North American Network Operators Group


Re: Network Level Content Blocking (UK) for people who can't be bothered to read the article..

  • From: Leigh Porter
  • Date: Thu Jun 07 15:28:31 2007

Sean Donelan wrote:

On Thu, 7 Jun 2007, Chris L. Morrow wrote:
It's not "content" blocking, it's source/destination blocking.

oh, so null routes? I got the impression it was application-aware, or at least port-aware... If it's proxying or doing anything more than port-level blocking it's likely it sees content as well, or COULD.

Either way, it's not like it's effective for anything except the most casual of users :(

It's more than null routes, but not much more. The router does a re-route on a list of network/IP addresses, and then for the protocols the redirector box understands (i.e. pretty much only HTTP) it matches part of the application/URL pattern.

So IWF can block only one part of a sub-tree of a popular shared webhosting site *IF* it is one of a few application protocols.

What we have is a box that takes the IWF feed of dodgy sites and resolves the entries to IP addresses. These are then injected into the network with Quagga's bgpd. The network then obviously routes anything to these IP addresses and therefore those websites to the filter box.

(but not a bad idea....) The filter box runs Squid with the URL list from the IWF. Port 80 traffic is directed through squid and anything appearing on the IWF list that is accessed by anybody returns a page telling them to go away. We thought about the error page stuff but what the heck, it's obvious it's being filtered anyway so you may as well put some google ads on the page you return (Joke ;-) In fact you could run upside-down-ternet on it, there's no end to the things you could do to screw with people's heads.

Anything on a virtual host whose URL is not explicitly in the IWF list is passed through squid without being touched.

Since only port 80 is passed through the filter then of course there are all manner of things you could do to circumvent the filter and this will of course always be the case as people will use whatever they can to get what they want. After all, all you really need to do in order to get all the dodgy material you want is to subscribe to a decent USENET service and get it all from that.

For what it's worth though it works well for what it is and we certainly get a few hits on it.

Leigh Porter
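The two-stage design Leigh describes (resolve the IWF URL list to IP addresses, inject /32 routes with Quagga's bgpd so only traffic for those addresses reaches the filter box, then let Squid match the full URL and pass everything else untouched) is easy to misread as "IP blocking". The model below is an added example, not code from Leigh's deployment or from Quagga or Squid; the URL list, the DNS table (RFC 5737 documentation addresses) and all hostnames are constructed placeholders. It shows why a second tenant on the same shared-hosting IP is not blocked, why only the listed sub-tree of a host is blocked, and why traffic on any port other than 80 never sees the filter at all, which is the scope a defender should assume when relying on a system like this.

```python
"""Model of a two-stage URL filter: BGP /32 redirect, then proxy URL matching.

Added illustration of the architecture described in the post; every list
entry, hostname and address here is constructed for the example.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the IWF feed: URL prefixes, not whole hosts.
IWF_URL_LIST = [
    "http://shared-host.example/baduser/",
    "http://lone-site.example/",
]

# Constructed stand-in for DNS resolution.  Two hostnames share one IP to
# model a popular shared web host.
FAKE_DNS = {
    "shared-host.example": "192.0.2.10",
    "other-tenant.example": "192.0.2.10",
    "lone-site.example": "198.51.100.7",
    "unrelated.example": "203.0.113.5",
}


def resolve_blocklist(url_list, dns=FAKE_DNS):
    """Stage 1: resolve each listed URL's host and produce the /32 routes
    that would be injected into the network (the bgpd step)."""
    prefixes = set()
    for url in url_list:
        host = urlsplit(url).hostname
        ip = dns.get(host)
        if ip is None:
            continue  # an unresolvable entry can never be routed to the filter
        prefixes.add(ipaddress.ip_network(f"{ip}/32"))
    return sorted(prefixes)


def route_flow(dst_ip, dst_port, prefixes):
    """Stage 2: the router forwards traffic for injected prefixes to the
    filter box, and the box only proxies port 80.  Everything else goes
    straight through, untouched."""
    addr = ipaddress.ip_address(dst_ip)
    if dst_port == 80 and any(addr in p for p in prefixes):
        return "filter"
    return "direct"


def _normalise(url):
    """Split a URL into (lowercase host, path) for prefix comparison."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def filter_request(url, url_list=IWF_URL_LIST):
    """Stage 3: the proxy matches host plus path prefix against the list.
    A request on the same IP, or even the same host, that is not under a
    listed prefix passes through unchanged."""
    host, path = _normalise(url)
    for entry in url_list:
        entry_host, entry_path = _normalise(entry)
        if host == entry_host and path.startswith(entry_path):
            return "blocked"
    return "pass"


def disposition(url, dst_port, prefixes, dns=FAKE_DNS):
    """End-to-end outcome for one request: direct, pass or blocked."""
    ip = dns.get(urlsplit(url).hostname)
    if ip is None or route_flow(ip, dst_port, prefixes) == "direct":
        return "direct"
    return filter_request(url)


if __name__ == "__main__":
    routes = resolve_blocklist(IWF_URL_LIST)
    print("injected routes:", [str(p) for p in routes])
    for url, port in [
        ("http://shared-host.example/baduser/pic.jpg", 80),
        ("http://shared-host.example/gooduser/", 80),
        ("http://other-tenant.example/", 80),
        ("http://unrelated.example/", 80),
        ("https://shared-host.example/baduser/", 443),
    ]:
        print(f"{url:48} port {port:<4} -> {disposition(url, port, routes)}")
```

Running it prints two injected /32s and shows that only the listed sub-tree on the shared host is blocked; the neighbouring user directory, the co-hosted tenant and the same path over port 443 all come back as pass or direct. The third outcome is the point of Leigh's last paragraph: anything the redirector box cannot parse is never inspected, so the log of "hits" only ever counts port 80 requests that matched a list entry exactly.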