Starting on Friday, 23rd of August 2013, a large number of connections to https://www.colombotelegraph.com were failing. Readers of the website started to report that the site was not available inside Sri Lanka from some Internet providers.
History of Colombo Telegraph blocking
First – December 26, 2011 – We are blocked but we will not be stopped
Second – May 8, 2012 – Colombo Telegraph Blocked Again
As the server has been blocked in the past, it was reasonable to believe that blocking was taking place again. In order to verify the cause of the problem we checked 500 different connections inside of Sri Lanka to see from where such blocking was taking place.
Who is blocking the site?
From our analysis we can see that connections from AS45356 and AS9329 are currently blocked. The providers are MOBITEL-LK and STINT-AS-AP.
Other providers such as AS18001/DIALOG showed signs of blocking on the 24th of August but are currently open. The provider AS8966/ETISALAT has never shown signs of filtering.
Image: Increase of failed connections from Friday 23rd August 2013 (orange)
How is blocking taking place?
The current blocking implemented by Mobitel and Sri Lanka Telecom consists of resetting the readers' connections. As shown in the picture, RST packets (red) are sent back to the client when a connection to www.colombotelegraph.com is requested.
We could verify that if requests to the site do not contain the HTTP header
such requests do not get blocked. We could also verify that if we connect to any other server on the Internet and send the same header, an RST packet is received.
But if we send a request to the site using the IP address instead of the site’s name we could bypass the blocking.
A request with the content
GET /index.php HTTP/1.1
Gives a proper response
HTTP/1.1 301 Moved Permanently
Date: Tue, 27 Aug 2013 17:56:45 GMT
Content-Type: text/html; charset=UTF-8
After examining the network traffic and our logs we can conclude without any doubt that active interference is taking place in at least two large providers, Mobitel and Sri Lanka Telecom.
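The three-way comparison described above (site with its name in the request, site with the IP address instead, unrelated server with the site's name) can be written down as a small measurement script. This is an added example, not code used for the original analysis. It assumes the header in question is the HTTP Host header, which the page does not show, and the function names and sample results are constructed for illustration.

```python
import socket

def probe(ip, name, port=80, timeout=5.0):
    """Send one GET carrying `name` in the Host header (assumed header);
    report what came back."""
    request = (f"GET /index.php HTTP/1.1\r\nHost: {name}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(request)
            return "response" if s.recv(4096) else "closed"
    except ConnectionResetError:
        return "reset"          # an RST arrived, as in the capture described above
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"

def classify(obs):
    """obs maps (destination, what was sent as the name) -> probe outcome."""
    site_name = obs[("site", "name")]      # site's IP, site name in the request
    site_ip = obs[("site", "ip")]          # site's IP, IP address instead of the name
    other_name = obs[("control", "name")]  # unrelated server, site name in the request
    if site_name == "response":
        return "not blocked"
    if site_name != "reset":
        return "inconclusive"
    if site_ip == "response" and other_name == "reset":
        return "content filter on the site name (DPI)"
    if site_ip == "response":
        return "filter on site name and destination together"
    return "destination-based block or server fault"

def blocked_networks(per_as):
    """Return the AS labels whose probes show the name-triggered reset pattern."""
    return sorted(asn for asn, obs in per_as.items()
                  if classify(obs).startswith("content filter"))

# Constructed sample results, shaped like the findings reported on this page.
DPI = {("site", "name"): "reset", ("site", "ip"): "response",
       ("control", "name"): "reset"}
OPEN = {("site", "name"): "response", ("site", "ip"): "response",
        ("control", "name"): "response"}
SAMPLE = {"AS45356": DPI, "AS9329": DPI, "AS18001": OPEN, "AS8966": OPEN}

if __name__ == "__main__":
    print(blocked_networks(SAMPLE))
```

The reset seen against an unrelated server is what separates inspection of the request content from a block on the site's address.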
How to reach the site?
As a quick measure to bypass such filtering we have enforced secure connections to the website, and we advise all readers to reach the site using HTTPS.
*DPI club – Deep Packet Inspection (and filtering) enables advanced network management to implement internet censorship. See http://en.wikipedia.org/wiki/Deep_packet_inspection