Thousands of Websites are collaterally blocked in Egypt

Date : Sunday, 19 May, 2019

Digital Rights

By: Mohammad El-Taher

This report presents an analysis of a blocking technique that Egyptian authorities have used to prevent internet users from accessing some websites. There are several blocking techniques that have been used in Egypt. However, this report focuses only on the blocking of the Transmission Control Protocol and Internet Protocol (TCP/IP). Since this type of blocking affects many other websites that are not targeted with blocking.

TCP/IP blocking technique is to ban data flowing between users and the IP address of a particular hosting server of the targeted website. This means that all other hosted websites on the server will be blocked too.

AFTE has previously released several reports on the state of internet censorship in Egypt, you can find them on the following links;

In this report, a set of technical tools have been used to check on blocking particular IP Addresses of some blocked websites in Egypt since May 24, 2019.

All of the checking tests in this report conducted via an internet service provided by Egyptian Telecommunication Company (TE data). These tests are likely to vary depending on the internet service provider.

Report at hand presents testing results of the following IP Addresses;

Website	IP Address
Al Borsa News Daily News Egypt	104.24.18.24
Fakar tany	188.121.43.37
Egypt Daily News	216.97.237.25
Alaraby Aljadeed	152.195.32.173
Arabic Observatory of Media Freedom	108.179.242.132
Batel’Void’ campagin’s websites	104.198.14.52

The Primary Results

The following results are likely to differ by time, increase or decrease, for many reasons. Websites might change their hosting server or use Content Delivery Network techniques (CDN). the internet service providers may replace the (TCP/IP) banning with another different blocking technique.

Website	IP Address	The probable number of collaterally blocked websites
Al Borsa, Daily News Egypt	104.24.18.24	18
Fakar tany	188.121.43.37	161
Egypt Daily News	216.97.237.25	124
Al Araby Al Gadid	152.195.32.173	9
Arabic Observatory of Media Freedom	108.179.242.132	43
Batel’Void’ campagin’s websites	104.198.14.52	26175

The Testing Tools

The following tools were used in collecting and analyzing the data of the aforementioned IP Addresses and domains;

Ooniprobe : A free software, global observation network for detecting censorship, surveillance and traffic manipulation on the internet. This tool can check websites blocking.
Telnet, Curl and NC: To check the TCP connection of the examined IP Addresses and domains.
Check host and KeyCDN: To conduct primary checks on the examined IP addresses and domains accessibility out of Egypt.
Crips: To conduct the Reverse IP Lookup process which gathers all the domains hosted by a specific IP Address.
Outline VPN : to compare connectivity results between the regular connection and the Virtual Private Network connection (VPN).
Securry: to conduct Reverse DNS lookup process on a group of domains.
Geek Flare: to conduct Reverse DNS lookup on a particular domain.
DNSlytics: to gather data on a particular IP address or domain.

The Testing Process

This report comes in the context of AFTE’s monitoring of the internet censorship state in Egypt since 2017. So, the checking process of this report as following;

Rechecking the blocked websites since May 2017 till now, according to AFTE’s monitoring list of the blocked websites, using Ooniprobe software.
Ooniprobe’s Web connectivity testing results have identified some websites links that blocked via TCP/IP banning. Then we extracted the primary data of each domain including their IP addresses.
Ooniprobe’s TCP Connect test was used on the preselected IP addresses to confirm the blocking.
Check host and KeyCDN were used via VPN connection to confirm that these IP addresses are normally accessible in more than 15 other countries. In order to minimize the possibility of servers errors or Geo-blocking.
Crips was used to identify the domains share the same IP address from the examined IPs.
Securry was used to look up the DNS data of every identified domain by Crips, then, the domains have a different IP address from the selected testing sample were excluded.
Ooniprobe’s Web connectivity test was applied on the list generated by Crips after excluding the domains with IP addresses out of the testing sample.
Telnet, Curl, and NC were used to check the TCP connection of the examined IP addresses. Via a regular internet service provided by Te Data and a VPN to compare the results.

The Results

First: the blocking of Batel “Void” campaign’s website caused 26175 collateral banned websites

Batel’s website uses 104.198.14.52 domain which refers to IP: 104.198.14.52
Another 26175 domains share the same IP 104.198.14.52. And by testing a sample of these domains, there is a significant probability to be all blocked too.
TCP connection failed when testing the IP address or any of its domains via a regular internet service connection, however it is accessible via VBN connection.
All websites that share the IP address 104.198.14.52 are likely blocked in Egypt (26175 domain including Batel’s websites)

Note: 8037 identified domains by Crips have been denied from testing as thier DNS showed a diffirent IP address. All subdomains fall under the main IP address were deleted from the testing list.

The Batel campaign announced its first website via its Facebook and Twitter accounts on April 8, 2019, for a petition against the constitutional amendments. They used (voiceonline.net) domain. On April 9, the website has been blocked after only 13 hours of launching and amassing around 60000 signatures, according to the campaign’s official Facebook page.
Then, to work around the website blocking, Batel campaign announced on its Facebook and Twitter accounts that the petition is available on Telegram application on this link: https://t.me/batel_2034bot
On April 9, Netblocks tests showed that (voiceonline.net) domain was blocked in Sudan and some users in Saudia Arabia reported inaccessibility of the website but AFTE couldn’t reconfirm these results.
On April 10, the campaign announced on its Facebook page four hacking attempts and despite the blocking, they managed to reach 79000 signatures. They also launched alternative new domain batel2034.net to work around the blocking.
On April 11, after the campaign announcement of reaching 100000 signatures, the new domain was blocked but Batel campaigners added the availability of petitioning via Facebook Messenger through this link: https://m.me/batel2034
Batel activists have kept launching alternative domains to overcome the blocking. The following table illustrates the ten launched domains:

Domain	registering date	Launching date	IP Address	Blocking date
voiceonline.net	April 7	April 8	104.198.14.52	voiceonline.net
batel2034.net	April 10	April 10	104.198.14.52	batel2034.net
myvoice2019.today	April 10	April 12	104.198.14.52	myvoice2019.today
masryaom.me	April 13	April 13	104.198.14.52	masryaom.me
dostorakbatel.today	April 13	April 14	54.72.135.216	dostorakbatel.today
sotna.today	April 15	April 15	99.81.59.163	sotna.today
34000sites.com	April 16	April 16	3.86.168.228	34000sites.com
sout1.us	April 17	April 17	3.210.90.207	sout1.us
helm1.us	April 17	April 17	3.210.90.207	helm1.us
hurreya.net	April 20	April 20	3.86.168.228	hurreya.net

Netblocks has stated that the Batel domains blocking caused a collateral blocking of 34000 other domains which shares the same IP Address. The tests showed this was occurred by the blocking of the following domains: voiceonline.net و batel2034.net and Myvoice2019.today

Corroborating of Netblocks’ numbers, during writing this report, we gathered all domains that share the same Batel’s IP Address and excluded the subdomains that share the same IP Address with their main domains. This came up with a list of 26175 domains which are likely blocked in Egypt because of Batel’s website blocking.
Starting from April 14, Batel’s activists have used Amazon Web Services (AWS), on the latest six domains, as an attempt to work around the blocking or to improve the access quality for the visitors.
We have noticed that Batel’s activists were already prepared for challenging the blocking with alternative domains since some domains registration dates precede launching dates. myvoice2019.today and helm1.us were registered two days before launching. Also, dostorakbatel.today and hurreya.net were one day before launching.

Secound: The blocking of Fakkar Tany website caused 261 collateral banned websites

Fakkar Tany website uses fakartany.com domain which refers to IP address: 188.121.43.37. This IP belongs to GoDaddy company which is considered one of the biggest companies provide web hosting services. Tests showed the blocking of this IP address.
Tests results show that the 279 domains which share the IP address:188.121.43.37 are likely blocked.
Testing this IP or any of its domains via regular internet connection resulted in TCP failure. However, there is a successful connection via VPN.
All domains that share IP:188.121.43.37 are likely blocked in Egypt (262 domains including Fakkar Tany).

Note: 17 extracted domains by Crips have been denied from testing as thier DNS showed a diffirent IP address. All subdomains fall under the main IP address were deleted from the testing list.

Third: The blocking of EgyptDailyNews website caused 125 collateral banned websites

EgyptDailyNews website uses egyptdailynews.com domain which refers to IP address: 216.97.237.25. This IP belongs to Lunarpages company which provides web hosting services.
Tests resultes show that the 156 domains which share the IP adress:216.97.237.25 are likely blocked.
Testing this IP or any of its domains via regular internet connection resulted in TCP failure. However, there is a successful connection via VPN, using the same checking tools.
All domains that share IP:216.97.237.25 are likely blocked in Egypt ( 125 domains including EgyptDailyNews).

Note: 31 extracted domains by Crips have been denied from testing as thier DNS showed a diffirent IP address. All subdomains fall under the main IP address were deleted from the testing list.

Fourth: the blocking of Arabic Observatory of Media Freedom website caused 44 collateral banned websites

The Arabic Observatory of Media Freedom website uses ikshef.com, ikshef.net and ikshef.org domains which refer to IP address: 108.179.242.132.
Tests results show that the 40 domains which share the IP address:108.179.242.132 are possibly blocked due to tcp_ip.
All domains that share IP:108.179.242.132 are likely blocked in Egypt ( 40 domains including 3 domains of Arabic Observatory of Media Freedom).

Note: 220 extracted domains by Crips have been denied from testing as thier DNS showed a diffirent IP address. All subdomains fall under the main IP address were deleted from the testing list.

Fifth: The blocking of Al BorsaNews and DailyNewsEgypt websites caused 18 collateral banned websites

Al BorsaNews and DailyNewsEgypt websites use Dailynewsegypt.com and Alborsanews.com domains which refer to IP address: 104.24.18.24 which is blocked according to tests results.
Tests resultes show that 20 domains which share the IP adress:104.24.18.24 are likely blocked.
Testing this IP or any of its domains via regular internet connection resulted in TCP failure. However, there is a successful connection via VPN, using the same checking tools.
All domains that share IP:104.24.18.24 are likely blocked in Egypt ( 20 domains including AlBorsaNews and DailyNewsEgypt).

Note: 6 extracted domains by Crips have been denied from testing as thier DNS showed a diffirent IP address. All subdomains fall under the main IP address were deleted from the testing list.

Sixth: The blocking of Alaraby Aljadeed website

AlarabyAljadeed website uses alarabyaljadeed.co.uk domain which refers to IP address: 152.195.32.173. This is the first website has been blocked in Egypt.
Tests results show that 10 domains which share the IP address:152.195.32.173 are likely blocked.
Testing this IP or any of its domains via regular internet connection resulted in TCP failure. However, there is a successful connection via VPN, using same checking tools.
All domains that share IP:152.195.32.173 are likely blocked in Egypt ( 10 domains including AlarabyAljadeed domain).
It is noteworthy that AlModon and UltraSound websites (ultrasawt.com – almodon.com) tests have different results in comparison with the other domains. Also, they have been blocked later than AlarabyAljadeed. So, we can infer that they have been intentionally blocked.

Latest Update

AFTE condemns the detention of Rajia Omran, Chairwoman of its Board of Trustees, after she participates in a solidarity event with women in Palestine

AFTE’s Weekly Legal Bulletin (14:21 April 2024)|: Continuing the detention of two accused of demonstrating in solidarity with Palestine, the Criminal court renewed the imprisonment of a human rights lawyer and a student, and Shebin Al-Qanater’s misdemeanor acquitted Ahmed Al-Sawaf of the charge of escaping from police surveillance

AFTE files a lawsuit against the Faculty of Arts at Banha University for its refusal to appoint a teaching assistant despite her eligibility

AFTE’s Weekly Legal Bulletin (7:14 April 2024)|: Release of two defendants who were arrested for participating in pro-Gaza demonstrations in front of the Journalists Syndicate and renewal of the detention of a mosque’s custodian pending investigations

Supreme State Security releases Ahmed Abdel Karim after his arrest for participating in a protest against the war in Gaza

State Security Prosecution Released Mustafa Ramadan who is imprisoned due to his participation in a demonstration of solidarity with Palestine in front of the Journalists Syndicate