What is DNS Poisoning?

After my post about CyberPatrol’s new SiteSURV product, one of my readers emailed and asked “What is DNS Poisoning?”  Instead of responding personally, I thought it would make a good blog post.

First a little background on the Domain Name System or DNS.  Basically every computer on the Internet has an IP address, for instance this site is 72.54.145.200.  But it is a whole lot easier to reference these computers by name, like www.insideinternetfiltering.com.  So the Domain Name System was created to turn these names into the numbers that our computers understand.

This system works as a hierarchy of DNS servers.  At the top are the root servers, which hold .com, .org, .net, etc.  When you register a domain, an entry is added to these root servers that tells computers looking for your domain where to look next.  So at the root servers there is an entry for insideinternetfiltering.com that tells them to look to my two DNS servers for more information about my domain.  My DNS servers have an entry for www that describes my IP address.

For your computer to work properly on the Internet you need at least one DNS server entered in your network settings.  Most of the time this happens automatically for you when you connect to your Internet Service Provider or corporate network.  Then when you enter a URL in your browser, www.insideinternetfiltering.com for example, your computer consults that DNS server behind the scenes.  If that DNS server doesn’t know the IP address for www.insideinternetfiltering.com it then typically consults the root server looking for insideinternetfiltering.com, which in turn sends it to my DNS server, which returns the IP address for my site.  This is known as an authoritative response.

So with that as background, what is DNS poisoning?  Quite simply it is technical jargon for changing the normal flow of the DNS system and introducing results that aren’t authoritative.  This term is often applied to malicious types of attacks, as the Wikipedia article on DNS poisoning points out.  However, it has also traditionally been used to describe a method of Internet filtering in which DNS return values are altered from their authoritative value for the purposes of filtering content.

For instance, let’s say that the DNS server that is configured on my computer is programmed with a blacklist of bad websites.  On this list is a site called www.badsite.com.  When you try to visit www.badsite.com, your computer asks the DNS server for the IP address of www.badsite.com.  The DNS server is programmed to look at the blacklist and if it finds www.badsite.com it does not consult the root DNS server, but instead returns an invalid value that causes your computer to not connect to the site.  It could even return a new valid IP address that would send you to a server that has been configured to display a “this site has been blocked” page.
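To make the flow concrete, here is a small simulation (added here, not from the original post) of the lookup chain and of the blacklist-driven filtering resolver just described, plus the client-side check that tells an altered answer from an authoritative one. All server names, the badsite.com address and the block-page address are constructed for the example; only the insideinternetfiltering.com values come from the post.

```python
# Constructed simulation of the DNS flow described above: a root that knows
# which name servers hold each domain, authoritative servers that know their
# hosts, and a filtering resolver that consults a blacklist before the root.
# Nothing here talks to the real DNS.

BLOCK_PAGE_IP = "192.0.2.1"  # constructed: server showing a "site blocked" page

# Root: registered domain -> the name server that is authoritative for it.
ROOT = {
    "insideinternetfiltering.com": "ns.insideinternetfiltering.com",
    "badsite.com": "ns.badsite.com",
}
# Authoritative servers: hostname -> IP (badsite.com's address is constructed).
AUTHORITATIVE = {
    "ns.insideinternetfiltering.com": {"www.insideinternetfiltering.com": "72.54.145.200"},
    "ns.badsite.com": {"www.badsite.com": "203.0.113.7"},
}


def normalize(hostname):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return hostname.lower().rstrip(".")


def domain_of(hostname):
    """Reduce www.example.com to the registered domain example.com."""
    return ".".join(normalize(hostname).split(".")[-2:])


def resolve_authoritative(hostname):
    """Normal flow: ask the root who holds the domain, then ask that server.
    Returns the authoritative IP, or None if the domain or host is unknown."""
    ns = ROOT.get(domain_of(hostname))
    if ns is None:
        return None
    return AUTHORITATIVE[ns].get(normalize(hostname))


def filtering_resolver(hostname, blacklist, block_page=False):
    """The filtering DNS server from the post: on a blacklist hit it never
    consults the root and returns either no usable address (None) or the
    block-page address instead of the authoritative value."""
    if normalize(hostname) in blacklist:
        return BLOCK_PAGE_IP if block_page else None
    return resolve_authoritative(hostname)


def answer_is_authoritative(hostname, answer):
    """Client-side check: an answer that differs from the authoritative chain
    has been altered (poisoned) somewhere between the client and the origin."""
    return answer == resolve_authoritative(hostname)
```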

This was a long post.  If there is something that doesn’t make sense, please comment.

CyberPatrol Introduces SiteSURV

CyberPatrol today announced a new business-level filtering product called SiteSURV (Press Release).

The product uses a DNS poisoning technique to accomplish the filtering by checking DNS lookups against CyberPatrol’s site database.  While this type of filtering is easy to deploy by simply changing your DNS settings, it is also among the easiest to bypass (I won’t go into details on how).

They have two versions currently: the standard version and a self-hosted version for larger organizations (SiteSURV Plus).  The Plus version seems to have more customization capability than the standard version, such as choosing your categories and creating your own list of allowed/blocked sites.  However, with the Plus version you will also need to furnish your own Windows-based server to run the software on.

NetNanny for Mac Update

The NetNanny for Mac website is now online at http://www.netnanny.com/mac.  It appears that the new product is a branded version of Intego’s ContentBarrier X4 product.  If you compare the screen shots from here: http://www.netnanny.com/mac/features and http://www.intego.com/contentbarrier/ you will find them pretty much the same with NetNanny branding instead of Intego branding.

NetNanny Releases Mac Filter

ContentWatch, the developer of NetNanny, announced the release of NetNanny for Mac.
From the release it appears the product will contain:

  • Content Filtering
  • Usage Reports
  • Time Limits

The new Mac version of NetNanny will be available in English, French, German, Spanish, Italian and Japanese for $39.99 for one computer and $20 for each additional computer.

More information is supposed to be available online at: www.netnanny.com/mac.  However, the link was not working at the time of this posting.

UK Cleanfeed vs. Australian Cleanfeed

The government of Australia, under the leadership of Stephen Conroy, has been pushing forward on the concept of creating an ISP-level “cleanfeed” for the entire country of Australia.  It is envisioned that this system would replace the free filter scheme currently in place in Australia.

In support of this system, the UK Cleanfeed system deployed by British Telecom is often referenced as proof that Internet filtering at the ISP level can be effective and won’t slow down an Internet connection.  However, if you take a deeper look at the system deployed by British Telecom, you find that there are some key differences.

The BT System Only Blocks Illegal Content.
The cleanfeed system in the UK was built and designed to block a fairly small number of sites that contain illegal content (mostly child pornography).  At the time of launch it seemed to be blocking somewhere around 3,600 sites, and it was cited as growing at a rate of between 60-100 sites a month.  So that would put the total list size today at an estimated 6,000 sites.

So will Stephen Conroy and the Department of Broadband, Communications and Digital Economy only block illegal content, or also provide protection for minors from inappropriate content?  The lab-based test was run on both by ACMA, and Stephen Conroy has made statements that he wants the cleanfeed to be free of inappropriate and pornographic content.

I mention this because it is much easier and less costly to filter out a small number of sites than it is to filter all sites to determine if they are inappropriate or pornographic.  So if you extend the blocking to include inappropriate content, you can’t point to the UK cleanfeed system as a previous success story as Stephen Conroy does.

The BT Cleanfeed was not government mandated.
British Telecom came up with the cleanfeed system of their own accord.  It wasn’t required by the government.  The list of sites that is blocked by the UK cleanfeed system is created by the Internet Watch Foundation, a non-government Internet watchdog group.  So the government doesn’t have to deal with censorship issues head on.

On the other hand, the Australian cleanfeed system, even if it only blocked illegal content, would likely be blocking the list built by the Australian Communications and Media Authority (ACMA).  This, combined with the fact that the system will be mandatory and likely funded by the government to offset the ISPs’ operational expenses, directly links the government to the filtering.  This of course raises all kinds of issues of Internet censorship.  Electronic Frontiers Australia is already opposing the system on their site nocleanfeed.com.

BT System can only block web content.
The system designed by British Telecom was designed to block only web traffic.  This means that they don’t block peer-2-peer file sharing, Instant Messengers, FTP or a number of other types of protocols.

The test conducted by ACMA looked at the blocking capabilities for other protocols.  However, this was only done by “Expert Review”, meaning someone looking at the features of the software.  No tests were run to determine the scalability of blocking additional protocols at the scale an ISP would have to be able to deal with.

So what does all this mean?
A low cost system to simply block illegal content on an ISP-level could be built.  However, if you look at this from the angle of Internet safety for kids, you will find that the ISP-Level system potentially reduces the level of protection offered to Australian parents today through the NetAlert free filter scheme.

With an ISP-level filtering system will a parent be able to control the time spent online, review instant messenger conversations, block peer-2-peer filesharing or games?  These are all things that parents can do today with the free filters offered by NetAlert.

Stephen Conroy claims that the new ISP-level filtering initiative will provide better protection for kids, but is this really true?

Birmingham City Council Challenged On Internet Filtering Policy

The city council for Birmingham, England, recently installed new Internet monitoring and filtering software.  However, the filtering policy they have created is meeting with some opposition.

The city council has blocked sites relating to Atheism and the Occult, which fall under what they call “a long-standing Internet usage policy for staff”.  The policy bans sites “that promote witchcraft, the paranormal, sexual deviancy and criminal activity.”

The opposition is coming from the lawyers at the National Secular Society, who claim the move violates the Employment Equality (Religion or Belief) Regulations 2003.  The regulations make it unlawful to discriminate against employees on the basis of their religious belief.

ACMA ISP Filtering Report Shows ISP Filters As Stronger Than They Really Are

One element that the ACMA ISP-Level Filtering Report touched on was the different circumvention possibilities between PC and ISP based Internet Filtering solutions.  It presented a table of possible work-arounds to both systems, indicating a high, moderate, or low level of possibility of circumvention.

After looking at this table, you are left with the impression that ISP level filtering is nearly bulletproof.  This is not the case though.  They didn’t include in the table at least two methods that I am aware of for bypassing an ISP level Internet filter, and there are possibly more depending on the particular ISP’s deployment model.

It wouldn’t be appropriate for me to go into details about how to circumvent ISP level Internet filters here. But I will say that for at least one of the methods a PC based filter is actually able to filter when an ISP level filter would not.

Australian Government Releases Report on ISP Level Filtering

Last year the Australian government launched its free filter scheme, where any resident of Australia could download a free Internet filter.  InternetSafety.com is a participant in this scheme with Safe Eyes.  A few months after the launch, there was an election which caused a shift in the controlling party of the Australian government, and the Labor party had a different view on Internet Filtering.  They felt that it was best performed by the ISP, instead of with software installed on each PC.

They commissioned a study to review the products currently available to determine the state of the art of the industry, and whether creating an ISP-based clean feed was possible.  They had conducted a similar study in 2005.  The results of the report were released today in the ACMA Report on ISP-Level Internet Filters.

I believe that the software-based filters are better for families.  Not just because we participate in the current scheme in Australia, but because I think they have the ability to provide the parents with richer features.  Features like Time Controls, Privacy Controls, Application Control, and IM Monitoring are all things that can be done much more effectively on the local computer.  So what did the report find?

Performance

  • One product showed only a 2% speed degradation.
  • Three products showed 22-30% speed degradation.
  • Two products showed a 75% speed degradation.

Effectiveness

  • 88%+ blocking capability for all products.
  • 94%+ blocking capability for 4 products.
  • 8% or less over-blocking by all products.
  • 3% or less over-blocking by 4 products.

Scope of Test

  • Products were able to block content on non-web based protocols such as IM and P2P.
  • Products were not able to identify content on these non-web based protocols.

Overall Conclusion

  • ISP level filters are faster than they were in 2005.
  • ISP level filters are more effective than they were in 2005.
  • Non-web based protocols are still a problem.

There is a lot of good information in this report, which I will dig into in future posts.

New Jersey Legislators Call For Internet Filtering

On Friday leading legislators in New Jersey called on the Office of Legislative Services to install Internet filtering software on all legislative computers.  Currently no Internet filtering software is installed.  They are calling for:

the most aggressive Internet filtering software available on all computers in the Legislature.

The move was motivated by the seizure of Assemblyman Neil Cohen’s computer on Wednesday, which reportedly contained child pornography.

COPA Ruling Upheld by 3rd District Court

On Tuesday the Child Online Protection Act was affirmed as unconstitutional by the 3rd Circuit Court of Appeals.  It was previously ruled unconstitutional by the U.S. Supreme Court in 2004 because it violated the 1st and 5th Amendments by being vague and broad.

After reviewing the technology available today, the district court ruled that Internet filtering provides a much better mechanism for keeping our kids safe online than COPA.
