Using BGP For Internet Censorship

Border Gateway Protocol (BGP) is the protocol that makes up the Internet. It is used by networks to connect to one another. BGP allows networks to announce IP blocks to one another. These announcements paint a picture of how to reach every IP address on the Internet. This picture is stored in a routing table. Every router connected to the Internet has it's own routing table. These routing tables let the routers decide which interface (port) to send data out of.

Things are more complex than the above, but in a nutshell that's how the Internet works. Routers talk to each other using BGP as their language. They tell each other who knows how to get to every IP address on the Internet. They each use this information when deciding where they should each send packets of traffic.

BGP Connections Require Trust

A BGP connection between two networks requires a level of trust. Each network must trust the other network to only announce honest and true routes. If fake routes are announced, then Internet traffic will be sent to the wrong destination.

There are ways to filter announcements. These filters provide networks with ways to ignore false announcements. If a tiny little network that normally announces two routes all of the sudden starts to announce 50,000 routes, their transit provider will not accept those routes. The transit provider's network will in effect be saying "I don't believe you actually know how to reach 50,000 routes."

There are a number of ways BGP routes are filtered, and this helps because network engineers do make mistakes. It's easy to input a wrong number in your router settings. One network engineer making a mistake should not affect the whole Internet.

But there filters are not perfect. Sometimes one network just has to trust everything it learns from another network.

How BGP Makes Websites Inaccessible

Networking mistakes can propagate throughout the Internet. These mistakes can lead to huge outages. In an infamous example, Pakistan's state-owned telecommunications company announced the IP blocks of Youtube. This announcement was accepted by a huge network called PCCW. PCCW sells Internet to Pakistan Telecom and many other companies. PCCW then began to announce the false routes.

Because PCCW is a large, upstream provider, other networks do not filter the announcements they learn from PCCW. This led to most of the Internet believing that PCCW knew how to reach Youtube and send PCCW all their traffic destined to Youtube. PCCW then forwarded that traffic on to Pakistan Telecom, who announced that they were the destination for Youtube.

Long story short, one incorrect BGP announcement was accepted by the rest of the Internet and it made traffic to Youtube inaccessible.

Instead of sending traffic to Youtube servers, the Internet sent them to Pakistan.

Mistakes like the above happen all the time. Usually they are filtered and do not spread to the rest of the Internet.

Government Internet Censorship

What is interesting in the above example is the reason that Pakistan Telecom started to announce Youtube IP blocks in the first place. The government of Pakistan meant to censor Youtube. To do this, the government ordered the country's telecom provider to block all access to Youtube.

The mistake that Pakistan Telecom made was to announce this censorship to the rest of the Internet. The engineers should have kept the changes they made to their BGP table within their own network and should not have announced it to PCCW.

Pakistan Telecom should have blocked all traffic to Youtube only within their own network.

In 2017 Iran did something very similar. They began to announce IP blocks for a number of pornography websites and Apple’s iTunes. This announcement was made to networks outside of Iran, who accepted the announcement and those IP blocks and websites became inaccessible for users outside of Iran as well as within Iran.

How It Works

BGP is used by routers to decide where to send traffic. If a network injects fake BGP destinations into its routers, then the routers will send traffic to the wrong place. This is how BGP censorship works.

Iran and Pakistan meant to create more attractive BGP routes within their own network. These more attractive routes would be believed by their routers, and traffic destined to Youtube, Apple and the other websites that were being censored would go to the wrong place.

The users of these telecommunication organizations would never be able to reach the servers they actually wanted to reach.

Private Company Censorship

Governments block access to websites by instructing telecommunication networks to block access to those websites. The telecommunications network might be government owned, but they might be a private company.

In 2017, The Pirate Bay and 20 other torrent websites were completely inaccessible from Cogent Communication's network. Cogent is an United States Internet backbone. This led to many people around the world not being able to access the blocked torrent sites.

Cogent blocked these sites due to a court order issued in Spain. The target of the court order was not The Pirate Bay specifically, but they were one of the sites that was inadvertently blocked.

This censorship of a number of websites by a private company (ordered by a government) did not use BGP. The block was not announced to other networks, so those who did not send traffic through Cogent were not affected. This is an example of how Internet censorship works. A network drops or reroutes all traffic to a certain destination, making that destination inaccessible.

Because the Internet and BGP are built on a layer of trust, a few false announcements can wreck havoc on user access. Most Internet traffic passes through a dozen large networks. If any of them were to block access to a website, many end users would be affected.