
01011001 -
01011010 -
01011011 -
01011100 -
01011101 -
01011110 -
01011111 -
01100000 -
01100001 -
01100010 -
01100011 -
01100100 -
01100101 -
01100110 -
01100111 -
01101000 -
01101001 -
01101010 -
01101011 -
01101100 -
01101101 -
01101110 -
01101111 -
01110000 -
01110001 -
01110010 -
01110011 -
01110100 -
01110101 -
01110110 -
01110111 -
01111000 -
01111001 -
01111010 -
01111011 -
01111100 -
01111101 -
01111110 -
01111111 -
10000000 +
10000001 +
10000010 +
10000011 +
10000100 +
10000101 +
10000110 +
10000111 +
10001000 +
10001001 +
10001010 +
10001011 +
10001100 +
10001101 +
10001110 +
10001111 +
10010000 +
10010001 +
10010010 +
10010011 +
10010100 +
10010101 +
10010110 +
10010111 +
10011000 +
10011001 +
10011010 +
10011011 +
10011100 +
10011101 +
10011110 +
10011111 +
10100000 +
10100001 +
10100010 +
10100011 +
10100100 +
10100101 +
10100110 +
10100111 +
10101000 +
10101001 +
10101010 +
10101011 +
10101100 +
10101101 +
10101110 +
10101111 +
10110000 +
10110001 +
10110010 +
10110011 +
10110100 +
10110101 +
10110110 +
10110111 +
10111000 +
10111001 +
10111010 +
10111011 +
10111100 +
10111101 +
10111110 +
10111111 +
11000000 +
11000001 +
11000010 +
11000011 +
11000100 +
11000101 +
11000110 +
11000111 +
11001000 +
11001001 +
11001010 +
11001011 +
11001100 +
11001101 +
11001110 +
11001111 +
11010000 +
11010001 +
11010010 +
11010011 +
11010100 +
11010101 +
11010110 +
11010111 +
11011000 +
11011001 +
11011010 +
11011011 +
11011100 +
11011101 +
11011110 +
11011111 +
11100000 +
11100001 +
11100010 +
11100011 +
11100100 +
11100101 +
11100110 +
11100111 +
11101000 +
11101001 +
11101010 +
11101011 +
11101100 +
11101101 +
11101110 +
11101111 +
11110000 +
11110001 +
11110010 +
11110011 +
11110100 +
11110101 +
11110110 +
11110111 +
11111000 +
11111001 +
11111010 +
11111011 +
11111100 +
11111101 +
11111110 +
11111111 +

95.85.97

00000000 -
00000001 -
00000010 -
00000011 -
00000100 -
00000101 -
00000110 -
00000111 -
00001000 -
00001001 -
00001010 -
00001011 -
00001100 +
00001101 +
00001110 +
00001111 +
00010000 +
00010001 +
00010010 +
00010011 +
00010100 +
00010101 +
00010110 +
00010111 +
00011000 +
00011001 +
00011010 +
00011011 +
00011100 +
00011101 +
00011110 +
00011111 +
00100000 -
00100001 -
00100010 -
00100011 -
00100100 +
00100101 +
00100110 +
00100111 +
00101000 +
00101001 +
00101010 +
00101011 +
00101100 -
00101101 -
00101110 -
00101111 -
00110000 +
00110001 +
00110010 +
00110011 +
00110100 -
00110101 -
00110110 -
00110111 -
00111000 +
00111001 +
00111010 +
00111011 +
00111100 +
00111101 +
00111110 +
00111111 +
01000000 -
01000001 -
01000010 -
01000011 -
01000100 -
01000101 -
01000110 -
01000111 -
01001000 +
01001001 +
01001010 +
01001011 +
01001100 +
01001101 +
01001110 +
01001111 +
01010000 -
01010001 -
01010010 -
01010011 -
01010100 +
01010101 +
01010110 -
01010111 +
01011000 +
01011001 +
01011010 +
01011011 +
01011100 +
01011101 +
01011110 +
01011111 +
01100000 +
01100001 +
01100010 +
01100011 +
01100100 -
01100101 +
01100110 +
01100111 +
01101000 -
01101001 -
01101010 -
01101011 -
01101100 -
01101101 -
01101110 -
01101111 -
01110000 +
01110001 +
01110010 +
01110011 +
01110100 +
01110101 +
01110110 +
01110111 +
01111000 +
01111001 +
01111010 +
01111011 +
01111100 +
01111101 +
01111110 +
01111111 +
10000000 +
10000001 +
10000010 -
10000011 +
10000100 +
10000101 +
10000110 +
10000111 +
10001000 +
10001001 +
10001010 +
10001011 +
10001100 -
10001101 -
10001110 -
10001111 -
10010000 +
10010001 +
10010010 +
10010011 +
10010100 +
10010101 +
10010110 +
10010111 +
10011000 -
10011001 -
10011010 -
10011011 -
10011100 +
10011101 +
10011110 +
10011111 +
10100000 +
10100001 +
10100010 +
10100011 +
10100100 +
10100101 +
10100110 +
10100111 +
10101000 +
10101001 +
10101010 +
10101011 +
10101100 -
10101101 -
10101110 -
10101111 -
10110000 +
10110001 +
10110010 +
10110011 +
10110100 +
10110101 +
10110110 +
10110111 +
10111000 +
10111001 +
10111010 +
10111011 +
10111100 +
10111101 +
10111110 +
10111111 +
11000000 +
11000001 +
11000010 +
11000011 +
11000100 +
11000101 +
11000110 +
11000111 +
11001000 +
11001001 +
11001010 +
11001011 +
11001100 +
11001101 +
11001110 +
11001111 +
11010000 +
11010001 +
11010010 +
11010011 +
11010100 +
11010101 +
11010110 +
11010111 +
11011000 -
11011001 -
11011010 -
11011011 -
11011100 +
11011101 +
11011110 -
11011111 +
11100000 +
11100001 +
11100010 +
11100011 +
11100100 +
11100101 +
11100110 +
11100111 +
11101000 +
11101001 +
11101010 +
11101011 +
11101100 +
11101101 +
11101110 +
11101111 +
11110000 +
11110001 +
11110010 +
11110011 +
11110100 +
11110101 +
11110110 +
11110111 +
11111000 +
11111001 +
11111010 +
11111011 +
11111100 +
11111101 +
11111110 +
11111111 +

anonymous121 · September 3, 2023, 3:32pm

Can you enumerate any reachable subnet by censored dns traffic for inside->outside direction?

snourin · September 7, 2023, 3:33pm

Thank you for running these experiments.

We discovered something odd that may not point to a load balancer being responsible for this behavior. When we run traceroutes from multiple vantage points across the world to an IP address subjected to censorship vs an IP address NOT subjected to censorship in AS20661, we observe a fork in the paths. This happens even if the IPs are within the same /24 network, such as in the case for 95.85.96.36 vs 95.85.96.35.

More specifically, packets destined to IPs subjected to censorship pass through routers within 217.174.235.0/24 when they first enter Turkmenistan’s network. When sending TTL limiting probes to such IP addresses using a censored domain, we can pinpoint at which hop the censor sits at. This hop always has an IP address within 217.174.235.0/24 as well and is approximately the third hop from when the packet first enters Turkmenistan’s network. We do not see packets destined for IPs that are NOT subjected to censorship enter this /24 network at all.

What’s interesting is that this routing decision seems to be made by the provider of AS20661, AS12389 (a Russian AS), because the fork occurs before it first enters Turkmenistan’s network. Perhaps it is unintentional that we don’t see all IPs censored from the outside->inside direction; the routing decision just causes packets to some IPs to not pass through the censor.

snourin · September 7, 2023, 4:00pm

I’m not sure I quite understand. Are you asking to check whether from the inside->outside directions, the DNS injector does not filter a censored domain if the destination server is within a non-routable subnet?