How do countries block access to the Internet?
In the recent past, there has been news of certain countries blocking certain websites, or the entire Internet, from being accessed by their citizens. We have seen stories of countries in the Middle East blocking YouTube, Google and social media websites such as Facebook and Twitter during the Arab Spring and after the recent release of a movie that touched on the Muslim religion. We have also seen countries such as China block access to Facebook for political reasons. Just last week, Syria blocked Internet and mobile access by its citizens as the civil war raged on.
The distributed nature of the Internet ecosystem means that there is more than one path to and from an Internet resource such as a server hosting a website. Distributed content delivery and hosting also means that more than one copy of the same website or content exists on several servers located in geographically distinct regions. For example, if you tried to access a YouTube video from an Internet connection in Kenya, the video could be hosted at the Google cache servers on Mombasa Road. A person accessing the same video in the UK can get it from a content server in London, for example. This poses a challenge to people who might want to block access to the video.
How the Internet works in ‘layman’ terms
The Internet utilizes a special routing protocol called Border Gateway Protocol (BGP). In BGP, each Internet service provider has IP addresses that they give users who want to connect to the Internet. All of an ISP's IP addresses then belong to what is called an Autonomous System (AS) number which belongs to the ISP. What happens then is that all ISPs in the world announce their IP addresses under their AS numbers. To find your ISP’s AS number click here.
As an example, assume ISP 1 has the IP addresses from 18.104.22.168 to 22.214.171.124 (total of 16382 addresses) and has them under AS 1, ISP 2 has the IP range from 126.96.36.199 all the way to 188.8.131.52 (16382 addresses also) under AS 2, and so on up to, say, ISP 100 with IP range x.x.x.x to y.y.y.y on AS 100. Suppose YouTube is hosted on IPs that belong to ISP 40, with AS number 40, and a customer on ISP 1 wants to access YouTube. The routers on each AS have what is called a routing table, which tells them which AS to send traffic to for a particular IP address. A BGP routing table is something like this:
- To reach the IP range from 184.108.40.206 to 220.127.116.11 on AS 1, send this traffic to the BGP router advertising AS 1
- To reach the IP range from 18.104.22.168 to 22.214.171.124 on AS 2, send this traffic to the BGP router advertising AS 2
- To reach IP addresses on AS n, send this traffic to the router advertising AS n
- To reach all other IP addresses that I do not know how to reach, I should ask a few knowledgeable routers at some big ISPs which, because of their size, might know.
This means very many IP addresses can be addressed by the common AS Number they share. One ISP can have only 1 AS number to address all its customers. The YouTube IP belonging to AS 40 can therefore be reached by the customer on AS 1 if the AS 1 router knows the route to AS 40 from its routing table.
The above is a simplified explanation of what an Internet routing table looks like. From this we see there are three critical conditions that need to be fulfilled for an ISP user such as you and me to reach, or be reached from, the Internet. These are:
- A user must have an IP address
- This IP address must belong to an AS
- This AS must be announced by BGP to other BGP speaking routers on the Internet.
How then can Internet access be blocked?
The above means that a user without an IP address cannot access the Internet, but it would be nearly impossible to remove all IP addresses from devices in a country if the powers that be do not want them to connect to the Internet.
The easiest way to make these users unable to reach the Internet, or be reachable from it, is to stop announcing their IP addresses and AS number via BGP. This means that if an ISP is asked by the government to stop announcing its AS, then users on that ISP cannot access the Internet. All a government needs to do is threaten the withdrawal of the ISP's operating license for non-compliance and boom, the entire country is without Internet access!
The diagram below shows how about 57 Syrian AS’s containing thousands of IP addresses stopped being reachable on 29th November 2012 after the government ‘asked’ ISPs to stop announcing them on the net. The few remaining AS’s were most probably government-run networks.
On the other hand, a government might want to block access to a particular website. This they can do in several ways.
- By asking ISPs to install filters that can detect and filter traffic to and from particular IP addresses that host the website. This is usually a long-drawn-out process and can take months to implement. Iran and China have such systems in place. Nokia Siemens was in the news facing criticism from the EU in 2010 for supplying Iran with such equipment.
- If a government wants to block with immediate effect without involving the ISP, they can do this by the illegal means of advertising a more specific route to the website and discarding the traffic upon receipt. In this method, a government announces an AS with a smaller IP block similar to the one that belongs to the website. Let's say, for example, there is an AS number 78 advertising the block 126.96.36.199 to 188.8.131.52 (8190 IP addresses), and a government comes up with an AS number 94 with a similar but more specific IP address block, say 184.108.40.206 to 220.127.116.11 (4094 IP addresses). If the website address is 18.104.22.168, which is part of this IP block, then there will be two AS numbers, 78 and 94, announcing that they know how to reach the website IP on the Internet. So which AS is chosen? The AS chosen is the one with the more specific route (fewer IP addresses on it), in this case the malicious government AS number 94. So user traffic from this country to that website can be picked up by the government router and discarded. Pakistan Telecom (the government-controlled incumbent) inadvertently announced routes to YouTube on the Internet in 2008. The announcement was not confined to Pakistani ISPs; this specific route leaked to the Internet, causing a worldwide YouTube outage as all YouTube traffic was now being routed to a BGP-speaking router in Pakistan. See how it happened here.
- Countries or organizations that control the root name servers for top-level domains (TLD) such as .com and .net can also block access to websites using the TLD by not answering domain name queries to the root servers for particular domain names. The root server method is what the hacktivist group Anonymous wanted to use to bring down the Internet: if they attacked all 13 existing root servers and brought them down for long enough, the DNS resolution system would collapse, leading to a worldwide Internet blackout. This method of blacking out Internet access to certain websites can only be used by countries or organizations controlling these root servers, such as the USA.
There are many other ways for a country to block Internet access or access to certain websites, some legitimate and some illegitimate, like example 2 above. All in all, it is very easy to block entire countries from the Internet should the need arise.
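The route selection described in the second method above, together with the check a network operator can run to notice it, as an added example that is not part of the original article. The 10.0.0.0 prefixes are constructed sample data sized to match the 8190- and 4094-address blocks in the text, AS 78, 94 and 40 are the article's illustrative numbers, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: the prefix an operator expects to originate, and
# the announcements seen in a (simplified) routing table, one origin per prefix.
EXPECTED_ORIGINS = {"10.0.0.0/19": 78}

ANNOUNCEMENTS = [
    ("10.0.0.0/19", 78),   # legitimate announcement, 8190 usable addresses
    ("10.0.0.0/20", 94),   # more specific announcement, 4094 usable addresses
    ("10.64.0.0/18", 40),  # unrelated network
]


def build_table(announcements):
    """Map each announced prefix to the AS that originates it."""
    return {ipaddress.ip_network(p): asn for p, asn in announcements}


def best_route(table, address):
    """Longest-prefix match: the most specific covering prefix wins."""
    addr = ipaddress.ip_address(address)
    matches = [net for net in table if addr in net]
    if not matches:
        return None  # no announcement covers it: destination unreachable
    net = max(matches, key=lambda n: n.prefixlen)
    return str(net), table[net]


def find_origin_conflicts(table, expected):
    """Flag announcements inside a monitored prefix with an unexpected origin AS."""
    alerts = []
    for prefix, owner in expected.items():
        owned = ipaddress.ip_network(prefix)
        for net, asn in table.items():
            if net.subnet_of(owned) and asn != owner:
                alerts.append((str(net), asn, prefix, owner))
    return alerts


if __name__ == "__main__":
    table = build_table(ANNOUNCEMENTS)
    print(best_route(table, "10.0.5.9"))    # inside the /20
    print(best_route(table, "10.0.20.1"))   # inside the /19 only
    for net, asn, owned, owner in find_origin_conflicts(table, EXPECTED_ORIGINS):
        print("ALERT: %s originated by AS %d, expected AS %d for %s"
              % (net, asn, owner, owned))
```

Only addresses covered by the more specific block follow the unexpected origin; the rest of the /19 still resolves to AS 78, which is why monitoring compares every covered announcement against the expected origin rather than only the exact prefix.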