palmarci's blog

a random blog mostly for myself, so i can remember stuff

Investigating Hungarian internet censorship



Intro

My colleagues mentioned they need a VPN to order e‑liquids because the stores are blocked in Hungary. That prompted an investigation into how the blocking is performed. I tested a few domains from my home network and found some interesting documents online.

Abbreviations

  • NMHH: Nemzeti Média- és Hírközlési Hatóság (National Media and Communications Authority)
  • KEHTA: Központi Elektronikus Hozzáférhetetlenné Tételi Határozatok Adatbázisa (Central database of rulings on making electronic data inaccessible)
  • TSR: Technikai segítségnyújtó rendszer (Technical Assistance System)
  • SZTFH: Szabályozott Tevékenységek Felügyeleti Hatósága (Regulated Activities Supervisory Authority)

First idea: DNS

  • My ISP (Telekom HU) provides these DNS servers: 84.2.44.8 and 84.2.46.8.
  • These DNS servers return the same addresses as Cloudflare's DNS over TLS, so DNS-based blocking does not appear to be used in these cases.

Tracerouting

After Googling around I found the SZTFH blocklist [4], which should list all domains that are blocked in the country. Then, I performed some basic tracerouting.

  • dashvapes.com (172.66.158.199)
    • Result: blocked - loads law text.
    • Route observed: telekom hu -> 195.191.97.62 -> twelve99.net (AS1299 - Arelion T1) -> Cloudflare.


  • 68ninecasino35.com (212.67.24.20)
    • Result: blocked - loads law text.
    • Route: same as dashvapes.com.
    • Reverse DNS for 212.67.24.20 shows that it also hosts 98katanaspin21.com, with the same routing.


  • ecigishop.net (188.114.97.8)
    • Result: listed on SZTFH block list but loads fine from my network.
    • Route: telekom hu -> T-Mobile Czech Republic -> Deutsche Telekom -> Arelion -> Cloudflare.
    • Likely not in NMHH/KEHTA list, which may explain why it is reachable despite being on SZTFH list.
      • I would think that they are different government entities, they are probably out of sync?

Weird IP

So what is this 195.191.97.62?

  • It appears in AS12301 (Invitech ICT Services Kft.)
  • Organization name in RIPE is: ORG-NMaI1-RIPE (NMaI stands for National Media and Communications Authority?)
  • Address matches NMHH office in Budapest.
  • Invitech merged into 4iG. [11]
  • 4iG has known government ties. [12]

I think it is safe to assume that this is the host that performs the blocking. Now we know the name and address of who does the blocking.

So how does it work?

After some very basic OSINT, we immediately find the technical details [2], contracts [1] [3], test pages [5], forum [6] and blog posts [7]. We can also find it inside the Budapest Internet Exchange (BIX) [8], EU parliamentary reports [9] and in personal LinkedIn pages [10].

I recommend going through the links, because they are interesting, but basically it works the following way:

  • ISPs are accepting BGP advertisements from NMHH
  • IP ranges that might need blocking are then routed through NMHH
  • NMHH performs deep packet inspection
    • HTTP: host and URL are checked.
    • HTTPS: TLS Server Name Indication (SNI) based blocking is performed.
    • Other protocols: IP and port may be used, or just plain IP-based blocking.
  • If NMHH deems the request "illegal", a static HTML law page gets served
  • Otherwise, it gets forwarded to the real destination.

Architecture taken from NMHH documentation

Checking their precision

On the HUP forum post [7], one guy was concerned with the latency introduced in this process and mentioned that they used to block /32 and now something has changed. I wrote a simple script and checked how big a slice of the IP block they were actually targeting.

My limited testing indicates that as of writing, they are mostly still targeting /32, meaning individual addresses. I would think that they are resolving the wanted domains and updating the addresses on the fly.
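
One way to make this kind of measurement, as an added example (it is not the script used for this post): traceroute the blocked address and one "sibling" address per prefix length, then see how far the diversion through 195.191.97.62 extends. The function names and the trace data are assumptions made for illustration; the sample addresses come from the documentation ranges and are constructed, not measured.

```python
import ipaddress

NMHH_HOP = "195.191.97.62"  # inspection hop seen in the traceroutes above

def is_diverted(hops):
    """True if a traceroute hop list passes through the NMHH hop."""
    return NMHH_HOP in hops

def sibling_probes(target, widest=24):
    """Map prefix length -> address to traceroute. Flipping bit (31 - plen)
    of the target gives an address that shares its /plen but not its /(plen+1)."""
    t = int(ipaddress.IPv4Address(target))
    return {plen: str(ipaddress.IPv4Address(t ^ (1 << (31 - plen))))
            for plen in range(31, widest - 1, -1)}

def estimate_prefix(target, traces, widest=24):
    """Widest prefix around `target` in which every probed sibling is diverted.
    Returns None if the target itself is not diverted. A sibling can also be
    diverted by its own /32, so treat the result as an upper bound on width."""
    if not is_diverted(traces[target]):
        return None
    probes = sibling_probes(target, widest)
    plen = 32
    for cand in range(31, widest - 1, -1):  # test /31 first, then wider
        probe = probes[cand]
        if probe not in traces or not is_diverted(traces[probe]):
            break
        plen = cand
    return ipaddress.ip_network(f"{target}/{plen}", strict=False)

# Constructed sample data (documentation address ranges, not real measurements).
DIRECT = ["192.0.2.1", "198.51.100.9"]
VIA_NMHH = ["192.0.2.1", NMHH_HOP, "198.51.100.9"]
TRACES = {
    "203.0.113.77": VIA_NMHH, "203.0.113.76": DIRECT,       # lone /32
    "203.0.113.130": VIA_NMHH, "203.0.113.131": VIA_NMHH,   # part of a /30
    "203.0.113.128": VIA_NMHH, "203.0.113.134": DIRECT,
}

if __name__ == "__main__":
    for ip in ("203.0.113.77", "203.0.113.130"):
        print(ip, "->", estimate_prefix(ip, TRACES))
```

With real data, `TRACES` would be filled from the hop lists of actual traceroute runs against the addresses returned by `sibling_probes`.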

Conclusion

Although I am very against internet censorship, this system is not that bad. It is clearly "open" and honest about itself and they try to be precise with the blocking and try to limit false positives. Yes, the latency is a bit bigger, however it is limited to sites that are hosted on the same IP as a blocked one.

Also, the system is trivial to bypass: just use Tor or a VPN outside of the country.