Mauritius Did ICTA change its CSA Internet filter?

Internet users in Mauritius, especially on Facebook, have been asking recently whether the ICT Authority (ICTA) has already started monitoring people's Internet connections.

Ish Sookun

5 min read

I received a tweet from a friend yesterday morning that showed a screenshot of the whatismyip.com website. My friend was alarmed that instead of the website showing him his public IP address, it was showing another IP address in the Netherlands.

What are these websites?

These websites provide a simple service that shows the visitor his own public IP address. If you check the network settings on your computer or mobile device it will show you the local IP address assigned to your device by your router, not your public IP address.

People usually check websites like monip.org, ifconfig.co, whatismyip.com & many others to see their public IP address.

You could also log into your ISP's router to check your public IP address.

Why is whatismyip.com showing Netherlands instead of Mauritius?

My first reaction was that it must probably be an issue with whatismyip.com.

I replied to a few comments on Facebook yesterday & posted on my wall that I will analyze this later.

Analysis

Screenshot from whatismyip.com taken on 3 May 2021 at 15h50

When accessing whatismyip.com from an Emtel or My.T Internet connection, one will see the above IP address, i.e. 165.22.199.12, instead of the router's public IP address. This behaviour is not seen when trying another similar service such as monip.org or ifconfig.co.

Find the route

I used a utility in Linux called traceroute to check which network path the request takes before reaching the whatismyip.com website.

traceroute to whatismyip.com (104.27.194.88), 30 hops max, 60 byte packets
 1  _gateway (192.168.100.1)  2.654 ms  3.785 ms  4.420 ms
 2  197.224.48.1 (197.224.48.1)  7.296 ms  9.084 ms  10.440 ms
 3  196.192.102.166 (196.192.102.166)  10.400 ms  10.333 ms  10.290 ms
 4  197.226.230.12 (197.226.230.12)  236.662 ms  236.611 ms  236.544 ms
 5  mauritiusams3.netsweeper.com (165.22.199.12)  238.951 ms  238.896 ms  238.851 ms
 6  * * *
 7  10.82.69.47 (10.82.69.47)  227.325 ms 10.82.69.39 (10.82.69.39)  222.554 ms  225.284 ms
 8  138.197.250.100 (138.197.250.100)  225.229 ms  225.636 ms  227.063 ms
 9  138.197.250.80 (138.197.250.80)  225.108 ms 138.197.250.96 (138.197.250.96)  276.327 ms 138.197.250.74 (138.197.250.74)  276.249 ms
10  138.197.244.88 (138.197.244.88)  276.206 ms 138.197.244.86 (138.197.244.86)  275.141 ms 138.197.244.88 (138.197.244.88)  275.044 ms
11  * * *
12  104.27.194.88 (104.27.194.88)  255.166 ms  255.124 ms  254.842 ms

The above result indicates that after leaving the Mauritius Telecom network at hop no. 4, the request heads to 165.22.199.12. There, instead of a network routing device, sits a proxy server by Netsweeper, which then forwards the request onward until it reaches its destination at 104.27.194.88.

The behaviour is not observed when accessing other websites, e.g. facebook.com.
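To make the reading of the traceroute above repeatable, here is an added example (not part of the original post) that parses traceroute output and flags two things visible in this trace: a public hop whose reverse DNS names its operator, and private (RFC 1918) addresses answering after public hops. The sample is a trimmed copy of the hops shown above; the function names are hypothetical.

```python
import ipaddress
import re

# Hops copied from the traceroute above (hops 8-11 trimmed for brevity).
SAMPLE = """\
 1  _gateway (192.168.100.1)  2.654 ms  3.785 ms  4.420 ms
 2  197.224.48.1 (197.224.48.1)  7.296 ms  9.084 ms  10.440 ms
 3  196.192.102.166 (196.192.102.166)  10.400 ms  10.333 ms  10.290 ms
 4  197.226.230.12 (197.226.230.12)  236.662 ms  236.611 ms  236.544 ms
 5  mauritiusams3.netsweeper.com (165.22.199.12)  238.951 ms  238.896 ms  238.851 ms
 6  * * *
 7  10.82.69.47 (10.82.69.47)  227.325 ms 10.82.69.39 (10.82.69.39)  222.554 ms  225.284 ms
12  104.27.194.88 (104.27.194.88)  255.166 ms  255.124 ms  254.842 ms
"""

RESPONDER = re.compile(r"(\S+) \((\d+\.\d+\.\d+\.\d+)\)")

def parse_hops(text):
    """Return [(ttl, [(name, ip), ...])]; header and '* * *' rows are skipped."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if not m:
            continue
        responders = sorted(set(RESPONDER.findall(m.group(2))))
        if responders:
            hops.append((int(m.group(1)), responders))
    return hops

def findings(text):
    """Flag hops that deserve a closer look when checking for a detour."""
    out, seen_public = [], False
    for ttl, responders in parse_hops(text):
        for name, ip in responders:
            addr = ipaddress.ip_address(ip)
            if not addr.is_private and name != ip:
                out.append((ttl, ip, f"reverse DNS names the operator: {name}"))
            if addr.is_private and seen_public:
                out.append((ttl, ip, "private address after public hops"))
            seen_public = seen_public or not addr.is_private
    return out

if __name__ == "__main__":
    for ttl, ip, why in findings(SAMPLE):
        print(f"hop {ttl:>2}  {ip:<15}  {why}")
```

Running the same function on a trace to a destination that is not diverted gives a baseline to compare against.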

Who can shed light on this behaviour?

I asked the question on the Mauritius Network Operators Group (MUNOG), which is a group comprising computer network professionals from various organizations (ISPs, Network Operators, Regional Internet Registries, etc.).

I got an answer from someone who works for an ISP who said that Netsweeper is advertising the address 104.27.195.88/32. What's happening here?

Let's see. The domain whatismyip.com resolves to the two Cloudflare IP addresses below.

; <<>> DiG 9.16.8-Ubuntu <<>> @1.1.1.1 A whatismyip.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27070
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;whatismyip.com.			IN	A

;; ANSWER SECTION:
whatismyip.com.		300	IN	A	104.27.194.88
whatismyip.com.		300	IN	A	104.27.195.88

;; Query time: 11 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon May 03 17:59:29 +04 2021
;; MSG SIZE  rcvd: 75

However, when tracing the network path to either 104.27.194.88 or 104.27.195.88 the request is being sent to 165.22.199.12.

Note that when I wrote the Cloudflare IP address earlier, I specified /32, which denotes that one specific IP address rather than a block of IP addresses.

One more thing that I learned in the Network Operators Group is that the Internet Service Providers do not accept /32 addresses from their peers but only a minimum of /24 which represents 256 IP addresses. Then, how come a single IP address of another organization is being advertised with a different routing info?

ICTA enters the scene

Indeed, when network operators peer with each other, they accept only a minimum of /24 addresses. The CSA filter of the ICT Authority uses the Border Gateway Protocol (BGP), the same protocol that network operators use to peer with each other and advertise their networks.

However, the difference here is that the CSA filter advertises /32s, i.e. individual IP addresses, with further routing information.

In Mauritius, it seems that only ICTA's CSA filter does so and the Internet Service Providers accept it.

Therefore, the conclusion (so far) is that the CSA filter managed by the ICT Authority is telling the Internet Service Providers in Mauritius that the request to whatismyip.com should be routed to 165.22.199.12 (which hosts a proxy server by Netsweeper).
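The mechanism behind this conclusion is longest-prefix matching: a router that accepts a /32 will prefer it over any shorter covering prefix for that one address. The following is an added example, not from the original post, that models an ISP routing table with the /24 import rule and an exemption for the filter's BGP session. The peer labels and the covering prefix 104.24.0.0/14 are assumptions made for illustration; the /32 and 165.22.199.12 come from the text above.

```python
import ipaddress

# (prefix, peer label, where traffic is sent). Peer labels are hypothetical.
ADVERTS = [
    ("104.24.0.0/14", "transit", "upstream transit"),      # assumed covering prefix
    ("104.27.195.88/32", "csa-filter", "165.22.199.12"),   # /32 reported on MUNOG
]

def import_filter(prefix, peer, max_len=24, exempt_peers=()):
    """Usual peering rule: drop anything more specific than /24, unless exempt."""
    return prefix.prefixlen <= max_len or peer in exempt_peers

def build_rib(adverts, exempt_peers=()):
    """Keep only the advertisements that pass the import filter."""
    rib = []
    for cidr, peer, via in adverts:
        prefix = ipaddress.ip_network(cidr)
        if import_filter(prefix, peer, exempt_peers=exempt_peers):
            rib.append((prefix, via))
    return rib

def lookup(rib, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(prefix, via) for prefix, via in rib if addr in prefix]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

if __name__ == "__main__":
    strict = build_rib(ADVERTS)                                # /24 rule for all
    exempt = build_rib(ADVERTS, exempt_peers=("csa-filter",))  # /32s accepted
    for dst in ("104.27.195.88", "104.27.195.89"):
        print(dst, "| strict:", lookup(strict, dst), "| exempt:", lookup(exempt, dst))
```

Only the single advertised address is diverted; its neighbour in the same block still follows the covering route, which is why other sites looked normal.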

Netclean or Netsweeper

Until now, I had only heard of Netclean as the CSA filter for outgoing Internet traffic in Mauritius, implemented by the ICT Authority in 2011. Refer to page 26 of the ICTA Annual Report of 2011.

ICTA implemented Netclean Whitebox solution in 2011 which was an on-premise solution hosted at ICTA itself. In 2014, it was upgraded to Netclean Cloud Solution and hosted in Sweden. In 2017, after an international tender exercise, Netclean was selected again.

There is no mention of changing provider in the annual report of 2018.

In April 2020, ICTA launched the tender again for a Cloud-based Child Sexual Abuse (CSA) filtering system. You may consult the tender document for details.

There is no information about who won the bid or Netsweeper for that matter on ICTA's website. However, while replying to a question on CSA filter in the National Assembly on 17 November 2020, the Prime Minister mentioned that the CSA filtering system is currently being provided by a Canadian-based company, Netsweeper Ltd. Refer to page 32 of Hansard No. 34 of 2020.

Based on the Prime Minister's answer, we can assume that the tender was awarded to Netsweeper instead of Netclean.

I did not contact ICTA for a response on this issue because they have not publicly informed Internet users in Mauritius that they have changed the configuration of the CSA filter, whether they changed the software itself, what new features the software provides, what data is now collected on Internet users, etc. ICTA does not mention Netsweeper in its Consultation Paper either.

I sent an email to Netsweeper support asking them why the request to whatismyip.com from Mauritius has been proxied via the Digital Ocean server in the Netherlands. I'll update this blog post when I have more information.

Update

  • I got a reply from Netsweeper support that they're looking into this.
  • Issue has been fixed and the request to whatismyip.com is no longer being proxied to Amsterdam, Netherlands.
  • Will update if I obtain the root cause from Netsweeper.
  • ICTA issued a communique with a reply from Netsweeper stating that the incident involving whatismyip.com was due to the same IP address being on the Internet Watch Foundation's list.

Thanks to subscribers of the Mauritius Internet Users Group & the Mauritius Network Operators Group for providing information that helped me understand this "network anomaly" observed by Mauritian Internet users.