How an ISP restricts you from accessing a website (Case Study: Twitter)
There are many reasons an Internet Service Provider (ISP) restricts you from accessing a website:
- To protect its customers from harmful content (e.g. child pornography, illegal drugs and guns, etc.)
- Online censorship, usually instructed by a regulator, in response to or in anticipation of events such as elections, protests, and riots.
Some Icons To Keep in Mind In This Article
Internet Router
A router is a device owned by an ISP. This device reads the data sent from your device. It looks at who sent it, and where it is going, then it helps the data get there.
Firewall
A firewall is a device owned by an ISP. It can be used to restrict access to content coming into its network.
DNS Server
A Domain Name System (DNS) server is owned by an ISP. It has the location of the websites you visit. Even if it doesn't know the website, it will ask other DNS servers on your behalf.
Ways an ISP Restricts Access to Content
- Deep Packet Inspection
- DNS Filtering
- IP Address Filtering
Deep Packet Inspection
Your smartphone and PC package 📦 the information you send and receive online into packets of data. Internet routers read the labels on those packets to determine what they are, who they’re from, and where they’re going.
Say you wanted to buy an illegal Apple device from a website like http://tfwdi3izigxllure.onion/. Your ISP knows this is an illegal website, so when you try to access it, the ISP uses its firewall to inspect your information and then blocks the website. The same goes for any website it tags as illegal.
Another example is the recent happening in Nigeria. Since the government finds a website called Twitter illegal, all ISPs are instructed to inspect the information (video, photo, API calls, website) and then block access to the webpage. Pretty cool right 😎
Here is a diagram from Netblocks, an internet company that tracks disruptions and shutdowns on the internet. The diagram shows all the ISPs that blocked access to Twitter. The yellow column shows that deep packet inspection was the method used to restrict users' access. So cool!
Here is a diagram to reinforce your understanding of what I just explained above.
- In the diagram above, the user is trying to reach Twitter.com
- The firewall has been configured to drop any request to get to Twitter
- The Router knows that if any request gets to it, it can simply ask the DNS server how to get to Twitter
- Hence the user gets an error in their browser
DNS Filtering
If you live in an African country, there is an 80% chance that you have a traditional name like (Seyi, Chidozie, Koffi, Kamara etc.). But your parents also gave you an English name (Taylor, Jane, Chris, etc.), one that is universally easy to pronounce and spell.
In computer networking, think of a website like “Twitter.com” as the English name, with Twitter’s IP address “104.244.42.1” as the traditional name.
The work of a DNS server is to match the “English name” of a website to the “Traditional name.” When you want to access a website like Google.com, Twitter.com, etc. on your browser, the following happens.
- Your browser packages the data (English name of the website) and sends it to your ISP via its internet Router.
- Your ISP gets the data and gives it to its DNS server to match the English name to the Traditional name. The DNS server checks whether it has the location for the traditional name. If it doesn't, it will ask its other DNS server friends.
- Your ISP sees the location of the website and then delivers it back to your browser. Now, your browser can directly access the website. It's that simple. Note that this happens for every website you visit at a very high speed.
Now, let us say an ISP doesn't want you to access a specific website. It simply tells its DNS server to block the traditional name and English name of that website. Now, you can never access the website. Pretty cool right 😎
Here is a diagram to reinforce your understanding of what I just explained above.
- In the diagram above, the user is trying to reach Twitter.com
- The router asks the DNS server how to reach Twitter
- Since the “traditional name” of Twitter saved in its memory has been deleted, the DNS server can no longer tell how to reach Twitter.com
- Hence the user gets an error on their browser
IP Address Filtering
I hope you still remember the traditional name and English name concept I mentioned in the DNS filtering section. The concept applies in this section too.
Say an ISP does not want you to visit a specific traditional name. It will use its firewall to block any information you send from your device to that traditional name.
This is a cool technology used in a lot of small, medium & big enterprises, and also ISPs to protect their network from attackers and do other cool things.
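An added example, not part of the original article: a small Python heuristic that tells the three methods above apart from what a user inside the ISP's network would observe. The Probe fields, the classify function, and the sample hosts and addresses are all assumptions constructed for illustration, not real measurements.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Probe:
    """Constructed observations for one website, taken from inside the ISP's network."""
    host: str
    isp_dns_ip: Optional[str]  # answer from the ISP's DNS server (None = no answer)
    ref_dns_ip: Optional[str]  # answer from a reference resolver outside the ISP
    tcp_ok: bool               # TCP connection to ref_dns_ip on port 443 succeeded
    tls_ok: bool               # TLS handshake that names the host completed
    control_ok: bool           # site reachable from a vantage point outside the ISP

def classify(p: Probe) -> str:
    """Map one probe to the blocking method it most resembles (a heuristic)."""
    if not p.control_ok or p.ref_dns_ip is None:
        return "inconclusive"            # the site itself may be down
    if p.isp_dns_ip is None:
        return "dns_filtering"           # ISP's DNS server will not give the address
    if not p.tcp_ok:
        return "ip_address_filtering"    # packets to the address are dropped
    if not p.tls_ok:
        return "deep_packet_inspection"  # connection opens, fails once the name is seen
    return "not_blocked"

# Constructed sample data: documentation-range addresses, hypothetical hosts.
SAMPLES = [
    Probe("blocked-by-dns.example", None, "203.0.113.10", True, True, True),
    Probe("blocked-by-ip.example", "203.0.113.20", "203.0.113.20", False, False, True),
    Probe("blocked-by-dpi.example", "203.0.113.30", "203.0.113.30", True, False, True),
    Probe("open.example", "203.0.113.40", "203.0.113.40", True, True, True),
    Probe("offline.example", "203.0.113.50", "203.0.113.50", False, False, False),
]

def report(samples):
    """Return {host: verdict} for a list of probes."""
    return {p.host: classify(p) for p in samples}

if __name__ == "__main__":
    for host, verdict in report(SAMPLES).items():
        print(f"{host:26} {verdict}")
```

The control check comes first because a site that is simply offline looks the same as IP address filtering from inside the network.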
So, guys, this rounds up the article.
NOTE: This article is for educational purposes only and not in any way associated with exposing sensitive information or ridiculing an ISP or government.
If you found it interesting and would love to explore the Network Engineering field and help ISPs and enterprises design and configure their network devices like firewalls, routers, etc., give me a follow on Twitter 🐦 @network_charles ✌️