By: Mohammad El-Taher
This report presents an analysis of a blocking technique that Egyptian authorities have used to prevent internet users from accessing some websites. There are several blocking techniques that have been used in Egypt. However, this report focuses only on the blocking of the Transmission Control Protocol and Internet Protocol (TCP/IP). Since this type of blocking affects many other websites that are not targeted with blocking.
TCP/IP blocking technique is to ban data flowing between users and the IP address of a particular hosting server of the targeted website. This means that all other hosted websites on the server will be blocked too.
AFTE has previously released several reports on the state of internet censorship in Egypt, you can find them on the following links;
- Decision from an Unknown Body: On blocking websites in Egypt
- Occasionally by Decree.. Update on the Block of Websites in Egypt
- Closing Windows.. Censorship of the Internet in Egypt
- By Court Ruling…A Reading in the “YouTube” Block Ruling
In this report, a set of technical tools have been used to check on blocking particular IP Addresses of some blocked websites in Egypt since May 24, 2019.
Report at hand presents testing results of the following IP Addresses;
Website | IP Address |
Al Borsa News
Daily News Egypt |
104.24.18.24 |
Fakar tany | 188.121.43.37 |
Egypt Daily News | 216.97.237.25 |
Alaraby Aljadeed | 152.195.32.173 |
Arabic Observatory of Media Freedom | 108.179.242.132 |
Batel’Void’ campagin’s websites | 104.198.14.52 |
The Primary Results
The following results are likely to differ by time, increase or decrease, for many reasons. Websites might change their hosting server or use Content Delivery Network techniques (CDN). the internet service providers may replace the (TCP/IP) banning with another different blocking technique.
Website | IP Address | The probable number of collaterally blocked websites |
Al Borsa, Daily News Egypt | 104.24.18.24 | 18 |
Fakar tany | 188.121.43.37 | 161 |
Egypt Daily News | 216.97.237.25 | 124 |
Al Araby Al Gadid | 152.195.32.173 | 9 |
Arabic Observatory of Media Freedom | 108.179.242.132 | 43 |
Batel’Void’ campagin’s websites | 104.198.14.52 | 26175 |
The Testing Tools
The following tools were used in collecting and analyzing the data of the aforementioned IP Addresses and domains;
- Ooniprobe : A free software, global observation network for detecting censorship, surveillance and traffic manipulation on the internet. This tool can check websites blocking.
- Telnet, Curl and NC: To check the TCP connection of the examined IP Addresses and domains.
- Check host and KeyCDN: To conduct primary checks on the examined IP addresses and domains accessibility out of Egypt.
- Crips: To conduct the Reverse IP Lookup process which gathers all the domains hosted by a specific IP Address.
- Outline VPN : to compare connectivity results between the regular connection and the Virtual Private Network connection (VPN).
- Securry: to conduct Reverse DNS lookup process on a group of domains.
- Geek Flare: to conduct Reverse DNS lookup on a particular domain.
- DNSlytics: to gather data on a particular IP address or domain.
The Testing Process
This report comes in the context of AFTE’s monitoring of the internet censorship state in Egypt since 2017. So, the checking process of this report as following;
- Rechecking the blocked websites since May 2017 till now, according to AFTE’s monitoring list of the blocked websites, using Ooniprobe software.
- Ooniprobe’s Web connectivity testing results have identified some websites links that blocked via TCP/IP banning. Then we extracted the primary data of each domain including their IP addresses.
- Ooniprobe’s TCP Connect test was used on the preselected IP addresses to confirm the blocking.
- Check host and KeyCDN were used via VPN connection to confirm that these IP addresses are normally accessible in more than 15 other countries. In order to minimize the possibility of servers errors or Geo-blocking.
- Crips was used to identify the domains share the same IP address from the examined IPs.
- Securry was used to look up the DNS data of every identified domain by Crips, then, the domains have a different IP address from the selected testing sample were excluded.
- Ooniprobe’s Web connectivity test was applied on the list generated by Crips after excluding the domains with IP addresses out of the testing sample.
- Telnet, Curl, and NC were used to check the TCP connection of the examined IP addresses. Via a regular internet service provided by Te Data and a VPN to compare the results.
The Results
First: the blocking of Batel “Void” campaign’s website caused 26175 collateral banned websites
- Batel’s website uses 104.198.14.52 domain which refers to IP: 104.198.14.52
- Another 26175 domains share the same IP 104.198.14.52. And by testing a sample of these domains, there is a significant probability to be all blocked too.
- TCP connection failed when testing the IP address or any of its domains via a regular internet service connection, however it is accessible via VBN connection.
- All websites that share the IP address 104.198.14.52 are likely blocked in Egypt (26175 domain including Batel’s websites)
- The Batel campaign announced its first website via its Facebook and Twitter accounts on April 8, 2019, for a petition against the constitutional amendments. They used (voiceonline.net) domain. On April 9, the website has been blocked after only 13 hours of launching and amassing around 60000 signatures, according to the campaign’s official Facebook page.
- Then, to work around the website blocking, Batel campaign announced on its Facebook and Twitter accounts that the petition is available on Telegram application on this link: https://t.me/batel_2034bot
- On April 9, Netblocks tests showed that (voiceonline.net) domain was blocked in Sudan and some users in Saudia Arabia reported inaccessibility of the website but AFTE couldn’t reconfirm these results.
- On April 10, the campaign announced on its Facebook page four hacking attempts and despite the blocking, they managed to reach 79000 signatures. They also launched alternative new domain batel2034.net to work around the blocking.
- On April 11, after the campaign announcement of reaching 100000 signatures, the new domain was blocked but Batel campaigners added the availability of petitioning via Facebook Messenger through this link: https://m.me/batel2034
- Batel activists have kept launching alternative domains to overcome the blocking. The following table illustrates the ten launched domains:
Domain | registering date | Launching date | IP Address | Blocking date |
voiceonline.net | April 7 | April 8 | 104.198.14.52 | voiceonline.net |
batel2034.net | April 10 | April 10 | 104.198.14.52 | batel2034.net |
myvoice2019.today | April 10 | April 12 | 104.198.14.52 | myvoice2019.today |
masryaom.me | April 13 | April 13 | 104.198.14.52 | masryaom.me |
dostorakbatel.today | April 13 | April 14 | 54.72.135.216 | dostorakbatel.today |
sotna.today | April 15 | April 15 | 99.81.59.163 | sotna.today |
34000sites.com | April 16 | April 16 | 3.86.168.228 | 34000sites.com |
sout1.us | April 17 | April 17 | 3.210.90.207 | sout1.us |
helm1.us | April 17 | April 17 | 3.210.90.207 | helm1.us |
hurreya.net | April 20 | April 20 | 3.86.168.228 | hurreya.net |
- Netblocks has stated that the Batel domains blocking caused a collateral blocking of 34000 other domains which shares the same IP Address. The tests showed this was occurred by the blocking of the following domains: voiceonline.net و batel2034.net and Myvoice2019.today
- Corroborating of Netblocks’ numbers, during writing this report, we gathered all domains that share the same Batel’s IP Address and excluded the subdomains that share the same IP Address with their main domains. This came up with a list of 26175 domains which are likely blocked in Egypt because of Batel’s website blocking.
- Starting from April 14, Batel’s activists have used Amazon Web Services (AWS), on the latest six domains, as an attempt to work around the blocking or to improve the access quality for the visitors.
- We have noticed that Batel’s activists were already prepared for challenging the blocking with alternative domains since some domains registration dates precede launching dates. myvoice2019.today and helm1.us were registered two days before launching. Also, dostorakbatel.today and hurreya.net were one day before launching.
Secound: The blocking of Fakkar Tany website caused 261 collateral banned websites
- Fakkar Tany website uses fakartany.com domain which refers to IP address: 188.121.43.37. This IP belongs to GoDaddy company which is considered one of the biggest companies provide web hosting services. Tests showed the blocking of this IP address.
- Tests results show that the 279 domains which share the IP address:188.121.43.37 are likely blocked.
- Testing this IP or any of its domains via regular internet connection resulted in TCP failure. However, there is a successful connection via VPN.
- All domains that share IP:188.121.43.37 are likely blocked in Egypt (262 domains including Fakkar Tany).
Third: The blocking of EgyptDailyNews website caused 125 collateral banned websites
- EgyptDailyNews website uses egyptdailynews.com domain which refers to IP address: 216.97.237.25. This IP belongs to Lunarpages company which provides web hosting services.
- Tests resultes show that the 156 domains which share the IP adress:216.97.237.25 are likely blocked.
- Testing this IP or any of its domains via regular internet connection resulted in TCP failure. However, there is a successful connection via VPN, using the same checking tools.
- All domains that share IP:216.97.237.25 are likely blocked in Egypt ( 125 domains including EgyptDailyNews).
Fourth: the blocking of Arabic Observatory of Media Freedom website caused 44 collateral banned websites
- The Arabic Observatory of Media Freedom website uses ikshef.com, ikshef.net and ikshef.org domains which refer to IP address: 108.179.242.132.
- Tests results show that the 40 domains which share the IP address:108.179.242.132 are possibly blocked due to tcp_ip.
- All domains that share IP:108.179.242.132 are likely blocked in Egypt ( 40 domains including 3 domains of Arabic Observatory of Media Freedom).
Note: 220 extracted domains by Crips have been denied from testing as thier DNS showed a diffirent IP address. All subdomains fall under the main IP address were deleted from the testing list.
Fifth: The blocking of Al BorsaNews and DailyNewsEgypt websites caused 18 collateral banned websites
- Al BorsaNews and DailyNewsEgypt websites use Dailynewsegypt.com and Alborsanews.com domains which refer to IP address: 104.24.18.24 which is blocked according to tests results.
- Tests resultes show that 20 domains which share the IP adress:104.24.18.24 are likely blocked.
- Testing this IP or any of its domains via regular internet connection resulted in TCP failure. However, there is a successful connection via VPN, using the same checking tools.
- All domains that share IP:104.24.18.24 are likely blocked in Egypt ( 20 domains including AlBorsaNews and DailyNewsEgypt).
Sixth: The blocking of Alaraby Aljadeed website
- AlarabyAljadeed website uses alarabyaljadeed.co.uk domain which refers to IP address: 152.195.32.173. This is the first website has been blocked in Egypt.
- Tests results show that 10 domains which share the IP address:152.195.32.173 are likely blocked.
- Testing this IP or any of its domains via regular internet connection resulted in TCP failure. However, there is a successful connection via VPN, using same checking tools.
- All domains that share IP:152.195.32.173 are likely blocked in Egypt ( 10 domains including AlarabyAljadeed domain).
- It is noteworthy that AlModon and UltraSound websites (ultrasawt.com – almodon.com) tests have different results in comparison with the other domains. Also, they have been blocked later than AlarabyAljadeed. So, we can infer that they have been intentionally blocked.