We found out how the Internet was blocked in Belarus in August 2020, why it did not and will not work
What happened?
In August 2020, people in Belarus have for the first time faced a country-wide Internet shutdown, lasting several days. Although there were rumours about the possible use of shutdowns following the presidential election, a complete shutdown was hard to imagine.
Some companies had sent specialists abroad in advance for whom Internet access was critical. Others were able to organize access from inside the country, circumventing blockades. Typical Internet users were looking for workarounds themselves. In this article, we examine why such a shutdown was possible and whether it could happen again.
Why did it happen? Official versions
On 9 and 10 August 2020, the National Computer Emergency Response Team (CERT) stated that a massive DDoS attack on BY-NET infrastructure was carried out. It also stated that different types of DDoS attacks aimed at overburdening the source of traffic were carried out on the same days. The goal of any DDoS attack is to create a massive flow of requests (data packets), which “compete” with regular traffic. As a result of such an attack, the Internet connection gets weak or lost.
The largest Belarusian Internet provider “Beltelecom” stuck with the same version of events, explaining its users’ problems with the Internet access in the following way:
“It led to a significant network congestion, failures and breakdowns of telecommunications equipment and, as a result, difficulties accessing certain Internet resources and services.”
The National Traffic Exchange Center (NTEC) also mentioned DDoS attacks and emergency repair works on partners’ networks in neighbouring states. The NTEC did not specify which partner networks it meant in its post. However, we were unable to confirm that such works were indeed conducted, while the version that it was the shutdown rather than a breakage is confirmed by the professional community and experts.
Major Belarusian mobile providers also did not provide an expert opinion on the reasons for the inaccessibility of the Internet. Some companies, including key actors like A1, МТС, life, CosmosTV, “Business Network”, cited the “problems with uplink providers,” meaning NTEC and “Beltelecom.”
Court hearings on the absence of Internet access in August (with A1 as the defendant) were conducted in a closed format. “In the course of the hearings the public acquired no new information about the exact actions that led to Internet outages on 9-12 August 2020,” – says lawyer and human rights defender Alexey Kozliuk.
On 2 April 2021, Belarusian authorities presented draft amendments to the law “On Telecommunications.” The draft law allows “to authorize the Operations and Analysis Center under the President of the Republic of Belarus (OAC) to make decisions on suspending or limiting the functioning of telecommunications networks and relevant means of telecommunications in cases defined by the law.”
How realistic are the versions of the authorities?
DDoS attacks do not typically lead to problems with equipment, whatever these problems may be. Large service providers use technical mechanisms for blocking such attacks (BGP blackhole, BGP flowspec). Preventing or curbing the attack is a task that can be managed in minutes or hours. Moreover, attacks targeted at specific Internet resources cannot “break” the whole network.
The CERT reported the attacks on 9 and 10 August 2020.
“The wrongdoers used the following technologies: DP Flooding, UDP Fragment, UDP0 Flooding, DNS Flooding, ICMP Misuse, NTP Flooding. The aggregated capacity of some of them exceeded 200 Gbit/s. Technical protection solutions (Anti-DDoS) of the providers responded to the attack, however, according to information at hand, equipment problems followed,” – CERT website stated.
DDoS attacks seek to overload the network. The actual bandwidth of NTEC outer channels is 600–700 Gbit/s and the bandwitht of “Beltelecom” outer networks is 1500 Gbit/s. Therefore, the attacks running at 200 Gbit/s are not much of a threat. Under such a scenario, some resources targeted by the attack may have not worked and the providers’ clients would note that the Internet is slow.
Attacks, after which something fails, are another type of attack. They hack into hardware and purposefully disable it.Such attacks are usually targeted and exploit bugs or security vulnerabilities.
When CERT was created, it was stated that it cooperated with international teams in order to jointly address global and local threats. At the same time, there were no reports about such attacks outside of Belarus during the internet shutdown in August.
By the way, another version of why the Internet does not work, declared Alexander Lukashenko:
“Some people are itching to take it to the streets. They are even cutting off the Internet access from abroad to cause public dissatisfaction,” – he stated on 10 August 2020.
However, Belarus does not get the Internet from a single source. In order for the suggested scenario to be possible, dozens of independent providers and traffic exchange centers worldwide would have to agree among themselves to cut the Internet access down. The probability of information leakage about such a conspiracy is very high. We have found no information confirming such a scenario and no proof of it was ever provided to the public.
We have, however, discovered that on the nights of 19 June and 16 July 2020 Belarusian Internet users noted the filtration of certain protocols, including TLS, SSH, OpenVPN, IPSEC. Presumably y it was done at the outer channels of NTEC and Beltelecom, because several providers were affected. The same days Viber and Telegram messengers were not working, while many state and corporate VPN tunnels, used to ensure the connection of offices and regions, were inoperative as well. The corporate networks of large companies (for instance, “Belarusian Railways” and “Gazprom”) were targeted. We assume, it was the first trial launches of DPI equipment in production on Belarussian networks.
“It is crucial to look at economic and reputational risks. I am almost certain that they did not enjoy what was going on. The administration of all business processes is contingent upon stable Internet access.
Take logistics, for example. In modern (large) cities, logistics and transport processes are planned and managed through the Internet – imagine what happens if the transport cannot deliver perishable food products from warehouses to stores?” says the director of the Russian non-profit organization Society for Internet Protection. – Mikhail Klimarev, director of the Russian non-profit organization Internet Defense Society, said of the situation in Belarus.
The next evidence took place on 8 August 2020 – IPv6 connectivity with external networks was turned off. The graphs provided by Radar platform launched by QRATORLABS illustrates that the number of “Beltelecom” IPv6 providers dropped from 8 to 0, while the NTEC’s number of providers dropped from 6 to 1. Both providers returned to previous numbers in sync on 13 August 2020.
The likelihood of 13 out of 14 foreign Internet providers simultaneously turning their IPv6 channels off is minimal, which means that the outage was conducted on the Belarusian side – i.e., on the side of “Beltelecom” and NTEC.
We believe that the IPv6 connection was turned off either to avoid creating additional load on DPI equipment or due to the fact that DPI platforms were not properly set up to filter IPv6 traffic.
A more realistic version of the Internet shutdown in Belarus
A likelier scenario is one where the Internet in the country was shut down due to political reasons. Such a scenario is made possible by the very structure of ByNet1.
First, even compared to neighboring states, we are only connected to 18 Internet providers which provide access to the international segment of the Internet.
1 Henceforth we use AS Relationships database (of December 2020), ran by the Center for Applied Internet Data Analysis, as an information source on autonomous systems and Internet connection providers. We use data from the Serial-1 model, client-provider relations, with peer entries ignored. As an information source on the country of autonomous system we use countries from the database as of December 2020.
The number of Internet providers used by closest neighbors is at least three times higher than that in Belarus. The Netherlands is the leader in the number of Internet providers (one of the world centers of Internet traffic exchange) – it connects more than 281 Internet companies.
However, it is not the main problem. As stated above, the likelihood of 18 independent private companies conspiring to shut down the Internet in Belarus is extremely low. The key risks arise when the traffic enters Belarus and is put under the control of only several national providers.
Only two of them (“Beltelecom” and NTEC) have the right to resell worldwide internet traffic to local providers (irrespective of which Internet provider one is using in Belarus, the traffic still passes through the network of one of the market monopolists) or directly to end users.
Internet access is Belarus is provided by more than 100 internet service providers. Only two of them – “Beltelecom” and the National Traffic Exchange Center or NTEC – have the right to access the worldwide web directly. All other providers get access through them. That is why, when you open a foreign website – let’s say, Facebook – a request is sent to your provider, then (through “Beltelecom” or NTEC channels) it leaves Belarus, and finally (through the worldwide web) reaches Facebook servers.
Traffic flows from foreign sources merge into two spots that become the bottleneck of the whole system. Both providers – “Beltelecom” and NTEC – are state-owned and state-operated. Besides Belarus, the system where the access to international networks is only provided by two companies only exists in two states – Azerbaijan and Tajikistan.
This monopoly makes the Internet vulnerable not only in terms of external attacks, if they do occur. The risks of human error, equipment failure, and the consequences they entail become higher.
Was the shutdown intentional?
Shutdown refers to an intentional and complete Internet outage, slowing down the network capabilities, or blockages of certain services in order to control information flows. It makes networks inaccessible or impossible to use by certain groups of population or in certain geographical areas.
In August 2020, Belarusian users experienced difficulties with Internet access, but were still able to restore Internet access by using specialized VPN services to overcome blockages, as well as unencrypted web (HTTP). Standard VPN applications were blocked – the most popular VPN services were rendered useless.
We are of the opinion that the reason for the Internet blockages was the incorrect functioning of Deep Packets Inspection (DPI) equipment, which did not cope with the workload. The Deep Packets Inspection technology was created to filter and prioritize information, transferred on the Internet. It was initially created to increase the service quality for Internet users.
Let’s imagine that users and servers exchange various types of packages. The packages make it from point A to point B through Internet channels, as if moved by a conveyor belt. In this metaphor, the DPI system is the worker at the conveyor belt, who checks certain types of packages and may decide not to let them through. During the shutdown, the task was to check all the encrypted traffic – meaning, almost all of the packages. The DPI system did not manage such workload. The packets were not processed on time and were lost because of delay. The connections were interrupted and worldwide internet services were not available.
What exactly is DPI?
The Internet was originally built upon the principle of net neutrality – all users and types of traffic had the same priority level. The same approach was used when the telegraph was invented in mid-XIX century – telegrams were delivered in the same way, on equal terms, with no attempts to distinguish their contents and regulate technical means of their delivery.
A similar principle works well for messages of approximately the same length. As various online entertainment services developed, the share of heavy content, such as HD-quality video streams, grew and traffic channels became overloaded. It led to regular content, such as websites, being harder to load and users experiencing discomfort.
DPI-systems were created to prioritize of block certain types of traffic, thereby improving the quality of services provided to clients. For instance, the operators of mobile networks, where the network capacity is limited, use DPI-systems primarily to prioritize the delivery of content of latency-sensitive applications. The system of one’s mobile operator may be wired in a way that a sensitive video call would be delivered with a higher priority than a movie being simultaneously downloaded through torrents.
Belarusian mobile operator MTS started rolling out DPI-systems back in 2011 in order to provide users with special plans based on the type of traffic – for instance, cheap plans with unlimited Internet access but no possibility to download torrents or plans with free use of YouTube, messengers, or social media.
State providers also use DPI-systems
On 4 September 2018, on the website of Electronic Auctions Center, NTEC posted a call to buy DPI sub-system equipment worth 2 500 000 USD.
In September 2020, Bloomberg journalist Ryan Gallagher tweeted about Sandvine equipment, stationed at NTEC platform in Minsk.
He wrote that NTEC used Sandvine Policy Traffic Switch equipment.
According to other undisclosed sources, such DPI equipment stationed in two NTEC spots in Minsk has the capacity 800 Gbit/s for each site, i.e. 1,6 Terabit/s total. It must be noted that the actual inspection throughput is contingent upon several factors – types of traffic and the complexity of the rules on its processing.
The NTEC website states that at the beginning of 2020 the outer channels of the enterprise amounted to 410 Gbit/s. However, according to information we possess, the actual network capacity of NTEC outer channels is about 700 Gbit/s.
“Beltelecom” has purchased and currently uses a DPI-platform Huawei SIG9800 (included in OAC certification registry on 12 August 2016).
The estimated total network capacity of such equipment is about 1020 Gbit/s. The estimation is based on the fact that, according to the OAC certification registry, “Beltelecom” purchased 8 units of DPI Huawei SIG9800-X16 (network capacity up to 120 Gbit/s) and one unit of X8 (up to 60 Gbit/s).
As of August 2020, the network capacity of “Beltelecom” outer channel amounted to approximately 1340 Gbit/s, which is 30% higher than the network capacity of the installed equipment – meaning that in peak periods the equipment is not able to process the traffic that passes through it.
In Belarus, the DPI technology was used to cause harm
We suppose that the authorities intended to block VPN services, messengers, and websites of independent media. However, due to wrong settings, DPI equipment was overloaded and failed. The fact that specialized DPI equipment is not even necessary to cut Belarus off foreign networks speaks in favor of the suggested version.
At 8 AM on 9 August 2020, belarussian users lost connectivity to worldwide internet services located outside the country, namely:
1 Standard popular VPN services, such as ExpressVPN, NordVPN and many others. The aim of the blockage was to prevent users from accessing certain websites blocked by the goverment.
2 SSH access. It is an encrypted network protocol used to administer remote servers. It can operate as a secure proxy-server, to access blocked websites.
3 Websites of independent media and political resources, such as https://euroradio.fm and https://belarus2020.org.
4 Telegram and Viber messengers.
5 At approximately 12 AMon 9 August 2020, the access to many foreign websites using SSL was interrupted.
In 2020, 99% of websites opened through a web-browser use SSL/HTTPS. Therefore, almost all foreign services, including Google services gradually became unavailable. The Google Transparency Report on Web Search indicates on the graph that the regular evening peak in Internet use, which usually starts at 6 PM, is absent for Google Search product.
We suppose that “Beltelecom” and NTEC turned on the DPI equipment at about 8 am on 9 August 2020 and during the day, when the traffic flow increased, the equipment could no longer sustain the intensity of requests, leading to the majority of packets being delayed and dropped. This led to the shutdown, meaning most websites and services that use encrypted communication (SSL and HTTPS are the most popular) became unavailable from Belarus.
Google Transparency Report on Youtube indicates that there were no requests from Belarus between 9PM on 9th of August till 6AM on 12th of August, meaning Youtube were completely unavailable from Belarus directly. Requests from Belarusian users which used circumvention tools are not shown on the Google Transparency Report charts because due to the VPN systems design they appear as users from other countries when browsing the web.
Mikhail Klimarev is of the opinion that the Internet was going to be filtered in Belarus.
– But equipment failed. It is hard to speak about the details, but most likely several factors played into it. The professional qualification of senior staff and technical specialists is not high, while the sellers have a task of selling a solution – they get money from the deals made. It is only through real time testing that the operability of such a complex platform can be guaranteed. The events of 9-12 August 2020 were, in effect, a failed experiment.
The authorities did not assume any responsibility
– All officials have taken one position: the Internet was not working due to an attack from abroad. Full stop. No one suggested working with international partners, opening an international investigation, or punishing the attackers, – says Alexey Kozliuk. – The public still does not have a defendant or a target of state complaints, except those responsible for telecommunications in Belarus and foreign states.
In my understanding, the providers that bore the consequences of the Internet’s inaccessibility and could not properly deliver their services should have been able to file complaints against those who are responsible for the telecommunications field. An investigation could have been conducted and conclusions could have been made. For instance, it would be useful to change the general policy on infrastructure, which turned out to be that vulnerable to intrusions.
However, no actions are being taken – there are no visible steps from key market players, from the regulator, and from those responsible for the infrastructure. There are no fired lawyers and heads of special services.
It also turned out that there was no procedure that would regulate Internet shutdown in Belarus.
– Internet shutdowns are a measure of last resort, which can rarely be qualified as necessary and proportionate. But even if we move away from the shutdown’s purpose and concentrate on the procedure, the violations are apparent. If a state body has no direct authority to shut the Internet down, it may not issue an order to that effect, – says Aliaxej. – Even if the law provides for a possibility to shut the Internet down, the procedure for such measure must be clearly stipulated – who and how may decide to introduce a shutdown and how the measure can be challenged in court. There are no such guarantees in Belarus.
Therefore, in circumstances when advocacy, lobbying, and other legal instruments are unavailable, only the self-defence is left. In a situation of legal default and absence of legislation in the sphere of protecting digital rights, no one may prohibit us to realize our digital rights ourselves.
I am talking about building knowledge and using technical means for overcoming blockages and shutdowns. The more people own such instruments, the less effective blockages and shutdowns are. It means that the state as a whole and individuals in particular will have less of an incentive to resort to shutdowns due to their decreased efficiency. Yes, it is a constant arms race, but it is fairly effective because the civil society is more flexible and dynamic.
Across the world it is called digital resistance. We see that the government is acting unlawfully and refusing to have a dialogue on the Internet development and governance in Belarus and we do what we can – peacefully resist.
What should you do to use the Internet, even when it is being blocked?
Recommendations below are based on the experience we have acquired on 9-12 August 2020. Secure HTTPS protocols, as well as standard VPN protocols, like IPSEC, OpenVPN, L2PT and others, were blocked around the country.
There are solutions which can help a regular user fully and comfortably use the Internet during the shutdown, if its features and method of execution remain the same.
In order to do that, one should use apps, designed to overcome blockages and pass DPI filters, – for instance, applications like Psiphon, Tachyon, X-VPN, Lantern, HotSpot Shield, Betternet, Tor using Bridge.
Such apps work according to the following principles.
1. In order to make sure that the DPI system does not block the connections, such apps use traffic obfuscation attempting to mimic a whitelisted traffic. The DPI system does not “understand” that it is the VPN connection and lets it pass. Some apps (for instance, Psiphon) automatically pick the best available obfuscation method and others allow the user to manually choose the method of disguise (for instance, X-VPN, allowing the opt for one of 10 protocols).
2. Some apps use peer-to-peer connection. In that case the traffic does not only mask as safe, but connections are made with other VPN clients, rather than a specific Internet server. It complicates the process of finding and blocking such connections by the DPI system, which ends up having to monitor connections with each of the peers, making it a highly complex operation.
We also recommend being able to quickly switch between providers using NTEC and Beltelecom as upstream providers.
For instance, if you are using home cable Internet ByFly (“Beltelecom” consumer brand), while your neighbors use cable Internet A1 or MTS (at the time of the publication both of them are connected through NTEC), in case of a shutdown you should try to switch between them and try using the blockage-avoiding apps listed above. During the shutdown on 9-12 August 2020 we observed that “Beltelecom” DPI filtering was less aggressive than NTEC filtering. Mobile Internet can also be used as an alternative channel, although following August 2020 events, it is turned off increasingly often.
We also recommend contacting your provider and requesting information on how they can help during a shutdown or filtering. Providers can know and update information on the means for avoiding blockages in advance and allow their users an option of downloading them through their website, along with user instructions. On 9–12 August 2020, some local providers unofficially recommended their users solutions to overcome blockages.
– In such emergency situations, as one in August, amateur radio links can be created, – Mikhail Klimarev mentions, when speaking about other means of blockage-avoidance. – Or use mobile Internet which is available from the territory of neighboring states.
With the help of radio links it is possible to create 30-50 Mbit/s radio for a distance over about 10 km, using amateur equipment, worth 100-200 USD. More information about ways of doing it in home conditions, can be found here. You can also put a SIM-card of a foreign mobile operator and drive towards the border – the network of such operator is likely to be available on the territory stretching several km from the border.
But it shouldn’t come to that.
We have previously mentioned that the monopoly of two state-owned and operated providers – “Beltelecom” and NTEC – makes the Internet in the country vulnerable. In order to avoid situations which happened in Belarus in August 2020 the system must be democratized.
Private providers must have an opportunity to connect to international networks and each other directly. It will entail not only the growth of reliability due to the increased interconnectedness with foreign and local Internet providers, but also help decrease the price of accessing foreign networks through healthy competition instead of existing oligopoly. The end result is increased quality and decreased cost.