Belarus is holding an election today. This election is particularly important because Aleksandr G. Lukashenko, sometimes referred to as the ‘last dictator of Europe,’ has allowed a fair degree of freedom throughout the campaign, including giving free airtime on national TV to opposition candidates, during which they were allowed to criticize him without censorship.
However, it appears that Belarus is continuing in its mixed record of allowing free access to opposition Internet sites during elections. I am getting reports from a digital activist whom I trust of DDoS attacks against a number of sites, which is common during times of crisis in authoritarian countries. I can verify that the following sites have been inaccessible at times this morning: charter97.org, belaruspartisan.org, ucpb.org. He is also reporting that international connections to ports 443 and 465 are being blocked, which will prevent users from securely posting content to international sites like Facebook and Twitter and from sending mail through international carriers like Gmail (the blocking is apparently for all international sites, though, not just ones that may be offensive to the government).
Most interestingly, he reports that BELPAK, the Belarussian national ISP, has been silently redirecting requests from independent media sites to copies of those sites presumably run by pro-government actors, if not the government itself. So when a user requests gazetaby.com, the ISP hijacks the request and instead of returning the requested page returns a redirect for gazetaby.in. The fake site is almost identical to the originally requested site, and as of this post each fake site appears to contain all of the same stories as the original site. Presumably as election day goes on, though, the government will use the fake site to prevent publication of stories that it does not like (by merely not mirroring them onto the fake site). My source observed this behavior repeatedly this morning, but it has since stopped, so requests from within Belarus are currently going to the original sites. This behavior was reported for the following sites, with the following faked mirrors (which can be accessed as confirmation):
|original site||fake site|
Here’s a zip file of screenshots of each of the above sites, in case the fake sites are taken down.
I cannot verify that this activity was or is happening, but the mere presence of the mirrored sites under almost identical names is strong evidence of bad behavior by someone. My source is working directly with many of the sites listed above and so can verify that those mirrored sites are not being run by the site owners (running such mirrored sites under similar domain names is a very common form of DDoS resistance).
This practice of using a complex combination of different methods for controlling the Internet, particularly during times of crisis like an election or a protest, is very common (we will shortly release a report on DDoS attacks against independent media which includes the finding that independent media sites often suffer from a range of different types of control rather than just filtering, just DDoS, just hijacking, etc). Note above that several of the sites that have been subject to the hijacking described above have also been DDoS’d. It may or may not be the case that the actors DDoS’ing the sites are the same as the ones hijacking them (the hijacking is almost certainly the work of BELPAK, since they are the only ones with the ability to hijack requests as described above).
All of the mirrors above are hosted on IP addresses owned by BELPAK:
gazetaby.in has address 188.8.131.52
nnby.in has address 184.108.40.206
charter97.in has address 220.127.116.11
bchdd.in has address 18.104.22.168
belaruspartisan.in has address 22.214.171.124
euroradio.in has address 126.96.36.199
ucpb.in has address 188.8.131.52
svaboda.in has address 184.108.40.206
This doesn’t necessarily mean that BELPAK itself is directly hosting the sites — it just means that BELPAK or one of its customers is hosting the mirror sites within its network. Nonetheless, this is further evidence of bad behavior.
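The redirect pattern described above (a request for gazetaby.com answered with a redirect to gazetaby.in) can be checked for from a vantage point inside the affected network. The following is an added example, not part of the original post: it parses a raw HTTP response and flags a redirect whose target keeps the site's name but changes the top-level domain. The function names are hypothetical and the sample responses are constructed, not captures from the incident.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

def redirect_host(raw_response: bytes):
    """Return the host a raw HTTP response redirects to, or None."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response")
    if int(parts[1]) not in REDIRECT_CODES:
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            # hostname is None for a relative Location (same host)
            return urlsplit(value.strip()).hostname
    return None

def name_and_tld(host: str):
    """'www.gazetaby.com' -> ('gazetaby', 'com'). Naive: assumes a one-label TLD."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) > 2 and labels[0] == "www":
        labels = labels[1:]
    return ".".join(labels[:-1]), labels[-1]

def classify(requested_host: str, raw_response: bytes) -> str:
    target = redirect_host(raw_response)
    if target is None:
        return "no-cross-host-redirect"
    req, tgt = name_and_tld(requested_host), name_and_tld(target)
    if req == tgt:
        return "same-site-redirect"        # e.g. adding www or switching to https
    if req[0] and req[0] == tgt[0]:
        return "lookalike-tld-redirect"    # same name, different TLD
    return "other-redirect"

# Constructed sample responses (not captures from the incident).
SAMPLES = {
    "hijacked": b"HTTP/1.1 302 Found\r\nLocation: http://gazetaby.in/\r\n\r\n",
    "to_www": b"HTTP/1.1 301 Moved Permanently\r\nlocation: http://www.gazetaby.com/\r\n\r\n",
    "normal": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "elsewhere": b"HTTP/1.1 302 Found\r\nLocation: http://example.org/\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify("gazetaby.com", raw))
```

A "lookalike-tld-redirect" result is a lead, not proof: as noted above, site owners sometimes run their own mirrors under similar names, so the target has to be confirmed with the owner.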
Radio Free Europe / Radio Liberty is reporting that one of the site mirrors changed the location of a protest (presumably to misdirect protesters).