Hundreds of Sites Blocked By Canadian ISP

An anonymous reader writes "Last week Slashdot reported on the blockage of a union website by Telus, a leading Canadian ISP. Since that story, the company has restored access but the fallout continues. The move may lead to new ISP regulations in Canada and a study by the OpenNet Initiative has found that by blocking the union site, Telus also blocked an additional 766 websites including a breast cancer fundraising site." From the article: "While there are a number of different ways to block access to Web sites, the method Telus chose to block the Voices for Change site -- blocking its IP address -- produced massive collateral filtering. Filtering by IP address is efficient since ISPs can quickly and effectively block access to the target site using their existing routing technology. Many ISPs already block certain IP addresses to combat spam and viruses. Large networks, like Telus, have mechanisms in place to block IP addresses almost instantaneously, simply by updating their routers with a "block list" of addresses. However, it is common for many different, unrelated Web sites to share the same IP address."

Re:i'm confused....

[Galaxie]

If your using hostname headers to distinguish between sites you host then yes, 1 ip can represent an unlimited number of websites.

Re:i'm confused....

[jez9999]

Yyyyyes, it is. Name-based hosting allows the web server to serve multiple sites up, based on the browser's Host: header as well as the IP address connected to.

Re:i'm confused....

[bmalnad]

Yes! It is. It's called virtual hosting [apache.org].

Re:i'm confused....

[jellomizer]

Yes it is.

From the Apache WebSite.

http://httpd.apache.org/docs/2.0/vhosts/name-based .html [apache.org]

IP-based virtual hosts use the IP address of the connection to determine the correct virtual host to serve. Therefore you need to have a separate IP address for each host. With name-based virtual hosting, the server relies on the client to report the hostname as part of the HTTP headers. Using this technique, many different hosts can share the same IP address.

Name-based virtual hosting is usually simpler, since you need only configure your DNS server to map each hostname to the correct IP address and then configure the Apache HTTP Server to recognize the different hostnames. Name-based virtual hosting also eases the demand for scarce IP addresses. Therefore you should use name-based virtual hosting unless there is a specific reason to choose IP-based virtual hosting. Some reasons why you might consider using IP-based virtual hosting:

• Some ancient clients are not compatible with name-based virtual hosting. For name-based virtual hosting to work, the client must send the HTTP Host header. This is required by HTTP/1.1, and is implemented by all modern HTTP/1.0 browsers as an extension. If you need to support obsolete clients and still use name-based virtual hosting, a possible technique is discussed at the end of this document.
• Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol.
• Some operating systems and network equipment implement bandwidth management techniques that cannot differentiate between hosts unless they are on separate IP addresses.

Wow

[GordoTheGeek]

A buddy of mine is a desktop admin at Telus in Toronto (the strike is in Alberta and BC). That's a hell of a message to send to the rest of your employees: "We 'support' your right to strike, but we don't want your message to get out to the world."

And he thought he hated his job before the strike. Yow.

Re:Hypocrisy in action.

[B3ryllium]

It could have been both (at 766 sites, it could quite easily have been both), not to mention that business websites could have been blocked as well. It was a nice, tidy, cut-and-dry violation of the Canadian telecommunications regulations act. The CRTC will probably have some fun things to say about it.

Nothing new

[vchoy]

For those of us with Dynamic IP addresses: there always been those times where you get that one bad bad 'black-listed' IP (previously used for spamming, haxing etc).

Worse still, 'black-list' blocks not JUST only the IP, but entire subnets or IP ranges...you spend a whole friggen day debugging your network-router-firewall setup and spend the rest of the week arguing with your ISP about who's fault it is.

Solutions:
ifconfig /renew? - sometimes does not work due to DHCP server keeps on serving you the same IP based on your MAC ADDR, and you are forced to wait for expiry lease to lapse.
change MAC address? - an option, as 'most' routers can 'spoof' MAC addresses.

Re:Illegal, reckles, and dangerous.

[Aim Here]

It wasn't. Telus lied.
Hope this helps.

Re:Never thought about it

[Anonymous Coward]

I think some people make the mistake that people who work at ISPs are expert, forward thinking network gurus with 30 years experience and a phd in networks and systems.

More often than not they are just kids recruited from school and payed a pitance, they may as well be flipping burgers.

Same goes for all sorts of companies and institutions. All your precious data and services are run by cretins.

Re:Hypocrisy in action.

[whois]

Thats not how it works, and I suspect these guys are running into the same problem we did.

I used to work for a national NSP and during my tenure there we developed a few ways to block IP's despite the fact that half the linecards in our network didn't support packet filtering.

The best way to do this was with a global null route. We'd add a route on all the routers pointing one of our unused IPs to the null0 interface. Then we ran a "null route server" where anything we wanted to block was routed to that IP address (causing all traffic to it to get blocked at the entry point, rather than routed through the network)

We used these measures exclusively for spammers and for large DOS attacks. (For DOS attacks it was less effective because you actually had to block the victim instead of the source, but it was better than nothing)

The point behind this is, many times we had virtual hosting providers call us up and tell us we'd blocked thousands of sites, some even went on to name names. We told them to get the spammer off their server before service would be restored.

This is the normal policy of most ISPs. No Collateral damage involved, you violated the terms of service and I'm sorry your business revolves around the idea of putting a thousand customers on one point of failure.

Now, I'm not saying this is what Telus did. I'm saying this is what they probably did and you guys are jumping to conclusions. The fact is, from a router standpoint it's extrodinarly hard to block "www.example.com" without doing it by IP address.

Contact the CRTC about this

[StandardCell]

http://www.crtc.gc.ca/RapidsCCM/Register.asp?lang= E [crtc.gc.ca]

There's a five-step form, and they'll refer the complaint. For a quick cut-and-paste snippet, go to the following:

Please be advised that Telus Corporation may be in violation of the Telecommunications Act, Section 36. Please see http://www.crtc.gc.ca/RapidsCCM/Register.asp?lang= E [crtc.gc.ca] for details on the violation.

Telus ethics

[TeQGame]

Here's an exerpt quoted directly from the Telus Ethics page at http://about.telus.com/governance/ethics1.html [telus.com]

How can they possibly claim that they took an ethical approach when they unilaterally terminated access to a website that depicted Telus in an unfavorable light. Whether the site in question was violating other contractual obligations or law is independent of the actions of Telus.

" Fellow TELUS team members:

Central to TELUS' purpose is to make the future friendly for our stakeholders. One of the critical elements in realizing this ambition is to ensure our individual and collective reputation is above reproach. How we work is just as important as what we do. Our goal is to demonstrate the highest level of ethics and integrity in our business dealings with all stakeholders (customers, shareholders, suppliers, colleagues, community). This is a corporate priority and a shared responsibility for all TELUS team members as each one of our actions and decisions affect our company and its reputation."

Re:Illegal, reckles, and dangerous.

[schon]

I was under the impression that the web site was posting the address and personal information of scabs.

No, what the website was doing was posting pictures of Telus managers.

Thats obviously an intimidation tactic, possibly even dangerious.

Yes, and there are methods of dealing with that - like court injunctions.

I think if they felt the site posed a danger to their employees, their right to safety is more important then thier status as a carrier, collateral damage be damned.

Bullshit. If they *really* felt that the site posed a danger, then they could get an injunction in a matter of hours. It is the correct way to do this, and it would actually *WORK*, because it would affect everybody, rather than just Telus customers.

Re:If they want to do that its fine

[Anonymous Coward]

So all I need to do the get the post office in trouble is mail something illegal to some random person?

The parent poster was making the point that by showing willingness to censor some material the ISP could/should be held accountable for failed to censor other material. They lose their common carrier status in other words. The post office doesn't censor mail so you're question is moot.

DMCA

[Chyeld]

In the US of A. If you are a common carrier, you can not be held liable for the information being transmitted over your lines. However, if you censor/filter/control access to what is sent over your lines, you no longer have that safe harbor and are considered to be liable for what is sent as if you are filtering and allow something to go through, it's an implict acceptance of it.

I don't know if this is something that applies to Canada as well. But it's be biggest reasons why ISP's in USA will not filter or control access to parts of the internet based on content. The end user has the option to filter, but it must be controlled by that user, not the ISP.

Telus and ports... 80 is blocked

[phorm]

I know for a fact that they block port 80, 21, and some other common ones for accounts with dynamic IP's. I was stuck with a dynamic while waiting for my server account to kick in at my new address, and all the common inbound web-ports were blocked. Telus wants you to pay up for inbound traffic, no dyndns for you!

Re:Wow

[Malicious]

Recently, the CIRB ruled that employees in Quebec and Ontario aquired in the Clearnet take over were in fact to be considered members of the TWU.
As such the job action encompasses the entire Union, not just Alberta and BC how ever Telus has refused to provide the Union with the names of the employees in Eastern Canada.
Further, the job action is not actually a strike. Union members in BC and Northern Alberta were locked out of their jobs in an act initiated by Telus creating a 'Lock Out' and not a 'Strike'. Important distinction.

telus changes it's tune

[DougMelvin]

Just like to point out this blerb from the front page of the site in question:
After an out of court settlement today, TELUS acted quickly to remove the restrictions it placed on nearly one million customers. TELUS customers, and other Internet Service Providers who provide ADSL connections through the TELUS network are now able to connect to Voices For Change through its domain name www.voices-for-change.com.

(Now why the frack are ppl arguing about semantics and host headers? It's not even relevant to the topic.. sheesh)

Re:On the other hand...

[sugarmotor]

AA -- if it was illegal why did Telus not use the law? (Maybe because they like to stay outside the law themselves??)

Also, it was not the union who "was posting pictures of employees...". The site was run by a union member, which is a completely different story.

See you,

Stephan

Re:DMCA

[billDCat]

I think that there is a difference in this case with regards to the common carrier status. The reason why TELUS took down the site is because the union, which is part of TELUS, posted personal information about union members who were crossing picket lines. The web site was hosted by TELUS as well, so the company took it down I'm sure because they were violating privacy laws, not to mention because of the intimidation factor. In this case, TELUS happens to be a carrier as well, but this issue was an internal matter. If it was another company that had their own web server, and it was being used for that purpose, I'm sure they would pull the plug too.