Streamyx employs Deep Packet Inspection to censor political videos?


Before I begin this post, we at BolehVPN are of diverse political views and have supporters of both sides. However, when it comes to dealing with internet censorship, we’re all in agreement that it’s bad.

There is strong evidence that Streamyx is employing Deep Packet Inspection (DPI) to censor certain political YouTube videos, as discovered by Lowyat forumer rizvanrp.

This means Streamyx has deployed hardware that identifies certain sites as blacklisted and denies access to them. Examples include YouTube videos on Bala’s wife, and possibly MalaysiaKini and DAP’s Facebook page. Using encrypted HTTPS seems to bypass this. Another way is to use a VPN, which is a more secure solution to protect yourself against DPI.

This is an excerpt from rizvanrp’s post:

All plaintext HTTP connections on Unifi (and maybe Celcom + Maxis) are being man-in-the-middle’d and dropped if they contain blacklisted data.

What we know:

i. The DPI isn’t only being used to selectively block YouTube videos; unencrypted Facebook pages belonging to certain parties are also being blocked. You can get around this by appending ‘https://’ to the Facebook URLs rather than trying to use ‘http://’.

ii. The DPI is based on TCP segment analysis. Basically, every single TCP packet has its payload analyzed for certain request URI strings that have been blacklisted. Obfuscation attacks such as packet fragmentation (splitting a large TCP payload containing a single HTTP request into smaller TCP segments) as well as packet padding (appending a large amount of junk data to the HTTP request URI in order to force the ‘HTTP/1.1\r\n’ trailer into a separate TCP segment) will also work; however, you need specialized HTTP proxy software or iptables rules (on Linux) to do this.

iii. Once a blacklisted payload is detected within a packet, the header information for the TCP stream (SRC/DST port + SRC/DST IP address) is added to some kind of blacklist for 90 seconds. This causes all traffic for that particular TCP stream to be dropped for 90 seconds (hence the 90 second gaps in my packet capture samples above). This is also why some of you have noticed that if you wait long enough (well, 90 seconds in my tests), the videos/sites that are blocked will eventually continue to load. Due to the persistent nature of TCP, once the 90 second blacklist window passes, your TCP stream will continue and the payload data for whatever you’re requesting will reach your computer.

Mitigation techniques:

i. Use ‘https://’ wherever possible (especially on Facebook). Users in the thread have recommended HTTPS Everywhere which is a Firefox/Chrome addon to do this automatically for most major websites.

* While YouTube supports HTTPS for their main website, their player does not support it, so even if you were to use HTTPS on YT, the videos won’t load.

ii. For accessing blocked YouTube videos, you can use some of the various YouTube proxy sites such as ProxFree.

iii. Get a VPN/SSH tunnel service if you’re worried about having your HTTP requests intercepted.
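The 90-second stall described in the excerpt above leaves a recognisable trace in a client-side packet capture. The following is an added example, not code from rizvanrp's post or from BolehVPN: it flags flows whose first server payload arrives only after roughly 90 seconds, and its packet records, addresses, function name and tolerance are all constructed assumptions.

```python
# Added example: flag TCP flows in a client-side capture whose first server
# payload arrives only after the ~90 s window. All packets are constructed.
from collections import defaultdict

CLIENT, SERVER = "192.0.2.10", "198.51.100.5"  # documentation address ranges
# (time_s, src, sport, dst, dport, payload_len, http_request_line or None)
PACKETS = [
    (0.00, CLIENT, 50001, SERVER, 80, 410, "GET /watch?v=EXAMPLE_A HTTP/1.1"),
    (0.06, SERVER, 80, CLIENT, 50001, 1460, None),
    (1.00, CLIENT, 50002, SERVER, 80, 412, "GET /watch?v=EXAMPLE_B HTTP/1.1"),
    (1.30, CLIENT, 50002, SERVER, 80, 412, "GET /watch?v=EXAMPLE_B HTTP/1.1"),
    (1.90, CLIENT, 50002, SERVER, 80, 412, "GET /watch?v=EXAMPLE_B HTTP/1.1"),
    (2.00, CLIENT, 50003, SERVER, 80, 405, "GET /slow-page HTTP/1.1"),
    (5.10, SERVER, 80, CLIENT, 50003, 1460, None),
    (52.3, CLIENT, 50002, SERVER, 80, 412, "GET /watch?v=EXAMPLE_B HTTP/1.1"),
    (91.4, CLIENT, 50002, SERVER, 80, 412, "GET /watch?v=EXAMPLE_B HTTP/1.1"),
    (91.5, SERVER, 80, CLIENT, 50002, 1460, None),
]

def find_stalled_flows(packets, client, window=90.0, tolerance=5.0):
    """Return [(flow, request_line, gap_s, retransmits)] for stalled flows.
    Heuristic (assumed here): the first server payload arrives at least
    (window - tolerance) seconds after the first HTTP request on the 4-tuple.
    """
    flows = defaultdict(lambda: {"req": None, "t_req": None, "t_resp": None, "rtx": 0})
    for t, src, sport, dst, dport, plen, req in sorted(packets, key=lambda p: p[0]):
        if plen == 0:
            continue  # bare ACKs carry no payload to time
        if src == client:
            f = flows[(src, sport, dst, dport)]
            if req is None or f["t_resp"] is not None:
                continue  # only requests sent before any answer matter
            if f["req"] is None:
                f["req"], f["t_req"] = req, t
            elif req == f["req"]:
                f["rtx"] += 1  # same request resent while unanswered
        else:
            f = flows[(dst, dport, src, sport)]
            if f["t_req"] is not None and f["t_resp"] is None:
                f["t_resp"] = t  # first payload from the server
    hits = []
    for flow, f in flows.items():
        if f["t_resp"] is not None and f["t_resp"] - f["t_req"] >= window - tolerance:
            hits.append((flow, f["req"], round(f["t_resp"] - f["t_req"], 2), f["rtx"]))
    return hits

print(find_stalled_flows(PACKETS, CLIENT))
```

A single long gap can also be an overloaded server, so the signal is strongest when the same request URI stalls repeatedly while other requests to the same server on the same connection type answer quickly.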

Sinar Project’s Google+ update also confirms this:

TMNet’s filtering of +Malaysiakini video interviews of Bala’s widow

We strongly suspect some sort of basic content filtering to censor online media in Malaysia is happening. Investigation was done on multiple networks based on the id/url of these videos served from Google’s +YouTube cached servers located in TMNet network.

We are not aware of all the details of Google’s infrastructure, but testing so far has revealed that when a request is served from servers not in TMNet’s network, the video can be viewed immediately. The content filtering is not effective all the time, and it can sometimes pass after a period of time if the request is fragmented into multiple packets.

Many people have reported difficulties with viewing the following video interviews linked from MalaysiaKini’s interview article here. It is an interview of a private investigator’s widow who implicates that the caretaker Prime Minister Najib Razak was indirectly involved in their plight to cover up possible interference in the murder case of Mongolian citizen Altantuya.

– Isteri PI Bala: Kami betul-betul macam pelarian
– Isteri PI Bala: Apakah salah berkata benar?

This is similar to the recent attempts at censoring MalaysiaKini for which normal users think that there is something wrong with their Internet connection, rather than a more sophisticated form of censorship.

We strongly condemn the actions of TMNet and parties involved in censoring access to free media in Malaysia and hope that +Google’s +YouTube team can help shed more light on this with their own internal investigations.

1 Comment

  1. Sarah L. says:

    Initially I signed up for BolehVPN to bypass the TM speed limit on P2P. Now a VPN seems more important to increase surfing privacy!
