Tech Liberty NZ Defending civil liberties in the digital age

Is this what the DIA filter looks like?

Posted on February 22, 2011

What we're seeing

thread over on gpforums.co.nz has discussed problems Telecom users have had accessing content delivered by various CDNs (content delivery networks - used by many sites to handle video streaming).

Network traces showed a large amount of packet loss and the path taken by the data looked a bit unusual.

This appears to be the first sign of a site being either adversely affected or actually blocked by the DIA filter. We've also had confirmation of other ISPs (Internet service providers) believed to be using the filter having access blocked.

What we believe is happening

The filter works by creating alternative routes to particular network IP addresses and passing them onto the participating ISPs. Traffic to those IP addresses is then passed to the DIA and checked by the filter to see whether it is going to the blocked site or another site on the same IP address. If it is going to a blocked site, the user is redirected to www.dce.net.nz, or else it allowed through the DIA's ISP and out onto the Internet. (Read more in our Filtering Frequently Asked Questions article.)

Inspection of the traces shows that the traffic is going through an ISP with a relationship with the Department. The address 124.150.165.62 in the traces is from that ISP. The traffic is then going out through a link that the ISP has to Australia.

This ISP's link to the Internet appears to be either under considerable pressure or is simply broken. The level of traffic being dropped by it (as reported by users and our own investigation) is likely to be degrading access significantly to any site hosted - but not actually blocked - by any IP address the DIA is wanting to inspect.

What does this mean?

The site in question hosts anime (animated video from Japan and other countries). While we believe that some anime work has been found objectionable in New Zealand, we cannot find any reference to this site being banned by the Chief Censor.

Even if one video at the site has been blocked by the DIA, this blocking appears to be generally degrading performance to other material on that site or any other site hosted by the same content delivery network.

The Department has repeatedly denied access to the filter list in the expectation that hiding the list will prevent people from accessing it. As this story illustrates, it's not difficult to uncover the filter given the effects it has on an IP address being filtered/intercepted.

We're very interested in hearing from anyone else having difficulties accessing a site where 124.150.165.62 appears in a traceroute to the site. We're particularly interested in legal content being degraded by passing through the DIA's filter.

Posted by Tech Liberty

Comments (6) Trackbacks (0)
  1. Excuse my ignorance, could you provide the traceroot code for terminal?

    I have recently installed CensorCheap on my computer and have tried to load some of the sites as listed as being blocked by other countries, most of them do not load. The CensorCheap site often does not load and is very inefficient when it does. There is no blocking listed for these sites for New Zealand, although many are hosted in countries that are not listed as blocking the sites.

    http://censorcheap.org/

    I have also recently determined a threat to my computer through a Local Shared Object LSO cookie. A super cookie enables extensive tracking of online activity. I’m wondering if these things are connected in any way?

    http://en.wikipedia.org/wiki/Local_Shared_Object

    • Traceroute comes as standard on most computers. One Windows the command is tracert, on most Unix-based systems it’s traceroute

      You generally use it by start up a command line/terminal and typing the command followed by the site you want to trace the route to. e.g.

      traceroute stuff.co.nz

      The command will display a number of lines, with each line representing the next hop that the data is taking to the destination.

  2. Hey I am on telecom broadband and I can access http://www.crunchyroll.com and it loads fast. What other LEGAL websites appear to be running slow that pass through the DIA filter that I can test?

    • Looking at comments in the thread where this first came up, it appears the site has disappeared off the DIA filter:

      http://www.gpforums.co.nz/showthread.php?s=&postid=7828897#post7828897

      We sadly have no information on why this has suddenly changed.

      • wouldnt that be becuase it is not the filter?

        as ryan states it is loading fast on his system the CDN mentioned in the gpforum hosts alot of content not just anime as it is a CONTENT DELIVERY NETWORK. which would be from what I understand outside of the guidelines for the filter as it is not a website hosting child abuse material.

        everything here just points to a routing issue. not a conspiracy

  3. Maybe Thomas Beagle you should start up a petition on this site and the question could be, “I am planning on leaving telecom broadband by the middle of 2011 and switch to another ISP if telecom is still using the DIA filter?”. Then once the petition has hundreds of signatures you could physically post it to Paul Reynolds and maybe telecom would remove the DIA filter.


Trackbacks are disabled.