Thousands of Websites are collaterally blocked in Egypt

Date : Sunday, 19 May, 2019
Facebook
Twitter

By: Mohammad El-Taher

This report presents an analysis of a blocking technique that Egyptian authorities have used to prevent internet users from accessing some websites. There are several blocking techniques that have been used in Egypt. However,  this report focuses only on the blocking of the Transmission Control Protocol and Internet Protocol (TCP/IP). Since this type of blocking affects many other websites that are not targeted with blocking.

TCP/IP blocking technique is to ban data flowing between users and the IP address of a particular hosting server of the targeted website. This means that all other hosted websites on the server will be blocked too.

AFTE has previously released several reports on the state of internet censorship in Egypt, you can find them on the following links;

 

In this report, a set of technical tools have been used to check on blocking particular IP Addresses of some blocked websites in Egypt since May 24, 2019.

All of the checking tests in this report conducted via an internet service provided by Egyptian Telecommunication Company (TE data). These tests are likely to vary depending on the internet service provider.

Report at hand presents testing results of the following IP Addresses;

Website IP Address
Al Borsa News

Daily News Egypt

104.24.18.24
Fakar tany 188.121.43.37
Egypt Daily News 216.97.237.25
Alaraby Aljadeed 152.195.32.173
Arabic Observatory of Media Freedom 108.179.242.132
Batel’Void’ campagin’s websites 104.198.14.52

 The Primary Results 

The following results are likely to differ by time, increase or decrease, for many reasons. Websites might change their hosting server or use Content Delivery Network techniques (CDN). the internet service providers may replace the (TCP/IP) banning with another different blocking technique.

Website IP Address The probable number of collaterally blocked websites
Al Borsa, Daily News Egypt 104.24.18.24 18
Fakar tany 188.121.43.37 161
Egypt Daily News 216.97.237.25 124
Al Araby Al Gadid 152.195.32.173 9
Arabic Observatory of Media Freedom 108.179.242.132 43
Batel’Void’ campagin’s websites 104.198.14.52 26175

 The Testing Tools 

The following tools were used in collecting and analyzing the data of the aforementioned IP Addresses and domains;

  • Ooniprobe : A free software, global observation network for detecting censorship, surveillance and traffic manipulation on the internet. This tool can check websites blocking.
  • Telnet, Curl and NC: To check the TCP connection of the examined IP Addresses and domains.
  • Check host and  KeyCDN: To conduct primary checks on the examined  IP addresses and domains accessibility out of Egypt.
  • Crips: To conduct the Reverse IP Lookup process which gathers all the domains hosted by a specific IP Address.
  • Outline VPN : to compare connectivity results between the regular connection and the Virtual Private Network connection (VPN).
  • Securry: to conduct Reverse DNS lookup process on a group of domains.
  • Geek Flare: to conduct Reverse DNS lookup on a particular domain.
  • DNSlytics: to gather data on a particular IP address or domain.

 The Testing Process

This report comes in the context of AFTE’s monitoring of the internet censorship state in Egypt since 2017. So, the checking process of this report as following;

  • Rechecking the blocked websites since May 2017 till now, according to AFTE’s monitoring list of the blocked websites,  using Ooniprobe software.
  • Ooniprobe’s  Web connectivity testing results have identified some websites links that blocked via TCP/IP banning. Then we extracted the primary data of each domain including their IP addresses.
  • Ooniprobe’s TCP Connect test was used on the preselected IP addresses to confirm the blocking.
  • Check host and  KeyCDN were used via VPN connection to confirm that these IP addresses are normally accessible in more than 15 other countries. In order to minimize the possibility of servers errors or Geo-blocking.
  • Crips was used to identify the domains share the same IP address from the examined IPs.
  • Securry was used to look up the DNS data of every identified domain by Crips, then, the domains have a different IP address from the selected testing sample were excluded.
  • Ooniprobe’s Web connectivity test was applied on the list generated by Crips after excluding the domains with IP addresses out of the testing sample.
  • Telnet, Curl, and  NC were used to check the TCP connection of the examined IP addresses. Via a regular internet service provided by Te Data and a VPN to compare the results.

 The Results

 First: the blocking of Batel “Void” campaign’s website caused 26175 collateral banned websites

  • Batel’s website uses 104.198.14.52 domain which refers to IP: 104.198.14.52
  • Another 26175 domains share the same IP 104.198.14.52. And by testing a sample of these domains, there is a significant probability to be all blocked too.
  • TCP connection failed when testing the IP address or any of its domains via a regular internet service connection, however it is accessible via VBN connection.
  • All websites that  share the IP address 104.198.14.52 are likely blocked in Egypt (26175 domain including Batel’s websites)
Note: 8037 identified domains by Crips have been denied from testing as thier DNS showed a diffirent IP address. All subdomains fall under the main IP address were deleted from the testing list.
  • The Batel campaign announced its first website via its Facebook and Twitter accounts on April 8, 2019, for a petition against the constitutional amendments. They used (voiceonline.net) domain. On April 9, the website has been blocked after only 13 hours of launching and amassing around 60000 signatures, according to the campaign’s official Facebook page.
  • Then, to work around the website blocking, Batel campaign announced on its Facebook and Twitter accounts that the petition is available on Telegram application on this link: https://t.me/batel_2034bot
  • On April 9, Netblocks tests showed that (voiceonline.net) domain was blocked in Sudan and some users in Saudia Arabia reported inaccessibility of the website but AFTE couldn’t reconfirm these results.
  • On April 10, the campaign announced on its Facebook page four hacking attempts and despite the blocking, they managed to reach 79000 signatures. They also launched alternative new domain batel2034.net to work around the blocking.
  • On April 11, after the campaign announcement of reaching 100000 signatures,  the new domain was blocked but Batel campaigners added the availability of petitioning via Facebook Messenger through this link: https://m.me/batel2034
  • Batel activists have kept launching alternative domains to overcome the blocking. The following table illustrates the ten launched domains:

 

Domain registering date Launching date IP Address Blocking date
voiceonline.net April 7 April 8 104.198.14.52 voiceonline.net
batel2034.net April 10 April 10 104.198.14.52 batel2034.net
myvoice2019.today April 10 April 12 104.198.14.52 myvoice2019.today
masryaom.me April 13 April 13 104.198.14.52 masryaom.me
dostorakbatel.today April 13 April 14 54.72.135.216 dostorakbatel.today
sotna.today April 15 April 15 99.81.59.163 sotna.today
34000sites.com April 16 April 16 3.86.168.228 34000sites.com
sout1.us April 17 April 17 3.210.90.207 sout1.us
helm1.us April 17 April 17 3.210.90.207 helm1.us
hurreya.net April 20 April 20 3.86.168.228 hurreya.net

 

  • Netblocks has stated that the Batel domains blocking caused a collateral blocking of 34000 other domains which shares the same IP Address. The tests showed this was occurred by the blocking of the following domains: voiceonline.net و batel2034.net and Myvoice2019.today
  • Corroborating of Netblocks’ numbers, during writing this report, we gathered all domains that share the same Batel’s IP Address and excluded the subdomains that share the same IP Address with their main domains. This came up with a list of 26175 domains which are likely blocked in Egypt because of Batel’s website blocking.
  • Starting from April 14, Batel’s activists have used Amazon Web Services (AWS), on the latest six domains, as an attempt to work around the blocking or to improve the access quality for the visitors.
  • We have noticed that Batel’s activists were already prepared for challenging the blocking with alternative domains since some domains registration dates precede launching dates. myvoice2019.today and helm1.us were registered two days before launching. Also, dostorakbatel.today and  hurreya.net were one day before launching.

 Secound: The blocking of Fakkar Tany website caused 261 collateral banned websites

  • Fakkar Tany website uses fakartany.com domain which refers to IP address: 188.121.43.37. This IP belongs to GoDaddy company which is considered one of the biggest companies provide web hosting services. Tests showed the blocking of this IP address.
  • Tests results show that the 279 domains which share the IP address:188.121.43.37 are likely blocked.
  • Testing this IP or any of its domains via regular internet connection resulted in TCP failure. However, there is a successful connection via VPN.
  • All domains that share IP:188.121.43.37 are likely blocked in Egypt (262 domains including Fakkar Tany).
Note: 17 extracted domains by Crips have been denied from testing as thier DNS showed a diffirent IP address. All subdomains fall under the main IP address were deleted from the testing list.

 Third: The blocking of EgyptDailyNews website caused 125 collateral banned websites

  • EgyptDailyNews website uses egyptdailynews.com domain which refers to IP address: 216.97.237.25. This IP belongs to Lunarpages company which provides web hosting services.
  • Tests resultes show that the 156 domains which share the IP adress:216.97.237.25 are likely blocked.
  • Testing this IP or any of its domains via regular internet connection resulted in TCP failure. However, there is a successful connection via VPN, using the same checking tools.
  • All domains that share IP:216.97.237.25 are likely blocked in Egypt ( 125 domains including EgyptDailyNews).
Note: 31 extracted domains by Crips have been denied from testing as thier DNS showed a diffirent IP address. All subdomains fall under the main IP address were deleted from the testing list.

 Fourth: the blocking of Arabic Observatory of Media Freedom website caused 44 collateral banned websites

  • The Arabic Observatory of Media Freedom website uses ikshef.com, ikshef.net and ikshef.org domains which refer to IP address: 108.179.242.132.
  • Tests results show that the 40 domains which share the IP address:108.179.242.132 are possibly blocked due to tcp_ip.
  • All domains that share IP:108.179.242.132  are likely blocked in Egypt ( 40 domains including 3 domains of  Arabic Observatory of Media Freedom).

Note: 220 extracted domains by Crips have been denied from testing as thier DNS showed a diffirent IP address. All subdomains fall under the main IP address were deleted from the testing list.

 Fifth: The blocking of Al BorsaNews and DailyNewsEgypt websites caused 18 collateral banned websites

  • Al BorsaNews and DailyNewsEgypt websites use Dailynewsegypt.com and Alborsanews.com  domains which refer to IP address: 104.24.18.24 which is blocked according to tests results.
  • Tests resultes show that 20 domains which share the IP adress:104.24.18.24 are likely blocked.
  • Testing this IP or any of its domains via regular internet connection resulted in TCP failure. However, there is a successful connection via VPN, using the same checking tools.
  • All domains that share IP:104.24.18.24 are likely blocked in Egypt ( 20 domains including AlBorsaNews and DailyNewsEgypt).
Note: 6 extracted domains by Crips have been denied from testing as thier DNS showed a diffirent IP address. All subdomains fall under the main IP address were deleted from the testing list.

 Sixth: The blocking of Alaraby Aljadeed website

  • AlarabyAljadeed website uses alarabyaljadeed.co.uk domain which refers to IP address: 152.195.32.173.  This is the first website has been blocked in Egypt.
  • Tests results show that 10 domains which share the IP address:152.195.32.173  are likely blocked.
  • Testing this IP or any of its domains via regular internet connection resulted in TCP failure. However, there is a successful connection via VPN, using same checking tools.
  • All domains that share IP:152.195.32.173 are likely blocked in Egypt ( 10 domains including AlarabyAljadeed domain).
  • It is noteworthy that AlModon and UltraSound websites (ultrasawt.com – almodon.com) tests have different results in comparison with the other domains. Also, they have been blocked later than AlarabyAljadeed. So, we can infer that they have been intentionally blocked.

To subscribe to AFTE’s monthly newsletter

leave your email address below