NETWORK WORKING GROUP                                            J. Hall
Internet-Draft                                                  M. Aaron
Intended status: Informational     Center for Democracy and Technology
Expires: April 30, 2015                                 October 27, 2014


              A Survey of Worldwide Censorship Techniques
                     draft-hall-censorship-tech-00

Abstract

   This document describes the technical mechanisms used by censorship regimes around the world to block or degrade Internet traffic. It aims to make designers, implementers, and users of Internet protocols aware of the properties being exploited and the mechanisms used to censor end-user access to information. This document makes no suggestions on individual protocol considerations, and is purely informational, intended to be a reference.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 30, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
   Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

1.  Introduction

2.  Technical Aggregation

   Aggregation is the process of figuring out what censors would like to block. Generally, censors aggregate "to block" information into three kinds of blacklist: keyword, domain name, or IP address. Keyword and domain name blocking take place at the application layer (e.g., HTTP), whereas IP blocking works on the TCP/IP headers. The mechanisms for building up these blacklists are varied. Often, private companies that sell "content control" software, such as SmartFilter, provide their services to nations, which can then pick broad categories, such as gambling or pornography, that they would like to block [ref-1]. In these cases, the private services attempt to label every semi-questionable website so as to allow this category-based blocking. Countries that are more interested in retaining specific political control, a desire which requires swift and decisive action, often have ministries or organizations, such as the Ministry of Industry and Information Technology in China or the Ministry of Culture and Islamic Guidance in Iran, which maintain their own blacklists.

3.  Technical Identification

3.1.  Points of Control

   Digital censorship necessarily takes place over a network. Network design gives censors a number of different points of control where they can identify the content they are interested in filtering. An important aspect of pervasive technical interception is the need to rely on software or hardware to intercept the content the censor is interested in.
   This requirement, the need to have the interception mechanism located somewhere, logically or physically, implicates four general points of control:

   o  Internet Backbone: If a censor controls the gateways into a region, they can filter undesirable traffic traveling into and out of the region by sniffing and mirroring at the relevant exchange points. Censorship at this point of control is most effective at controlling the flow of information between a region and the rest of the Internet, but is ineffective at identifying content traveling between users within the region.

   o  Internet Service Providers: ISPs are perhaps the most natural point of control. They have the benefit of being easily enumerable by a censor, paired with the ability to identify the regional and international traffic of all their users. The censor's filtration mechanisms can be placed at an ISP via governmental mandate, ownership, or voluntary/coercive influence.

   o  Institutions: Private institutions such as corporations, schools, and cyber cafes can put filtration mechanisms in place. These mechanisms are occasionally at the request of a censor, but are more often implemented to achieve institutional goals, such as preventing the viewing of pornography on school computers.

   o  Personal Devices: Censors can mandate that censorship software be installed at the device level. This has many disadvantages in terms of scalability, ease of circumvention, and operating system requirements. The emergence of mobile devices exacerbates these feasibility problems.

   At all levels of the network hierarchy, the filtration mechanisms used to detect undesirable traffic are essentially the same: a censor sniffs packets in transit and identifies undesirable content, and then uses a blocking or shaping mechanism to prevent or degrade access.
   Identification of undesirable traffic can occur at the application, transport, or network layer of the IP stack. Censors are almost always concerned with web traffic, so the relevant protocols tend to be filtered in predictable ways. For example, a subversive image will always make it past a keyword filter, but the IP address of the site serving the image may be blacklisted once that site is identified as a provider of undesirable content.

3.2.  Application Layer

3.2.1.  HTTP Request Header Identification

   An HTTP request contains a lot of useful information for traffic identification. Host is the only header field that HTTP/1.1 requires in a request, and the request line that precedes the headers carries the method and request target (for example "GET /page"), so the Host field and the request line are the two things most often used for ubiquitous censorship. A censor sniffing traffic can identify a specific domain name (Host) and usually a page name (GET /page) as well. This identification technique is usually paired with TCP/IP header identification for a more robust method.

   Tradeoffs: Request identification is a technically straightforward identification method that can be easily implemented at the backbone or ISP level. The hardware needed for this sort of identification is cheap and easy to acquire, making it desirable when budget and scope are a concern. HTTPS encrypts the relevant request and response fields, so pairing with TCP/IP identification is necessary for filtering of HTTPS. Note, however, that the TLS handshake still exposes the requested host name in cleartext through the Server Name Indication (SNI) extension, which a censor can match against the same domain blacklist; the path and the remaining headers stay hidden, so an HTTPS block made this way is necessarily per-host rather than per-URL.

   Empirical Examples: Empirical examples of pure HTTP request identification are unusually hard to identify due to the lack of distinguishing characteristics. Commercial technologies such as the McAfee SmartFilter and NetSweeper are often purchased by censors [ref-2]. These commercial technologies use a combination of HTTP request identification and TCP/IP header identification to filter specific URLs.
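   The matching described in this section can be made concrete. The following is an added example written for this survey (it is not code from the draft's authors or from any of the products named above): it applies one domain and path blacklist to a cleartext HTTP request by reading the request line and Host header, and to an HTTPS connection by parsing the Server Name Indication out of the TLS ClientHello. The blacklist entries, the host names, and the sample request and ClientHello are all constructed for the example.

```python
"""Added example: application-layer host/path identification for HTTP and
for HTTPS via TLS Server Name Indication (SNI).  Blacklist entries and
sample traffic are constructed for illustration."""
import struct

# Hypothetical blacklist: None blocks the whole host, a set blocks only
# those request targets.
BLACKLIST = {
    "blocked.example": None,
    "news.example": {"/banned-article"},
}


def verdict(host, path):
    """Apply the blacklist; path is None when only the host is visible."""
    if host not in BLACKLIST:
        return "allow"
    paths = BLACKLIST[host]
    if paths is None or path in paths:
        return "block"
    return "allow"


def parse_http_request(payload):
    """Return (method, target, host) from a cleartext HTTP/1.x request,
    or None if the bytes are not a well-formed request head."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0].lower()
    return parts[0], parts[1], host


def extract_sni(record):
    """Return the server_name from a TLS ClientHello record, or None.
    Walks record header -> handshake header -> session id -> cipher
    suites -> compression -> extensions, then the SNI list (type 0)."""
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        pos = 4 + 2 + 32                     # hs header, version, random
        pos += 1 + hs[pos]                   # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                   # compression methods
        if pos + 2 > len(hs):
            return None                      # no extensions present
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                   # server_name extension
                q = pos + 2                  # skip server_name_list length
                while q + 3 <= pos + elen:
                    ntype = hs[q]
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    if ntype == 0:           # host_name
                        return hs[q + 3:q + 3 + nlen].decode("ascii").lower()
                    q += 3 + nlen
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def identify(payload):
    """Classify one client-to-server payload against the blacklist."""
    if payload[:1] == b"\x16":               # TLS handshake record
        host = extract_sni(payload)
        return {"proto": "tls", "host": host, "path": None,
                "verdict": verdict(host, None) if host else "allow"}
    req = parse_http_request(payload)
    if req is None:
        return {"proto": "unknown", "host": None, "path": None,
                "verdict": "allow"}
    method, target, host = req
    return {"proto": "http", "host": host, "path": target,
            "verdict": verdict(host, target)}


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello with an SNI extension; this
    is sample input for the example, not captured traffic."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)          # client_version, random
            + b"\x00"                         # empty session id
            + b"\x00\x02\xc0\x2f"             # one cipher suite
            + b"\x01\x00"                     # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample traffic.
SAMPLE_HTTP_BLOCKED = (b"GET /banned-article HTTP/1.1\r\n"
                       b"Host: news.example\r\nUser-Agent: x\r\n\r\n")
SAMPLE_HTTP_ALLOWED = b"GET /index.html HTTP/1.1\r\nHost: news.example\r\n\r\n"
SAMPLE_TLS_BLOCKED = build_client_hello("blocked.example")
SAMPLE_TLS_PARTIAL = build_client_hello("news.example")

if __name__ == "__main__":
    for sample in (SAMPLE_HTTP_BLOCKED, SAMPLE_HTTP_ALLOWED,
                   SAMPLE_TLS_BLOCKED, SAMPLE_TLS_PARTIAL):
        print(identify(sample))
```

   The last sample shows the HTTPS trade-off: the SNI reveals news.example, but the path-specific entry for that host cannot be matched, so a censor working from the ClientHello must either block the whole host or let the connection through.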
   No research has been conducted to determine whether either of these two techniques is ever used on its own.

3.2.2.  HTTP Response Header Identification

   While HTTP request header identification relies on the information contained in the HTTP request from client to server, response identification uses information sent in the response from server to client to identify undesirable content. Usually implemented at the backbone or ISP level, the technique normally relies on mirroring (duplicating the packets so that uninterrupted service can be provided while the duplicates are inspected for undesirable content) to prevent QoS degradation [ref-3]; the mirrored traffic is identified by relevant response fields (such as Server or Via).

   Tradeoffs: As with HTTP request header identification, the techniques used to identify HTTP traffic are well known, cheap, and relatively easy to implement, but are made useless by HTTPS, because the response in HTTPS is encrypted, headers included. The response fields are also less helpful for identifying content than the request fields: the server could just as easily be identified using HTTP request header identification, and Via is rarely relevant. HTTP response censorship mechanisms normally let the first n packets through while the mirrored traffic is being processed; this can let a page momentarily load before the blocking mechanism kicks in, giving the user a very clear indication that the censor is actively interfering with undesirable content.

   Empirical Examples: Pointing to "smoking-gun" examples of response header identification is difficult for the same reasons identifying requests is difficult. The best targeted evidence comes from a 2010 study conducted by Jong Park at the University of New Mexico.
   That study strongly indicates HTTP response header identification was being used as a censorship identification technique in China from August 2008 to January 2009 [ref-4].

3.2.3.  Search Engine Keyword Identification

   While technically similar to an HTTP request filter, the pervasiveness of search engines blacklisting search terms warrants its own attention. Search engine keyword identification differs from other keyword identification techniques in that it is controlled by the company managing the search engine. Identification can be regional or worldwide. Implementation is occasionally voluntary, but normally is based on the laws and regulations of the country a search engine is operating in. The keyword blacklists are most likely maintained by the search engine provider.

   Tradeoffs: Search engine keyword identification is an inconvenience as opposed to a hard block. As around half of all web traffic comes from search [ref-5], disrupting the flow of users to undesirable content is an effective method to redirect non-dedicated, curious users to less subversive content. It is also likely an effective method of encouraging self-censorship (see Section 6.1) around the blocked content.

   Empirical Examples: Search engine keyword identification is one of the easiest mechanisms to detect given the clear indicators, such as specialized or blank results, paired with a trivial enumeration mechanism. China requires search engine providers to "voluntarily" maintain search term blacklists to acquire and keep an ICP license [ref-6]. It is clear these blacklists are maintained by each search engine provider, based on the slight variations in the intercepted searches [ref-7][ref-8].
   The United Kingdom has been pushing search engines to self-censor, with the threat of legislation if they do not do it themselves: Google and Microsoft have agreed to block more than 100,000 queries in the U.K. to help combat abuse [ref-9][ref-10].

3.2.4.  Deep Packet Inspection (DPI) Identification

   Deep Packet Inspection has become computationally feasible as a censorship mechanism in the past 5 years [ref-11]. DPI differs from other filtration techniques in that it examines the application "data" section of traversing packets as opposed to only the headers. To prevent substantial QoS impacts, DPI normally works by splitting the traffic, using either a mirror switch or a fiber splitter, and analyzing a copy of the traffic. Keyword identification is often used to flag undesirable content.

   Tradeoffs: While DPI can be employed across entire networks, it is one of the most expensive technical filtration mechanisms to implement, and avoiding a large impact to QoS is difficult [ref-12]. Often a targeted approach proves more feasible. Any encryption at the application level, such as HTTPS, defeats keyword matching on the payload, since the content typically analyzed is encrypted in this case; DPI can still be used to recognize the protocol itself, as discussed in Section 3.3.2. DPI, when paired with a keyword filter, can cause major overblocking problems if used indiscriminately.

   Empirical Evidence: Identifying deep packet inspection censorship is non-trivial; one must be sure that the undesirable content being filtered isn't being caught by simpler mechanisms before claiming more advanced DPI techniques are being used. The Tor project claims that China, Iran, Ethiopia, and others must be using DPI to block the obfs2 protocol [ref-13]. Malaysia has been accused of using targeted DPI, paired with DDoS, to identify and subsequently knock out pro-opposition material [ref-14].
   It also seems likely that organizations not so worried about blocking content in real time could use DPI to sort and categorically search gathered traffic using technologies such as NarusInsight [ref-15].

3.3.  Transport Layer

3.3.1.  TCP/IP Header Identification

   TCP/IP header identification is the most pervasive, reliable, and predictable type of identification. TCP/IP headers contain a few invaluable pieces of information that must be transparent for traffic to be successfully routed: destination and source IP address and port. Destination and source IP are doubly useful, as they allow a censor not only to block undesirable content via IP blacklisting but also to identify the IP of the user making the request. Port is useful for whitelisting certain applications or forcing an HTTP proxy on non-technical users.

   Trade-offs: This method of filtration is popular due to its simplicity, relative cheapness, and wide availability. It is trivial to implement a filtration mechanism at the backbone, ISP, or institutional level that compares the IP address of a packet with a blacklist of IP addresses. IP blocking is relatively crude, often leading to overblocking, and is one of the simplest to circumvent via VPN or proxy, since those either mask the transport protocol within a tunnel or reroute data that might otherwise have been blocked. Port blocking is semi-effective at best. A censor can block communication on the default port of an undesirable application (for example, uTorrent defaults to 32459), but almost all applications allow the user to change ports. Port whitelisting, where a censor only allows communication on approved ports, such as 80 for HTTP traffic, is more often used. This identification mechanism is often used in conjunction with HTTP identification.

   Empirical Examples: TCP/IP header identification is pervasive.
   Some form of TCP/IP header identification is used by most, if not all, ISP and backbone censors. Any time an IP blacklist is being used, TCP/IP header identification is probably the technique being used to match the request against the blacklist. The examples of TCP/IP header identification are too numerous to enumerate in any meaningful way.

3.3.2.  Protocol Identification

   Protocol identification is a network analysis technique where one attempts to identify the protocols being used based on a variety of traffic characteristics. There have been a number of well-documented cases where traffic identification has been used to filter undesirable protocols. A very simple example of traffic identification would be to treat all TCP traffic on port 80 as HTTP, but much more sophisticated methods, such as analyzing statistical properties of payload data and flow behavior, have been used [ref-16][ref-17].

   Trade-offs: Protocol identification necessarily only provides insight into the way information is traveling, and not the information itself. This can lead to massive overblocking problems if used against popular protocols. Most often the undesirable protocols are those which can be used to transmit information that is otherwise hard to analyze or that is considered likely to carry undesirable information; VoIP, P2P, SSL, and Tor have all been targets of protocol identification in the past. As statistical analysis is used, the methods tend to be expensive, both computationally and financially, and are occasionally imprecise and under-filter obfuscated protocols.

   Empirical Examples: Protocol identification is easy to prove given the ubiquitous nature of the throttling or interruption: if only a specific protocol or protocols are being prevented, then protocol identification is the most likely culprit.
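   The two transport-layer techniques of Sections 3.3.1 and 3.3.2 share the same first step, so one added example serves both. It is written for this survey and is not code from the draft's authors or from any censor's equipment: it parses the IPv4 and TCP headers of a packet, applies a destination IP blacklist and a destination port whitelist as in Section 3.3.1, and then fingerprints the payload so that SSH or BitTorrent tunnelled over a whitelisted port is still recognized, the simplest form of the protocol identification in Section 3.3.2. The policy lists, the addresses (from the documentation ranges), and the sample packets are constructed for the example; checksums are left zero and are not verified.

```python
"""Added example: transport-layer identification.  Parses IPv4/TCP headers,
applies a destination IP blacklist and a destination port whitelist, and
then fingerprints the payload so that a protocol tunnelled over a
whitelisted port is still recognised.  Addresses, lists and packets are
constructed for illustration."""
import ipaddress
import struct

# Hypothetical policy.
IP_BLACKLIST = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.7/32")]
PORT_WHITELIST = {80, 443}
PORT_EXPECTS = {80: {"http"}, 443: {"tls"}}   # protocols allowed on each port

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def fingerprint(payload):
    """Cheap signature-based protocol identification on the first bytes of
    a client payload (the first step of the statistical methods cited)."""
    if not payload:
        return "none"
    if payload[:1] == b"\x16" and payload[1:3] in (b"\x03\x00", b"\x03\x01",
                                                   b"\x03\x02", b"\x03\x03"):
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if payload.split(b" ", 1)[0] in HTTP_METHODS and b" HTTP/" in payload:
        return "http"
    return "unknown"


def parse_ipv4_tcp(pkt):
    """Return the header fields a censor keys on, or None if not IPv4/TCP."""
    if len(pkt) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(pkt) < ihl + 20:
        return None
    (sport, dport, seq, _ack, off_flags, _win, _tcsum,
     _urg) = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    doff = (off_flags >> 12) * 4
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "sport": sport, "dport": dport, "seq": seq,
            "flags": off_flags & 0x1FF,
            "payload": pkt[ihl + doff:total_len]}


def decide(pkt):
    """Return (action, reason, protocol) for one packet under the policy."""
    hdr = parse_ipv4_tcp(pkt)
    if hdr is None:
        return ("allow", "not-ipv4-tcp", None)
    if any(hdr["dst"] in net for net in IP_BLACKLIST):
        return ("drop", "ip-blacklist", None)
    if hdr["dport"] not in PORT_WHITELIST:
        return ("drop", "port-not-whitelisted", None)
    proto = fingerprint(hdr["payload"])
    if proto in ("none", "unknown"):
        return ("allow", "no-signature", proto)   # e.g. a bare SYN
    if proto not in PORT_EXPECTS[hdr["dport"]]:
        return ("drop", "protocol-mismatch", proto)
    return ("allow", "ok", proto)


def build_packet(src, dst, sport, dport, payload, flags=0x18):
    """Construct an IPv4/TCP packet (checksums left zero; they are not
    checked here).  Sample input for the example, not captured traffic."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     6, 0, ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags,
                      65535, 0, 0)
    return ip + tcp + payload


CLIENT = "192.0.2.10"
SAMPLES = {
    "http-to-blacklisted": build_packet(CLIENT, "203.0.113.5", 40000, 80,
                                        b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
    "http-allowed": build_packet(CLIENT, "198.51.100.20", 40001, 80,
                                 b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
    "ssh-default-port": build_packet(CLIENT, "198.51.100.20", 40002, 22,
                                     b"SSH-2.0-OpenSSH_6.6\r\n"),
    "ssh-on-port-80": build_packet(CLIENT, "198.51.100.20", 40003, 80,
                                   b"SSH-2.0-OpenSSH_6.6\r\n"),
    "bittorrent-on-443": build_packet(CLIENT, "198.51.100.20", 40004, 443,
                                      b"\x13BitTorrent protocol" + bytes(28)),
    "tls-on-443": build_packet(CLIENT, "198.51.100.20", 40005, 443,
                               b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    "bare-syn": build_packet(CLIENT, "198.51.100.20", 40006, 80, b"",
                             flags=0x02),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, decide(pkt))
```

   The "ssh-on-port-80" and "bittorrent-on-443" samples are the point of the second step: port whitelisting alone would pass them, and only the payload signature catches them. Real deployments go further than first-bytes signatures (flow statistics, packet size distributions) precisely because obfuscated protocols are built to defeat this kind of check.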
   Iranian censors have used protocol identification to identify and throttle SSH traffic by such a large amount as to make it unusable [ref-18]. The method used by censors in China to identify Tor connections could also be viewed as a type of protocol identification [ref-19]. Protocol identification has also been used by industry for traffic management, such as the 2007 case where Comcast in the United States used RST injection to interrupt BitTorrent traffic [ref-20].

4.  Technical Prevention

4.1.  Packet Dropping

   Packet dropping is a simple mechanism to prevent undesirable traffic. The censor identifies undesirable traffic and chooses not to forward any packets it sees associated with that traffic, instead of following normal forwarding behavior. This can be paired with any of the previously described identification mechanisms, so long as the censor knows the user must route traffic through a controlled router.

   Trade-offs: Packet dropping is most successful when every traversing packet carries transparent information linked to the undesirable content, such as a destination IP address. One downside packet dropping suffers from is the necessity of overblocking all content from an otherwise allowable IP address based on a single subversive subdomain; blogging services and GitHub repositories are good examples. China famously dropped all GitHub packets for three days based on a single repository hosting undesirable content [ref-21]. The need to inspect every traversing packet in close to real time also makes packet dropping somewhat challenging from a QoS perspective.

   Empirical Examples: Packet dropping is a very common form of technical prevention and lends itself to accurate detection given the distinctive nature of the timed-out requests it leaves in its wake.
   The Great Firewall of China uses packet dropping as one of its primary mechanisms of technical censorship [ref-22]. Iran also uses packet dropping as the mechanism for throttling SSH [ref-23]. These are but two examples of a ubiquitous censorship practice.

4.2.  RST Packet Injection

   Packet injection, generally, refers to a man-in-the-middle network interference technique that spoofs packets into an established traffic stream. A TCP segment with the RST flag set tells the receiver to abort the connection immediately; it is normally sent when a segment arrives for a connection that does not exist (for example, a closed port) or when one side wants to tear a connection down without the orderly FIN exchange. RST packet injection is a specific type of packet injection attack that is used to interrupt an established stream by sending forged RST packets to both sides of a TCP connection; as each receiver believes the other has aborted the connection, the session is terminated.

   Trade-offs: RST packet injection has a few advantages that make it extremely popular as a censorship technique. RST packet injection is an out-of-band prevention mechanism, allowing the censor to avoid the QoS bottleneck one can encounter with inline techniques such as packet dropping. This out-of-band property allows a censor to inspect a copy of the information, usually mirrored by an optical splitter, making it an ideal pairing for DPI and protocol identification [ref-24]. RST packet injection also has the advantage of only requiring one of the two endpoints to accept the spoofed packet for the connection to be interrupted [ref-25]. The difficult part of RST packet injection is spoofing "enough" correct information to ensure one endpoint accepts an RST packet as legitimate; this generally implies a correct IP address pair, port pair, and sequence number.
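   The sequence-number requirement can be made precise. The following added example, written for this survey and not taken from the draft or any cited work, models the receiver's acceptance test for a forged RST under the original RFC 793 rule, which accepts any RST whose sequence number falls inside the receive window, and under the stricter RFC 5961 rule, which resets only on an exact match and answers an in-window but inexact RST with a challenge ACK. It then simulates a blind injector that knows the address and port pairs but not the sequence number and sweeps the 2^32 sequence space in window-sized strides. The receiver state used (rcv_nxt, rcv_wnd) is assumed for the example.

```python
"""Added example: which spoofed RST segments a receiver accepts, and how
many a blind injector must send.  rcv_nxt and rcv_wnd stand for RCV.NXT
and RCV.WND in RFC 793; the values used below are assumed."""

SEQ_SPACE = 1 << 32


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 test: RCV.NXT <= seq < RCV.NXT + RCV.WND, modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_outcome(seq, rcv_nxt, rcv_wnd, rfc5961=False):
    """Receiver's reaction to an RST carrying sequence number `seq`.

    RFC 793: any in-window RST aborts the connection.
    RFC 5961 (Section 3.2): only an RST whose sequence number equals
    RCV.NXT aborts; an in-window but inexact RST is answered with a
    challenge ACK, and an out-of-window RST is silently dropped."""
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return "dropped"
    if rfc5961 and seq != rcv_nxt:
        return "challenge-ack"
    return "reset"


def blind_guesses(rcv_wnd):
    """Worst-case number of RSTs a blind injector sends when it tries every
    multiple of rcv_wnd below 2^32; roughly 2^32 / rcv_wnd."""
    return (SEQ_SPACE - 1) // rcv_wnd + 1


def blind_inject(rcv_nxt, rcv_wnd, rfc5961=False):
    """Simulate blind RST injection: the injector knows the 4-tuple but not
    the sequence number, so it tries 0, rcv_wnd, 2*rcv_wnd, ...  Every
    window of size rcv_wnd contains one such value (the window that wraps
    past 2^32 contains 0), so under RFC 793 the sweep always succeeds.
    Returns how many RSTs were sent before one aborted the connection, or
    None if the whole sweep fails (possible only under RFC 5961 rules)."""
    sent = 0
    seq = 0
    while seq < SEQ_SPACE:
        sent += 1
        if rst_outcome(seq, rcv_nxt, rcv_wnd, rfc5961) == "reset":
            return sent
        seq += rcv_wnd
    return None


if __name__ == "__main__":
    rcv_nxt, rcv_wnd = 123456789, 65536      # assumed receiver state
    print("in-window, inexact, RFC 793 :",
          rst_outcome(rcv_nxt + 100, rcv_nxt, rcv_wnd))
    print("in-window, inexact, RFC 5961:",
          rst_outcome(rcv_nxt + 100, rcv_nxt, rcv_wnd, True))
    print("worst-case blind guesses    :", blind_guesses(rcv_wnd))
    print("blind sweep, RFC 793        :", blind_inject(rcv_nxt, rcv_wnd))
    print("blind sweep, RFC 5961       :", blind_inject(rcv_nxt, rcv_wnd, True))
```

   A censor that sees the stream through an optical splitter does not need the sweep at all, since it reads the exact sequence number from the traffic; RFC 5961 only raises the cost for an injector that is genuinely blind.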
   The sequence number is the hardest of these to get right. RFC 793 accepts an RST whose sequence number falls anywhere within the receiver's current window [ref-26], and it is this in-window rule that makes blind RST injection attacks practical [ref-27]: a blind injector, one that does not observe the TCP stream it is injecting into and so does not know the current sequence number, need not guess the exact value, only a value inside the window, and can simply step through the 2^32 sequence space in window-sized strides, roughly 2^32 divided by the window size, or about 65,000 guesses for a 64 KiB window. The tightened rules of RFC 5961 reduce this exposure by resetting only on an RST whose sequence number exactly matches the next expected one and answering an in-window but inexact RST with a challenge ACK, but a censor that observes the stream (as one fed by an optical splitter does) learns the exact sequence number anyway. Blind injection is particularly useful for interrupting encrypted or obfuscated protocols such as SSH or Tor, whose payloads cannot be inspected. RST packet injection relies on TCP connection state, making it useless against UDP traffic, which has no connection to reset. RST packet injection is among the most popular censorship techniques used today given its versatile nature and effectiveness against all types of TCP traffic.

   Empirical Examples: RST packet injection, as mentioned above, is most often paired with identification techniques that require splitting, such as DPI or protocol identification. In 2007 Comcast was accused of using RST packet injection to interrupt traffic it identified as BitTorrent [ref-28]; this later led to an FCC ruling against Comcast [ref-29]. China has also been known to use RST packet injection for censorship purposes. This prevention is especially evident in the interruption of encrypted or obfuscated protocols, such as those used by Tor [ref-30].

4.3.  DNS Cache Poisoning

   DNS cache poisoning, in the censorship context, refers to a mechanism where a censor interferes with the response sent by a DNS resolver to the requesting device by injecting an alternative IP address on the return path.
   The censor does not need to compromise the authoritative name servers to do this. It watches queries pass through a point of control, and when a query for a blacklisted name is seen it injects a forged response carrying an alternative IP address, usually arriving before the legitimate answer; the client, and any recursive resolver on the path that accepts and caches the forged answer, then holds the bogus address for the lifetime of that cache entry, which is where the name "cache poisoning" comes from. These alternative IP addresses usually direct to a nonsense address or a warning page [ref-31]. Alternatively, Iranian censorship appears to suppress the communication en route, preventing a response from ever being sent [ref-32].

   Trade-offs: DNS cache poisoning is one of the rarer forms of prevention due to a number of shortcomings. DNS cache poisoning requires the censor to force a user's queries to traverse a controlled path or resolver for the mechanism to be effective; it is easily circumvented by a technically savvy user who opts to use alternative DNS resolvers, such as the 8.8.8.8 and 8.8.4.4 public resolvers provided by Google, as long as queries to those resolvers are not themselves intercepted. DNS cache poisoning also only returns an incorrect IP address to those attempting to resolve a domain name; the site itself is still technically reachable if the user has another method of acquiring the IP address of the desired site. Blocking overflow has also been a problem, as occasionally users outside of the censor's region will be directed through a DNS server controlled by a censor, causing the request to fail. The ease of circumvention paired with the large risk of overblocking and blocking overflow make DNS cache poisoning a partial, difficult, and less than ideal censorship mechanism.

   Empirical Evidence: DNS cache poisoning, when properly implemented, is easy to identify based on the shortcomings identified above.
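   Two of those shortcomings are directly observable from the client side, and the following added example, written for this survey and not taken from the draft or any cited measurement study, turns them into checks. It builds and parses minimal DNS messages (A records only) and flags, first, a query that received more than one response with differing answers, which is what an on-path injector racing the real resolver looks like, and second, one address being returned for many unrelated names, the pattern of a misconfigured injector answering every query alike. The names, addresses, transaction IDs, and messages are constructed for the example.

```python
"""Added example: detecting on-path DNS injection from the responses a
client sees.  Builds and parses minimal DNS messages (A records only) and
applies two checks: more than one answer set for a single query, and one
address answering for many unrelated names.  All data is constructed."""
import ipaddress
import struct


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, pos):
    """Decode a (possibly compressed) name; return (name, position after it)."""
    labels, end = [], None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if end is None:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower(), (end if end is not None else pos)


def build_response(txid, qname, addrs, ttl=300):
    """Construct a standard response with one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        + ipaddress.ip_address(a).packed for a in addrs)
    return header + question + answers


def parse_response(msg):
    """Return txid, question name and the A-record addresses in a response."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    qname = None
    for _ in range(qdcount):
        qname, pos = decode_name(msg, pos)
        pos += 4                                     # qtype, qclass
    addrs = []
    for _ in range(ancount):
        _name, pos = decode_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.ip_address(msg[pos:pos + 4])))
        pos += rdlen
    return {"id": txid, "qname": qname, "addrs": addrs, "flags": flags}


def detect_injection(txid, qname, responses):
    """Injection check for one query: a client should see exactly one
    response; two responses with different answers mean something on the
    path answered in addition to (and usually ahead of) the real resolver."""
    seen = [parse_response(r) for r in responses]
    mine = [p for p in seen if p["id"] == txid and p["qname"] == qname]
    answer_sets = [tuple(p["addrs"]) for p in mine]
    return {"responses": len(mine),
            "injected": len(set(answer_sets)) > 1,
            "first": list(answer_sets[0]) if answer_sets else [],
            "conflicting": sorted(set(answer_sets[1:]) - set(answer_sets[:1]))}


def shared_sink(results, threshold=3):
    """Addresses returned for at least `threshold` different names: the
    signature of a misconfigured injector answering every query alike."""
    names_by_addr = {}
    for qname, addrs in results:
        for a in addrs:
            names_by_addr.setdefault(a, set()).add(qname)
    return {a: sorted(n) for a, n in names_by_addr.items()
            if len(n) >= threshold}


# Constructed scenario: a forged answer (203.0.113.1) beats the real one.
QUERY_ID, QNAME = 0x1234, "blocked.example"
OBSERVED = [build_response(QUERY_ID, QNAME, ["203.0.113.1"]),
            build_response(QUERY_ID, QNAME, ["198.51.100.10"]),
            build_response(0x5678, "other.example", ["198.51.100.11"])]

if __name__ == "__main__":
    print(detect_injection(QUERY_ID, QNAME, OBSERVED))
    print(shared_sink([("a.example", ["203.0.113.1"]),
                       ("b.example", ["203.0.113.1"]),
                       ("c.example", ["203.0.113.1"]),
                       ("d.example", ["198.51.100.12"])]))
```

   The duplicate-response check only works for a client that keeps listening after the first answer; a stub resolver that takes the first response and closes the socket sees exactly the poisoned result the censor intended and nothing else, which is why the technique works at all.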
   Turkey relied on DNS cache poisoning for its country-wide block of websites such as Twitter and YouTube for almost a week in March 2014, but the ease of circumvention resulted in an increase in the popularity of Twitter until Turkish ISPs implemented an IP blacklist to achieve the governmental mandate [ref-33]. To drive the proverbial nail in the coffin, Turkish ISPs started hijacking all requests to Google's and Level 3's international DNS resolvers [ref-34]. DNS cache poisoning, when incorrectly implemented, has resulted in some of the largest "censorship disasters". In January 2014 China started resolving all names passing through the Great Firewall to a single IP address, one belonging to dongtaiwang.com, due to an improperly configured DNS cache poisoning attempt; this incident is thought to be the largest Internet service outage in history [ref-35][ref-36]. Countries such as China, Iran, Turkey, and the United States have discussed blocking entire TLDs as well, but only Iran has acted, by blocking all Israeli (.il) domains [ref-37].

4.4.  Distributed Denial of Service (DDoS)

   Distributed Denial of Service attacks are a common attack mechanism used by "hacktivists" and black-hat hackers, but censors have used DDoS in the past for a variety of reasons. There is a huge variety of DDoS attacks [ref-38], but at a high level two possible impacts tend to occur: a flood attack renders the service unusable for as long as resources are being spent to flood it, while a crash attack aims to crash the service so that its resources can be reallocated elsewhere without "releasing" the service.

   Trade-offs: DDoS is an appealing mechanism when a censor would like to prevent all access to undesirable content, rather than only access from their region, for a limited period of time, but this is really the only uniquely beneficial feature of DDoS as a censorship technique.
   The resources required to carry out a successful DDoS against major targets are expensive, usually requiring renting or owning a malicious distributed platform such as a botnet, and the effect is imprecise. DDoS is an incredibly crude censorship technique, and appears to largely be used as a timely, easy-to-access mechanism for blocking undesirable content for a limited period of time.

   Empirical Examples: In 2012 the U.K.'s GCHQ used DDoS to temporarily shut down IRC chat rooms frequented by members of Anonymous, using the SYN flood method; a SYN flood exploits the handshake used by TCP to overload the victim server with so many half-open connection requests that legitimate traffic becomes slow or impossible [ref-39][ref-40]. Dissenting opinion websites are frequently victims of DDoS around politically sensitive events in Burma [ref-41]. Controlling parties in Russia [ref-42], Zimbabwe [ref-43], and Malaysia [ref-44] have been accused of using DDoS to interrupt opposition support and access during elections.

4.5.  Network Disconnection or Adversarial Route Announcement

   The crudest of all censorship techniques, there is no more effective way of making sure undesirable information isn't allowed to propagate on the web than by shutting off the network. The network can be cut off in a region when a censoring body withdraws all of the BGP prefixes routing through the censor's country.

   Trade-offs: The impact of a network disconnection in a region is huge and absolute; the censor pays for absolute control over digital information with all the benefits the Internet brings. This is never a long-term solution for any rational censor and is normally only used as a last resort in times of substantial unrest.
   Empirical Examples: Network disconnections tend to only happen in times of substantial unrest, largely due to the huge social, political, and economic impact such a move has. One of the first highly covered occurrences was the junta in Myanmar employing network disconnection to help junta forces quash a rebellion in 2007 [ref-45]. China disconnected the network in the Xinjiang region during unrest in 2009 in an effort to prevent the protests from spreading to other regions [ref-46]. The Arab Spring saw the most frequent usage of network disconnection, with events in Egypt and Libya in 2011 [ref-47][ref-48], and Syria in 2012 [ref-49].

5.  Non-Technical Aggregation

   As the name implies, sometimes manpower is the easiest way to figure out which content to block. Manual filtering differs from the common tactic of building up blacklists in that it doesn't necessarily target a specific IP address or DNS name, but instead removes or flags content. Given the imprecise nature of automatic filtering, manually sorting through content and flagging dissenting websites, blogs, articles, and other media for filtration can be an effective technique. This filtration can occur at the backbone/ISP level; China's army of monitors is a good example [ref-50]. More commonly, manual filtering occurs at an institutional level. Internet content providers (ICPs), such as Google or Weibo, require a business license to operate in China. One of the prerequisites for a business license is an agreement to sign a "voluntary pledge" known as the "Public Pledge on Self-discipline for the Chinese Internet Industry". Failure to "energetically uphold" the pledged values can lead to the ICP being held liable for the offending content by the Chinese government [ref-51].

6.  Non-Technical Prevention

6.1.  Self Censorship

   Self censorship is one of the most interesting and effective types of censorship; a mix of Bentham's Panopticon, cultural manipulation, intelligence gathering, and meatspace enforcement. Simply put, self censorship is when a censor creates an atmosphere in which users censor themselves. This can be achieved through controlling information, intimidating would-be dissidents, swaying public thought, and creating apathy. Self censorship is difficult to document, as when it is implemented effectively the only noticeable trace is a lack of undesirable content; instead one must look at the tools and techniques used by censors to encourage self-censorship. Controlling information relies on traditional censorship techniques, or on forcing all users to connect through an int ranet, as in North Korea. Intimidation is often achieved by allowing Internet users to post "whatever they want" but arresting those who post dissenting views; this technique is incredibly common [ref-52][ref-53][ref-54][ref-55][ref-56]. A good example of swaying public thought is China's "50-Cent Party", composed of somewhere between 20,000 [ref-57] and 300,000 [ref-58] contributors who are paid to "guide public thought" on local and regional issues as directed by the Ministry of Culture. Creating apathy can be a side effect of successfully controlling information over time and is ideal for a censorship regime [ref-59].

6.2.  Domain Name Reallocation

   As domain names are resolved recursively, if a TLD registry deregisters a domain, all other DNS resolvers will be unable to resolve and cache the site. Domain name deregistration is only really a risk where undesirable content is hosted under a TLD controlled by the censoring country, such as .cn or .ru [ref-60].

6.3.  Server Takedown

   Servers must have a physical location somewhere in the world.
If undesirable content is hosted in the censoring country the servers
can be physically seized or the hosting provider can be required to
prevent access [ref-61].

7.  References

[ref-1]   Glanville, J., "The Big Business of Net Censorship",
          November 2008.

[ref-2]   Dalek, J., "A Method for Identifying and Confirming the Use
          of URL Filtering Products for Censorship", October 2013.

[ref-3]   EF, A., "EFA Filtering Overview", May 2009.

[ref-4]   Crandall, J., "Empirical Study of a National-Scale
          Distributed Intrusion Detection System: Backbone-Level
          Filtering of HTML Responses in China", June 2010.

[ref-5]   Dobie, M., "Junta Tightens Military Screws", September 2007.

[ref-6]   Cheng, J., "Google stops Hong Kong auto-redirect as China
          plays hardball", June 2010.

[ref-7]   Zhu, T., "An Analysis of Chinese Search Engine Filtering",
          July 2011.

[ref-8]   Whittaker, Z., "1,168 keywords Skype uses to censor, monitor
          its Chinese users", March 2013.

[ref-9]   News, B., "Google and Microsoft agree steps to block abuse
          images", November 2013.

[ref-10]  Condliffe, J., "Google Announces Massive New Restrictions on
          Child Abuse Search Terms", November 2013.

[ref-11]  Wagner, B., "Deep Packet Inspection and Internet Censorship:
          International Convergence on an 'Integrated Technology of
          Control'", June 2009.

[ref-12]  Porter, T., "The Perils of Deep Packet Inspection", October
          2010.

[ref-13]  Wilde, T., "Knock Knock Knockin' on Bridges Doors", January
          2012.

[ref-14]  Wagstaff, J., "In Malaysia, online election battles take a
          nasty turn", May 2013.

[ref-15]  EFF, T., "Hepting vs. AT&T", Updated December.

[ref-16]  Hjelmvik, E., "Breaking and", July 2010 7.

[ref-17]  Vine, S., "Technology Showcase on Traffic Classification:
          Why Measurements and Freeform Policy Matter", May 2014.

[ref-18]  Anonymous, A., "How to Bypass Comcast's Bittorrent
          Throttling", October 2007.

[ref-19]  Lee, T., "Here's how Iran censors the Internet", August
          2013.

[ref-20]  Winter, P., "How China is Blocking Tor", April 2012.

[ref-21]  Anonymous, A., "GitHub blocked in China - how it happened,
          how to get around it, and where it will take us", January
          2013.

[ref-22]  Ensafi, R., "Detecting Intentional Packet Drops on the
          Internet via TCP/IP Side Channels", December 2013.

[ref-23]  Aryan*, A., "Internet Censorship in Iran: A First Look",
          August 2013.

[ref-24]  Weaver, S., "Detecting Forged TCP Packets", June 2009.

[ref-25]  Weaver, S., "Detecting Forged TCP Packets", June 2009.

[ref-26]  Weaver, S., "Detecting Forged TCP Packets", June 2009.

[ref-27]  Anonymous, A., "TCP-RST Injection", June 210.

[ref-28]  Schoen, S., "EFF tests agree with AP: Comcast is forging
          packets to interfere with user traffic", October 19th.

[ref-29]  VonLohmann, F., "FCC Rules Against Comcast for BitTorrent
          Blocking", August 3rd.

[ref-30]  Phillip Winter, S., "How China Is Blocking Tor", April 2nd.

[ref-31]  DNS, V., "DNS Cache Poisoning in the People's Republic of
          China", September 6th.

[ref-32]  Aryan*, A., "Internet Censorship in Iran: A First Look",
          August 2013.

[ref-33]  Zmijewski, E., "Turkish Internet Censorship Takes a New
          Turn", March 2014.

[ref-34]  Zmijewski, E., "Turkish Internet Censorship Takes a New
          Turn", March 2014.

[ref-35]  AFP, A., "China Has Massive Internet Breakdown Reportedly
          Caused By Their Own Censoring Tools", January 2014.

[ref-36]  Anonymous, A., "The Collateral Damage of Internet
          Censorship by DNS Injection", July 2012.

[ref-37]  Albert, K., "DNS Tampering and the new ICANN gTLD Rules",
          June 2011.

[ref-38]  Anonymous, A., "Denial of Service Attacks (Wikipedia)",
          N/A.

[ref-39]  Esposito, S., "Snowden Docs Show UK Spies Attacked
          Anonymous, Hackers", February 2014.

[ref-40]  CMU, C., "TCP SYN Flooding and IP Spoofing Attacks",
          November 2000.

[ref-41]  Villeneuve, N., "Open Access: Chapter 8, Control and
          Resistance, Attacks on Burmese Opposition Media", December
          2011.

[ref-42]  Kravtsova, Y., "Cyberattacks Disrupt Opposition's
          Election", October 2012.

[ref-43]  Orion, E., "Zimbabwe election hit by hacking and DDoS
          attacks", August 2013.

[ref-44]  Muncaster, P., "Malaysian election sparks web blocking/DDoS
          claims", May 2013.

[ref-45]  Dobie, M., "Junta tightens media screw", September 2007.

[ref-46]  Heacock, R., "China Shuts Down Internet in Xinjiang Region
          After Riots", July 2009.

[ref-47]  Cowie, J., "Egypt Leaves the Internet", January 2011.

[ref-48]  Cowie, J., "Libyan Disconnect", February 2011.

[ref-49]  Thomson, I., "Syria Cuts off Internet and Mobile
          Communication", November 2012.

[ref-50]  News, B., "China employs two million microblog monitors
          state media say", October 2013.

[ref-51]  MacKinnon, R., "'Race to the Bottom' Corporate Complicity
          in Chinese Internet Censorship", August 2006.

[ref-52]  Calamur, K., "Prominent Egyptian Blogger Arrested",
          November 2013.

[ref-53]  Press, A., "Sattar Beheshit, Iranian Blogger, Was Beaten In
          Prison According To Prosecutor", December 2012.

[ref-54]  Hopkins, C., "Communications Blocked in Libya, Qatari
          Blogger Arrested: This Week in Online Tyranny", March 2011.

[ref-55]  Guardian, T., "Chinese blogger jailed under crackdown on
          'internet rumours'", April 2014.

[ref-56]  Johnson, L., "Torture feared in arrest of Iraqi blogger",
          February 2010.

[ref-57]  Bristow, M., "China's internet 'spin doctors'", November
          2013.

[ref-58]  Fareed, M., "China joins a turf war", September 2008.

[ref-59]  Gao, H., "Tiananmen, Forgotten", June 2014.

[ref-60]  Anderson, R., "Access Denied: Tools and Technology of
          Internet Filtering", December 2011.

[ref-61]  Murdoch, S., "Access Denied: Tools and Technology of
          Internet Filtering", December 2011.

Authors' Addresses

Joseph L. Hall
Center for Democracy and Technology

Email: jhall@cdt.org

Michael D. Aaron
Center for Democracy and Technology

Email: maaron@cdt.org