No happy ending for the 93,000 Kazakh domains that got nixed instead of massage parlour's site
Block by IP, very naaice
Kazakhstan officials blocked 93,000 websites from domestic access in a ham-fisted attempt to blacklist an adult massage parlour.
State censors trying to erase the web presence of an erotic massage emporium called Rainbow Spa back in late July did so by ordering the blocking of the site's IP address instead of its domain name.
Although the given reason for the ban was that the site broke two local laws about protecting children and distributing pornography, it directly resulted in a sizeable number of other websites that relied on the same shared cloud infrastructure also going dark to Kazakhs.
"As most of the providers route their traffic via the national operator, the affected sites were inaccessible in the whole country," according to a blog post on Qurium, the publishing arm of web-hosting biz Virtual Road, which claimed the spa had ties to an "illegal prostitution ring".
The ban-happy block was targeted at two IP addresses, reported by local outlet Hola News as 22.214.171.124 and 126.96.36.199. The first of these hosts around 9,500 domains, while the second keeps just over 84,000 websites online.
Unfortunately for the bungling censors, these two IPs belong to shared infrastructure in Russia – including a large number of websites hosted on the Tilda Publishing platform, a sort of WordPress-style CMS-plus-prebuilt-skins intended for rapid deployment by the unskilled.
Customers of local ISPs including the country's largest, Kazakhtelecom, as well as Kcell, Altel, Tele2 Kazakhstan, Activ and Beeline Kazakhstan were reportedly blocked from viewing the 93,000 websites covered by the two IPs.
Kazakhtelecom, however, unabashed by criticism from, among others, a Kazakh film festival and film production agency for KO'ing their websites, told Hola News the outage was caused by "a budget and not quite full-fledged service to customers" provided by their webhost.
"For our part, we offer you to take advantage of the hosting from Kazakhtelecom," boasted the telco, noting that it offers dedicated IPs among other things.
Unimpressed, Tilda Publishing hit back: "We provide all our customers with high-quality protection against DDoS attacks at no extra charge. Traffic filtering is possible only when passing through a single IP address... As far as we know, not a single Kazakh hosting provider provides this service by default without a substantial additional charge."
More relevantly, Tilda also said:
"Blocking a resource by IP address is an outdated and barbaric practice that has long been inconsistent with modern cloud-based IT technologies and access restriction mechanics."
Echoing this, the Internet Society said in a 2017 paper (PDF): "Every blocking technique suffers from over-blocking and under-blocking: blocking more than is intended and, at the same time, less than intended," complaining that "they also cause other damage to the internet by putting users at risk (as they attempt to evade blocks), reducing transparency and trust in the internet, driving services underground, and intruding on user privacy."
One of the massage parlour's websites was still online at the time of writing, despite the inept attempts of local censors, and was offering services including "erotic massage", "foot fetish", and (via Google Translate) "a four-hand[ed] massage [to] relieve stress". It also appears to offer screenings of fake Medieval fantasy soap Game of Thrones every Monday. ®