About the author
Alex Henthorn-Iwane leads Product Marketing at ThousandEyes, which delivers Network Intelligence solutions that that enable companies to gain digital experience insights from every user to every app over any network. Prior to ThousandEyes, Alex has worked with big data network analytics, DevOps orchestration and Internet routing monitoring technologies at Kentik, Quali and Packet Design.
With recent news that the government in Russia has signed the “Russian Internet Law”, it is setting in motion plans to use an alternative Domain Name System (DNS). This news, alongside Iran’s recent test of a country-wide firewall, is some of the latest proof it would appear more and more countries are seeking to take control of their Internet infrastructure.
In Russia’s case, it appears that some structural changes to its Internet have been in the works for a while. In 2012 the Russian government began blocking web users in the country from accessing certain websites based on a set criteria. Subsequently in 2015, a law was passed requiring all software-as-a-service (SaaS) providers to maintain a local copy of all data of Russian citizens. However, to date few have complied with this request with little to no repercussion as of yet.
2017 marked further developments when Russian officials issued a ban on all software and websites related to Internet filtering, including virtual private networks (VPNs) and anonymisers, as well as all websites containing instructions on how to access websites blocked by the government.
This latest “sovereign Internet law” seems to be an attempt by the Russian government to test the feasibility of isolating Russia from the rest of the Internet. This recalls one very similar, successful, system – The Great Firewall of China.
How China’s Great Firewall works
China serves as the largest example of attempting to control the Internet within its borders, and a large part of its success, in this attempt, is the fact that it started from the very beginning, building architecture for this from scratch.
The Great Firewall was built in 1999, and is the blanket term for the collection of techniques used to filter web traffic in China. Two things have made the Firewall possible: China introduced the policy in a much earlier phase of the Internet, allowing the ecosystem to evolve alongside the Internet organically; secondly, state-run monopolies control telecommunications within China, and these have fully complied with the censorship demanded by the government. What has resulted is the largest filtering infrastructure of Internet traffic in the world, with few, if any, choke points in and out of the country.
Internet traffic in China can be analysed and manipulated by Chinese authorities far more easily than in a country like the US, for one thing because all Internet service providers in China are licensed and controlled by the Ministry of Industry and Information Technology. Furthermore, a small number of fiber-optic cables enable virtually all of China’s Internet traffic, these enter the country at one of ten different backbone access points, seven of which were only added in January 2015. This all leads to almost total control over the Internet.
China then is a unique example of Internet disconnection. For a country like Russia, where the Internet has been allowed to evolve in a much more integrated way, these roots are now firmly intertwined, meaning it will be very difficult to separate from them.
So how realistic is global “splintering” of the Internet?
While the Internet is of course mostly open today, there are already restrictions in several countries. For instance, Saudi Arabia already restricts DNS, forcing the DNS request traffic through nationally controlled proxy service, with the same technology is used in China.
Such examples show that there is a clear impulse to secure more control of the Internet along national lines, whilst still allowing traffic to flow. Initiatives like GDPR and other privacy laws can also be seen as examples of this. A US company wanting to do business in the EU, for example, needs to keep all data there.
How could a country “disconnect”?
When it comes to Internet censorship, often the first step (and the easiest) is IP blocking, which has the added bonus of being generally very low cost and easy to deploy. IP blocking works when a country has a “blacklist” of undesirable IP addresses, routers then drop all packets destined to blocked IPs, potentially including the address of what a country would classify as a “sensitive” site, or of a DNS resolver. In China, an IP blacklist is injected via Border Gateway Protocol (BGP) using null routing.
The fact that with IP blocking the government can maintain a centralised blacklist without much involvement from the ISPs, and thus without much risk of leakage, makes it a particularly lightweight solution.
Often used in conjunction with IP blocking are DNS-related techniques. Changing a domain name is not nearly as trivial as changing an IP address. Routers can disrupt unwanted communication by hijacking DNS requests containing banned keywords and injecting forged DNS replies and DNS tampering falsifies the response returned by the DNS server. Used together, DNS tactics and IP blocking can effectively seal off censored sites and servers on both the domain and IP levels.
There are a host of other approaches to imposing control on a country’s Internet including:
Self-censorship: In China, ISPs are expected to monitor and filter content on their networks according to state guidelines and all Internet companies operating in China are also required by law to self-censor their content. If companies can’t successfully censor their content, they face penalties: warnings, fines, temporary shutdowns and possible revocation of their business licenses. These processes have fostered a culture of self-censorship in the country.
Manual enforcement: The Chinese Internet police force has an estimated 50,000 employees. They manually monitor online content, directly deleting content or ordering websites, content hosts and service providers to delete material.
Keyword filtering: Chinese authorities inspect content passing through their pathways, including URLs for blacklisted keywords. However filtering is inconsistent, functioning as more of a “panopticon” than a firewall.
Is this the dawn of the “splinternet”?
Overall most countries globally still keep their Internet fully open – and even the most severe systems like China are not 100% effective at complete isolation. While there is certainly a trend of fragmentation which will likely continue, at present Russia and China are more severe examples of trying to control the flow of traffic, requests and services.
As such, it looks like anything approaching a “splinternet” is still a long way off.
Alex Henthorn-Iwane, VP Product Marketing at ThousandEyes