Any one of five Indian ASes — each needing control of only its BGP-speaking routers — can individually censor traffic for all ~896 Indian ASes via IP prefix hijacking. For example, AS4755 (Tata Comm.) fake advertisements can impact 955 ASes total (896 Indian + 41 foreign); AS9730 (Bharti Telesonic) requires as few as 7 edge routers to execute such an attack.

Only 4 Indian ASes are needed to intercept >90% of AS-level paths from all Indian ASes to censored sites; 10 ASes cover ~95% of paths. Fewer than 5,000 edge routers spread across those ASes would suffice for nationwide IP filtering, with ~70% of those routers belonging to just two private ISPs (Bharti Airtel AS9498 and Tata Comm. AS4755).

§4.1, Table 2, Table 3 evaluation

If India deployed centralized filtering at its key ASes, approximately 121,931 foreign-origin paths (1.15% of all Internet paths to censored sites worldwide) that transit Indian ASes would experience collateral blocking, affecting non-Indian users in Finland, Hong Kong, Singapore, Malaysia, the US, and elsewhere who have no connection to Indian censorship law.

§4.1, §4.4 policy

Eight Indian ASes can collectively intercept 99.14% of AS-level paths connecting all Indian ASes to DNS resolvers, including GoogleDNS and OpenDNS; 4,906 routers across these 8 ASes suffice to launch DNS injection attacks covering the entire country. The same 8 ASes also appear among the 10 key ASes identified for IP filtering.

§4.2 evaluation

India's federated censorship model — each ISP independently enforces government blacklists — produces dramatically inconsistent filtering: Airtel censored only 1 of 50 pornographic sites probed, while MTNL censored 45 of 50; Reliance Jio censored 0 sites across all 540 test URLs. A well-informed user can escape censorship through a judicious choice of ISP.

§3.1, Table 1 evaluation

Article 19 documents that Iran's National Information Network (NIN / SHOMA) was designed with explicit reference to China's Great Firewall as a model, with institutional mirroring: Iran's Supreme Council of Cyberspace parallels China's Cyberspace Administration of China, and both governments share a "cyber sovereignty" doctrine used to justify domestic content controls and cross-border technology transfer. The report frames Iran's filtering infrastructure as deliberately architected to replicate GFW capabilities, not as an independently developed system.

2026-article19-tightening-the-net §2, §3 dpisni-blockingdns-poisoningip-blockingbgp-hijackthrottling

On March 28, 2022, Russian ISP RTComm (AS8342) hijacked Twitter's IPv4 prefix 104.244.42.0/24 for approximately 45 minutes (12:05–12:50 UTC) and announced it to the global Internet as a blocking measure. The hijack was blunted because Twitter had preemptively registered RPKI route origin authorizations (ROAs) for its prefixes, causing RPKI-validating ASes worldwide to reject the hijacked route.

2023-ramesh-network §4.3 bgp-hijackasn-blackholing

On Feb. 5, 2021, Campana Mythic (AS136168) announced Twitter's 104.244.42.0/24 prefix—apparently intending to blackhole Twitter traffic locally as part of the national Twitter block—but the route leaked to operators in Singapore and Vietnam, causing collateral disruption for Twitter users outside Myanmar. This accidental BGP leak corroborates evidence that Myanmar ISPs were independently implementing IP-level censorship without a centralized national kill switch.

2021-padmanabhan-multi-perspective §3.4 bgp-hijackip-blocking

For China (a highly connected, routing-capable adversary), the gossip protocol combined with any symmetric decoy routing design requires only 5 heavyweight downstream stations plus 880 lightweight upstream gossip stations — versus 880 heavyweight stations for purely symmetric designs. Five downstream stations alone impact 78% of routes from Chinese users, while a single downstream station already covers nearly 25% of traffic.

2018-bocovich-secure Table 2 / §3.2 bgp-hijack

Through Internet-scale BGP simulation against China, downstream-only decoy routing (Waterfall) with a single decoy AS provides equivalent resistance to routing attacks as a traditional upstream decoy system (e.g., Telex) with 53 decoy ASes. This efficiency gain arises because censoring ISPs can selectively re-route upstream traffic per destination but must re-route all or none of downstream traffic through each provider AS, making downstream-only routing far more expensive to evade.

2017-nasr-waterfall §4.1.1 bgp-hijack

Table 2 shows that with 50 decoy ASes, the most powerful practical routing attack on downstream-only systems (rewiring-I) impacts 93% of China's routes (22.4% unreachable, 70% re-routed), compared to only 18.2% total impact from RAD on traditional upstream designs. Table 3 shows that even for Syria, the rewiring-II attack with just 1 downstream-only decoy AS already impacts 81% of routes versus 1.5% for RAD on upstream systems.

2017-nasr-waterfall §4.2.1, Table 2, Table 3 bgp-hijack