This article aims to identify the different Internet censorship methods utilized to block Clubhouse in Jordan, based on some schematic analysis we performed since Clubhouse-related issues were first reported on March 15th.
It is important to note that not all the ISPs were, or are currently, blocking Clubhouse, specifically, as of April 18th, JCS (AS44702) is currently not restricting access to the application. On the other hand, Zain (AS48832), on its 4G network, Orange (AS8376), VTel (AS50670) and DAMAMAX (AS47887) have restricted access to Clubhouse, on a continuous basis since mid-March, while Umniah apparently started implementing the blocking in a later phase around end of March.
Blocking access to certain websites in Jordan is mainly done through two different methods depending on the ISP. While Umniah (AS9038) and DAMAMAX (AS47887) are using DNS tampering, analysis on the traffic on Zain (AS48832) and Orange (AS8376) suggests the use of Deep Packet Inspection (DPI) techniques, here we are presenting some findings from the analysis.
Altering responses from the DNS is a common technique to block access to websites, this is done by interfering with DNS and providing clients with altered responses, specifically, in ‘DNS hijacking’, the DNS resolver ‘lies’ and returns the wrong IP address to the client, a behaviour which we encountered on Umniah’s network. Although Umniah apparently allowed access to Clubhouse for a number of days, it is currently blocking the domain joinclubhouse.com by responding to the DNS query by a
NXDOMAIN status (No such name), informing the client that the queried domain name does not exist in the DNS:
Querying the Clubhouse’s domain on a different name server, 22.214.171.124 in this example, will provide a different answer, where the domain name is correctly resolved to 126.96.36.199 and 188.8.131.52, Clubhouse’s IP addresses on Cloudflare.
Umniah are providing their 4G customers a Huawei E5577 Wifi router with a built-in DHCP server and a DNS server, accessible by the same router’s IP address, 192.168.8.1, once a blocked domain is queried, an
SOA (Start of Authority) resource record is provided to the client with a name of the zone
blacklist.umniah.local. In our query, we assumed that the serial number of the zone follows the recommendations in RFC 1912, therefore, the date of the last change as announced by the record was March 29, 2021.
It doesn’t seem that traffic on Umniah presents other anomalies, in this case and similar cases, users could access Clubhouse by changing their DNS resolver.
On DAMAMAX, the domain joinclubhouse.com fails to resolve too, even after changing the DNS into an open/public DNS resolver like 184.108.40.206 or 220.127.116.11. Specifically, no answers are received to the DNS queries to Clubhouse’s domain.
A DNS query response with the same transaction ID (
0xa4b6 in the example below) and an address would have been expected, however no response was received, this might suggest DNS responses containing
joinclubhouse.com might be filtered out.
After this finding, an attempt to resolve the domain through DoH (DNS-over-HTTPS) has been conducted, in DoH, the domain name is sent to a DoH-compatible DNS server using an encrypted HTTPS connection instead of a plain text one. The domain is correctly resolved, as shown in the last connection of the following response:
Deep Packet Inspection
Now, let’s have a look at some quick analysis we have done on Zain. While a TCP connection can be established successfully to
https://joinclubhouse.com (IP: 18.104.22.168), a
“Connection reset by peer” error is received:
The error is generated due to the reception of a
RST/ACK packet after we have sent the initial packet of the TLS handshake (
Client Hello), as can be seen in our captured packets (PCAP) while analyzing Clubhouse:
Previous network measurements on Zain strongly indicated the utilization of DPI techniques to block websites and apps. The specific use of Sandvine Packetlogic devices, produced by the U.S.-based company Sandvine, can be seen in one of our reports, published in cooperation with OONI, by looking at some fingerprint elements that are considered specific to these devices, namely, the injected packet received by the client is an empty
RST/ACK packet of which the IPID was
0x00003412, a highly distinctive fingerprint of Sandvine Packetlogic according to a CitizenLab report. In October 2020, a report from Bloomberg mentioned the use of such devices in Jordan, according to one current and two former employees of Sandvine, their equipment has enabled repeated government-ordered internet shutdowns.
However, recent packets captured while scanning Clubhouse do not show the same fingerprint, although an empty
RST/ACK packet is still received, the IPIDs are not fixed:
Compared to previous analysis (in 2018 and early 2019) that always shows a fixed IPID of 0x00003412 in the fifth packet:
A not-fixed IPID is indeed the normal behaviour, there are several possible explanations on the reason why the previous IPID (
0x00003412) is not showing in more recent analysis of blocked websites on Zain, this might include the potential recent use of newer versions of Packetlogic devices or alternative devices or techniques not characterized by the aforementioned fingerprint.
In contrast to Zain, the website
joinclubhouse.com is accessible on Orange, which in turn bans access to the app by blocking access to its API endpoints available at
https://www.clubhouseapi.com/api, analysis of the traffic to Clubhouse on Orange shows, similarly to Zain, that the connections are closed by injecting an
RST/ACK packet with not-fixed IDs.
As not all the ISPs are implementing the blocking of Clubhouse equally, and different techniques are in place, it would be safe to confirm that the blocking of Clubhouse is not implemented on a central level, but rather independently by each service provider.
The use of alternative DNS resolvers and/or the use of DNS over HTTPS/TLS should allow users to bypass blocking on operators adopting DNS tampering techniques (like Umniah and DAMAMAX).
The use of VPN can circumvent both the Internet Censorship methods used in Jordan. As Clubhouse was first reported blocked on some networks on March 15th, it was not strange that instantly after facing issues connecting to the app, multiple users in Jordan resorted to VPNs to circumvent the blocking. In a matter of minutes, many people returned to the app just by enabling their already-installed VPNs, tools that became extremely popular in the last years as a result of a not-so-shiny history of Internet censorship in this country, consequently, some of these VPN tools were also affected to some blocking, including TunnelBear, NordVPN and ExpressVPN.
(UPDATE APRIL 18, 2021: Analysis on Orange shows the app is blocked, the article was modified to reflect that)
(UPDATE JUNE 16, 2021: More recent analysis shows the app is still blocked by the ISPs listed in this article)