NZ Internet Filtering Technical FAQ

21 Responses to “NZ Internet Filtering Technical FAQ”

  1. Anon on Jul 12, 2009 at 8:50 pm:

    This is sickening.

    Also, there are 7000 sites on the banned list? WTF?

    This is far worse than the Australian filter.

  2. Jason on Jul 13, 2009 at 8:02 am:

    For all their desire to keep the list “private”, putting it out as BGP records means it’s public. They should just publish the list and be done with it.

  3. thomas on Jul 13, 2009 at 8:32 am:

    Hi Jason. The BGP records are only made available to the ISPs but I do agree that there is a high chance that they will be leaked at some point.

    However, that only tells you which IP addresses are redirected to the DIA’s filter server. It doesn’t tell you which websites or parts of websites on those IP addresses are blocked.

  4. Jason on Jul 13, 2009 at 11:31 am:

    Here’s an attack that will make the list of IP Addresses public:

    1) Find a site that is likely to be filtered. WikiLeaks’ copy of the Aussie list is good to use.
    2) Traceroute the site.
    3) If the route shows up as being to the DIA, you’ve got a filtered location.
    4) Get a route to an unfiltered location. Google.com is probably good.
    5) Find the _earliest_ difference.

    Then, for each IP address:
    1) Send out an ICMP packet with a TTL set to the number of hops to the difference in the traceroutes.
    2) When the timeout packet returns compare it to the DIA router.
    3) Output the IP address when it matches.

    Nice, cheap and easy probes to make the list public. How many UDP packets can you send out in a second?

    Once you have the IP addresses:
    Google “Find all vhosts for a single IP”

    Make the list public, and make additions to the list public. Also, remove the NGO from the process.

  5. Pieter on Jul 13, 2009 at 11:56 am:

    If the list is made public, in an updated state, people can block the sites at a local level… I know I would!

    Come on ?!?!

  6. Benjamin B. on Jul 13, 2009 at 10:27 pm:

    So, barely escaping Zensursula, I have to read this. Thanks for your great OIA work. Now what do I or we do?

  7. thomas on Jul 14, 2009 at 10:24 am:

    What do we do? I’m currently:

    – Still finding out more information.
    – Publicising the issue as much as I can.
    – Trying to get Internet NZ to change their policy and start campaigning against it.

    I believe the next stage after that is to form a campaign, recruit people to help, develop a policy, and then try and get that policy implemented.

    Email me if you’d like to help, otherwise watch this space.

  8. Anonymous on Jul 15, 2009 at 2:57 am:

    Couldn’t this be used for DoS attacks by getting a domain banned and then pointing it to, say, public government websites? This will work for https without too much effort. Getting your IP address totally blocked probably isn’t that hard, and that will break http as well.

  9. What the shit on Jul 15, 2009 at 3:04 am:

    “If a request is made for a non-banned website on an internet address that also has banned websites, does the request still go through the DIA system?

    Yes.”

    OK, so any requests for any Wikipedia page will still go through the DIA’s servers if one file on that domain is blocked, as has been done for Wikipedia pages in the past?

    If that were true, then they would be getting a log of every single page accessed.

  10. FAIL COMMENT FORM on Jul 15, 2009 at 9:42 am:

    ——
    Does it support the next version of IP, v6?

    No.
    ——

    So why are we using this system? If it can’t support IPv6, won’t people just access the IPv6 versions? :\

    ——
    What if the website uses HTTPS (secure HTTP)?
    If the website uses https (e.g. as used for internet banking or online shopping), the filter server can’t examine the request to see what website it is going to on the target internet address.
    This means the filter server must block all https websites on a filtered internet address. This will interrupt service to any website that needs to use a secure connection.
    ——

    This is just plain lame.

  11. Anon on Jul 15, 2009 at 10:25 am:

    Just from looking at how they say it works, it’s going to do nothing for catching the real perverted users out there that are sharing this sort of stuff; it’s going to target everyone else. Not only that, but I don’t trust them. They don’t share the list for fear that they won’t catch as many people out, but there’s no way to verify that the sites are or aren’t related to child porn or animal porn.
    Don’t get me wrong, I think it’s good that they are doing something about it, and if this is their best then so be it, but it’s not going to be very effective against the type of users they are wanting to stop.

  12. Sean Duggan on Jul 15, 2009 at 11:38 am:

    If this is a purely DNS filter, then why not just use another DNS server than the ones provided by your ISP? I’ve used this FREE service for ages:

    http://www.opendns.com/

  13. thomas on Jul 15, 2009 at 11:46 am:

    Hi Sean, it’s an IP-based filter, not a DNS filter. Using a different DNS provider won’t do anything for you as your traffic to the website’s IP address will still be diverted.

  14. Anonymous on Jul 15, 2009 at 12:18 pm:

    The WhiteBox webpage claims “no proxying”. There’s only 1 way they can do that.

    In order for any device to reject a request, and send back a block page, it must be monitoring the TCP stream and be able to inject packets back in the stream in sequence (matching SN/AN) so that the client will not reject the packets. This means it must

    a) inspect all the packets of the request.
    b) reassemble the packets to form the request to extract the URI requested. This will typically require parsing the request to extract the Host header, and abs_path part of the request.
    c) pend the request packet upstream while it tests the URI against its blacklist. If it doesn’t do this, some quick server could start a response before the blacklist check is complete, which would break the ability of the device to send a proper response. Otherwise it will need to queue response packets while it determines if the response can go back to the client.
    d) if blocked, it will have to send a synthesized response back, matching the Seq and Ack numbers in the TCP connection it was monitoring, and ensure no other packets from upstream make it back to the client.

    This will certainly introduce some latency, as the request or response is pended and blacklist checked. A decent DB lookup should be pretty quick, and in terms of NZ average latency for access to international sites, I’d expect it will probably be hardly noticeable unless the system is overloaded.

    There could be other effects as well. Setting up an IP-IP tunnel will typically introduce some packet overhead. It’s likely this will affect the MTU of the path to these sites. This could allow detection without relying on ICMP / tracert, which I’d expect to be blocked or at least not answered by the NetClean box.

    Most web browser requests fit within a single TCP packet (usually 1460 bytes of payload). I wonder how the NetClean will handle a request being sent 1 byte at a time.

    My biggest concern is what about false-positives? Does the DIA offer to warn a site it is blocked? This is the thin edge of the wedge, using the horror of child porn to slip a system in which will then be used for other things. The secrecy around it is part of the problem plaguing the Australian system. We have to rely on humans in the DIA to be infallible. We all know humans are not. If they don’t tell a site it is blocked, how would a hosting site know it needs to clean out a client hosting kiddie porn?

    How as a company can I pre-filter my users to prevent the possibility of the police busting through my door if one of them goes to a bad place?
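    An added illustration of steps (a) to (c) above, written for this page and not taken from the commenter or from NetClean: a reassembler that buffers one connection’s request bytes until the HTTP head is complete, then extracts the Host header and abs_path and checks the pair against a blocklist. The blocklist entry, host names and sample requests are constructed for the demo, and the same code handles the “one byte at a time” case the commenter asks about.

```python
import re
from typing import Iterable, Optional, Tuple

# Constructed blocklist of (host, abs_path) pairs for this demo; not the DIA's list.
BLOCKLIST = {("blocked.example", "/banned/page.html")}
REQUEST_LINE = re.compile(rb"^[A-Z]+ (\S+) HTTP/1\.[01]$")
MAX_HEAD = 8192  # refuse to pend an unbounded amount of data

def parse_head(head: bytes) -> Tuple[str, str]:
    """Extract (host, abs_path) from a complete HTTP/1.x request head.
    Host is lower-cased with any :port removed; the query string is dropped."""
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    path = m.group(1).decode("ascii").split("?")[0]
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii").lower().split(":")[0]
    return host, path

class RequestReassembler:
    """Buffers one connection's client->server bytes until the request head
    (terminated by CRLFCRLF) is complete. Nothing is decided before the whole
    head is seen, so one byte per segment behaves exactly like one segment."""

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, payload: bytes) -> Optional[Tuple[str, str]]:
        """Add a segment's payload; return (host, path) once complete, else None."""
        self.buf += payload
        end = self.buf.find(b"\r\n\r\n")
        if end == -1:
            if len(self.buf) > MAX_HEAD:
                raise ValueError("request head too large")
            return None
        head, self.buf = self.buf[:end], self.buf[end + 4:]
        return parse_head(head)

def classify_stream(segments: Iterable[bytes]) -> Optional[bool]:
    """Feed segment payloads in order; True/False once the head completes, None if not."""
    reassembler = RequestReassembler()
    for seg in segments:
        parsed = reassembler.feed(seg)
        if parsed is not None:
            return parsed in BLOCKLIST
    return None
```

    Real deployments also need per-connection state, a timeout for heads that never complete, and a separate rule for https, where only the target address is visible.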

  15. gringer on Jul 15, 2009 at 1:22 pm:

    So, if I want to put a black mark on someone, I look at the list of banned URLs, and put a hyperlink somewhere so that the target person will click through to a banned URL. I could also put a message on the original page saying something like, “if you get an ‘access is refused’ message, go back and click on the link again. It’s worth it!”

    [from my slashdot post on the same subject]

  16. Mick on Jul 15, 2009 at 1:43 pm:

    Very interesting, and thanks for your work. I wonder how this compares with the current Australian filtering trial, which I think is purely URL-based.

    I note that the largest actual implementation of this product currently handles 350,000 users; this is, pardon me, “bugger all”, and I’m not convinced a handful of Intel/BSD boxes will scale well for a nationwide implementation.

  17. What the shit on Jul 15, 2009 at 3:00 pm:

    “If a request is made for a non-banned website on an internet address that also has banned websites, does the request still go through the DIA system?

    Yes.”

    So would this mean that if, for example, an image was blocked on Wikipedia (as has happened with the UK system), then all URLs from that domain will go through the DIA system?

    If that were the case, what’s to stop them logging all URLs within Wikipedia (say) that you visited? If they can do that, how long will this data be stored? How will it be used?

  18. What the shit on Jul 15, 2009 at 3:19 pm:

    “Don’t get me wrong, I think it’s good that they are doing something about it, and if this is their best then so be it, but it’s not going to be very effective against the type of users they are wanting to stop.”

    It’s quite an obvious tactic to start with child porn, because nobody likes that but the perverts. I think you’re right in saying that it’s not going to stop the real pedos, but I really don’t think that’s their intention in the long term. The NZ Censorship system for movies (for example) doesn’t allow a film to be released in NZ unless it’s been screened by the office (at a cost), and given a rating. I can see they would see the internet as a huge gaping hole to them, since you can view videos and publications without any oversight or guidance at all.

    They are not going to stop with the child porn. That’s just to get the support of the parents and make anyone wary of protesting it, in fear of being labelled a pervert. This is quite obviously the first step toward a much more restricted internet, blocking anything they don’t agree with or see as appropriate, because that’s how the censorship laws for film and video releases are set up, and that’s their job description according to the censorship laws of NZ.

    Even you, as someone very skeptical about it, see the child porn thing as a good step, but that’s not the point, that’s just a ploy. And you’re falling for it. Of course combating child porn is a good thing, everyone knows that. But doing it this way, and in secret, is absolutely not the right way to do it. But again, that’s not their real intention.

    I don’t see the censorship laws in New Zealand as draconian at all, but that’s because for the most part, they’re out in the open. Since this is closed and secretive, that changes it quite a bit. And it doesn’t matter if “three people” are looking at each site to decide whether or not it’s acceptable in their opinion – there is no judicial oversight, and there is absolutely no public consultation. It’s creepy, and should be properly addressed.

  19. Anon on Jul 16, 2009 at 10:34 am:

    “NetClean WhiteBox runs on one of the fastest high speed networks in the world, SUNET in Sweden. This runs at 10Gb/s and supports over 350,000 users. It has no effect on the performance of their Internet access.”

    That’s a difference of 2,750,000 users. That’s an enormous difference. Also, a few extra milliseconds on an extremely high speed 10Gb pipe supplying a few thousand users is nothing, a few milliseconds on a narrow, clogged tube dribbling data to millions is very significant.

  20. Kevin on Jul 16, 2009 at 11:49 am:

    Starts at content that I think every normal person would agree shouldn’t even exist on the internet, but then stops where??? any sites that object to the National government? There’s got to be better ways of dealing with this.

    As an IT manager of a large company – if one of my users manages to get past our filter (it’s old and not very good) then are we as a company liable??

  21. hmm on Jul 20, 2009 at 10:07 pm:

    OK, I understand this whole deal about child pornography and all that, and it’s good to have a filter for that etc. etc. But I have a question: do they log IPs, and is this filtering system confined to child pornography or does it include other aspects?