TECHNIQUES
bgp-hijack BGP / route manipulation
AS-level interference: prefix withdrawal, hijacking, or null-routing from the censor side.
6 papers on file
- 2026-article19-tightening-the-net Tightening the Net: China's Infrastructure of Oppression in Iran
- 2026-gusgustavo-iran-internet-shutdown Iran: Internet shutdown from 7 UTC 28 February 2026
- 2025-umesh-improved An Improved BGP Internet Graph for Optimizing Refraction Proxy Placement
- 2024-bhaskar-understanding Understanding Routing-Induced Censorship Changes Globally
- 2023-bischof-destination Destination Unreachable: Characterizing Internet Outages and Shutdowns
- 2013-benson-gaining Gaining Insight into AS-level Outages through Analysis of Internet Background Radiation
46 findings tagged here
- Article 19 documents that Iran's National Information Network (NIN / SHOMA) was designed with explicit reference to China's Great Firewall as a model, with institutional mirroring: Iran's Supreme Council of Cyberspace parallels China's Cyberspace Administration of China, and both governments share a "cyber sovereignty" doctrine used to justify domestic content controls and cross-border technology transfer. The report frames Iran's filtering infrastructure as deliberately architected to replicate GFW capabilities, not as an independently developed system.
- During the January 8–9, 2026 shutdown, Iran's .ir DNS zone became unavailable in-country, with resolution routed exclusively to a single nameserver located in Amsterdam. This infrastructure takeover was simultaneous with the routing blackout, eliminating DNS as an independent resolution path.
- Iran executed a full-stack internet shutdown beginning at 18:45 UTC on January 8, 2026, withdrawing BGP prefix announcements nationwide and causing routing failures that prevented clients from completing TCP handshakes. Traffic dropped to effectively zero within hours of the shutdown's onset.
- The January 2026 Iranian shutdown encompassed not only global internet connectivity but also domestic inter-network connectivity and PSTN telephony — even domestic phone calls were reported impossible during the blackout period. This represents a broader telecommunications blockade beyond IP-layer isolation.
- Iran's January 8, 2026 shutdown was confirmed by Cloudflare Radar traffic telemetry showing a near-instantaneous collapse in Iranian internet traffic to effectively zero. The shutdown was implemented rapidly enough that the Cloudflare Radar timestamp (18:45 UTC) serves as a precise onset marker.
- During Iran's near-complete February 2026 shutdown, DNS-based tunneling (dnstt over UDP port 53) was identified by the community as the only functioning circumvention method, with participants successfully sharing public dnstt server configurations to maintain connectivity.
- Iran experienced a near-complete internet shutdown on February 28, 2026 beginning at approximately 07:00 UTC, with Cloudflare Radar measuring ~98% connectivity loss relative to the previous week, affecting Tehran, Fars, Isfahan, Alborz Province, and Razavi Khorasan simultaneously.
- IODA data confirmed the February 28, 2026 Iran shutdown was implemented via BGP route withdrawals and collapse of IP-space announcements, not merely application-layer blocking — the underlying routing infrastructure itself was withdrawn.
- Community experimentation during the February 2026 Iran shutdown revealed heterogeneity across ISPs in what survived: participants tested different DNS resolvers and ISPs to find working dnstt paths, indicating the BGP withdrawal was not perfectly uniform across all Iranian autonomous systems.
- On March 28, 2022, Russian ISP RTComm (AS8342) hijacked Twitter's IPv4 prefix 104.244.42.0/24 for approximately 45 minutes (12:05–12:50 UTC) and announced it to the global Internet as a blocking measure. The hijack was blunted because Twitter had preemptively registered RPKI route origin authorizations (ROAs) for its prefixes, causing RPKI-validating ASes worldwide to reject the hijacked route.
- On Feb. 5, 2021, Campana Mythic (AS136168) announced Twitter's 104.244.42.0/24 prefix—apparently intending to blackhole Twitter traffic locally as part of the national Twitter block—but the route leaked to operators in Singapore and Vietnam, causing collateral disruption for Twitter users outside Myanmar. This accidental BGP leak corroborates evidence that Myanmar ISPs were independently implementing IP-level censorship without a centralized national kill switch.
- For China (a highly connected, routing-capable adversary), the gossip protocol combined with any symmetric decoy routing design requires only 5 heavyweight downstream stations plus 880 lightweight upstream gossip stations — versus 880 heavyweight stations for purely symmetric designs. Five downstream stations alone impact 78% of routes from Chinese users, while a single downstream station already covers nearly 25% of traffic.
- Any one of five Indian ASes — each needing control of only its BGP-speaking routers — can individually censor traffic for all ~896 Indian ASes via IP prefix hijacking. For example, AS4755 (Tata Comm.) fake advertisements can impact 955 ASes total (896 Indian + 41 foreign); AS9730 (Bharti Telesonic) requires as few as 7 edge routers to execute such an attack.
- If India deployed centralized filtering at its key ASes, approximately 121,931 foreign-origin paths (1.15% of all Internet paths to censored sites worldwide) that transit Indian ASes would experience collateral blocking, affecting non-Indian users in Finland, Hong Kong, Singapore, Malaysia, the US, and elsewhere who have no connection to Indian censorship law.
- Through Internet-scale BGP simulation against China, downstream-only decoy routing (Waterfall) with a single decoy AS provides equivalent resistance to routing attacks as a traditional upstream decoy system (e.g., Telex) with 53 decoy ASes. This efficiency gain arises because censoring ISPs can selectively re-route upstream traffic per destination but must re-route all or none of downstream traffic through each provider AS, making downstream-only routing far more expensive to evade.
- Table 2 shows that with 50 decoy ASes, the most powerful practical routing attack on downstream-only systems (rewiring-I) impacts 93% of China's routes (22.4% unreachable, 70% re-routed), compared to only 18.2% total impact from RAD on traditional upstream designs. Table 3 shows that even for Syria, the rewiring-II attack with just 1 downstream-only decoy AS already impacts 81% of routes versus 1.5% for RAD on upstream systems.
- BGP simulation shows that a censor's source-block attack against 100 downstream-only decoy ASes disconnects 23% of Chinese Internet destinations, versus only 8% when applying the standard RAD attack against 100 upstream decoy ASes — imposing nearly 3× more unreachability collateral damage on the censor for the same decoy count.
- Internet connectivity is the primary determinant of RAD attack strength across nation-state censors: China (573 ASes, 858 ring ASes) achieves a censorship metric of 0.277 under profile T1, while Syria (4 ASes, 5 ring ASes) achieves only 0.101 with the same decoy budget. Venezuela, despite fewer total ASes than Saudi Arabia (44 vs. 107), achieves a higher censorship metric (0.210 vs. 0.197) owing to its disproportionately large ring AS count (835 vs. 176), confirming that ring AS count predicts RAD capability better than raw AS count.
- Optimal RAD by a QoS-cautious wealthy Chinese censor (profile T1, F/ρ₀ = 5×10^6) forces 10.8% of routes onto non-valley-free (NVF) paths and 1.2% onto less-preferred routes, while still leaving 16.3% of routes traversing decoy ASes—zero routes become unreachable at this budget. The NVF and less-preferred-route fractions rise and then fall as decoy budget increases, as further RAD routing gains diminish past a crossover point.
- The game-theoretic optimal decoy placement (ε-Nash equilibrium via best-response dynamics against an optimal RAD adversary) achieves a censorship metric of 0.2 at budget ratio F/ρ₀ = 10^8, versus 0.42 for the best prior heuristic ('sorted' placement from Houmansadr et al. [14]) under the same budget—a 2× improvement in censorship resistance per dollar. Prior comparisons used ad hoc RAD deployments rather than the optimal adversary, understating the benefit of principled placement.
- Game-theoretic simulation shows that a QoS-cautious, wealthy Chinese censor (profile T1/T4) cannot reduce decoy-accessible routes below ~27% (censorship metric ≈ 0.277) via the RAD attack regardless of budget. An irrational censor can achieve a censorship metric of 1.000 but only by making 70.3% of all Internet routes unreachable to Chinese users—a collateral-damage threshold that constrains rational nation-state censors in practice.
- In the autonomous (non-centrally-funded) deployment model, the decoy service fee γ (ratio of decoy revenue to transit revenue per MB) is the primary lever for censorship resistance: for China with profile T1, γ = 5 leaves 9.6% of routes usable for circumvention after optimal RAD, compared to 16.3% under the centrally-funded model at budget ratio F/ρ₀ = 5×10^6. Higher fees compensate ASes for RAD-induced transit revenue loss and sustain participation, but the autonomous model delivers roughly half the censorship resistance of a centrally-funded deployment at comparable incentive levels.
- Table 1 of the survey documents that by 2013–2014 censors were deploying simultaneous blocking across BGP, DNS, IP/port filtering, TCP disruption, TLS, and application-layer keyword filtering. No single detection tool in the survey covers all six layers; the most comprehensive, OONI (2012), covers DNS, IP/port, TCP, TLS, keyword, and HTTP but notes only partial BGP coverage.
- Property 1 proves that a peer inside a forbidden region F cannot satisfy the safety condition: appearing safe would require reporting an RTT lower than (3/c)·distance(peer,F), a physical impossibility. Property 2 follows: all trustworthy peers ignore packets routing through F regardless of attacker-controlled neighbor sets, making Alibi Routing safe without assuming honest neighbor selection.
- Alibi Routing fails for source-destination pairs close to or inside the forbidden region: approximately 10% of pairs cannot provably avoid China and 22% cannot avoid the USA at δ=1.0 (Figure 5), with a strong monotonic correlation between proximity to the forbidden region and the number of available relays (Figure 6). Additionally, about 50% of nodes in target regions fail the alibi condition when avoiding the USA due to its BGP routing centrality causing actual paths to transit it despite geographic distance (Figure 7a).
- Alibi Routing proves packets avoided a forbidden geographic region using physical impossibility: a relay MACs forwarded packets, and the observed RTT must satisfy (1+δ)·R(s,r) < min_{f∈F}{R(s,f)+R(f,r)}, where the minimum RTT to any point in F is estimated as (3/c)·ShortestDistance(q,F) — fiber-optic links at 2/3 the speed of light. This proof requires only GPS coordinates and local RTT measurements, no BGP modifications or PKI.
- Rostelecom (AS12389) performed network-layer redirection of blacklisted traffic rather than DPI-based filtering: 40 of 343 Russian probes returned SSL certificates attributed to Russian ISPs (State Institute of Information Technologies, Rostelecom, Electron Telecom Network). The interference affected all protocols and ports holistically across Rostelecom's downstream peers, consistent with BGP-level false advertisements or forwarding rules rather than application-layer classification.
- When Turkish users shifted to foreign DNS providers as a circumvention mechanism, Türk Telekom escalated by rerouting traffic destined for Google Public DNS (8.8.8.8 and 8.8.4.4) to a local DNS server serving false answers (Event E, March 28), causing a rapid drop in Tor and YouTube availability across all Atlas probes regardless of DNS configuration. At least 6 distinct shifts in filtering strategy were documented within a two-week period.
- Under the RAD attack a large fraction of China's routes to Internet destinations shift to non-valley-free (NVF) paths, which impose direct monetary costs because ASes must pay for traffic they would normally earn revenue transiting. Among valley-free paths that survive, 6%–21% switch to less-preferred (more expensive) routes, 20%–43% become longer, and average path length increases by 1.12×–1.40× depending on placement strategy.
- Even under the most censor-favorable (random-no-ring-1) decoy placement, launching the RAD attack increases average Internet route latency from China by over 4×; under strategic placements the average latency increase factor reaches 8×. These increases arise because RBGP is forced onto lower-capacity, less-popular transit ASes even when path hop-count is unchanged.
- The feasibility of the RAD attack scales sharply with the censor's network connectivity. Strategic placement of decoys in just 1% of ASes disconnects China from 18% of Internet destinations, Venezuela from 54%, and Syria from 87%. Countries with fewer controlled ASes and ring ASes have dramatically less routing flexibility and are far more vulnerable to even small decoy deployments.
- The RAD attack requires converting a large number of Chinese edge ASes into transit ASes: placing decoys in 2% of global ASes (random-no-ring-1, China-World scenario) forces 59 edge ASes to become transit ASes, nearly doubling China's 30 existing transit ASes. One Chinese transit AS must carry approximately 122× its normal load; the abstract reports a peak of 2,800× in a more aggressive scenario, a threshold the paper considers operationally infeasible.
- The RAD paper's random decoy placement is heavily biased in favor of the censor: 86.2% of all Internet ASes are edge ASes with customer cone size 1, so random selection rarely hits transit ASes. Replacing random with sorted-no-ring placement (decoys chosen from ASes that appear most on adversary BGP routes) disconnects China from 30% of Internet destinations using only 2% decoy coverage, versus the 4% disconnection reported in the original RAD paper.
- In the August 2012 Bell-Dery BGP route leak, TTL analysis at per-prefix granularity revealed that two IP addresses within AS577 maintained constant TTLs and unaffected packet rates throughout the disruption, while 37 of 38 other active /16 prefixes experienced significant volume drops and TTL changes indicating rerouting through longer paths. This demonstrates that BGP route leaks can affect subnets within a single AS asymmetrically, and that TTL inspection can identify unaffected sub-AS paths.
- During the February 2012 Dodo-Telstra BGP route leak, AS1221 (Telstra) exhibited a 20-minute congestion phase in which γC and γ3 both dropped while η rose from approximately 3 to 5 seconds, followed by a complete outage during which zero darknet sources were observed from the AS. The congestion phase produced measurable packet loss before the full blackout, providing an early-warning window of roughly 20 minutes.
- IBR-derived metrics γ (average SYN retransmits per flow) and η (inter-packet time between retransmits) can distinguish packet-loss-induced outages from packet-filtering censorship: during Libya's 2011 packet-filtering phase γC remained near pre-censorship values despite reduced source counts, whereas BGP route leaks caused measurable γ decreases and η increases. This difference exists because filtering reduces the host population but preserves per-flow OS retransmit behavior, while congestion causes routers to drop individual packets mid-flow.
- Libya's 2011 Internet shutdown combined two distinct censor techniques across separate episodes: BGP-level route withdrawal and later packet filtering. During the packet-filtering episode, γC remained near its pre-censorship baseline (~2.0 packets/flow) even as the number of reachable Conficker sources dropped, confirming that the mechanism was per-subnet allowlisting rather than link saturation.
- A routing-capable warden can enumerate over 90% of decoy-router-deploying ASes for deployments as large as 4,000 ASes using an intersection-based discovery attack: the warden probes many paths, accumulates a set of 'clean' ASes, and prunes candidate paths until a single 'tainted' AS remains. All evaluated wardens (China, Syria, Iran, Australia, France, Venezuela) achieved roughly equal detection success across all deployment sizes.
- Containment analysis shows that surrounding China with a 'ring' of decoy routers at AS-hop depth 1 requires covering 161 ASes; depth-2 expands by a factor of more than 23, becoming untenable, while depth-3 is slightly smaller but leaves the majority of the Internet reachable via clean paths. Cutting China off from at least half the Internet would require all 96 of the world's largest ISPs to deploy decoy routers at all exit points simultaneously.
- Under the Cirripede 'random ASes' deployment scenario — where 0.4%–1.0% of ASes deploy decoy routers — routing-capable wardens need only disconnect themselves from 0.85%–3.04% of the Internet to obtain clean (decoy-free) paths to all remaining destinations. Even at 10% Internet-wide deployment, wardens are cut off from only 7%–9% of non-participating ASes on average.
- Both Egypt and Libya demonstrate that concentration of Internet infrastructure under state ownership—in Egypt, all submarine fiber backhaul terminated at a single facility, the Ramses Exchange, controlled by the state telecommunications provider—makes country-wide BGP-based shutdowns technically straightforward. The authors conclude that the small number of state-controlled parties involved in international connectivity was the critical enabling factor, not any novel technical capability.
- Unsolicited background radiation traffic to the UCSD network telescope—particularly Conficker worm scanning (TCP SYN, port 445, 48-byte packets)—dropped nearly simultaneously with Egyptian BGP route withdrawals on January 27, corroborating control-plane analysis with data-plane evidence. Crucially, some worm-infected hosts continued to generate outbound scanning traffic even after their prefixes were BGP-withdrawn, because packet filtering was absent; this asymmetry between inbound unreachability and outbound connectivity can distinguish pure BGP-based blocking from combined BGP-plus-filtering approaches.
- Egypt's Internet shutdown on January 27, 2011 was accomplished via BGP route withdrawals: approximately 2,500 IPv4 prefixes (out of 2,928 visible) disappeared within a 20-minute window beginning at 22:12:26 GMT, leaving only 176 prefixes visible by 23:30:00 GMT. The shutdown lasted more than five days, with BGP connectivity beginning to return at 09:29:31 GMT on February 2, and more than 2,500 Egyptian prefixes back in global BGP tables by 09:56:11 GMT.
- During Egypt's 5.5-day Internet blackout, active CAIDA Ark measurements found that only 1% of probes to Egyptian IPv4 prefixes received responses, compared to 16–17% on normal days. The minority of addresses that retained bidirectional connectivity all mapped to BGP prefixes that had not been withdrawn—including prefixes serving the Egyptian stock exchange and two national banks, whose 83 prefixes were kept live until January 31 at 20:46:48 GMT before being simultaneously withdrawn.
- Libya implemented escalating Internet disruptions before executing a sustained blackout: a 6.8-hour curfew on February 18 and an 8.3-hour curfew on February 19, followed by a 3.7-day near-total blackout beginning March 3. The authors detected what they believe were Libya's attempts to test firewall-based packet filtering before transitioning to more aggressive BGP-based disconnection, demonstrating a two-phase escalation pattern.
- Iran and Libya each have a single point of control (1 AS), making complete national internet shutdown achievable with a single administrative action. Egypt's 2011 shutdown left one AS (Noor Group, 4.9% of connected IPs) operational for four days, apparently due to its role serving the Egyptian stock exchange and other core financial institutions.