Last week, UK communications regulator OFCOM published a report which came to the conclusion that blocking ‘pirate’ websites would not be effective. The report contained a number of sensitive government redactions which were easily removed, effectively providing a comprehensive guide to bypass web blocking measures. Since the US government wants to adopt the same technical measures via the PROTECT IP Act, they too will be rendered ineffective using the same methods.
Last week UK business secretary Vince Cable confirmed that the website blocking provisions put in place under the country’s controversial Digital Economy Act would be abandoned. Communications regulator OFCOM had been asked to conduct a review to see if the system could work. Ultimately it found that the plans were unworkable.
Parts of the report produced by OFCOM were censored by the UK government but those restrictions, ironically, were easily bypassed. The net result is that the uncensored report provides a pretty decent guide on how Internet users are expected to bypass future website blocks and how ‘pirate’ site operators will attempt to help them. We offer a summary below.
What makes the assessment of OFCOM particularly interesting is that it shows how ineffective the anti-piracy plans of the US government are. According to the report, many of the censorship measures that are included in the PROTECT IP Act won’t be as effective as advertised.
Measures Users Can Take To Bypass Website Blocking Measures
— Use a Virtual Private Network (VPN)
The key to a VPN is that it hides a user’s traffic from their own ISP. Since ISPs will be the entities required to implement blocks, it necessarily follows that they cannot block VPN’d users accessing blocked sites if they cannot see what they’re doing.
OFCOM notes that any UK-based VPN services which facilitate access to a previously blocked site (say, Newzbin2 to give a current example) may also be required to comply with the terms of a blocking injunction. This means that subscribers to a UK-based VPN service could find that it is rendered useless. In order to avoid such a situation, users would need to subscribe to a non-UK VPN service.
— Change their DNS servers to those offered by 3rd parties
OFCOM states that in the event that a DNS block of a site is ordered, users can circumvent their own ISP’s blockade simply by changing to a DNS server operated by 3rd parties outside the UK.
Helpfully they also provide two examples – Google Public DNS and OpenDNS – both of which come with detailed instructions to get them working.
— Use an anonymous web proxy which is not reliant on UK ISP DNS servers
Foreign web proxy sites such as Kproxy and HideMyAss both offer free services which can be used to bypass DNS blocks.
OFCOM also says that the use of TOR (The Onion Router) would prove effective.
— Don’t use a remote DNS at all
Windows users can add IP address entries to their ‘hosts file’ which means that external DNS systems won’t even be consulted. Further information on the technicalities, provided by critics of US blocking, can be found here.
Another often-effective option is for a user to enter the IP address of a site directly into the URL bar of their browser.
Measures Site Operators Can Take To Bypass Bans
— Change the site’s IP address by moving host and manipulating TTL
In respect of IP address cycling, OFCOM also explains how TTL can be manipulated to assist with domain unblocking.
“When moving to a new IP address a site operator may register multiple IP addresses for a given site in order to maintain service in the event that some of those individual IP addresses are blocked,” OFCOM writes.
“Furthermore, Domain Name System (DNS) record value, determining the length of time that the IP address for a particular domain (expressed in seconds) remains in remote name server caches, it is easier for a site operator to move IP addresses without end users losing access. Where a low TTL is expressed the ISP DNS name server resolution cache is purged quickly thereby ensuring that newly assigned site IP addresses are retrieved from the authoritative name server and site accessibility is maintained.”
— Change domains and IP addresses
“Similarly, site operators may quickly mirror or make copies of a blocked site on new top level or country code domains pointing towards new IP addresses e.g. www.blockedsite.cc; www.blockedsite.ru; www.blockedsite.vn; www.blockedsite.net,” OFCOM explains.
— Facilitate user access to blocked site via Virtual Private Network (VPN)
Sites could offer an in-house VPN service to offer access to blocked users. However, in keeping with the VPN item in the section above, if they are deemed to be too closely associated with the blocked site in question, they too could be blocked via UK injunction. See the Pirate Bay and BTjunkie proxy-blocking cases in Italy for a practical example of how that can happen.
— Operate a so-called Fast Flux network
Fast Flux systems are often associated with malware, but can also be used to facilitate access to blocked sites. In very shallow detail, users of a blocked site could choose to operate a piece of software which would associate hundreds or thousands of IP addresses with a blocked site which could change as often as every few minutes. More technical detail here.
— Possible site operator counter-measures specific to URL blocking
OFCOM lists a number of techniques operators can use to circumvent blocks which target a site’s URL (i.e. Newzbin.com, ThePirateBay.org):
- Provide encrypted access via SSL/TLS, i.e. via HTTPS rather than simple HTTP.
- Run the website on a port other than the standard port 80.
- Reorganize the site structure if blocking is directed only at specific URLs.
- Encode URLs to evade blocking.
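For network defenders, the low-TTL, multiple-address and Fast Flux patterns described above leave a recognizable trace in DNS answer logs. The following is an added example, not taken from the OFCOM report or this article: it flags names whose answers combine a short TTL with many addresses spread over several networks. The log format, thresholds and sample names are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS sample: "epoch_seconds qname A answer_ip ttl".
# Names and addresses use reserved documentation ranges.
SAMPLE_LOG = """\
1000 stable.example. A 192.0.2.10 3600
1600 stable.example. A 192.0.2.10 3600
1000 balanced.example. A 192.0.2.20 60
1060 balanced.example. A 192.0.2.21 60
1000 rotating.example. A 198.51.100.7 120
1120 rotating.example. A 203.0.113.9 120
1240 rotating.example. A 192.0.2.55 120
1360 rotating.example. A 198.51.100.200 120
1480 Rotating.Example. A 203.0.113.77 120
"""

def summarize(log_text):
    """Per name: distinct answer IPs, distinct /24 networks, lowest TTL seen."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "A":
            continue  # skip malformed lines and non-A records
        _ts, qname, _rtype, ip, ttl = fields
        try:
            addr, ttl = ipaddress.IPv4Address(ip), int(ttl)
        except ValueError:
            continue  # unparsable address or TTL
        s = stats[qname.lower().rstrip(".")]  # DNS names are case-insensitive
        s["ips"].add(addr)
        s["nets"].add(ipaddress.ip_network(f"{addr}/24", strict=False))
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return stats

def flag_rotating(log_text, max_ttl=300, min_ips=4, min_nets=3):
    """Names with a short TTL whose answers span many addresses and networks.
    Thresholds are illustrative assumptions; tune them on your own traffic."""
    return {
        name: (len(s["ips"]), len(s["nets"]), s["min_ttl"])
        for name, s in summarize(log_text).items()
        if s["min_ttl"] <= max_ttl
        and len(s["ips"]) >= min_ips
        and len(s["nets"]) >= min_nets
    }

if __name__ == "__main__":
    print(flag_rotating(SAMPLE_LOG))
```

A short TTL on its own is common for load-balanced services, which is why the check also requires the answers to be spread across several networks.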
Blocking techniques and OFCOM’s assessment of how difficult they are to circumvent
IP address blocking – Easy by site operator & various ways by end-user
DNS blocking – Easy. Use of 3rd party UK or overseas DNS, new domain registration, end-user bypass, mirroring to new domains.
Shallow Packet Inspection (SPI) – Easy by site operator and various ways by end-user, e.g. encryption, anonymity networks.
Deep Packet Inspection – Evade by use of encryption, anonymity networks.
URL Blocking – Site operator can reorganize site with ease, thereby creating new URLs. Evade by use of encryption, anonymity networks.
Hybrid DNS and DPI – Evasion by use of encryption, anonymity networks.
Hybrid DNS and URL – Evasion by use of encryption, anonymity networks – new domain registration, mirroring.
Hybrid DNS and SPI – Evasion by use of encryption, anonymity networks – new domain registration, mirroring on new site/domain.
OFCOM final conclusion on DNS blocking effectiveness from a technical stance
“For site operators and end users with a sufficient incentive to engage in circumvention DNS blocking is technically relatively straightforward to bypass,” OFCOM notes.
Another paragraph sums up their technical assessment clearly.
“Circumvention of a block is technically a relatively trivial matter irrespective of which of the techniques used. Knowledge of how site operators and end users can work around blocks is widely distributed and easily accessible on the internet.”
“It is not technically challenging and does not require a particularly high level of skill or expertise.”