Monitoring Information Controls in Iraq in Reaction to ISIS Insurgency


The Citizen Lab

Research Brief Number 40 – June 2014


Read the Arabic Version / النسخة العربية, translated by Cyber Arabs

In this report, we document the results of network measurement tests we ran to determine how the Internet is being filtered in Iraq in reaction to ongoing insurgency in the country. The results identify 20 unique URLs that are blocked on three Iraq-based Internet Service Providers. These websites include social media platforms (such as Facebook and Twitter), proxy / circumvention tools (such as Psiphon), and the websites of mobile messaging apps (such as WhatsApp and Viber). Notably, none of the 7 websites we tested that are affiliated with, or supportive of, the jihadist insurgent group the Islamic State in Iraq and Greater Syria (ISIS) were found to be blocked.

BACKGROUND

The ongoing insurgency within Iraq continues to escalate. In recent weeks, the jihadist group, the Islamic State in Iraq and Greater Syria (ISIS), seized control of the northern provincial capitals Mosul and Tikrit and Iraq’s largest oil refinery. The conflict has led Iraqi Prime Minister, Nouri al-Maliki, to formally request the U.S. military to engage in air strikes to limit the ISIS advances.

Following the seizure of Mosul and Tikrit, the government of Iraq implemented restrictions on Internet accessibility as a means of limiting the ability of ISIS to mobilize and communicate their message. On June 13, 2014, reports emerged that numerous social media platforms, including Facebook, Twitter, and YouTube, had been blocked. By June 16, reports suggested that Ministry of Communications officials had ordered a complete Internet shutdown in certain regions. These reports are confirmed by BGP data from Renesys:


Figure 1: Renesys BGP Data showing reduction in reachable networks as a result of the shutdown.

Similarly, traffic from the content delivery network Akamai dropped off substantially following the reported shutdown and blocks:


Figure 2: Traffic from Akamai content delivery network to Iraq in June 2014.

A letter allegedly leaked from the Ministry of Communications details these outages, indicating the ISIS-held provinces in which Internet access was to be blocked completely. In addition, the letter lists websites and platforms (which included Facebook, Twitter, YouTube, Viber, Skype, and others) to be blocked.

More recently, on the morning of June 20, measurements from the RIPE Network Coordination Centre showed 4 of the 38 networks in Iraq went offline, including Earthlink, as shown in Figure 3:


Figure 3: RIPE NCC measurements of ASNs in Iraq.

Renesys reported that these networks were restored several hours later:

Figure 4: Renesys BGP and Traceroute data showing June 20th outage.

ISIS actively uses social media to spread its messaging. For example, the group introduced an Android app in April 2014, called The Dawn of Glad Tidings, which leverages Twitter users’ accounts to share ISIS-related tweets. The application was removed from the Google Play store for violating community guidelines.


Figure 5: ISIS Android app Dawn of Glad Tidings.

The group also uses well-coordinated hashtag campaigns to spread their message, and had their Twitter account shut down after a number of graphic photos of victims attacked by ISIS were shared.

Complete shutdowns of the Internet during political crises have been seen in numerous other countries in recent years, including Egypt and Libya during the 2011 Arab Spring and in Syria during the ongoing conflict in the country. We have documented the ways in which sensitive political events, ranging from violent conflict to elections and the hosting of international events, lead to changes in the application of information controls.

METHODOLOGY

We used two methods to determine if and how filtering is being applied in Iraq. The first method performs remote lookups of DNS records to identify suspicious results which could be indicative of filtering. The second method undertakes remote testing of website accessibility through proxies. We wrote a script that performs a GET request of a list of websites through six different publicly accessible proxies located in Iraq. We then compare the results of these GET requests with attempts to access the same URLs from the University of Toronto network to identify instances of blocking.

Early reports from Iraq suggested that blocking was performed on some ISPs through DNS tampering. DNS converts domain names (such as “citizenlab.org”) to an IP address (74.208.36.253). If the information in DNS records is tampered with, domain names can resolve to an incorrect IP address, which can lead visitors to a blockpage. In some cases, it is possible to perform lookups of the DNS records used by Iraq-based ISPs remotely, without being connected to that ISP directly. After performing these DNS lookups, we are able to compare the results for a given domain name with what we would expect to see to identify aberrations.

We performed a lookup of a list we compiled of 1,358 URLs to identify suspicious DNS results. We also did GET requests for the URLs on this list on the publicly accessible proxies we found in Iraq. This list contains content ranging from international news sites, social media platforms, and content specific to Iraq’s domestic political, social and cultural context. A full list of URLs tested can be found in the Data section.

RESULTS

From June 16-20, 2014, we tested a list of 1,358 URLs remotely through eight name servers that correspond to the following ISPs:

ISP                           Hostname               IP address       Suspicious result?
IQ Net                        nserver3.iqnet.com     62.201.201.201   Yes
IQ Net                        nserver4.iqnet.com     62.201.201.202   Yes
Earthlink Telecommunications  n/a                    37.239.34.206    Yes
Earthlink Telecommunications  n/a                    37.236.154.55    Yes
ScopeSky                      ns1.itc.iq             185.23.153.242   Yes
ScopeSky                      ns2.itc.iq             185.23.153.243   Yes
Newroz Telecom                ns1.newroztelecom.com  93.91.200.200    No
Newroz Telecom                ns2.newroztelecom.com  93.91.200.201    No

EARTHLINK TELECOMMUNICATIONS

Remote tests of these nameservers showed a number of URLs resolved to the IP address 192.168.222.66, which is a private, non-routable IP address. See this example for a DNS lookup of psiphon.ca:

    ; <<>> DiG 9.7.0-P1 <<>> psiphon.ca
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38318
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;psiphon.ca.            IN      A

    ;; ANSWER SECTION:
    psiphon.ca.     300     IN      A       192.168.222.66

From our testing list, the following domains resolve to this IP address:

ec2-174-129-26-64.compute-1.amazonaws.com
hidemyass.com
instagram.com
www.softlayer.com
openvpn.net
plus.google.com
psiphon.ca
twitter.com
ultrasurf.us
www.dmoz.org
www.facebook.com
www.hotspotshield.com
www.skype.com
www.strongvpn.com
www.tango.me
www.viber.com
www.whatsapp.com
www.xroxy.com
www.youtube.com


This result is unexpected. It is abnormal for a domain name to resolve to an IP address that is not publicly routable.

We tested the same list of sites through six Earthlink proxies from June 16 to 20, 2014. When accessing some sites we are redirected to the same IP address (192.168.222.66) and presented with the blockpage pictured in Figure 6. Although there was some variability between sites found blocked on the six proxies, the following domains were found blocked at least once on one of the proxies over the four-day period:

hidemyass.com
instagram.com
openvpn.net
twitter.com
ultrasurf.us
www.dmoz.org
www.facebook.com
www.hotspotshield.com
www.skype.com
www.softlayer.com
www.strongvpn.com
www.tango.me
www.viber.com
www.wechat.com
www.whatsapp.com
www.xroxy.com
www.youtube.com
www.gayhealth.com

In addition, when accessing this IP address (192.168.222.66) directly in a web browser, we also see the blockpage pictured in Figure 6.


Figure 6: Blockpage seen using proxy on Earthlink Telecommunications

One interesting result is the block of the URL: ec2-174-129-26-64.compute-1.amazonaws.com. This domain naming scheme is consistent with servers hosted on the Amazon EC2 hosting service (a large and popular cloud hosting provider based in the United States). During subsequent testing we find that any domain in the *.compute-*.amazonaws.com domain namespace is blocked on this ISP. For example, this URL http://ec2174-129-212-31.compute-1.amazonaws.com, which is hosting no content other than the default placeholder content of a webserver, is blocked on Earthlink:

Figure 7: A side-by-side comparison of accessing the same Amazon EC2 URL in Canada and Iraq.

Given that the content of this URL is benign it is likely not being targeted for blocking. This block is more likely to be the result of an overzealous filtering pattern used in the configuration of the domain name server.


This block also results in the collateral filtering of any site that both hosts its website on the Amazon EC2 service and configures its DNS to use the compute-*.amazonaws.com domain, such as through a canonical name (CNAME) record. Examples of sites that are filtered as a result of this configuration include:

http://www.virtuefitness.com/ – Fitness site
http://www.gayhealth.com/ – Defunct gay health information site
http://www.exoplatform.com/ – Social platform for companies
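The collateral effect described above can be audited on a test list by walking each site's CNAME chain and checking every hop against the filter pattern. This is an added example, not code from the report; the CNAME records are constructed placeholders (the report does not publish the affected sites' actual CNAME targets), and the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Namespace the report found blocked on this ISP's resolvers.
BLOCK_PATTERN = "*.compute-*.amazonaws.com"

# Constructed CNAME records (alias -> target) standing in for real zone data.
CNAMES = {
    "www.shop.example": "lb.shop.example",
    "lb.shop.example": "ec2-198-51-100-7.compute-1.amazonaws.com",
    "www.blog.example": "blog.hosting.example",
    "loop-a.example": "loop-b.example",
    "loop-b.example": "loop-a.example",
}

def canonical_chain(name, cnames, max_depth=8):
    """Follow CNAMEs from name; stop at a non-alias, a loop, or max_depth."""
    chain = [name.rstrip(".").lower()]
    while chain[-1] in cnames and len(chain) <= max_depth:
        nxt = cnames[chain[-1]].rstrip(".").lower()
        if nxt in chain:  # CNAME loop: stop rather than spin
            break
        chain.append(nxt)
    return chain

def collateral(names, cnames, pattern=BLOCK_PATTERN):
    """Return {name: first hop matching the pattern} for affected names."""
    hits = {}
    for name in names:
        for hop in canonical_chain(name, cnames):
            if fnmatchcase(hop, pattern):
                hits[name] = hop
                break
    return hits
```

A name that matches only through a later hop is filtered as a side effect of its hosting, which helps separate deliberately targeted sites from collateral ones when reading a blocked list.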

ScopeSky

From our testing list, five domains resolved to the IP address 185.23.153.235, as shown in this example of a lookup of twitter.com:

    ;; QUESTION SECTION:
    ;twitter.com.           IN      A

    ;; ANSWER SECTION:
    twitter.com.    86400   IN      A       185.23.153.235

    ;; AUTHORITY SECTION:
    twitter.com.    86400   IN      NS      ns1.itc.iq.

185.23.153.235 is an IP address hosted on the ISP ITC in Iraq:

    60929 | 185.23.153.235 | ITC Investment and technology group of companies limited,IQ

When visiting this IP address in a web browser, we are presented with the following blockpage:

Figure 8: Blockpage seen on ScopeSky Communications


On this ISP the following domains were found to resolve to this IP address and are blocked:

twitter.com
www.facebook.com
www.viber.com
www.whatsapp.com
www.youtube.com

IQ Net

During the course of testing our list through IQ Net, the nameserver gave responses that delegated the nameserver itself (nserver3.iqnet.com) as authoritative for a number of domains by altering the start of authority (SOA) record. See an example of this in a response for a DNS lookup for www.viber.com:

    $ dig +short @62.201.201.201 viber.com SOA
    nserver3.iqnet.com. firas.iqnet.com. 2014061301 10800 900 604800 86400

Compare this result to one using a public DNS resolver instead:

    $ dig +short @8.8.8.8 viber.com SOA
    a1.verisigndns.com. dnssupport.verisign-grs.com. 1384964559 28800 7200 1209600 300

While this result is not itself evidence of deliberate filtering (for example, we may see such a result if a company such as Google were to host servers on the ISP), the list of domains with altered SOA is suspicious and is likely indicative of blocking. The following list of domains returned an altered SOA record when resolving through IQ Net name servers:

google.com
viber.com
whatsapp.com
youtube.com

Newroz Telecom

There were no suspicious results found in tests of the nameservers of this ISP. This result was expected, because this ISP serves the Kurdistan area, and reports have indicated that the shutdown and social media blocking orders did not include Kurdistan.
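The three DNS signals reported in the per-ISP results above (an answer in non-routable address space, one unexpected address shared by several domains, and an SOA naming the resolver itself as primary) can be checked mechanically against a control resolver. This is an added example, not the script used for this report; the addresses and SOA data for the tested resolver are the values quoted in the text, while the control addresses, some TTLs, the labels and the function names are constructed.

```python
import ipaddress
from collections import defaultdict
# Tested-resolver answers: values quoted in this report; unshown TTLs are constructed.
TESTED = """\
psiphon.ca. 300 IN A 192.168.222.66
twitter.com. 86400 IN A 185.23.153.235
www.facebook.com. 86400 IN A 185.23.153.235
viber.com. 86400 IN SOA nserver3.iqnet.com. firas.iqnet.com. 2014061301 10800 900 604800 86400
citizenlab.org. 300 IN A 74.208.36.253
"""
# Control answers; the three documentation-range addresses are constructed.
CONTROL = """\
psiphon.ca. 300 IN A 203.0.113.10
twitter.com. 30 IN A 203.0.113.20
www.facebook.com. 60 IN A 203.0.113.30
viber.com. 300 IN SOA a1.verisigndns.com. dnssupport.verisign-grs.com. 1384964559 28800 7200 1209600 300
citizenlab.org. 300 IN A 74.208.36.253
"""

def parse(text):
    """Map (name, type) -> list of rdata strings, skipping dig comment lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        if line.strip() and not line.startswith(";"):
            name, _ttl, _cls, rtype, rdata = line.split(None, 4)
            records[(name.rstrip(".").lower(), rtype)].append(rdata)
    return records

def classify(tested_text, control_text, resolver_hosts):
    """Return {domain: sorted list of anomaly labels} for the tested resolver."""
    control, findings, by_ip = parse(control_text), defaultdict(set), defaultdict(set)
    for (name, rtype), rdatas in parse(tested_text).items():
        expected = control.get((name, rtype), [])
        for rdata in rdatas:
            if rtype == "A":
                if not ipaddress.ip_address(rdata).is_global:
                    findings[name].add("non-routable-answer")
                if rdata not in expected:  # differing alone is normal for CDNs
                    by_ip[rdata].add(name)
            elif rtype == "SOA":
                mname = rdata.split()[0].rstrip(".").lower()
                known = {r.split()[0].rstrip(".").lower() for r in expected}
                if mname in resolver_hosts and mname not in known:
                    findings[name].add("resolver-claims-authority")
    for names in by_ip.values():  # one unexpected address serving many domains
        if len(names) > 1:
            for name in names:
                findings[name].add("shared-unexpected-ip")
    return {name: sorted(labels) for name, labels in findings.items()}
```

Calling `classify(TESTED, CONTROL, {"nserver3.iqnet.com"})` labels psiphon.ca, twitter.com, www.facebook.com and viber.com and leaves citizenlab.org unflagged, matching the absence of findings for an untampered resolver.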

SUMMARY OF RESULTS

The websites our tests found to be blocked represent a small number of content categories, and generally correspond with the list of sites ordered to be filtered by the Iraqi Ministry of Communications. We also tested the accessibility of 7 URLs of sites which are affiliated with or supportive of ISIS. We did not find any evidence, through both DNS lookups and proxy testing, that any of these URLs are blocked. Given that the insurgency was cited as the rationale for the shutdown and filtering, this finding is curious.

The following table summarizes the domains we found blocked in Iraq:


Domain                                     Description
ec2-174-129-26-64.compute-1.amazonaws.com  Hosting Provider
hidemyass.com                              Circumvention/Anonymization
instagram.com                              Social media
www.softlayer.com                          Hosting Provider
openvpn.net                                Circumvention/Anonymization
plus.google.com                            Social media
psiphon.ca                                 Circumvention/Anonymization
twitter.com                                Social media
ultrasurf.us                               Circumvention/Anonymization
www.dmoz.org                               Web Portal
www.facebook.com                           Social media
www.hotspotshield.com                      Circumvention/Anonymization
www.skype.com                              Voice-over-IP
www.strongvpn.com                          Circumvention/Anonymization
www.tango.me                               Mobile Messaging App
www.viber.com                              Mobile Messaging App
www.whatsapp.com                           Mobile Messaging App
www.xroxy.com                              Circumvention/Anonymization
www.youtube.com                            Video Sharing
www.wechat.com                             Mobile Messaging App

CIRCUMVENTION USAGE IN IRAQ

In many cases Internet filtering implemented by DNS tampering is straightforward to circumvent. Users can simply select an alternate DNS service that will perform name resolution correctly. However, this circumvention method can also be manipulated by censors, as seen recently in Turkey where providers intercepted requests to Google’s public DNS servers in order to prevent censorship circumvention. We have received anecdotal reports from users located in Iraq that using Google’s public DNS servers did not circumvent censorship, suggesting that DNS requests are being hijacked.

However, circumvention services have reported increased usage from users based in Iraq. The circumvention service Psiphon reports a significant increase in users connecting from Iraq starting from June 13 after social media platforms were blocked, as seen in Figure 9. Note that 97% of these users are connected to Psiphon through their mobile phone using the Psiphon Android application.

Figure 9: Daily users of circumvention tool Psiphon in Iraq in June 2014.

Similarly, usage of Tor, a popular anonymization tool which can circumvent censorship, has also increased significantly in June:


Figure 10: Directly connecting users of Tor in Iraq in June 2014.

CONCLUSION

Given the volatile situation in the country, it is uncertain how Internet accessibility will be further affected. The Citizen Lab will continue to monitor the situation and post updates to our findings.

DATA

A full list of data from these tests can be found at our GitHub repository.

ACKNOWLEDGEMENTS

Jakub Dalek, Adam Senft, Helmi Noman, and Masashi Crete-Nishihata undertook research and writing of this report, supported by the Social Sciences and Humanities Research Council (Canada) Grant 430-2014-00183, Prof. Ronald J. Deibert, Principal Investigator.

MEDIA COVERAGE

Media coverage of the report includes VICE’s Motherboard and The Daily Beast.
