Failures in a Hybrid Content Blocking System

  • Richard Clayton
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3856)


Three main methods of content blocking are used on the Internet: blocking routes to particular IP addresses, blocking specific URLs in a proxy cache or firewall, and providing invalid data for DNS lookups. The mechanisms have different accuracy / cost trade-offs. This paper examines a hybrid, two-stage system that redirects traffic that might need to be blocked to a proxy cache, which then takes the final decision. This promises an accurate system at a relatively low cost. A British ISP has deployed such a system to prevent access to child pornography. However, circumvention techniques can now be employed at both system stages to reduce effectiveness; there are risks from relying on DNS data supplied by the blocked sites; and unhappily, the system can be used as an oracle to determine what is being blocked. Experimental results show that it is straightforward to use the system to compile a list of illegal websites.





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Richard Clayton, Computer Laboratory, University of Cambridge, Cambridge, United Kingdom
