ISP Mandatory Filtering, a Technical Introduction


One of the most controversial subjects in internet circles recently has been the trial and subsequent plan to progress and implement mandatory internet filtering in every ISP throughout Australia.

The internet filtering plan is the brainchild of Senator Stephen Conroy, who has more recently been under attack for the National Broadband Network's failed tendering process.

How the internet works

In order to understand how the proposed internet filter will work, we first have to quickly examine how the internet works to retrieve information.
For demonstration purposes, we will use an ordinary web address (URL), such as http://www.brightlabs.com.au/page/Contact/. When you type this address into your browser and press Enter, a number of things happen:

1. Your computer splits the address up into a few different pieces:

a. “http://” (the protocol)
b. “www.brightlabs.com.au” (the host name)
c. “/page/Contact/” (the path of the page on that server)

2. The computer takes the second part (www.brightlabs.com.au) and asks a DNS server, normally one run by your ISP, to convert this into an IP address. The IP address is like the phone number for a website and tells your computer where it can look to retrieve the website. The system that takes care of this process is called the Domain Name System, or DNS.

3. Before your computer can contact the server at that IP address, it needs to know how to talk to it. This is where the “http://” part (the protocol) comes into play. Each protocol establishes how two computers communicate to transfer the data. Some protocols are rather simple, like HTTP, which is plain text; others are more complex, like HTTPS (secure HTTP), which is HTTP carried inside an encrypted channel. Each protocol has a designated “port” number to communicate on. You can think of these ports as numbered doors on the server, each with its own language spoken behind it. Clients can knock on these doors and, provided they talk the correct language, communicate with the server. The standard port for HTTP connections is 80 (HTTPS uses 443).

4. Armed with this information, your computer will start a conversation with the server at the obtained IP address on port 80. The substance of this conversation will be a request for the page at the remaining part of the URL: “/page/Contact/”.
When two computers communicate over the internet, the various parts of the conversation are chopped up into little pieces called “packets”. Each packet contains, amongst other things, the IP address of the destination computer, the IP address of the source computer, and the source and destination port numbers. Packets may take different routes and arrive out of order; when they reach the destination computer they are put back in sequence, reassembled and the conversation reformed.
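The four steps above, worked through as an added Python example. This code is not from the original article; the DNS transaction ID 0x1234 is an arbitrary constructed value, and the DNS message is built by hand purely to show what a filter at step 2 gets to see (only the name) compared with what a filter at step 4 sees (the full request):

```python
import struct
from urllib.parse import urlsplit

# Default ports for the two protocols a browser uses for web pages.
# HTTPS is ordinary HTTP carried inside an encrypted TLS (formerly SSL) channel.
DEFAULT_PORTS = {"http": 80, "https": 443}


def split_url(url):
    """Step 1: break a URL into protocol, host, port and path."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported protocol: %r" % parts.scheme)
    return {
        "protocol": parts.scheme,
        "host": parts.hostname,                          # lower-cased by urlsplit
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "path": parts.path or "/",                       # a bare host means "/"
    }


def dns_query_message(name, txid=0x1234):
    """Step 2: the UDP payload sent to the DNS server to ask for an A record.

    Header: ID, flags 0x0100 (standard query, recursion desired), QDCOUNT=1,
    ANCOUNT=NSCOUNT=ARCOUNT=0.  Question: the name as length-prefixed labels
    ending in a zero byte, then QTYPE=1 (A) and QCLASS=1 (IN).  A DNS-based
    filter sees exactly this: the name being asked for, nothing about the page.
    (txid is a constructed value; a real client picks it at random.)
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def build_http_request(url):
    """Step 4: the text the browser sends once connected on the chosen port.

    Only the path goes on the request line; the host name travels in the Host
    header so that one IP address can serve many web sites.  Everything here is
    plain text, which is what lets a proxy or a DPI box read it.
    """
    p = split_url(url)
    return (
        "GET %s HTTP/1.1\r\n"
        "Host: %s\r\n"
        "Connection: close\r\n"
        "\r\n" % (p["path"], p["host"])
    ).encode("ascii")


if __name__ == "__main__":
    url = "http://www.brightlabs.com.au/page/Contact/"
    print(split_url(url))
    print(dns_query_message(split_url(url)["host"]).hex())
    print(build_http_request(url).decode())
```

Running the block prints the split URL, the hex of the 39-byte DNS query for www.brightlabs.com.au, and the request text that travels to port 80.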

Filtering Techniques

There are a number of filtering techniques that can be applied to internet traffic to examine and block the retrieval of content. Here are some of the more popular ones:

DNS Filtering

This technique works at the domain name level (point 2 above). If a computer asks the ISP's DNS server for the IP address of a blocked domain name, an incorrect or invalid IP address is returned in place of the correct one. Your computer then either cannot connect at all or requests the page from the wrong server, and the result is an error message (or, in some systems, a “this site is blocked” notice). Because the filter lives in the ISP's DNS server, it only applies to computers that actually send their DNS queries there. The same trick of returning false DNS answers is also used by attackers to steer users to malicious sites, in an attack known as DNS poisoning.
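A small model of a DNS filter, added here as an example (not code from the article). The blocklist, the zone data and the addresses are all constructed (the addresses come from the documentation ranges and belong to no real host). It shows the filtered resolver substituting an answer for listed names, including their subdomains, and why the filter depends on the client actually using that resolver:

```python
# Constructed blocklist of domain names, standing in for the ISP's list.
BLOCKLIST = {"blocked.example", "banned.example.net"}

# Constructed zone data standing in for the rest of the DNS.
ZONE = {
    "www.brightlabs.com.au": "203.0.113.10",
    "blocked.example": "198.51.100.20",
    "www.blocked.example": "198.51.100.21",
    "banned.example.net": "198.51.100.30",
}

# Answer handed back instead of the real one.  0.0.0.0 is unreachable, so the
# browser fails straight away; a filter that shows a "blocked" notice would
# return the address of its notice server here instead.
SINKHOLE = "0.0.0.0"


def is_blocked(name):
    """True if the name or any parent domain is listed (case-insensitive), so
    an entry for blocked.example also catches www.blocked.example."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def resolve_unfiltered(name):
    """A resolver that simply looks the name up.  None stands for NXDOMAIN."""
    return ZONE.get(name.lower().rstrip("."))


def resolve_filtered(name):
    """The ISP's resolver: the same lookup, but listed names get the sinkhole
    and the real address is never revealed to the client."""
    if is_blocked(name):
        return SINKHOLE
    return resolve_unfiltered(name)


def client_lookup(name, use_isp_resolver=True):
    """What the client ends up with.  The filter only takes effect if the
    client sends its query to the filtered resolver; a client configured to
    use some other DNS server gets the real answer."""
    resolver = resolve_filtered if use_isp_resolver else resolve_unfiltered
    return resolver(name)


if __name__ == "__main__":
    for name in ("www.brightlabs.com.au", "www.blocked.example", "nonexistent.example"):
        print(name, client_lookup(name), client_lookup(name, use_isp_resolver=False))
```

Note that the suffix walk in is_blocked stops at the listed name: a list entry for blocked.example blocks www.blocked.example but does not block the bare example parent, which is the behaviour a domain-level list is normally expected to have.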

Proxy Filtering

A proxy is a middle-man server that is inserted into a conversation. When your computer thinks it is talking to the Brightlabs server, it is actually talking to a server at your ISP (when this happens without any configuration on your part it is called a transparent proxy). This proxy relays your requests through to the real server and passes the responses back to your computer. Because the proxy sees the complete request, including the exact page being asked for, it can dictate what communication may take place and filter out communication which is not allowed, for instance by replacing a disallowed page with a block notice. The same position in the conversation can be used for malicious purposes, where it is known as a “man-in-the-middle” attack.
If the proxy can be confident that it knows what your computer is asking for and already holds a copy of the answer, it may give your computer the information without contacting the server. This arrangement is called a proxy cache (or caching proxy), and is already used by some ISPs such as TPG to help speed up communication and reduce internet traffic.
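How such a filtering proxy makes its decision, and how the cache fits in, as an added Python example. It is not the article's code and is not modelled on any particular ISP's equipment; the URL blocklist, the block page text and the stand-in origin server are constructed:

```python
# Constructed URL blocklist.  A proxy sees the whole URL, so a single page can
# be blocked while the rest of the site stays reachable.  Entries ending in
# "/" block everything beneath that directory.
URL_BLOCKLIST = {
    "http://blocked.example/",
    "http://www.example.net/banned/",
}

BLOCK_PAGE = (
    b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
    b"This page has been blocked by your ISP.\n"
)


def parse_request(raw):
    """Split an HTTP/1.1 request into method, path and a headers dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, path, headers


def requested_url(path, headers):
    """Rebuild the URL the browser typed from the path and the Host header."""
    host = headers.get("host")
    if host is None:
        raise ValueError("HTTP/1.1 request without a Host header")
    return "http://%s%s" % (host.lower(), path)


def url_is_blocked(url):
    return any(url == entry or (entry.endswith("/") and url.startswith(entry))
               for entry in URL_BLOCKLIST)


class FilteringProxy:
    """Transparent proxy that filters by URL and caches GET responses."""

    def __init__(self, origin_fetch):
        self.origin_fetch = origin_fetch   # how to reach the real server
        self.cache = {}
        self.origin_requests = 0           # how often the real server was contacted

    def handle(self, raw_request):
        method, path, headers = parse_request(raw_request)
        url = requested_url(path, headers)
        if url_is_blocked(url):
            return BLOCK_PAGE              # the real server is never contacted
        if method == "GET" and url in self.cache:
            return self.cache[url]         # proxy cache: answered locally
        self.origin_requests += 1
        response = self.origin_fetch(raw_request)
        if method == "GET":
            self.cache[url] = response     # only repeatable requests are cached
        return response


def fake_origin(raw_request):
    """Stand-in for the real web server (constructed for the example)."""
    return b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nHello from the real server\n"


if __name__ == "__main__":
    proxy = FilteringProxy(fake_origin)
    ok = b"GET /page/Contact/ HTTP/1.1\r\nHost: www.brightlabs.com.au\r\n\r\n"
    bad = b"GET /banned/index.html HTTP/1.1\r\nHost: www.example.net\r\n\r\n"
    print(proxy.handle(ok).split(b"\r\n")[0], proxy.handle(bad).split(b"\r\n")[0])
```

The cache only ever stores GET responses: a POST carries data that changes something on the server, so replaying a stored answer for it would be wrong. Blocked URLs are decided before the cache is consulted, so a page that was cached before being added to the list is still blocked.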

Deep Packet Inspection (DPI)

DPI works as a casual observer to the conversation rather than a participant in it. A device at the ISP watches the packets passing by, reassembles them into the original stream and reads what is being said. If it finds someone asking for disallowed content, it steps in and kills the conversation, typically by dropping the packets or by injecting a forged TCP “reset” that makes both ends believe the other has hung up.
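The two mechanical parts of DPI, rebuilding a stream from packets that may arrive out of order and deciding whether to kill it, as an added Python example. It is not the article's code and is not modelled on any vendor's product; the blocked host, the packet sequence numbers and the port numbers are constructed:

```python
import re
import struct

# Constructed host blocklist for the inspector.
BLOCKED_HOSTS = {b"blocked.example"}
HOST_HEADER = re.compile(rb"\r\nHost:[ \t]*([^\r\n]+)", re.IGNORECASE)


def reassemble(segments):
    """Rebuild one direction of a TCP conversation from captured segments.

    `segments` holds (sequence_number, payload) pairs in the order seen on the
    wire: possibly out of order, possibly with retransmissions that overlap
    earlier data.  Returns the contiguous bytes from the lowest sequence
    number, stopping at the first gap (a packet the inspector has not seen).
    """
    ordered = sorted(segments, key=lambda s: s[0])
    if not ordered:
        return b""
    start = ordered[0][0]
    stream = bytearray()
    for seq, payload in ordered:
        offset = seq - start
        if offset > len(stream):
            break                                   # gap: wait for the missing packet
        stream += payload[len(stream) - offset:]   # skip bytes already seen
    return bytes(stream)


def inspect(stream):
    """Verdict for a reassembled client-to-server stream: 'pass' or 'reset'."""
    m = HOST_HEADER.search(stream)
    if not m:
        return "pass"   # not HTTP, or the headers have not finished arriving
    host = m.group(1).strip().lower().split(b":")[0]   # drop an explicit port
    return "reset" if host in BLOCKED_HOSTS else "pass"


def forged_reset(src_port, dst_port, seq):
    """The 20-byte TCP header of the reset an inspector injects to kill the
    conversation while posing as the server.  The sequence number must fall
    inside the client's receive window or the client ignores it.  The checksum
    is left 0 here because it also covers the IP header, which is added later."""
    data_offset_and_flags = (5 << 12) | 0x04      # 5 words of header, RST flag set
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0,
                       data_offset_and_flags, 0, 0, 0)


if __name__ == "__main__":
    request = b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"
    # Constructed capture: three segments seen out of order plus one retransmission.
    seen = [(5010, request[10:25]), (5000, request[:10]), (5025, request[25:]), (5005, request[5:15])]
    stream = reassemble(seen)
    print(stream == request, inspect(stream), forged_reset(80, 51000, 9000).hex())
```

The inspector has to buffer until the Host header is complete, which is why a stream with a gap is passed rather than reset: a filter that judged half-arrived headers would both miss requests and break innocent connections. Splitting a request across many tiny segments, or sending them out of order, is the classic way to test whether a DPI box reassembles properly.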

Port Blocking (firewalling)

As different protocols use different ports, it is possible to block different types of communication by simply blocking the port (channel) they use.
If you have come across an internet connection where websites work but your instant messaging client doesn't, this is most likely what is happening.
In addition to this, firewalls can also block all traffic to and from specific IP addresses or ranges of addresses.
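A toy model of the port and IP blocking described above, added as a Python example (not from the article). The rule set, the port assignments it cites and the addresses are constructed for the example. It also shows the weakness noted later in the article: the firewall judges by header fields alone, so the same application moved to another port is indistinguishable from allowed traffic:

```python
import ipaddress

# Constructed rule set.  Rules are checked in order and the first match wins,
# which is how most packet filters behave.  A rule is
#   (action, protocol or None, destination network or None, (low, high) port range or None)
# where None means "any".
RULES = [
    ("block", "tcp", None, (6667, 6669)),        # IRC chat ports
    ("block", "tcp", None, (5190, 5190)),        # AIM/ICQ default port
    ("block", None, "198.51.100.0/24", None),    # a blacklisted address range, any port
    ("allow", None, None, None),                 # everything else
]


def matches(rule, packet):
    _action, proto, net, ports = rule
    if proto is not None and packet["proto"] != proto:
        return False
    if net is not None and ipaddress.ip_address(packet["dst_ip"]) not in ipaddress.ip_network(net):
        return False
    if ports is not None and not ports[0] <= packet["dst_port"] <= ports[1]:
        return False
    return True


def decide(packet, rules=RULES):
    """Return 'allow' or 'block' for one packet; no matching rule means block."""
    for rule in rules:
        if matches(rule, packet):
            return rule[0]
    return "block"


def make_packet(proto, dst_ip, dst_port):
    """Only the header fields a port/IP firewall looks at; it never sees the payload."""
    return {"proto": proto, "dst_ip": dst_ip, "dst_port": dst_port}


if __name__ == "__main__":
    for p in (make_packet("tcp", "203.0.113.10", 80),     # web: allowed
              make_packet("tcp", "203.0.113.10", 6667),   # IRC on its usual port: blocked
              make_packet("tcp", "203.0.113.10", 80),     # IRC server listening on 80: looks like web
              make_packet("tcp", "198.51.100.7", 80)):    # anything to the blacklisted range
        print(p, decide(p))
```

The third packet in the usage is the evasion case: an IRC server moved to port 80 produces a header identical to a web request, and a port-based rule cannot tell them apart. Only something that reads the payload (a proxy or DPI) could.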

Effectiveness

Some filtering techniques are quite dependent on the protocol being used. For example, DPI and proxy filtering need to be able to completely read and interpret the conversation between the client and the server. These techniques can slow down internet traffic (a proxy adds an extra participant to every conversation, and DPI equipment has to reassemble and inspect every stream at full speed), and they are of limited use for non-HTTP traffic, especially encrypted traffic such as HTTPS (or SSL), which has been specifically designed to protect traffic from people listening in and from man-in-the-middle attacks. With HTTPS the filter can still see which server is being contacted, but not which page is requested or what is sent back.

For other protocols which cannot be understood by filters, ISPs may have to fall back on the broader techniques of firewalling, IP or DNS filtering. However, these techniques can still be circumvented relatively easily by technically competent users. One of the more popular techniques is to establish an encrypted Virtual Private Network (VPN) to a computer which is not filtered. The ISP filter cannot see inside the VPN traffic because it is encrypted, and if it is a privately run VPN, it is unlikely the VPN server's IP address will be blacklisted. Indeed, the internet filtering trial report clearly states “A technically competent user could, if they wished, circumvent the filtering technology”.

In addition to this, some types of traffic, such as Peer-to-Peer (P2P), blur the line between client and server. With P2P, every client also acts as a server, which means that if an ISP were to attempt to block traffic by IP address, it would potentially be blocking its own customers. There is also the option of blocking the port used by the P2P traffic; however, these ports can easily be changed, and just because a technology can be used for accessing disallowed material, it does not mean the use of the technology itself is illegal. P2P traffic actually accounts for over half of all internet traffic in many countries.

Given the technical challenges of enforcing an effective filtering system, the ease with which it can be bypassed and the possible impact on the average user's internet experience, it is understandable that these technical aspects are one of the key issues prompting public debate over mandatory ISP filtering.

Brightlabs is a leading supplier of web design solutions and provides expert advice to assist your business online.
