How can one "filter" the net?
NB: It is recommended to read our article about the DNS prior to this one if you are not very familiar with the subject.
"Filtering" the net is a hot subject at the moment. There is seldom a day where the topic is not addressed in some publication or news article.
We are going to shed some light on the methods most commonly used by governments or other organizations to "filter" all the information THEY think you should not have access to, along with a few simple ways to get around them :-)
Needless to say, we are totally opposed to ANY form of censorship or filtering. The decision to access any resource should remain yours, and yours alone.
-
Commonly used methods to "filter" the net today:
- DNS filtering (or "Liar DNS" method)
- Proxy filtering
- Firewall filtering
- Black holes BGP routing
-
The "Liar DNS" approach
If you read our article about the DNS system you have realized by now how important this system is for the day to day operations of the internet.
If you remember, we have shown you that for any connection over the internet, whether to reach a web site, retrieve your email or anything else, your computer asks a nearby DNS server each and every time (usually the one operated by your ISP) to resolve the address of the site you want to access and return the corresponding IP.
Let's assume for a second that the government of country "G" wants to ban access to a web site "W".
Government G then demands that all ISPs in the country (usually in those countries they first make a law for this purpose; it's coming over here too, don't be fooled) configure their DNS in such a way that every request for the IP address of site W returns a "Not found" error, or even redirects you to some government bullshit page. It's a pretty easy manipulation and a very efficient one too, since most people rely on their ISP's DNS without even knowing it.
NB: This method was used just a few weeks ago by the U.S. government to prevent access to so-called "piracy" web sites.
The same recipe is applied by large corporations or groups to prevent you from accessing any web site they don't want you to from your workplace or the company network.
Simple and efficient, indeed.
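A way to check for the two behaviours described above ("Not found" or a redirect), as an added example that is not part of the original article: it parses two raw DNS responses for the same name, one from the ISP resolver and one from an independent reference resolver, and compares them. The responses, the name w.example and the addresses are constructed sample data.

```python
import struct

def make_response(name, rcode, addrs):
    """Build a minimal DNS response (constructed sample data, not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(addrs), 0, 0)
    msg += qname + struct.pack("!HH", 1, 1)          # question: type A, class IN
    for addr in addrs:                                # answer names point back at the question
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(map(int, addr.split(".")))
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and (msg[off] & 0xC0) != 0xC0:
        off += msg[off] + 1                           # step over one label
    return off + (2 if msg[off] else 1)               # pointer is 2 bytes, root label is 1

def parse_response(msg):
    """Return (rcode, list of IPv4 addresses taken from the A records)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                 # name, then type and class
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def compare(isp_msg, ref_msg):
    """Classify the ISP resolver's answer against the reference resolver's answer."""
    isp_rc, isp_addrs = parse_response(isp_msg)
    ref_rc, ref_addrs = parse_response(ref_msg)
    if ref_rc != 0 or not ref_addrs:
        return "inconclusive"                         # reference could not resolve it either
    if isp_rc == 3:
        return "nxdomain-mismatch"                    # "Not found" only from the ISP resolver
    if not set(isp_addrs) & set(ref_addrs):
        return "answer-mismatch"                      # possible redirect; CDNs can also cause this
    return "consistent"

REF = make_response("w.example", 0, ["192.0.2.10"])             # reference resolver
ISP_NX = make_response("w.example", 3, [])                      # ISP resolver: NXDOMAIN
ISP_REDIRECT = make_response("w.example", 0, ["203.0.113.80"])  # ISP resolver: other address
```

An "answer-mismatch" is only a hint, since large sites legitimately return different addresses to different resolvers; an "nxdomain-mismatch" for a name that resolves everywhere else is the stronger signal.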
-
Proxy filtering
This method is mostly used to "filter" access to certain web sites from your browser. It does not work for any other protocol, like email for example.
Every time you use your browser to surf, you are using either the "http" or "https" protocol. This is what you always see in your address bar before the actual web site address (http://www.xxxx.com for example).
Usually, your connection goes straight through your ISP network up to your final destination somewhere on the internet. Like this:
Your Browser → Your ISP network → Your destination
You are accessing the rest of the internet through your ISP network. That's the way it is, you don't have any choice, unless you have a significant budget and have your own primary direct connection installed like major corporations.
Now, there is a system out there called a "proxy". What is a proxy? It's a server. Pretty much like a web server, except it doesn't serve any data. Instead, it accepts your connection, connects itself to your destination and puts the two together. So, in a way, it acts like an intermediary, a middle man if you prefer.
To make a long story short, your ISP could have such a proxy installed in such a way that you wouldn't notice it. In this case it is called a "transparent proxy" and your connection would look like:
Your Browser → Your ISP network → Your ISP transparent proxy → Your destination
This proxy can then be configured to allow or deny access to certain sites, and there is not much you could do about it if you don't even know it's there, but we'll get back to that later on :-)
Firewall control and filtering
It's the favorite toy of large corporation networks or even countries ... like China. It can be used anytime you control the in and out access points of a network. It's pretty complicated to configure and maintain, but in the end it is very efficient.
The firewall is a system every connection (incoming or outgoing) goes through. It "looks" into every data packet in real time to assess its content, the protocol in use, the related IP addresses and so on. It then decides, according to certain "rules", whether the connection is authorized or not. If it is not, the firewall either denies it or redirects it somewhere else.
Most of the time, the firewall doesn't really care about the destination you are trying to reach; that would be more a job for a proxy. It looks more at the protocol and port you are using. It is then pretty easy for a firewall to force redirection of http traffic, for example, to a transparent proxy :-)
Most ISPs out there don't really filter, except some notorious ones like Comcast and such that "bend" net neutrality rules at will to suit their own agenda. However, there are some famous examples of such massive filtering, like China.
-
Black Holes and BGP manipulation, or "When you start playing with fire ..."
We saved this one for last because it is at the same time a very dangerous approach and a very effective one (if you consider deploying a nuclear weapon to get rid of a mosquito effective) that can destabilize the whole internet and disrupt communications for some time. Its use has been pretty rare up to now, even if some countries tried it not so long ago ...
♦ First, what is BGP?
In a nutshell, BGP (or "Border Gateway Protocol") is the routing protocol that makes the internet what it is today. Without BGP, there is no internet.
The Internet is a very flexible network, designed from the ground up to be very resilient to faults and outages. For each data "packet" to be transmitted, there exist at any given time several possible "routes" to reach its destination. This makes the network very resilient.
Your ISP usually has several connections with the rest of the network through several carriers (we call that "peerings"). At any given time, its central routers have to decide which route is the most effective to transmit and receive data.
♦ How is that even possible? Well, here comes our friend BGP.
BGP "sits" inside every router out there on the internet. All these routers constantly exchange information about the availability and status of the routes they can access by "publishing" to the other routers the routes for which they think they are best suited. All these routers implicitly trust all the other ones to publish accurate information.
Now, let's imagine for a minute that you are an evil ISP at your government's orders, and it has just instructed you to block access to facebook, for example.
You just need to reconfigure your central routers so they start publishing to every other router a very "attractive" route to the facebook IP address range. Each route has an associated "weight", which is a numeric value. A weight of 1 means "the most direct and cost effective route" to that destination. So, to follow on with our example, you start offering a "weight 1" route to the facebook servers. All routers you are in direct contact with will instantly send all their traffic bound for facebook to ... you. Even more so, they will in turn advertise to all the routers THEY are in contact with that you have that wonderful route to facebook. A few moments later, this whole thing is snowballing and pretty much the entire world is trying to send you all traffic bound for facebook, and of course, you send all this traffic in turn to a non-existent address or "black hole". Now the shit begins to hit the fan, so to speak.
Netadmins all over the place start noticing something is really wrong, the facebook guys begin wondering why their servers are not overloading anymore ... well, in a couple of hours they all know where all that traffic goes ... to you :-)
The problem is that the routing tables can then only be altered by hand, which is going to take some time before the situation can be resolved. All this because of you!
This was used, not so long ago, in the same context (facebook denial) by one middle-eastern country with disastrous consequences. Since then, a few precautions have been taken but, generally speaking, the system is still vulnerable to this kind of attack today. The good side is that they usually cannot get away with it for very long :-)
So, yes, that would amount to deploying a tactical nuclear device to get rid of a hornet nest.
UPDATE: It looks like the Chinese succeeded in hijacking a significant part of all internet traffic for about 18 minutes a few weeks ago. Did they read our article? ;-)
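Because routers trust whatever their neighbours publish, operators watch for announcements of their own address space coming from the wrong network. The check below is an added example, not part of the original article, and goes beyond the "weight" description above: it follows the logic of BGP prefix origin validation (RFC 6811), where each prefix has an authorised origin AS and a maximum prefix length. The prefixes, AS numbers and feed are constructed from documentation ranges.

```python
import ipaddress

# Constructed authorisations: (prefix, max prefix length, authorised origin AS).
# Documentation prefixes and AS numbers, not real allocations.
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]

def validate(prefix, as_path, roas=ROAS):
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]              # the last AS in the path originated the route
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue                  # this authorisation does not cover the prefix
        covered = True
        if origin == roa_as and net.prefixlen <= max_len:
            return "valid"
    # Covered by an authorisation but matching none: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def suspicious(feed):
    """Return the announcements an operator should alert on."""
    return [(p, path) for p, path in feed if validate(p, path) == "invalid"]

# Constructed feed of (prefix, AS path) as seen from a route collector.
FEED = [
    ("203.0.113.0/24",   [64496, 64500]),  # expected origin
    ("203.0.113.0/24",   [64496, 64511]),  # same prefix, unexpected origin
    ("203.0.113.128/25", [64496, 64500]),  # right origin, more specific than allowed
    ("2001:db8:1::/48",  [64497, 64501]),  # within the allowed length
    ("198.51.100.0/24",  [64496, 64511]),  # no authorisation on file
]

if __name__ == "__main__":
    for prefix, path in FEED:
        print(prefix, path, validate(prefix, path))
```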
-
Ways to "go around" a filtering scheme
"Ok then, now that you have scared us, what can we do about it?"
There are as many answers as methods.
Let's forget the BGP nightmare scenario because, in all reality, if this is ever used around you, there will not be much you can do about it. You could in theory connect to a VPN service, but chances are their routers would end up being polluted as well after some time, or the ones they are connecting to ... nightmare.
-
Circumvent a DNS filtering:
You are under no obligation to use your ISP's DNS servers. There are several non-profit organizations on the internet (like OpenDNS for example) that offer you a free DNS service, unfiltered and neutral.
You can get more information on www.opendns.com if you like, along with the method to change your DNS servers depending on the operating system you are using.
You can also use a VPN service (ours or anyone else's). When you are connected to a VPN network, ALL your internet traffic is rerouted through that network, including DNS requests, which are then served by your VPN provider's own DNS servers. We can safely assume your VPN provider is neutral in that matter.
-
Circumvent a "transparent proxy" :
You can always configure your browser to surf through another proxy. There are several of them on the internet, some free (usually with limited performance or advertising), some for a fee (between 3 and 5 USD per month).
Then again, you can use a VPN service: since all your traffic is then handled by your VPN provider, you are effectively "escaping" your ISP's proxy.
-
Circumvent a firewall :
It is possible to circumvent a firewall, well, most of the time anyways.
In essence, a firewall cannot really "block" everything, if only to allow you to access "something" on the net, whether it is just browsing or retrieving your email, which means ... there is always a way to get out, you just need to find which one. You can find some utilities to create a "tunnel" through the firewall using one of the authorized protocols to get out. Of course, our OpenVPN service does just that ... We have a lot of Chinese customers :-)
-
Conclusion :
This was not intended to be a crash course in hacking network protections, but rather to make you aware of all the possibilities out there, just in case someone would like to use one on you. You can always ask our technical staff if you think you are "filtered" and they'll be more than happy to assist you.
© 2009 - 2011 NeXTGenVPN

