New Podcast
Managing Traffic During Peak Demand; Plus, Microsoft, Akamai Outages

Outage Analyses

Internet Censorship Around the World

By Young Xu
| | 26 min read

Summary


As the Internet has evolved, so too has its censorship. In the beginning, many believed that censoring the Internet was impossible, since networks were to designed to adapt to major disruptions and simply route around any barriers—including intentional ones. However, countries like Singapore, China, Saudi Arabia and Iran found ways to leverage the design of their network infrastructure to make filtering possible, and more and more countries began to follow their lead, including both countries known for their repressive regimes and those with long traditions of democracy and free speech. Great Britain censored child pornography, France blocked hate speech, and the U.S. seized domain names and blocked access to their content due to allegations of intellectual property infringement. Iraq even shut down Internet access for the entire country to prevent cheating on national exams.

Not only are there a diverse range of reasons for censorship, but there are also a variety of censorship methods that have been used around the world. Let’s dive into several examples that illuminate the complexity, variety and difficulty of using technical methods to censor the Internet.

The Great Firewall of China

With by far the largest and most sophisticated system of Internet censorship, China has become a model for a number of other countries, even exporting cyber surveillance technology to countries including Cuba, Zimbabwe and Belarus. The “Great Firewall of China,” as this system of censorship is commonly known, has evolved into a highly advanced, precise machine that can block entire sites, individual pages and even specific search results on the fly, as news events and changes in the political climate unfold.

The Chinese government controls all eight of the ISPs in the country, in addition to all ten of the international Internet gateways through which traffic travels between China and the rest of the world. In Figure 1, traffic flows from our St. Louis agent to the destination, baidu.com. The paths converge at a “narrow waist,” one of the Internet gateways in China Telecom. The link directly upstream observes a significant average delay time of 152.4 ms, which is likely due to the process of filtering traffic associated with passing through the Great Firewall.

Figure-1
Figure 1: Paths from the St. Louis agent to baidu.com converge at one of China’s Internet gateways in China Telecom. The link directly upstream from it sees significant delay, likely due to the content filtering process deployed there.

Not only is the government able to leverage control of all crucial points of the nation’s networks into a wide ability to analyze and manipulate traffic into, out of and within China, but it is also able to delegate most of the content filtering to the ISPs, who carry out much of the technicalities of orchestrating nationwide censorship.

Researchers have identified a handful of major techniques that the ever-evolving Great Firewall uses to censor the Internet for Chinese users:

1. IP blocking

A standard feature of most routers, blocking IP addresses is the most primitive and easiest to implement technique. In China, routers are given a blacklist of undesirable IP addresses; the routers will then inspect and drop any packet destined to one of the blocked IPs so that users are unable to establish a connection.

The downside of IP blocking is that other innocent websites may also be blocked if they’re located at the same IP address or in the same address block. Used alone, this censorship method is easily circumvented if the site changes IP addresses, which is a relatively easy fix. However, changing domain names is not so trivial—which is part of the reason why DNS poisoning is used in conjunction with IP blocking, when a simple IP block isn’t effective.

2. DNS poisoning and hijacking

DNS poisoning blocks websites at the domain level, crippling the ability of websites to circumvent IP blocking. DNS caches are intentionally poisoned with the wrong addresses for websites like Facebook, so that users are directed to the wrong location for blocked sites.

We can see DNS poisoning in practice in China using a DNS+ test that sends DNS requests for the A record for facebook.com to DNS servers around the world. Facebook has been blocked in China since 2009. Figure 2 shows the percentage of vantage points in each country that return the mapping to 66.220.158.68. At the time shown, 94.5% of all vantage points return this mapping, though only 1% of vantage points in China return this address. Feel free to interact with the data at this share link.

Figure-2
Figure 2: For the domain name facebook.com, 94.5% of all vantage points return
a mapping to 66.220.158.68, though only 1% of vantage points in China do so.

With some more digging, we see that 71.1% of vantage points in China point to an IP that no other country’s servers return: 159.106.121.75.

Figure-3
Figure 3: 71.1% of vantage points return a mapping to 159.106.121.75, an address that no other country’s servers return.

It’s clear that the DNS records for facebook.com have been poisoned in China so that Facebook’s domain name is mapped to a false address. In this way, Chinese users are directed to the wrong location if they attempt to access Facebook’s services.

Apart from DNS poisoning, routers also hijack DNS requests that contain URLs with banned keywords by providing a fake DNS response that also points to the wrong location.

DNS-related techniques can certainly be powerful, though they have the potential to accidentally redirect huge loads of traffic to innocent sites that can’t handle it. These methods can be circumvented by accessing sites directly at certain IPs or by using unofficial, unpoisoned DNS servers. However, this won’t work if the IP addresses of banned sites are also blocked.

3. Keyword filtering

The most sophisticated method, keyword filtering uses Intrusion Detection Systems (IDS) to inspect all traffic passing through, likely at edge routers deployed by major ISPs that handle much of China’s incoming and outgoing traffic. If the traffic contains any matches with a blacklist of pre-defined keywords, the traffic is suppressed with a TCP connection reset. TCP reset packets are sent to both endpoints to force the connection to close, and the connection is blocked for up to an hour.

In addition to the many technical methods of censorship at hand, the Chinese government also employs a number of other techniques, including employing an Internet police force that manually checks content, cooperating with search companies to remove undesirable search results, and propagating a legal and cultural system of self censorship. However, getting past the Great Firewall isn’t impossible, and a small proportion of users in China use VPN services and anonymity networks to do so, leading to a game of cat and mouse with the Chinese censors.

Because the Great Firewall is both opaque and constantly evolving, these techniques are likely just a part of how China censors its Internet. There’s probably a lot we don’t know about how China controls the web, and that’s how China wants it. Rest assured that the Chinese government has used almost every play in the book to mold the Internet into a state-approved form — if you're interested in further exploring the technicalities of China’s censorship system, see our post on the Great Firewall.

As you’ll see in the following examples, a number of countries borrow from many of the censorship methods that China pioneered, adapting these techniques to different purposes and scopes.

Brazil Blocks WhatsApp’s IPs

In December 2015, WhatsApp refused to provide information for a criminal investigation in Brazil. As punishment, a judge in Brazil ordered a 48-hour blackout of the single most used app in Brazil with about 93 million users, or about 93% of the country’s Internet population.

The service went down on December 16 at midnight and came back online 16 hours later after a second judge ruled that the punishment seemed unreasonable. Figure 4 shows the 100% loss that our Sao Paulo agent—and no other agent—observed. If you prefer more interactive data, follow along at our share link.

Figure-4
Figure 4: The agent located in Sao Paulo, Brazil observed 100% loss to WhatsApp during the nationwide ban.

So how did Brazil pull off the ban? During the outage, we see that all packets are lost at one particular node with private IP address 10.223.238.77.

Figure-5
Figure 5: All packets from the Sao Paulo agent were lost at the node at 10.223.238.77.

If we go back to the point in time right before the block was instituted, we see that the same node at 10.223.238.77 is still traversed, and that the path downstream remains unchanged. To get a sense of the path, feel free to interact with the path visualization below. In addition, there were no BGP path changes throughout the duration of the entire outage. The fact that the path didn’t change when WhatsApp was blocked rules out the possibility of any DNS-related tactics that redirect traffic to the wrong address. It’s most likely that Brazil’s ISPs simply blocked WhatsApp’s IP addresses so that routers, armed with an IP blacklist, would drop all packets destined for WhatsApp’s IPs. In the case of our Sao Paulo agent, the router dropping packets was located at 10.223.238.77.

Path visualization

The node three hops downstream from our packet-dropping router belongs to TIM Celular, a Brazilian ISP, and the node directly upstream is located in Brazil and belongs to SoftLayer Technologies, WhatsApp's hosting provider. The green nodes all denote points within SoftLayer Technologies as well. The router’s location suggests that it’s an edge router in TIM’s network—it’s likely that the packet dropping and censoring were carried out at all edge routers in the Brazilian ISPs.

Sometimes a simple IP block isn’t enough. When Twitter was banned in Turkey, the government had to escalate its censorship techniques in order to keep Internet-savvy citizens from accessing the service.

Turkey’s Stepwise Censorship of Twitter

Ahead of local elections in Turkey, allegations of government corruption and reputation-damaging wiretapped recordings emerged on Twitter. A court ordered that “protection measures” be applied to the service, and Prime Minister Recep Tayyip Erdoğan vowed to "wipe out Twitter." Turkey’s ISPs complied, and access to Twitter was blocked on March 20, 2014.

At first, the ISPs used only one technique, DNS poisoning, changing DNS records so that requests for Twitter’s site were redirected to a government webpage. However, as we discussed above, using this strategy alone is easily circumvented by directly using IP addresses or accessing alternative DNS servers. In Turkey, a strange form of graffiti appeared; people began scrawling the addresses for Google’s public DNS servers on walls and in public places.

Figure-7
Figure 7: Internet-savvy Turks began spray painting the IPs of Google’s DNS servers in public places
to tip others off on circumventing the Twitter ban.

After the ban was instituted, the social media campaign against the prime minister strengthened, and even more Turks joined Twitter, as Twitter usage in the country increased 138 percent.

On March 23, the government escalated censorship measures, and ISPs blocked traffic to all IP addresses assigned to Twitter. All traffic to and from Twitter’s IPs was dropped, rendering the circumvention technique of using alternative DNS servers useless.

The government again raised the bar on March 29. To better seal off access to social media sites, Turkish ISPs began hijacking the IP address space of DNS servers belonging to providers including Google and Level 3, so that, for instance, DNS requests meant for Google servers were instead redirected to Turk Telecom servers masquerading as Google DNS servers, that then returned bogus DNS records.

Following a difficult battle between Turkish citizens and the ISPs, the Twitter ban was finally lifted after two weeks. As the Turkish government learned, censorship will become increasingly difficult as the Internet grows in complexity and as netizens become more and more Internet savvy.

How Censorship Went Wrong in Pakistan

Apart from any weaknesses Internet censorship methods may have, they can also go horribly wrong and cause unintended consequences even for completely unrelated entities. One infamous example occurred in Pakistan in February 2008, where YouTube was blocked after the service refused to remove objectionable anti-Islamic videos on the site. Pakistan Telecom instructed the country’s roughly 70 ISPs to block YouTube’s IPs. In general, there are two ways to block IP addresses:

  1. Configure access-control lists (ACLs) on router interfaces to drop all packets going to and from the blacklisted IPs. We’ve seen this method used in countries like Brazil and Turkey, described above.
  2. Divert all traffic to the forbidden site to a different location by creating a more specific route pointing to a null or discard interface, blackholing all traffic going to the address.

Pakistan chose to block Youtube using the more convoluted and less common, latter method. Pakistan’s ISPs introduced a /24 routing table entry for YouTube’s IP address space and began advertising a route for 208.65.153.0/24, which is a more specific prefix than the one used by YouTube, 208.65.152.0/22. Because most routers prefer routes to more specific prefixes, this method redirected YouTube-bound traffic to a black hole.

But these routing changes were only intended for use within Pakistan’s borders, and that’s where things started to go wrong. On February 24, 2008, Pakistan Telecom leaked the /24 routing advertisement, likely by mistake, to one of its upstream ISPs, PCCW, located in Hong Kong. If PCCW had validated the prefix announcements based on Regional Internet Registry (RIR) allocations, it would have known to ignore the route, but it failed to do so and further propagated the BGP update to its peers. When PCCW’s neighbors saw that PCCW was advertising a more specific, and thus more preferred, route, they followed suit and imported the routes into their routing tables, propagating them further to their neighbors, until an estimated two-thirds of the Internet had at least seen this leaked routing table entry for YouTube’s IPs.

Within a very short amount of time, the false BGP announcement had reached entire swaths of the Internet, causing much of the traffic bound for YouTube to instead head toward Pakistan, where it was subsequently blackholed or lost in congested networks ill-equipped for the tsunami of traffic. Service to YouTube was interrupted for a few hours for many users around the world, and to this day network engineers remember the event with exasperation.

Not only did the event raise uncomfortable questions around transitive trust and the security and fragility of the Internet, but it also served as a hard lesson to the many countries engaged in content filtering and censorship. The Internet as it was designed was never meant to have bottlenecks or points of centralized control; in fact, it was made to be a richly interconnected, robust system that would sidestep choke points without batting an eye. As networks and protocols like BGP and DNS are manipulated far beyond their design, problems inevitably occur, sometimes on a grand scale.

Proxy Servers and Unintended Consequences in the UK

As our final example, we’ll look at how content filtering has been carried out in the UK. ISPs in the UK began to engage in deep packet inspection, blocking URLs with obscene content, but in 2008 the practice led to unintended consequences for Wikipedia users in the country.

In 2004, BT Group, the UK’s largest ISP, introduced its Cleanfeed content blocking system technology, which blocks illegal content blacklisted by the Internet Watch Foundation (IWF). The IWF is a charity that provides the child abuse image content URL list (CAIC list) to the police, government and ISPs to enable the blocking of obscene content online. Other ISPs began to adopt Cleanfeed or some version of it, and by mid 2008, 95% of consumer broadband connections passed through the blocking technology.

The confidential CAIC list contains specific URLs of pages, rather than entire sites, to be blocked. IWF provides a less confidential list of the IP addresses of sites potentially containing blocked pages to ISPs. Under the Cleanfeed system, if edge routers encounter traffic with a destination IP matching one on this list, it redirects the suspicious traffic to transparent HTTP proxy servers hosting filters that check HTTP requests against URLs on the IWF blacklist. For positive matches, the error message, “Website not found,” is returned. For negative matches, the traffic is simply forwarded through the proxy filter.

On December 5, 2008, IWF blacklisted a Wikipedia article on the Scorpions album, Virgin Killer, because the album cover featured a potentially illegal image of a young girl posing nude; six ISPs in the UK began to block the content. Though the Cleanfeed system was designed to be able to block single pages, it could not anticipate certain site behavior—because all traffic to Wikipedia was routing through small numbers of proxies, from Wikipedia’s vantage point, all of the incoming users belonged to the same IP range. Because Wikipedia couldn’t distinguish between legitimate users and those abusing the site, it blocked the ability to edit pages for these users. After a deluge of complaints, the IWF removed the album’s article from its blacklist on December 9.

Apart from any negative externalities, Cleanfeed has also received a lot of criticism for being a virtually invisible censorship mechanism. Because the list of blocked sites is confidential and because blocked sites return only 404 errors, users can’t tell if they’re being blocked by Cleanfeed, experiencing connection issues, or encountering a genuine 404 error. Cleanfeed’s reach can be easily extended to encompass blocking sites unrelated to child pornography, as it was used in 2011 to block NewzBin2, a copyright-infringing website. Many users are concerned that Cleanfeed could very easily morph into an opaque, increasingly restrictive censorship system reaching into every area of the Internet. Though the UK’s history is steeped in traditions of free speech and democracy, it’s interesting to see that censorship technologies deployed within the country are more advanced, harder to circumvent and potentially more far-reaching than even countries with repressive regimes, as we’ve explored in the above examples.

An Uncertain Future

During its short history, the Internet has evolved into an incredibly powerful tool for disseminating information and organizing movements around the world. On the other side, a number of national governments have accomplished what many thought was impossible—manipulating network infrastructures to pave the way for Internet censorship. The Internet’s increasingly large role in political, cultural and legal affairs has transformed it into a new, digital battleground, often for protesting citizens and their governments. In the coming years, it will be fascinating to watch as both sides push the Internet to new heights beyond what it was ever intended to do.

Subscribe to the ThousandEyes Blog

Stay connected with blog updates and outage reports delivered while they're still fresh.

Upgrade your browser to view our website properly.

Please download the latest version of Chrome, Firefox or Microsoft Edge.

More detail