Leaked paper sheds light on filtering failures

ACMA filter trial blocked YouTube, DNS poisoning discussed

A technology whitepaper by ISP Watchdog, which specialises in supplying filtered internet access, is pointing to several problems with official Net censorship trials in Australia and New Zealand. The whitepaper was published on whistleblower site Wikileaks and contains Watchdog’s recommendations for managing URL (Uniform Resource Locator) lists to block sites containing images of child sexual abuse. Among the issues that affected the Australian Communications and Media Authority (ACMA) trial were URLs with question marks or ones that were longer than 200 characters. The first problem blocked all YouTube URLs in the ACMA trial. The question mark problem was solved with a firmware upgrade, the document says, and the long URLs one with a redirect to shorter links. YouTube URLs continue to be problematic to block for hybrid Border Gateway Protocol (BGP) filtering systems such as the NetClean Whitebox that the New Zealand Department of Internet Affairs uses, and through which most of the country’s ISPs will filter their internet traffic. High traffic sites such as YouTube “can seriously affect the performance” of systems such as NetClean Whitebox, the document says. A further traffic-related issue was discovered this year when the Internet Watch Foundation added a URL to block an image on Wikipedia to its list. BT’s Cleanfeed system, and possibly others, pass filtered traffic through a proxy server that modifies requests to web servers, replacing the ISP user’s IP address with one of its own. Wikipedia saw a large amount of traffic from a single IP address and interpreted this as an attack. All traffic from that single IP address was blocked by Wikipedia, resulting in access to the reference site being denied to customers of the ISP using the filter. In the end, IWF had to remove the URL from its list, admitting that it had added it in error, the document says. Poisoning of the domain name system (DNS) is used by most of the filtering systems described by the white paper, but not NetClean Whitebox as used by the DIA. DNS poisoning is a controversial technique that is used in internet attacks to divert traffic by subverting domain name queries, and returning incorrect IP addresses for them. Watchdog’s white paper says DNS poisoning systems cannot block parts of websites, only the entire domain. For this reason, DNS poisoning filter lists should only contain root domain names, the document recommends. It adds that it’s a risky practice if the domain in question contains material that shouldn’t be blocked as everything in a listed domain will be inaccessible. Security for distributing blocking lists is also touched upon in the Watchdog document that recommends encryption and authentication for safe access. Passwords to secure blocking list files and non-disclosure arguments to give managers legal redress in case of leaks are also recommended by Watchdog.

Join the newsletter!

Error: Please check your email address.

Tags Security ID

Show Comments