What we’re seeing
A thread over on gpforums.co.nz has discussed problems Telecom users have had accessing content delivered by various CDNs (content delivery networks – used by many sites to handle video streaming).
Network traces showed a large amount of packet loss and the path taken by the data looked a bit unusual.
This appears to be the first sign of a site being either adversely affected or actually blocked by the DIA filter. We’ve also had confirmation of other ISPs (Internet service providers) believed to be using the filter having access blocked.
What we believe is happening
The filter works by creating alternative routes to particular network IP addresses and passing them onto the participating ISPs. Traffic to those IP addresses is then passed to the DIA and checked by the filter to see whether it is going to the blocked site or another site on the same IP address. If it is going to a blocked site, the user is redirected to www.dce.net.nz, or else it allowed through the DIA’s ISP and out onto the Internet. (Read more in our Filtering Frequently Asked Questions article.)
Inspection of the traces shows that the traffic is going through an ISP with a relationship with the Department. The address 22.214.171.124 in the traces is from that ISP. The traffic is then going out through a link that the ISP has to Australia.
This ISP’s link to the Internet appears to be either under considerable pressure or is simply broken. The level of traffic being dropped by it (as reported by users and our own investigation) is likely to be degrading access significantly to any site hosted – but not actually blocked – by any IP address the DIA is wanting to inspect.
What does this mean?
The site in question hosts anime (animated video from Japan and other countries). While we believe that some anime work has been found objectionable in New Zealand, we cannot find any reference to this site being banned by the Chief Censor.
Even if one video at the site has been blocked by the DIA, this blocking appears to be generally degrading performance to other material on that site or any other site hosted by the same content delivery network.
The Department has repeatedly denied access to the filter list in the expectation that hiding the list will prevent people from accessing it. As this story illustrates, it’s not difficult to uncover the filter given the effects it has on an IP address being filtered/intercepted.
We’re very interested in hearing from anyone else having difficulties accessing a site where 126.96.36.199 appears in a traceroute to the site. We’re particularly interested in legal content being degraded by passing through the DIA’s filter.