Continuing its undeclared war on the media, the Sri Lankan government of President Mahinda Rajapaksa has blocked the Colombo Telegraph in Sri Lanka, this time through the privately owned telecommunication companies Dialog and Etisalat, further depriving the people of their right to information.
What is Colombo Telegraph?
Colombo Telegraph is strictly a public interest website relating to Sri Lankan matters and is run completely voluntarily by a group of exiled journalists. The site gives space to a wide range of political views and censored or underreported stories. Colombo Telegraph has the honour of being the first and only Sri Lankan site to be approved for inclusion in “Guardian Select”. It was checked and approved for Guardian Select membership by Guardian editorial. Guardian Select brings together the very best independent publishers from across the web.
Chapter 1: HTTP connections reset at Mobitel and Sri Lanka Telecom
Starting on Friday, 23rd of August 2013, a large number of connections to https://www.colombotelegraph.com were failing. Readers of the website started to report that the site was not available inside Sri Lanka from some Internet providers.
As the server has been blocked in the past, it was reasonable to believe that blocking was taking place once again. In order to verify the cause of the problem we checked 500 different connections inside of Sri Lanka to see from where such blocking was taking place.
From our analysis we determined that connections from AS45356 and AS9329 were blocked.
The blocking implemented at Mobitel and Sri Lanka Telecom consists of resetting the readers' connections. More technical information on the blocking can be found here.
Chapter 2: DNS responses are tampered with by Etisalat and Dialog
On the 7th of January and the 10th of February 2014 we observed a large drop in traffic coming from Dialog LK and Etisalat.
Drop of traffic from Etisalat (10th February 2014) and Dialog (7th January 2014)
A closer look into the Etisalat connections shows that traffic drops at around 10 AM, the 10th February 2014
One interesting fact is that the traffic dropped 90% but not completely. After obtaining traffic samples inside of the country we determined that both Etisalat and Dialog are impersonating DNS responses for the colombotelegraph.com domain name.
Etisalat claims that the name server of colombotelegraph.com is ns2.tigo.lk
- A request to one of their name servers provides this response
dig ns @203.189.X.X colombotelegraph.com
colombotelegraph.com. 86400 IN NS ns2.tigo.lk.
Both ns2.tigo.lk and ns2.etisalat.lk are hosted on the same IP address, 18.104.22.168
- Requests for the domain colombotelegraph.com are answered with the IP address 127.0.0.1, while requests for any subdomain such as www.colombotelegraph.com are answered with the DNS response “No such name”
- Requests for the SOA record from the DNS server
dig soa @203.189.X.X cOlombotelEgrapH.cOM
cOlombotelEgrapH.cOM. 86400 IN SOA ns2.tigo.lk. root.cOlombotelEgrapH.cOM. 45 10800 900 604800 86400
An interesting result of the testing is that the SOA record is also tampered with and follows the “capitalization rules” of the request: the mixed-case spelling of the queried name is copied into the returned record.
Dialog also tampers with the DNS responses, as Etisalat does, but the implementation of this blocking technique seems to have a different fingerprint.
- Dialog also claims that its servers are the name servers of colombotelegraph.com
dig ns @122.255.X.X colombotelegraph.com
colombotelegraph.com. 86400 IN NS ns2.dialogsl.net.
colombotelegraph.com. 86400 IN NS ns1.dialogsl.net.
- colombotelegraph.com and www.colombotelegraph.com are both resolved with IP 127.0.0.1
dig @122.255.X.X colombotelegraph.com
colombotelegraph.com. 86393 IN A 127.0.0.1
dig @122.255.X.X www.colombotelegraph.com
www.colombotelegraph.com. 86287 IN A 127.0.0.1
- The SOA records provided by Dialog do not follow the capitalization of the request and always contain the date 2010092701 in the serial field
colombotelegrapH.com. 86400 IN SOA ns1.dialogsl.net. root.dialogsl.net. 2010092701 900 3600 2592000 86400
Summary and Conclusions
The following table summarizes the DNS tampering implemented by Dialog and Etisalat. Although both providers use DNS as a means to block the site, the implementations are different.
Traffic analysis shows that the Dialog LK implementation might consist of impersonating the colombotelegraph.com zone and serving the colombotelegraph.com and www.colombotelegraph.com A records as 127.0.0.1.
The Etisalat implementation exhibits a completely different behavior and points to the presence of dedicated hardware with Deep Packet Inspection capabilities.
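The fingerprints compared above can be checked mechanically against dig answer lines. The following Python sketch is an added example, not part of the original analysis; the record lines are the ones quoted in this article, while EXPECTED_NS holds placeholder names standing in for the domain's real name servers, which the article does not list.

```python
import ipaddress

# Assumption: placeholder names for the name servers the site owner really uses.
EXPECTED_NS = {"ns1.example.net.", "ns2.example.net."}

def parse_rr(line):
    """Split one dig answer line into (owner, ttl, type, rdata)."""
    owner, ttl, _cls, rtype, rdata = line.split(None, 4)
    return owner, int(ttl), rtype.upper(), rdata.strip()

def fingerprint(qname, answer_lines, expected_ns=EXPECTED_NS):
    """Return the tampering indicators seen in answers to a query for qname."""
    findings = set()
    asked = qname.rstrip(".")
    for line in answer_lines:
        _owner, _ttl, rtype, rdata = parse_rr(line)
        if rtype == "A" and ipaddress.ip_address(rdata).is_loopback:
            findings.add("loopback-A")            # public name resolved to 127.0.0.0/8
        elif rtype == "NS" and rdata.lower() not in expected_ns:
            findings.add("foreign-NS")            # resolver claims a different delegation
        elif rtype == "SOA":
            mname, rname = rdata.split()[:2]
            if mname.lower() not in expected_ns:
                findings.add("foreign-SOA")
            # A stored zone has one fixed rname. If the query's mixed case shows
            # up inside it, the record was synthesized from the request itself.
            if asked != asked.lower() and asked in rname:
                findings.add("soa-echoes-query-case")
    return findings

def run_samples():
    """Classify the answers quoted in the article, keyed by provider and query."""
    return {
        "etisalat-ns": fingerprint("colombotelegraph.com",
            ["colombotelegraph.com. 86400 IN NS ns2.tigo.lk."]),
        "etisalat-soa": fingerprint("cOlombotelEgrapH.cOM",
            ["cOlombotelEgrapH.cOM. 86400 IN SOA ns2.tigo.lk. "
             "root.cOlombotelEgrapH.cOM. 45 10800 900 604800 86400"]),
        "dialog-a": fingerprint("www.colombotelegraph.com",
            ["www.colombotelegraph.com. 86287 IN A 127.0.0.1"]),
        "dialog-soa": fingerprint("colombotelegrapH.com",
            ["colombotelegrapH.com. 86400 IN SOA ns1.dialogsl.net. "
             "root.dialogsl.net. 2010092701 900 3600 2592000 86400"]),
    }

if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, sorted(result))
```

Sending the same name with mixed capitalization is what separates the two fingerprints: the Etisalat answer copies the query's case into the SOA rname, while the Dialog answer returns a fixed record.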
History of Colombo Telegraph blocking
First – December 26, 2011 – We are blocked but we will not be stopped
Second – May 8, 2012 – Colombo Telegraph Blocked Again
Fourth – August 23, 2013 – Colombo Telegraph Blocked, How To Reach Us Now: Sri Lanka Telecom And Mobitel Joins The DPI Club!